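# Base packages for a Debian RKE2 node (run as root).
apt -y install fail2ban nano sudo vlan ifupdown2 ipvsadm ipset wget curl mtr-tiny net-tools tmux unattended-upgrades open-iscsi glances btop htop
# Kubernetes kernel parameters, pinned to one gist revision so a later edit of
# the gist cannot silently change what lands in /etc/sysctl.d.
# Fetch into a temp file first: `wget -O /etc/sysctl.d/...` truncates the
# target before the transfer starts, so a failed download would otherwise
# leave an empty file that `sysctl --system` then applies without complaint.
sysctl_gist=https://gist.github.com/bouroo/bc52ad58a6e75d44e5235b229e9ca988/raw/8d299c486eb5689f045f25e3619cbc91ffc2de86
for conf in 65-k8s.conf 90-k8s.conf; do
  tmp=$(mktemp) || exit 1
  wget -O "$tmp" "${sysctl_gist}/${conf}" || { rm -f -- "$tmp"; exit 1; }
  install -m 0644 -- "$tmp" "/etc/sysctl.d/${conf}" || exit 1
  rm -f -- "$tmp"
done
sysctl --system
# Give the provisioning account sudo rights (the sudo group is full root on Debian).
usermod -aG sudo debian
# Write the IPVS module list (content below) into this file.
nano /etc/modules-load.d/ipvs.conf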
# /etc/modules-load.d/ipvs.conf — kernel modules for kube-proxy's IPVS mode
# (config.yaml sets proxy-mode=ipvs with ipvs-scheduler=lc, hence ip_vs_lc).
ip_vs_lc
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
# Write the ifupdown2 interfaces file (content below); ${...} placeholders are filled in first.
nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
dns-nameservers 1.1.1.2 8.8.8.8
dns-search ${DOMAIN}
# The primary network interface
allow-hotplug eno1
iface eno1 inet static
address ${PUBLIC_IP/CIDR}
gateway ${PUBLIC_GW}
# Private network interface
# NOTE(review): the raw NIC is enp0s0f1 on the allow-hotplug line and in
# vlan-raw-device below, but enp4s0f1 on the iface line — one of them is a
# typo; check the real name with `ip link` before applying.
allow-hotplug enp0s0f1
iface enp4s0f1 inet manual
mtu 8996
# Private network interface
# VLAN 255 on the private NIC carries the node's cluster address (node-ip in
# config.yaml). The up/down hooks add a static route for the wider private
# network; no `dev` is given, so the kernel resolves ${PUBLIC_GW} through
# whichever interface owns its subnet — confirm that is the intended path.
auto vlan255
iface vlan255 inet static
mtu 8996
address ${PRIVATE_IP/CIDR}
vlan-raw-device enp0s0f1
up ip route add ${PRIVATE_NET/CIDR} via ${PUBLIC_GW}
down ip route del ${PRIVATE_NET/CIDR} via ${PUBLIC_GW}
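mkdir -p /etc/rancher/rke2/
# Write config.yaml (content below). It carries the cluster join token, so make
# it owner-only after saving: nano creates it world-readable under the usual umask.
nano /etc/rancher/rke2/config.yaml
chmod 0600 /etc/rancher/rke2/config.yaml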
# /etc/rancher/rke2/config.yaml — joins this node to an existing rke2 server.
# ${...} placeholders are substituted before the file is saved.
server: https://${SERVER_IP}:9345
# Cluster join secret — anyone who can read this file can join nodes.
token: ${SERVER_TOKEN}
node-ip: ${PRIVATE_IP}
node-external-ip: ${PUBLIC_IP}
tls-san:
- "rke2.${DOMAIN}"
- "${PRIVATE_IP}"
#disable:
# - "rke2-ingress-nginx"
# IPVS mode with least-connection scheduling; pairs with the modules listed in
# /etc/modules-load.d/ipvs.conf (the /lib/modules mount below presumably lets
# kube-proxy load them itself — confirm against the RKE2 docs).
kube-proxy-arg:
- "ipvs-scheduler=lc"
- "proxy-mode=ipvs"
- "ipvs-strict-arp=true"
kube-proxy-extra-mount:
- "/lib/modules:/lib/modules:ro"
#kubelet-arg:
# - "max-pods=220"
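# Write registries.yaml (content below). It holds the registry password in
# clear text, so make it owner-only once saved.
nano /etc/rancher/rke2/registries.yaml
chmod 0600 /etc/rancher/rke2/registries.yaml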
# /etc/rancher/rke2/registries.yaml — mirror and credentials for the private registry.
# NOTE(review): nesting is flattened in this listing; registry.${DOMAIN} and its
# children belong indented under mirrors:/configs: in the real file.
mirrors:
registry.${DOMAIN}:
endpoint:
- "https://registry.${DOMAIN}"
configs:
"registry.${DOMAIN}":
auth:
username: ${REGISTRY_USER}
# Plain-text credential — keep the file owner-only and out of version control.
password: ${REGISTRY_PASSWD}
curl -sfL https://get.rke2.io | sh -
systemctl enable rke2-server
systemctl start rke2-server
Edit the Helm values of kube-system/rke2-coredns (`...` marks omitted sections):
...
# CoreDNS plugin list, in Corefile order (nesting is flattened in this listing).
# autopath with @kubernetes relies on the kubernetes plugin running in
# `pods verified` mode, which is set in its configBlock below.
servers:
- plugins:
- name: autopath
parameters: '@kubernetes'
- name: errors
- configBlock: lameduck 5s
name: health
- name: ready
- configBlock: |-
pods verified
fallthrough in-addr.arpa ip6.arpa
ttl 30
name: kubernetes
parameters: cluster.local in-addr.arpa ip6.arpa
# Metrics endpoint on all pod interfaces, port 9153.
- name: prometheus
parameters: 0.0.0.0:9153
# Everything not answered above goes to the node's resolvers.
- name: forward
parameters: . /etc/resolv.conf
- name: cache
parameters: 30
- name: loop
- name: reload
- name: loadbalance
port: 53
zones:
- zone: .
...