
@dkeightley
Last active November 11, 2022 02:24
rke2-lab-setup-cis-selinux

Server node 1

Install

RH-based

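# Install RKE2 via rpm on an RH-based host and drop in the CIS sysctl profile.
# The installer is fetched over HTTPS from the project site; set
# INSTALL_RKE2_VERSION to a release tag if the lab must be reproducible rather
# than tracking the latest channel.
curl -sfL https://get.rke2.io | INSTALL_RKE2_METHOD=rpm sh -
sudo cp -f /usr/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
# The original mixed a sudo'd cp with an unprivileged mkdir and redirect into
# /etc, which fails for a non-root user; run every privileged step via sudo.
sudo mkdir -p /etc/rancher/rke2
# Quoted delimiter: nothing in this file needs shell expansion.
sudo tee /etc/rancher/rke2/config.yaml >/dev/null <<'EOF'
selinux: true
profile: cis-1.5
write-kubeconfig-mode: "0640"
EOF
# Only the root-run rke2 service reads this file; keep it root-only so a join
# token added later is not world-readable.
sudo chmod 0600 /etc/rancher/rke2/config.yaml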

Debian-based

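# Install RKE2 with the default (tarball) method on a Debian-based host and
# drop in the CIS sysctl profile. Set INSTALL_RKE2_VERSION to a release tag if
# the lab must be reproducible rather than tracking the latest channel.
curl -sfL https://get.rke2.io | sh -
sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
# The original mixed a sudo'd cp with an unprivileged mkdir and redirect into
# /etc, which fails for a non-root user; run every privileged step via sudo.
sudo mkdir -p /etc/rancher/rke2
# Quoted delimiter: nothing in this file needs shell expansion. No selinux key
# here: that setting is only used on the RH-based install above.
sudo tee /etc/rancher/rke2/config.yaml >/dev/null <<'EOF'
profile: cis-1.5
write-kubeconfig-mode: "0640"
EOF
# Only the root-run rke2 service reads this file; keep it root-only so a join
# token added later is not world-readable.
sudo chmod 0600 /etc/rancher/rke2/config.yaml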

Setup

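# Apply the CIS sysctl file installed above, create the unprivileged etcd
# account expected by the cis profile, then enable and start the server.
sudo systemctl restart systemd-sysctl
# Idempotent: re-running this setup on a host that already has the account
# must not abort on useradd. The rest of the block ran without sudo in the
# original; it is sudo'd here so it works for a non-root user as well.
id etcd >/dev/null 2>&1 || sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd
# --now enables and starts in one step (same effect as enable followed by start).
sudo systemctl enable --now rke2-server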

Server node 2

Install

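# The join token is generated on node 1; print it there, then set these two
# variables in the shell on node 2 before running the join steps below.
# Placeholders are quoted so the lines are valid shell as written (unquoted
# '<' would be parsed as a redirect); replace the bracketed text before use.
cat /var/lib/rancher/rke2/server/node-token  # get the token from node 1
IP='<private ip of node 1>'
# Prefer `read -rs TOKEN` over pasting the token on the command line so it
# does not end up in shell history.
TOKEN='<token from node 1>'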

RH-based

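# Join an RH-based node 2 to the cluster started on node 1. IP and TOKEN must
# already be set in this shell; fail early instead of writing a config whose
# server URL or token is empty.
: "${IP:?set IP to the private address of node 1}"
: "${TOKEN:?set TOKEN to the node-token printed on node 1}"
curl -sfL https://get.rke2.io | INSTALL_RKE2_METHOD=rpm sh -
sudo cp -f /usr/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
# Every privileged step via sudo: the original's bare mkdir/redirect into /etc
# fails for a non-root user.
sudo mkdir -p /etc/rancher/rke2
# Unquoted delimiter on purpose: IP and TOKEN are expanded into the file.
sudo tee /etc/rancher/rke2/config.yaml >/dev/null <<EOF
server: https://${IP}:9345
token: ${TOKEN}
selinux: true
profile: cis-1.5
write-kubeconfig-mode: "0640"
EOF
# The file now contains the cluster join token; make it readable by root only.
sudo chmod 0600 /etc/rancher/rke2/config.yaml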

Debian-based

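# Join a Debian-based node 2 to the cluster started on node 1. IP and TOKEN
# must already be set in this shell; fail early instead of writing a config
# whose server URL or token is empty.
: "${IP:?set IP to the private address of node 1}"
: "${TOKEN:?set TOKEN to the node-token printed on node 1}"
curl -sfL https://get.rke2.io | sh -
sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
# Every privileged step via sudo: the original's bare mkdir/redirect into /etc
# fails for a non-root user.
sudo mkdir -p /etc/rancher/rke2
# Unquoted delimiter on purpose: IP and TOKEN are expanded into the file.
sudo tee /etc/rancher/rke2/config.yaml >/dev/null <<EOF
server: https://${IP}:9345
token: ${TOKEN}
profile: cis-1.5
write-kubeconfig-mode: "0640"
EOF
# The file now contains the cluster join token; make it readable by root only.
sudo chmod 0600 /etc/rancher/rke2/config.yaml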

Setup

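# Same post-install steps as node 1: apply the CIS sysctl file, create the
# unprivileged etcd account expected by the cis profile, enable and start.
sudo systemctl restart systemd-sysctl
# Idempotent: re-running this setup on a host that already has the account
# must not abort on useradd. The rest of the block ran without sudo in the
# original; it is sudo'd here so it works for a non-root user as well.
id etcd >/dev/null 2>&1 || sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd
# --now enables and starts in one step (same effect as enable followed by start).
sudo systemctl enable --now rke2-server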

Kubectl

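# Point kubectl and crictl at the files RKE2 writes on a server node. The
# kubeconfig is written with mode 0640 (see config.yaml above), so this shell
# must run as root or a member of the file's group to read it.
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
# Append the RKE2 bin dir only once, so re-sourcing these lines does not keep
# growing PATH.
case ":${PATH}:" in
  *:/var/lib/rancher/rke2/bin:*) ;;
  *) export PATH="${PATH}:/var/lib/rancher/rke2/bin" ;;
esac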

etcd members

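# List the etcd members and print their endpoint status, using the client
# certs RKE2 keeps on the server node.
# Match on the container name and print only the ID: the original grepped the
# whole `crictl ps` row for "etcd", which also matches image names and other
# pods, and could return several IDs. head keeps a single ID either way.
etcd=$(crictl ps -q --name etcd | head -n1)
: "${etcd:?no running etcd container found}"
etcd_tls=/var/lib/rancher/rke2/server/tls/etcd
etcdctl_args="--cert ${etcd_tls}/server-client.crt --key ${etcd_tls}/server-client.key --cacert ${etcd_tls}/server-ca.crt"
# Field 5 of `member list` is the client URL; join them into one comma list.
ETCDCTL_ENDPOINTS=$(crictl exec "${etcd}" /bin/sh -c "etcdctl ${etcdctl_args} member list | cut -d, -f5 | sed -e 's/ //g' | paste -sd ','")
crictl exec "${etcd}" /bin/sh -c "ETCDCTL_ENDPOINTS=${ETCDCTL_ENDPOINTS} etcdctl ${etcdctl_args} --write-out table endpoint status"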