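# Name of the cluster (in the fleet-default namespace) whose Rancher
# registration command should be printed.
export CLUSTERNAME=rke2-cluster-import

# The registration token lives in the namespace named after the management
# cluster id, which the provisioning cluster object exposes as .status.clusterName.
# Quoted and checked: an empty result would otherwise turn into `-n ""` below.
mgmt_cluster=$(kubectl get cluster -n fleet-default "${CLUSTERNAME}" -o jsonpath='{.status.clusterName}')
: "${mgmt_cluster:?cluster ${CLUSTERNAME} not found in fleet-default}"

# Registration command that verifies the Rancher server certificate.
kubectl get clusterregistrationtokens.management.cattle.io -n "${mgmt_cluster}" default-token -o json \
  | jq -r '.status.command'

# insecure command: same import, but the Rancher server TLS certificate is not
# verified when the manifest is fetched. Prefer .status.command above; only use
# this one when the Rancher CA cannot be trusted on the target cluster.
kubectl get clusterregistrationtokens.management.cattle.io -n "${mgmt_cluster}" default-token -o json \
  | jq -r '.status.insecureCommand'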
--- RKE2 SERVER NODES (CONTROL PLANE) ---
### Setup RKE2 Server
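# Artifact drop directory, RKE2 config directory, and the server manifests
# directory (manifests placed there are applied by the server on start).
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
# System account for etcd: no home directory, no login shell, own group.
# Needed when RKE2 runs with the CIS profile (profile: cis-1.23 in config.yaml).
# Guarded so the setup can be re-run without `useradd` failing on an existing user.
if ! id etcd >/dev/null 2>&1; then
  useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
fi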
### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml | |
profile: cis-1.23 | |
selinux: true | |
secrets-encryption: true |
### FIRST RKE2 SERVER NODE (CONTROL PLANE NODES)
### Set Variables
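# Settings for the first server node; fill these in before running the steps
# that follow. Each value is exported so the commands below inherit it.
# Variable names are kept as-is because later steps reference them.
export DOMAIN=            # presumably the DNS name the cluster is reached under — confirm
export TOKEN=             # presumably the RKE2 join token shared by every node — confirm
export vRKE2=             # RKE2 version to install
export Registry=          # private registry host
export RegistryUsername=  # registry credentials
export RegistryPassword=  # NOTE(review): exported secrets are inherited by every
                          # child process and show up in `set -x` traces; prefer
                          # reading the password from a file when scripting this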
### Apply System Settings
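#!/bin/bash
# Print the version currently published on the stable, latest and testing
# channels of the rke2 update endpoint, one TSV line per channel:
#   <app> <channel name> <latest version>
for app in rke2; do
  # TLS verification stays on (the original passed -k): this output drives
  # which release gets installed, so the update server must be authenticated.
  # -f makes HTTP errors fail the pipeline instead of feeding jq an error page.
  output=$(curl -sSf "https://update.${app}.io/v1-release/channels" \
    | jq --arg app "${app}" -r \
        '.data[]|select(.id==("stable","latest","testing"))|[$app, .name, .latest]|@tsv')
  # A failed fetch or an empty jq result leaves $output empty: print nothing.
  [ -n "$output" ] && printf '%s\n' "$output"
done && echo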
for app in k3s; do | |
output=$(curl -ks "https://update.${app}.io/v1-release/channels" | jq --arg app "${app}" -r '.data[]|select(.id==("stable","latest","testing"))|[$app, .name, .latest]|@tsv') | |
[ -n "$output" ] && echo "$output" |
Feature/Functionality | Provisioned Clusters | EKS, AKS, GKE, and OKE Clusters | Imported Clusters |
---|---|---|---|
Cluster Access with kubectl or kubeconfig | ✓ | ✓ | ✓ |
Cluster Access Management (RBAC) | ✓ | ✓ | ✓ |
Modifying Cluster Configuration | ✓ | ✓ | |
Upgrading Cluster Kubernetes Version | ✓ | ✓ | |
Node Management (Adding/Removing/Scaling) | ✓ | ✓ | |
Node Access with Shell (ssh) | ✓ | ✓ | |
Ability to Rotate Certificates | ✓ | ✓ | |
Ability to Rotate Encryption Keys | ✓ | ✓ |
view the repo: https://github.com/rancherfederal/rancher-cluster-templates
Step 1: Create the IAM Policy
aws iam create-policy --policy-name aws-rgs-rancher-mgmt-policy --policy-document '{
"Version": "2012-10-17",
"Statement": [
view the upstream gist by bgulla -> https://gist.github.com/bgulla/7a6a72bdc5df6febb1e22dbc32f0ca4f
additional docs from bcdurden -> https://github.com/bcdurden/rke2-kube-vip
cat << EOF >> /etc/sysctl.conf
### Modified System Settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
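# enable container-selinux (from the Amazon Linux extras "selinux-ng" topic)
amazon-linux-extras enable selinux-ng
# create os release file
# NOTE(review): ">>" appends a line on every run; if the installer only needs
# the file to exist with this content, ">" would avoid duplicate lines — confirm.
echo "2023" >> /etc/amazon-linux-release
# download and install rke2
# The installer is saved to a temp file before it runs instead of being piped
# straight into sh: a truncated or failed download then stops here rather than
# executing a partial script, and the file can be inspected first.
rke2_installer=$(mktemp) || exit 1
if ! curl -sfL https://get.rke2.io -o "$rke2_installer"; then
  rm -f -- "$rke2_installer"
  echo "failed to download the rke2 installer" >&2
  exit 1
fi
INSTALL_RKE2_CHANNEL=v1.27 INSTALL_RKE2_TYPE=server sh "$rke2_installer"
rm -f -- "$rke2_installer"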
# enable and start rke2
### Configure Rancher Pod Security Standards/Pod Security Admissions
cat << EOF >> /etc/rancher/rke2/rancher-psact.yaml | |
apiVersion: apiserver.config.k8s.io/v1 | |
kind: AdmissionConfiguration | |
plugins: | |
- name: PodSecurity | |
configuration: | |
apiVersion: pod-security.admission.config.k8s.io/v1 | |
kind: PodSecurityConfiguration | |
defaults: |
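### Add and Update the Helm Repository
helm repo add neuvector https://neuvector.github.io/neuvector-helm
helm repo update
### Create the NeuVector Namespace and Install NeuVector
# Idempotent namespace creation: a plain `kubectl create namespace` fails when
# the namespace already exists, which breaks re-runs of this step.
kubectl create namespace cattle-neuvector-system --dry-run=client -o yaml | kubectl apply -f -
# Base host the Rancher and NeuVector UIs are served under. Parameterised so
# the chart values below do not hard-code one node's address; the default is
# the original value.
rancher_base=${RANCHER_BASE:-10.0.0.15.sslip.io}
# No ingress TLS values are passed here, so the manager ingress is exposed
# however the ingress controller handles an untyped host rule; set the chart's
# ingress TLS values before exposing this beyond a lab.
helm upgrade -i neuvector neuvector/core --namespace cattle-neuvector-system \
  --set k3s.enabled=true \
  --set k3s.runtimePath=/run/k3s/containerd/containerd.sock \
  --set manager.ingress.enabled=true \
  --set manager.svc.type=ClusterIP \
  --set controller.pvc.enabled=true \
  --set "manager.ingress.host=neuvector.${rancher_base}" \
  --set "global.cattle.url=https://rancher.${rancher_base}" \
  --set controller.ranchersso.enabled=true \
  --set rbac=true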
### Wait for the deployment/rollout