view the repo: https://github.com/rancherfederal/rancher-cluster-templates
Step 1: Create the IAM Policy
aws iam create-policy --policy-name aws-rgs-rancher-mgmt-policy --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:*",
"kms:*",
"ec2:*",
"autoscaling:*",
"elasticloadbalancing:*",
"ecr:*"
],
"Resource": "*"
}
]
}'
Step 2: Create the IAM Role
aws iam create-role --role-name aws-rgs-rancher-mgmt-role --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sts:AssumeRole"
}
]
}'
Step 3: Attach the IAM Policy to the IAM Role
iam_policy_arn=$(aws iam list-policies --query 'Policies[?PolicyName==`aws-rgs-rancher-mgmt-policy`].Arn' --output text)
aws iam attach-role-policy --role-name aws-rgs-rancher-mgmt-role --policy-arn $iam_policy_arn
Step 4: Create the IAM Instance Profile
aws iam create-instance-profile --instance-profile-name aws-rgs-rancher-mgmt-profile
Step 5: Attach the IAM Role to the IAM Instance Profile
aws iam add-role-to-instance-profile --instance-profile-name aws-rgs-rancher-mgmt-profile --role-name aws-rgs-rancher-mgmt-role
Step 6: Attach the IAM Instance Profile to the Rancher Manager Nodes
aws ec2 describe-instances --filters Name=instance-state-name,Values=running --query 'Reservations[*].Instances[*].[InstanceId, Tags[?Key==`Name`].Value[], State.Name]' --output table
# do this for each rancher manager node (usually three nodes)
aws ec2 associate-iam-instance-profile --instance-id YourInstanceID --iam-instance-profile Name=aws-rgs-rancher-mgmt-profile
Step 1: Create the values.yaml
:
# be sure to add all "required" values...
# amazonec2, azure, digitalocean, harvester, vsphere, custom
cloudprovider: amazonec2
# rancher manager url
rancher:
cattle:
url: rancher.ranchers.io
# cluster values
cluster:
# annotations:
# key: value
# labels:
# key: value
name: rke2-cluster-aws
config:
systemDefaultRegistry: rgcrprod.azurecr.us # default registry
kubernetesVersion: v1.26.11+rke2r1 # https://github.com/rancher/rke2/releases
localClusterAuthEndpoint:
enabled: false
# agentEnvVars:
# - key:value
cni: canal # canal, calico, cilium, multus,canal, multus,calico, multus,cilium
docker: false
disable_kube_proxy: false
etcd_expose_metrics: false
profile: cis-1.23 # cis-1.6, cis-1.23
selinux: true
secrets_encryption: true
write_kubeconfig_mode: 0600
use_service_account_credentials: true
protect_kernel_defaults: true
cloud_provider_name: aws # aws, azure, harvester, vsphere
# cloud_provider_config: '' # cloud provider config secret here (example: secret://fleet-default:cloudprovider)
kube_controller_manager_arg: # (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager)
- bind-address=127.0.0.1
- use-service-account-credentials=true
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube_scheduler_arg: # (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler)
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube_apiserver_arg: # (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver)
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- authorization-mode=RBAC,Node
- anonymous-auth=false
- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
- audit-log-mode=blocking-strict
- audit-log-maxage=30
kubelet_arg: # (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet)
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
- streaming-connection-idle-timeout=5m
registries:
enabled: true
configs:
- name: rgcrprod.azurecr.us
authConfigSecretName: registry-creds
caBundle: ''
insecureSkipVerify: false
tlsSecretName: ''
mirrors:
- name: docker.io
endpoints:
- rgcrprod.azurecr.us
upgradeStrategy:
controlPlaneConcurrency: 10%
controlPlaneDrainOptions:
enabled: false
# deleteEmptyDirData: true
# disableEviction: false
# force: false
# gracePeriod: -1
# ignoreDaemonSets: true
# ignoreErrors: false
# skipWaitForDeleteTimeoutSeconds: 0
# timeout: 120
workerConcurrency: 10%
workerDrainOptions:
enabled: false
# deleteEmptyDirData: true
# disableEviction: false
# force: false
# gracePeriod: -1
# ignoreDaemonSets: true
# ignoreErrors: false
# skipWaitForDeleteTimeoutSeconds: 0
# timeout: 120
# node and nodepool(s) values
nodepools:
- name: control-plane-nodes
quantity: 3
etcd: true
controlplane: true
worker: false
# labels:
# key: value
# taints:
# key: value
paused: false
# accessKey: # only required if not using cloudCredentialSecretName
# secretKey: # only required if not using cloudCredentialSecretName
# sessionToken: # only required if not using cloudCredentialSecretName
ami: ami-079db87dc4c10ac91 # required (example: ami-123456789)
# blockDurationMinutes: 0
deviceName: /dev/sda1
encryptEbsVolume: false
# kmsKey: ''
endpoint: ''
# httpEndpoint: ''
# httpTokens: ''
iamInstanceProfile: 'aws-rgs-mgmt-cluster-iam-profile-control' # required (example: rancher-iam-instance-profile) - https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon
insecureTransport: false
instanceType: m5.xlarge # required (example: us-east-1)
region: us-east-1 # required (example: us-east-1)
createSecurityGroup: false
securityGroups: ['aws-rgs-mgmt-cluster-sg'] # https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements
# openPort:
# - "80"
# - "443"
keypairName: ''
securityGroupReadonly: false
sshKeyContents: ''
subnetId: subnet-076aa666bf2adc2a8 # required (example: subnet-123456789)
zone: a # required (example: a)
monitoring: false
privateAddressOnly: true
requestSpotInstance: false
# spotPrice: ''
tags: provisioner,rancher,KeepRunning,true
retries: 5
rootSize: 128
sshUser: ec2-user
volumeType: gp3
vpcId: vpc-0934dc8778cdf65db # required (example: vpc-123456789)
useEbsOptimizedInstance: false
usePrivateAddress: true
userdata: |
#cloud-config
package_update: true
packages: ['iptables', 'container-selinux', 'libnetfilter_conntrack', 'libnfnetlink', 'libnftnl', 'policycoreutils-python-utils', 'cryptsetup', 'nfs-utils', 'iscsi-initiator-utils', 'zip', 'zstd', 'tree', 'jq']
write_files:
- path: /etc/sysctl.conf
owner: root
content: |
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144
net.ipv4.ip_local_port_range=1024 65000
net.core.somaxconn=10000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
net.core.somaxconn=4096
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.neigh.default.gc_thresh1=8096
net.ipv4.neigh.default.gc_thresh2=12288
net.ipv4.neigh.default.gc_thresh3=16384
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
- path: /etc/rancher/rke2/audit-policy.yaml
owner: root
content: |
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
name: rke2-audit-policy
rules:
- level: Metadata
resources:
- group: ""
resources: ["secrets"]
- level: RequestResponse
resources:
- group: ""
resources: ["*"]
- path: /etc/rancher/rke2/rancher-pss.yaml
owner: root
content: |
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
enforce: "restricted"
enforce-version: "latest"
audit: "restricted"
audit-version: "latest"
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
runtimeClasses: []
namespaces: [calico-apiserver,
calico-system,
carbide-docs-system,
carbide-stigatron-system,
cattle-alerting,
cattle-csp-adapter-system,
cattle-elemental-system,
cattle-epinio-system,
cattle-externalip-system,
cattle-fleet-local-system,
cattle-fleet-system,
cattle-gatekeeper-system,
cattle-global-data,
cattle-global-nt,
cattle-impersonation-system,
cattle-istio,
cattle-istio-system,
cattle-logging,
cattle-logging-system,
cattle-monitoring-system,
cattle-neuvector-system,
cattle-prometheus,
cattle-provisioning-capi-system,
cattle-resources-system,
cattle-sriov-system,
cattle-system,
cattle-ui-plugin-system,
cattle-windows-gmsa-system,
cert-manager,
cis-operator-system,
fleet-default,
fleet-local,
ingress-nginx,
istio-system,
kube-node-lease,
kube-public,
kube-system,
longhorn-system,
rancher-alerting-drivers,
security-scan,
tigera-operator]
runcmd:
- sudo sysctl -p > /dev/null 2>&1
- sudo curl -#OL https://github.com/rancher/rke2-selinux/releases/download/v0.17.stable.1/rke2-selinux-0.17-1.el8.noarch.rpm && sudo rpm -i rke2-selinux-0.17-1.el8.noarch.rpm
- sudo echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
- sudo systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
- sudo echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf
- sudo mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
- sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
- name: worker-nodes
quantity: 3
etcd: false
controlplane: false
worker: true
# labels:
# key: value
# taints:
# key: value
paused: false
# accessKey: # only required if not using cloudCredentialSecretName
# secretKey: # only required if not using cloudCredentialSecretName
# sessionToken: # only required if not using cloudCredentialSecretName
ami: ami-079db87dc4c10ac91 # required (example: ami-123456789)
deviceName: /dev/sda1
encryptEbsVolume: false
endpoint: ''
iamInstanceProfile: 'aws-rgs-mgmt-cluster-iam-profile-worker' # required (example: rancher-iam-instance-profile)
insecureTransport: false
instanceType: m5.2xlarge
region: us-east-1 # required (example: us-east-1)
createSecurityGroup: false
securityGroups: ['aws-rgs-mgmt-cluster-sg'] # https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements
# openPort:
# - "80"
# - "443"
keypairName: ''
securityGroupReadonly: false
sshKeyContents: ''
subnetId: subnet-076aa666bf2adc2a8 # required (example: subnet-123456789)
zone: a # required (example: a)
monitoring: false
privateAddressOnly: true
requestSpotInstance: false
# spotPrice: ''
tags: provisioner,rancher,KeepRunning,true
retries: 5
rootSize: 256
sshUser: ec2-user
volumeType: gp3
vpcId: vpc-0934dc8778cdf65db # required (example: vpc-123456789)
useEbsOptimizedInstance: false
usePrivateAddress: true
userdata: |
#cloud-config
package_update: true
packages: ['iptables', 'container-selinux', 'libnetfilter_conntrack', 'libnfnetlink', 'libnftnl', 'policycoreutils-python-utils', 'cryptsetup', 'nfs-utils', 'iscsi-initiator-utils', 'zip', 'zstd', 'tree', 'jq']
write_files:
- path: /etc/sysctl.conf
owner: root
content: |
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144
net.ipv4.ip_local_port_range=1024 65000
net.core.somaxconn=10000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
net.core.somaxconn=4096
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.neigh.default.gc_thresh1=8096
net.ipv4.neigh.default.gc_thresh2=12288
net.ipv4.neigh.default.gc_thresh3=16384
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
runcmd:
- sudo sysctl -p > /dev/null 2>&1
- sudo curl -#OL https://github.com/rancher/rke2-selinux/releases/download/v0.17.stable.1/rke2-selinux-0.17-1.el8.noarch.rpm && sudo rpm -i rke2-selinux-0.17-1.el8.noarch.rpm
- sudo echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
- sudo systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
- sudo echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf
- sudo mkdir -p /etc/rancher/rke2/
# addons values
addons:
monitoring:
enabled: false
# version:
# values:
# values here
longhorn:
enabled: false
# version:
# values:
# values here
neuvector:
enabled: false
# version:
# values:
# values here
Step 2: Create the Cluster
helm upgrade -i cluster oci://ghcr.io/rancherfederal/rancher-cluster-templates -n fleet-default -f values-aws.yaml