zackbradys/rke2-hardened-install-tips

## rke2-hardened-install-tips
### FIRST RKE2 SERVER NODE (CONTROL PLANE NODES)
### Set Variables
export DOMAIN=
export TOKEN=
export vRKE2=
export Registry=
export RegistryUsername=
export RegistryPassword=

### Apply System Settings
cat << EOF >> /etc/sysctl.conf
### Modified System Settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144
net.ipv4.ip_local_port_range=1024 65000
net.core.somaxconn=10000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
net.core.somaxconn=4096
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.neigh.default.gc_thresh1=8096
net.ipv4.neigh.default.gc_thresh2=12288
net.ipv4.neigh.default.gc_thresh3=16384
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
EOF
sysctl -p > /dev/null 2>&1

### Install Packages
yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup
yum install -y nfs-utils iscsi-initiator-utils; yum install -y zip zstd tree jq

### Modify Settings
echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf

### Setup RKE2 Server
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U

### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
secrets-encryption: true
write-kubeconfig-mode: 0600
use-service-account-credentials: true
kube-controller-manager-arg:
- bind-address=127.0.0.1
- use-service-account-credentials=true
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-apiserver-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- authorization-mode=RBAC,Node
- anonymous-auth=false
- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
- audit-log-mode=blocking-strict
- audit-log-maxage=30
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
- streaming-connection-idle-timeout=5m
token: $TOKEN
tls-san:
  - $DOMAIN
system-default-registry: $Registry
EOF

### Configure RKE2 Audit Policy
cat << EOF >> /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: rke2-audit-policy
rules:
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets"]
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["*"]
EOF

### Configure RKE2 Pod Security Standards
cat << EOF >> /etc/rancher/rke2/rancher-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: "restricted"
        enforce-version: "latest"
        audit: "restricted"
        audit-version: "latest"
        warn: "restricted"
        warn-version: "latest"
      exemptions:
        usernames: []
        runtimeClasses: []
        namespaces: [calico-apiserver,
                     calico-system,
                     carbide-docs-system,
                     carbide-stigatron-system,
                     cattle-alerting,
                     cattle-csp-adapter-system,
                     cattle-elemental-system,
                     cattle-epinio-system,
                     cattle-externalip-system,
                     cattle-fleet-local-system,
                     cattle-fleet-system,
                     cattle-gatekeeper-system,
                     cattle-global-data,
                     cattle-global-nt,
                     cattle-impersonation-system,
                     cattle-istio,
                     cattle-istio-system,
                     cattle-logging,
                     cattle-logging-system,
                     cattle-monitoring-system,
                     cattle-neuvector-system,
                     cattle-prometheus,
                     cattle-provisioning-capi-system,
                     cattle-resources-system,
                     cattle-sriov-system,
                     cattle-system,
                     cattle-ui-plugin-system,
                     cattle-windows-gmsa-system,
                     cert-manager,
                     cis-operator-system,
                     fleet-default,
                     fleet-local,
                     harbor-system,
                     ingress-nginx,
                     istio-system,
                     kube-node-lease,
                     kube-public,
                     kube-system,
                     longhorn-system,
                     rancher-alerting-drivers,
                     security-scan,
                     tigera-operator]
EOF

### Setup Carbide Registry
cat << EOF >> /etc/rancher/rke2/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "https://$Registry"

configs:
  "$Registry":
    auth:
      username: $RegistryUsername
      password: $RegistryPassword
EOF

### Download and Install RKE2 Server
curl -sfL https://get.rke2.io | INSTALL_RKE2_VERSION=$vRKE2 INSTALL_RKE2_TYPE=server sh -

### Enable and Start RKE2 Server
systemctl enable rke2-server.service && systemctl start rke2-server.service

### Symlink kubectl and containerd
sudo ln -s /var/lib/rancher/rke2/data/v1*/bin/kubectl /usr/bin/kubectl
sudo ln -s /var/run/k3s/containerd/containerd.sock /var/run/containerd/containerd.sock

### Update and Source BASHRC
cat << EOF >> ~/.bashrc
export PATH=$PATH:/var/lib/rancher/rke2/bin:/usr/local/bin/
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
export DOMAIN=${DOMAIN}
export TOKEN=${TOKEN}
export vRKE2=${vRKE2}
export Registry=${Registry}
export RegistryUsername=${RegistryUsername}
export RegistryPassword=${RegistryPassword}
alias k=kubectl
EOF

### ADDITIONAL RKE2 SERVER NODES (CONTROL PLANE NODES)
### Set Variables
export DOMAIN=
export TOKEN=
export vRKE2=
export Registry=
export RegistryUsername=
export RegistryPassword=

### Apply System Settings
cat << EOF >> /etc/sysctl.conf
### Modified System Settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144
net.ipv4.ip_local_port_range=1024 65000
net.core.somaxconn=10000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
net.core.somaxconn=4096
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.neigh.default.gc_thresh1=8096
net.ipv4.neigh.default.gc_thresh2=12288
net.ipv4.neigh.default.gc_thresh3=16384
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
EOF
sysctl -p > /dev/null 2>&1

### Install Packages
yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup
yum install -y nfs-utils iscsi-initiator-utils; yum install -y zip zstd tree jq

### Modify Settings
echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf

### Setup RKE2 Server
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U

### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
secrets-encryption: true
write-kubeconfig-mode: 0600
use-service-account-credentials: true
kube-controller-manager-arg:
- bind-address=127.0.0.1
- use-service-account-credentials=true
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-apiserver-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- authorization-mode=RBAC,Node
- anonymous-auth=false
- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
- audit-log-mode=blocking-strict
- audit-log-maxage=30
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
- streaming-connection-idle-timeout=5m
server: https://$DOMAIN:9345
token: $TOKEN
tls-san:
  - $DOMAIN
system-default-registry: $Registry
EOF

### Configure RKE2 Audit Policy
cat << EOF >> /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: rke2-audit-policy
rules:
  - level: Metadata
    resources:
    - group: ""
      resources: ["secrets"]
  - level: RequestResponse
    resources:
    - group: ""
      resources: ["*"]
EOF

### Configure RKE2 Pod Security Standards
cat << EOF >> /etc/rancher/rke2/rancher-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: "restricted"
        enforce-version: "latest"
        audit: "restricted"
        audit-version: "latest"
        warn: "restricted"
        warn-version: "latest"
      exemptions:
        usernames: []
        runtimeClasses: []
        namespaces: [calico-apiserver,
                     calico-system,
                     carbide-docs-system,
                     carbide-stigatron-system,
                     cattle-alerting,
                     cattle-csp-adapter-system,
                     cattle-elemental-system,
                     cattle-epinio-system,
                     cattle-externalip-system,
                     cattle-fleet-local-system,
                     cattle-fleet-system,
                     cattle-gatekeeper-system,
                     cattle-global-data,
                     cattle-global-nt,
                     cattle-impersonation-system,
                     cattle-istio,
                     cattle-istio-system,
                     cattle-logging,
                     cattle-logging-system,
                     cattle-monitoring-system,
                     cattle-neuvector-system,
                     cattle-prometheus,
                     cattle-provisioning-capi-system,
                     cattle-resources-system,
                     cattle-sriov-system,
                     cattle-system,
                     cattle-ui-plugin-system,
                     cattle-windows-gmsa-system,
                     cert-manager,
                     cis-operator-system,
                     fleet-default,
                     fleet-local,
                     harbor-system,
                     ingress-nginx,
                     istio-system,
                     kube-node-lease,
                     kube-public,
                     kube-system,
                     longhorn-system,
                     rancher-alerting-drivers,
                     security-scan,
                     tigera-operator]
EOF

### Setup Carbide Registry
cat << EOF >> /etc/rancher/rke2/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "https://$Registry"

configs:
  "$Registry":
    auth:
      username: $RegistryUsername
      password: $RegistryPassword
EOF

### Download and Install RKE2 Server
curl -sfL https://get.rke2.io | INSTALL_RKE2_VERSION=$vRKE2 INSTALL_RKE2_TYPE=server sh -

### Enable and Start RKE2 Server
systemctl enable rke2-server.service && systemctl start rke2-server.service

### RKE2 AGENT NODES (WORKER NODES)
### Set Variables
export DOMAIN=
export TOKEN=
export vRKE2=
export Registry=
export RegistryUsername=
export RegistryPassword=

### Apply System Settings
cat << EOF >> /etc/sysctl.conf
### Modified System Settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144
net.ipv4.ip_local_port_range=1024 65000
net.core.somaxconn=10000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
net.core.somaxconn=4096
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.neigh.default.gc_thresh1=8096
net.ipv4.neigh.default.gc_thresh2=12288
net.ipv4.neigh.default.gc_thresh3=16384
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
EOF
sysctl -p > /dev/null 2>&1

### Install Packages
yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup
yum install -y nfs-utils iscsi-initiator-utils; yum install -y zip zstd tree jq

### Modify Settings
echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf

### Setup RKE2 Agent
mkdir -p /etc/rancher/rke2/

### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
write-kubeconfig-mode: 0600
kube-apiserver-arg:
- authorization-mode=RBAC,Node
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
server: https://$DOMAIN:9345
token: $TOKEN
system-default-registry: $Registry
EOF

### Setup Carbide Registry
cat << EOF >> /etc/rancher/rke2/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "https://$Registry"

configs:
  "$Registry":
    auth:
      username: $RegistryUsername
      password: $RegistryPassword
EOF

### Download and Install RKE2 Agent
curl -sfL https://get.rke2.io | INSTALL_RKE2_VERSION=$vRKE2 INSTALL_RKE2_TYPE=agent sh -

### Enable and Start RKE2 Agent
systemctl enable rke2-agent.service && systemctl start rke2-agent.service
	### FIRST RKE2 SERVER NODE (CONTROL PLANE NODES)
	### Set Variables
	export DOMAIN=
	export TOKEN=
	export vRKE2=
	export Registry=
	export RegistryUsername=
	export RegistryPassword=

	### Apply System Settings
	cat << EOF >> /etc/sysctl.conf
	### Modified System Settings
	vm.swappiness=0
	vm.panic_on_oom=0
	vm.overcommit_memory=1
	kernel.panic=10
	kernel.panic_on_oops=1
	vm.max_map_count = 262144
	net.ipv4.ip_local_port_range=1024 65000
	net.core.somaxconn=10000
	net.ipv4.tcp_tw_reuse=1
	net.ipv4.tcp_fin_timeout=15
	net.core.somaxconn=4096
	net.core.netdev_max_backlog=4096
	net.core.rmem_max=16777216
	net.core.wmem_max=16777216
	net.ipv4.tcp_max_syn_backlog=20480
	net.ipv4.tcp_max_tw_buckets=400000
	net.ipv4.tcp_no_metrics_save=1
	net.ipv4.tcp_rmem=4096 87380 16777216
	net.ipv4.tcp_syn_retries=2
	net.ipv4.tcp_synack_retries=2
	net.ipv4.tcp_wmem=4096 65536 16777216
	net.ipv4.neigh.default.gc_thresh1=8096
	net.ipv4.neigh.default.gc_thresh2=12288
	net.ipv4.neigh.default.gc_thresh3=16384
	net.ipv4.tcp_keepalive_time=600
	net.ipv4.ip_forward=1
	net.ipv6.conf.all.disable_ipv6 = 1
	net.ipv6.conf.default.disable_ipv6 = 1
	fs.inotify.max_user_instances=8192
	fs.inotify.max_user_watches=1048576
	EOF
	sysctl -p > /dev/null 2>&1

	### Install Packages
	yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup
	yum install -y nfs-utils iscsi-initiator-utils; yum install -y zip zstd tree jq

	### Modify Settings
	echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
	systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
	echo -e "[keyfile]\nunmanaged-devices=interface-name:cali;interface-name:flannel" > /etc/NetworkManager/conf.d/rke2-canal.conf

	### Setup RKE2 Server
	mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
	useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U

	### Configure RKE2 Config
	cat << EOF >> /etc/rancher/rke2/config.yaml
	profile: cis-1.23
	selinux: true
	secrets-encryption: true
	write-kubeconfig-mode: 0600
	use-service-account-credentials: true
	kube-controller-manager-arg:
	- bind-address=127.0.0.1
	- use-service-account-credentials=true
	- tls-min-version=VersionTLS12
	- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
	kube-scheduler-arg:
	- tls-min-version=VersionTLS12
	- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
	kube-apiserver-arg:
	- tls-min-version=VersionTLS12
	- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
	- authorization-mode=RBAC,Node
	- anonymous-auth=false
	- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
	- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
	- audit-log-mode=blocking-strict
	- audit-log-maxage=30
	kubelet-arg:
	- protect-kernel-defaults=true
	- read-only-port=0
	- authorization-mode=Webhook
	- streaming-connection-idle-timeout=5m
	token: $TOKEN
	tls-san:
	- $DOMAIN
	system-default-registry: $Registry
	EOF

	### Configure RKE2 Audit Policy
	cat << EOF >> /etc/rancher/rke2/audit-policy.yaml
	apiVersion: audit.k8s.io/v1
	kind: Policy
	metadata:
	name: rke2-audit-policy
	rules:
	- level: Metadata
	resources:
	- group: ""
	resources: ["secrets"]
	- level: RequestResponse
	resources:
	- group: ""
	resources: ["*"]
	EOF

	### Configure RKE2 Pod Security Standards
	cat << EOF >> /etc/rancher/rke2/rancher-pss.yaml
	apiVersion: apiserver.config.k8s.io/v1
	kind: AdmissionConfiguration
	plugins:
	- name: PodSecurity
	configuration:
	apiVersion: pod-security.admission.config.k8s.io/v1
	kind: PodSecurityConfiguration
	defaults:
	enforce: "restricted"
	enforce-version: "latest"
	audit: "restricted"
	audit-version: "latest"
	warn: "restricted"
	warn-version: "latest"
	exemptions:
	usernames: []
	runtimeClasses: []
	namespaces: [calico-apiserver,
	calico-system,
	carbide-docs-system,
	carbide-stigatron-system,
	cattle-alerting,
	cattle-csp-adapter-system,
	cattle-elemental-system,
	cattle-epinio-system,
	cattle-externalip-system,
	cattle-fleet-local-system,
	cattle-fleet-system,
	cattle-gatekeeper-system,
	cattle-global-data,
	cattle-global-nt,
	cattle-impersonation-system,
	cattle-istio,
	cattle-istio-system,
	cattle-logging,
	cattle-logging-system,
	cattle-monitoring-system,
	cattle-neuvector-system,
	cattle-prometheus,
	cattle-provisioning-capi-system,
	cattle-resources-system,
	cattle-sriov-system,
	cattle-system,
	cattle-ui-plugin-system,
	cattle-windows-gmsa-system,
	cert-manager,
	cis-operator-system,
	fleet-default,
	fleet-local,
	harbor-system,
	ingress-nginx,
	istio-system,
	kube-node-lease,
	kube-public,
	kube-system,
	longhorn-system,
	rancher-alerting-drivers,
	security-scan,
	tigera-operator]
	EOF

	### Setup Carbide Registry
	cat << EOF >> /etc/rancher/rke2/registries.yaml
	mirrors:
	docker.io:
	endpoint:
	- "https://$Registry"

	configs:
	"$Registry":
	auth:
	username: $RegistryUsername
	password: $RegistryPassword
	EOF

	### Download and Install RKE2 Server
	curl -sfL https://get.rke2.io \| INSTALL_RKE2_VERSION=$vRKE2 INSTALL_RKE2_TYPE=server sh -

	### Enable and Start RKE2 Server
	systemctl enable rke2-server.service && systemctl start rke2-server.service

	### Symlink kubectl and containerd
	sudo ln -s /var/lib/rancher/rke2/data/v1*/bin/kubectl /usr/bin/kubectl
	sudo ln -s /var/run/k3s/containerd/containerd.sock /var/run/containerd/containerd.sock

	### Update and Source BASHRC
	cat << EOF >> ~/.bashrc
	export PATH=$PATH:/var/lib/rancher/rke2/bin:/usr/local/bin/
	export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
	export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
	export DOMAIN=${DOMAIN}
	export TOKEN=${TOKEN}
	export vRKE2=${vRKE2}
	export Registry=${Registry}
	export RegistryUsername=${RegistryUsername}
	export RegistryPassword=${RegistryPassword}
	alias k=kubectl
	EOF

	### ADDITIONAL RKE2 SERVER NODES (CONTROL PLANE NODES)
	### Set Variables
	export DOMAIN=
	export TOKEN=
	export vRKE2=
	export Registry=
	export RegistryUsername=
	export RegistryPassword=

	### Apply System Settings
	cat << EOF >> /etc/sysctl.conf
	### Modified System Settings
	vm.swappiness=0
	vm.panic_on_oom=0
	vm.overcommit_memory=1
	kernel.panic=10
	kernel.panic_on_oops=1
	vm.max_map_count = 262144
	net.ipv4.ip_local_port_range=1024 65000
	net.core.somaxconn=10000
	net.ipv4.tcp_tw_reuse=1
	net.ipv4.tcp_fin_timeout=15
	net.core.somaxconn=4096
	net.core.netdev_max_backlog=4096
	net.core.rmem_max=16777216
	net.core.wmem_max=16777216
	net.ipv4.tcp_max_syn_backlog=20480
	net.ipv4.tcp_max_tw_buckets=400000
	net.ipv4.tcp_no_metrics_save=1
	net.ipv4.tcp_rmem=4096 87380 16777216
	net.ipv4.tcp_syn_retries=2
	net.ipv4.tcp_synack_retries=2
	net.ipv4.tcp_wmem=4096 65536 16777216
	net.ipv4.neigh.default.gc_thresh1=8096
	net.ipv4.neigh.default.gc_thresh2=12288
	net.ipv4.neigh.default.gc_thresh3=16384
	net.ipv4.tcp_keepalive_time=600
	net.ipv4.ip_forward=1
	net.ipv6.conf.all.disable_ipv6 = 1
	net.ipv6.conf.default.disable_ipv6 = 1
	fs.inotify.max_user_instances=8192
	fs.inotify.max_user_watches=1048576
	EOF
	sysctl -p > /dev/null 2>&1

	### Install Packages
	yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup
	yum install -y nfs-utils iscsi-initiator-utils; yum install -y zip zstd tree jq

	### Modify Settings
	echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
	systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
	echo -e "[keyfile]\nunmanaged-devices=interface-name:cali;interface-name:flannel" > /etc/NetworkManager/conf.d/rke2-canal.conf

	### Setup RKE2 Server
	mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
	useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U

	### Configure RKE2 Config
	cat << EOF >> /etc/rancher/rke2/config.yaml
	profile: cis-1.23
	selinux: true
	secrets-encryption: true
	write-kubeconfig-mode: 0600
	use-service-account-credentials: true
	kube-controller-manager-arg:
	- bind-address=127.0.0.1
	- use-service-account-credentials=true
	- tls-min-version=VersionTLS12
	- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
	kube-scheduler-arg:
	- tls-min-version=VersionTLS12
	- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
	kube-apiserver-arg:
	- tls-min-version=VersionTLS12
	- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
	- authorization-mode=RBAC,Node
	- anonymous-auth=false
	- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
	- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
	- audit-log-mode=blocking-strict
	- audit-log-maxage=30
	kubelet-arg:
	- protect-kernel-defaults=true
	- read-only-port=0
	- authorization-mode=Webhook
	- streaming-connection-idle-timeout=5m
	server: https://$DOMAIN:9345
	token: $TOKEN
	tls-san:
	- $DOMAIN
	system-default-registry: $Registry
	EOF

	### Configure RKE2 Audit Policy
	cat << EOF >> /etc/rancher/rke2/audit-policy.yaml
	apiVersion: audit.k8s.io/v1
	kind: Policy
	metadata:
	name: rke2-audit-policy
	rules:
	- level: Metadata
	resources:
	- group: ""
	resources: ["secrets"]
	- level: RequestResponse
	resources:
	- group: ""
	resources: ["*"]
	EOF

	### Configure RKE2 Pod Security Standards
	cat << EOF >> /etc/rancher/rke2/rancher-pss.yaml
	apiVersion: apiserver.config.k8s.io/v1
	kind: AdmissionConfiguration
	plugins:
	- name: PodSecurity
	configuration:
	apiVersion: pod-security.admission.config.k8s.io/v1
	kind: PodSecurityConfiguration
	defaults:
	enforce: "restricted"
	enforce-version: "latest"
	audit: "restricted"
	audit-version: "latest"
	warn: "restricted"
	warn-version: "latest"
	exemptions:
	usernames: []
	runtimeClasses: []
	namespaces: [calico-apiserver,
	calico-system,
	carbide-docs-system,
	carbide-stigatron-system,
	cattle-alerting,
	cattle-csp-adapter-system,
	cattle-elemental-system,
	cattle-epinio-system,
	cattle-externalip-system,
	cattle-fleet-local-system,
	cattle-fleet-system,
	cattle-gatekeeper-system,
	cattle-global-data,
	cattle-global-nt,
	cattle-impersonation-system,
	cattle-istio,
	cattle-istio-system,
	cattle-logging,
	cattle-logging-system,
	cattle-monitoring-system,
	cattle-neuvector-system,
	cattle-prometheus,
	cattle-provisioning-capi-system,
	cattle-resources-system,
	cattle-sriov-system,
	cattle-system,
	cattle-ui-plugin-system,
	cattle-windows-gmsa-system,
	cert-manager,
	cis-operator-system,
	fleet-default,
	fleet-local,
	harbor-system,
	ingress-nginx,
	istio-system,
	kube-node-lease,
	kube-public,
	kube-system,
	longhorn-system,
	rancher-alerting-drivers,
	security-scan,
	tigera-operator]
	EOF

	### Setup Carbide Registry
	cat << EOF >> /etc/rancher/rke2/registries.yaml
	mirrors:
	docker.io:
	endpoint:
	- "https://$Registry"

	configs:
	"$Registry":
	auth:
	username: $RegistryUsername
	password: $RegistryPassword
	EOF

	### Download and Install RKE2 Server
	curl -sfL https://get.rke2.io \| INSTALL_RKE2_VERSION=$vRKE2 INSTALL_RKE2_TYPE=server sh -

	### Enable and Start RKE2 Server
	systemctl enable rke2-server.service && systemctl start rke2-server.service

	### RKE2 AGENT NODES (WORKER NODES)
	### Set Variables
	export DOMAIN=
	export TOKEN=
	export vRKE2=
	export Registry=
	export RegistryUsername=
	export RegistryPassword=

	### Apply System Settings
	cat << EOF >> /etc/sysctl.conf
	### Modified System Settings
	vm.swappiness=0
	vm.panic_on_oom=0
	vm.overcommit_memory=1
	kernel.panic=10
	kernel.panic_on_oops=1
	vm.max_map_count = 262144
	net.ipv4.ip_local_port_range=1024 65000
	net.core.somaxconn=10000
	net.ipv4.tcp_tw_reuse=1
	net.ipv4.tcp_fin_timeout=15
	net.core.somaxconn=4096
	net.core.netdev_max_backlog=4096
	net.core.rmem_max=16777216
	net.core.wmem_max=16777216
	net.ipv4.tcp_max_syn_backlog=20480
	net.ipv4.tcp_max_tw_buckets=400000
	net.ipv4.tcp_no_metrics_save=1
	net.ipv4.tcp_rmem=4096 87380 16777216
	net.ipv4.tcp_syn_retries=2
	net.ipv4.tcp_synack_retries=2
	net.ipv4.tcp_wmem=4096 65536 16777216
	net.ipv4.neigh.default.gc_thresh1=8096
	net.ipv4.neigh.default.gc_thresh2=12288
	net.ipv4.neigh.default.gc_thresh3=16384
	net.ipv4.tcp_keepalive_time=600
	net.ipv4.ip_forward=1
	net.ipv6.conf.all.disable_ipv6 = 1
	net.ipv6.conf.default.disable_ipv6 = 1
	fs.inotify.max_user_instances=8192
	fs.inotify.max_user_watches=1048576
	EOF
	sysctl -p > /dev/null 2>&1

	### Install Packages
	yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup
	yum install -y nfs-utils iscsi-initiator-utils; yum install -y zip zstd tree jq

	### Modify Settings
	echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
	systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
	echo -e "[keyfile]\nunmanaged-devices=interface-name:cali;interface-name:flannel" > /etc/NetworkManager/conf.d/rke2-canal.conf

	### Setup RKE2 Agent
	mkdir -p /etc/rancher/rke2/

	### Configure RKE2 Config
	cat << EOF >> /etc/rancher/rke2/config.yaml
	profile: cis-1.23
	selinux: true
	write-kubeconfig-mode: 0600
	kube-apiserver-arg:
	- authorization-mode=RBAC,Node
	kubelet-arg:
	- protect-kernel-defaults=true
	- read-only-port=0
	- authorization-mode=Webhook
	server: https://$DOMAIN:9345
	token: $TOKEN
	system-default-registry: $Registry
	EOF

	### Setup Carbide Registry
	cat << EOF >> /etc/rancher/rke2/registries.yaml
	mirrors:
	docker.io:
	endpoint:
	- "https://$Registry"

	configs:
	"$Registry":
	auth:
	username: $RegistryUsername
	password: $RegistryPassword
	EOF

	### Download and Install RKE2 Agent
	curl -sfL https://get.rke2.io \| INSTALL_RKE2_VERSION=$vRKE2 INSTALL_RKE2_TYPE=agent sh -

	### Enable and Start RKE2 Agent
	systemctl enable rke2-agent.service && systemctl start rke2-agent.service