Rancher Kubernetes (RKE2) - Installation of Fully Hardened Configuration Options
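### FIRST RKE2 SERVER NODE (CONTROL PLANE NODES)
### Set Variables
# Fill these in before running the rest of this section. Where each value is used:
#   DOMAIN           - put into tls-san in config.yaml; it is the name the other nodes dial
#   TOKEN            - cluster join token written to config.yaml (if left empty on the first
#                      server, RKE2 presumably generates one — confirm against the RKE2 docs)
#   vRKE2            - handed to the installer as INSTALL_RKE2_VERSION
#   Registry         - system-default-registry and the docker.io mirror in registries.yaml
#   RegistryUsername - credentials written to registries.yaml for that registry
#   RegistryPassword
export DOMAIN=
export TOKEN=
export vRKE2=
export Registry=
export RegistryUsername=
export RegistryPassword=
# An empty value silently yields a broken config.yaml / registries.yaml further down,
# so say so. This is a warning rather than an exit: the steps read as paste-and-run,
# and an exit would close the shell they are pasted into.
for rke2_var in DOMAIN TOKEN vRKE2 Registry RegistryUsername RegistryPassword; do
  [[ -n "${!rke2_var}" ]] || printf 'warning: %s is empty\n' "$rke2_var" >&2
done
unset rke2_var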
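### Apply System Settings
# Kernel and network tuning for an RKE2 node, appended to /etc/sysctl.conf.
# The marker line is checked first so re-running this section does not append a
# second copy. The heredoc is quoted: nothing in it is meant to be shell-expanded.
if ! grep -q '^### Modified System Settings' /etc/sysctl.conf 2>/dev/null; then
cat << 'EOF' >> /etc/sysctl.conf
### Modified System Settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144
net.ipv4.ip_local_port_range=1024 65000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
# net.core.somaxconn was listed twice (10000, then 4096). sysctl -p applies the file
# in order, so 4096 was the value actually in effect and is the one kept here;
# raise it if 10000 was the intended setting.
net.core.somaxconn=4096
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.neigh.default.gc_thresh1=8096
net.ipv4.neigh.default.gc_thresh2=12288
net.ipv4.neigh.default.gc_thresh3=16384
net.ipv4.tcp_keepalive_time=600
# Container networking forwards traffic through the node.
net.ipv4.ip_forward=1
# IPv6 is switched off on the node.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
EOF
fi
# stdout is still discarded, but stderr is no longer hidden: a key the kernel rejects
# used to be silenced by the trailing '2>&1' and went unnoticed.
sysctl -p > /dev/null
### Install Packages
# Kept as separate transactions, as in the original, so one unavailable package does
# not block the others. -y makes yum non-interactive.
yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl \
  policycoreutils-python-utils cryptsetup
yum install -y nfs-utils iscsi-initiator-utils
yum install -y zip zstd tree jq
### Modify Settings
# Write the iSCSI initiator name only if iscsi-iname produced one; the original wrote
# an empty "InitiatorName=" line when the command was missing or failed. Presumably
# for iSCSI-backed storage (longhorn-system is exempted in the PSS config below) — confirm.
if rke2_iname=$(/sbin/iscsi-iname); then
  printf 'InitiatorName=%s\n' "$rke2_iname" > /etc/iscsi/initiatorname.iscsi \
    && systemctl enable --now iscsid
else
  printf 'warning: /sbin/iscsi-iname failed; iSCSI initiator not configured\n' >&2
fi
unset rke2_iname
# firewalld and nm-cloud-setup interfere with the CNI's rules and routes; the RKE2
# install docs recommend disabling both (confirm for your distribution).
# 'disable --now' is stop + disable in one call; a missing unit just prints an error
# and the script continues, as before.
systemctl disable --now firewalld
systemctl disable --now nm-cloud-setup nm-cloud-setup.timer
# Tell NetworkManager to leave the CNI-created cali*/flannel* interfaces alone.
printf '[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*\n' \
  > /etc/NetworkManager/conf.d/rke2-canal.conf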
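### Setup RKE2 Server
# /opt/rke2-artifacts/ is created but nothing on this page writes into it — presumably
# reserved for an offline artifact install; confirm it is still needed.
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
# RKE2's CIS profile (profile: cis-1.23 below) expects a dedicated etcd system
# user/group to exist before the server starts. useradd fails on re-run once the
# user exists, so create it only when missing.
if ! id -u etcd > /dev/null 2>&1; then
  useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
fi
### Configure RKE2 Config
# config.yaml holds the cluster join token, so make it root-only before writing
# instead of inheriting the shell umask (typically 0644). '>>' is kept from the
# original; the chmod also covers a file that already existed.
touch /etc/rancher/rke2/config.yaml
chmod 0600 /etc/rancher/rke2/config.yaml
# The heredoc is intentionally unquoted: $TOKEN, $DOMAIN and $Registry come from the
# variables set at the top of this section.
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
secrets-encryption: true
write-kubeconfig-mode: 0600
use-service-account-credentials: true
kube-controller-manager-arg:
  - bind-address=127.0.0.1
  - use-service-account-credentials=true
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-apiserver-arg:
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - authorization-mode=RBAC,Node
  - anonymous-auth=false
  - admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
  - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
  # blocking-strict: a request whose audit event cannot be written at the
  # RequestReceived stage is rejected rather than served unaudited.
  - audit-log-mode=blocking-strict
  - audit-log-maxage=30
kubelet-arg:
  - protect-kernel-defaults=true
  # 0 disables the kubelet's unauthenticated read-only port.
  - read-only-port=0
  - authorization-mode=Webhook
  - streaming-connection-idle-timeout=5m
# If TOKEN was left empty, the first server presumably generates a token of its own
# (confirm against the RKE2 docs); the other nodes must then be given that value.
token: $TOKEN
# DOMAIN is the name additional servers and agents dial, so it must be a cert SAN.
tls-san:
  - $DOMAIN
system-default-registry: $Registry
EOF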
### Configure RKE2 Audit Policy
# Audit policy referenced by audit-policy-file in config.yaml. Rules are matched in
# order: secrets come first and are logged at Metadata level only (no request or
# response body, so secret values stay out of the audit log); every other core-group
# resource is logged with full request and response bodies.
# NOTE(review): both rules name group "" (the core API group) only. Requests for
# resources in other groups (apps, rbac.authorization.k8s.io, ...) match no rule and
# are not logged — confirm that is intended.
# Quoted heredoc: the content has nothing to shell-expand.
cat << 'EOF' >> /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: rke2-audit-policy
rules:
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["*"]
EOF
### Configure RKE2 Pod Security Standards
# PodSecurity admission configuration referenced by admission-control-config-file in
# config.yaml: every namespace gets the "restricted" profile enforced, audited and
# warned at the "latest" version, except the namespaces exempted below.
# NOTE(review): an exempted namespace receives no PodSecurity checks at all, so the
# right to create pods in any namespace on this list amounts to opting out of the
# restricted profile — keep the RBAC on these namespaces correspondingly tight.
# Quoted heredoc: the content has nothing to shell-expand.
cat << 'EOF' >> /etc/rancher/rke2/rancher-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: "restricted"
        enforce-version: "latest"
        audit: "restricted"
        audit-version: "latest"
        warn: "restricted"
        warn-version: "latest"
      exemptions:
        usernames: []
        runtimeClasses: []
        namespaces:
          - calico-apiserver
          - calico-system
          - carbide-docs-system
          - carbide-stigatron-system
          - cattle-alerting
          - cattle-csp-adapter-system
          - cattle-elemental-system
          - cattle-epinio-system
          - cattle-externalip-system
          - cattle-fleet-local-system
          - cattle-fleet-system
          - cattle-gatekeeper-system
          - cattle-global-data
          - cattle-global-nt
          - cattle-impersonation-system
          - cattle-istio
          - cattle-istio-system
          - cattle-logging
          - cattle-logging-system
          - cattle-monitoring-system
          - cattle-neuvector-system
          - cattle-prometheus
          - cattle-provisioning-capi-system
          - cattle-resources-system
          - cattle-sriov-system
          - cattle-system
          - cattle-ui-plugin-system
          - cattle-windows-gmsa-system
          - cert-manager
          - cis-operator-system
          - fleet-default
          - fleet-local
          - harbor-system
          - ingress-nginx
          - istio-system
          - kube-node-lease
          - kube-public
          - kube-system
          - longhorn-system
          - rancher-alerting-drivers
          - security-scan
          - tigera-operator
EOF
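### Setup Carbide Registry
# registries.yaml stores the registry password in clear text, so it is made root-only
# before the content is appended rather than inheriting the shell umask. '>>' is kept
# from the original; the chmod also covers a file that already existed.
# The heredoc is intentionally unquoted: $Registry, $RegistryUsername and
# $RegistryPassword are filled in from the variables set above.
# NOTE(review): a password containing YAML-significant characters (a leading '*',
# '#', or ': ' inside it) would need quoting here — check the value you use.
touch /etc/rancher/rke2/registries.yaml
chmod 0600 /etc/rancher/rke2/registries.yaml
cat << EOF >> /etc/rancher/rke2/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "https://$Registry"
configs:
  "$Registry":
    auth:
      username: $RegistryUsername
      password: $RegistryPassword
EOF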
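### Download and Install RKE2 Server
# Fetch the installer to a temp file and run it only once the download has completed,
# instead of piping the stream straight into sh (a download cut off mid-way would
# otherwise execute as far as it got). -f makes curl fail on HTTP errors. The RKE2
# version is pinned through vRKE2, quoted so an odd value cannot split into words.
rke2_installer=$(mktemp) || rke2_installer=
if [[ -n "$rke2_installer" ]] && curl -sfL -o "$rke2_installer" https://get.rke2.io; then
  if INSTALL_RKE2_VERSION="$vRKE2" INSTALL_RKE2_TYPE=server sh "$rke2_installer"; then
    ### Enable and Start RKE2 Server
    # 'enable --now' is enable + start in one call.
    systemctl enable --now rke2-server.service
  else
    printf 'error: RKE2 installer exited non-zero; rke2-server not enabled\n' >&2
  fi
else
  printf 'error: could not download https://get.rke2.io; RKE2 not installed\n' >&2
fi
[[ -n "$rke2_installer" ]] && rm -f -- "$rke2_installer"
unset rke2_installer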
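### Symlink kubectl and containerd
# 'sudo' dropped: every other step in this section writes under /etc directly, so the
# script already runs as root. The kubectl glob is expanded into an array first — with
# more than one data/v1*/ directory the original 'ln' received several sources and
# failed — and -sfn lets the step be re-run without "File exists" errors. A regular
# file already at /usr/bin/kubectl (e.g. a packaged kubectl) is left alone rather
# than replaced.
rke2_kubectl=(/var/lib/rancher/rke2/data/v1*/bin/kubectl)
if (( ${#rke2_kubectl[@]} != 1 )) || [[ ! -x "${rke2_kubectl[0]}" ]]; then
  printf 'warning: could not resolve a single /var/lib/rancher/rke2/data/v1*/bin/kubectl; /usr/bin/kubectl not linked\n' >&2
elif [[ -e /usr/bin/kubectl && ! -L /usr/bin/kubectl ]]; then
  printf 'warning: /usr/bin/kubectl exists and is not a symlink; left unchanged\n' >&2
else
  ln -sfn "${rke2_kubectl[0]}" /usr/bin/kubectl
fi
unset rke2_kubectl
# containerd.sock appears once rke2-server is running; until then the link dangles,
# which is harmless. /var/run/containerd/ may not exist yet, so create it first —
# the original 'ln' failed when it was missing.
mkdir -p /var/run/containerd
ln -sfn /var/run/k3s/containerd/containerd.sock /var/run/containerd/containerd.sock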
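### Update and Source BASHRC
# Appended once, guarded by the KUBECONFIG line. \$PATH is escaped so it expands at
# login: the original baked the install-time PATH into the file, and that value then
# replaced whatever PATH a later login had already built. The remaining expansions
# are intentional and happen now.
# The heading says "Source", but the original never sourced the file; run
# 'source ~/.bashrc' or log in again to pick the new settings up.
# NOTE(review): TOKEN and RegistryPassword are persisted in clear text in root's
# ~/.bashrc by this step (as in the original). Confirm that is acceptable, or remove
# those two lines once the cluster is bootstrapped.
if ! grep -q '^export KUBECONFIG=/etc/rancher/rke2/rke2.yaml' ~/.bashrc 2>/dev/null; then
cat << EOF >> ~/.bashrc
export PATH=\$PATH:/var/lib/rancher/rke2/bin:/usr/local/bin/
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
export DOMAIN=${DOMAIN}
export TOKEN=${TOKEN}
export vRKE2=${vRKE2}
export Registry=${Registry}
export RegistryUsername=${RegistryUsername}
export RegistryPassword=${RegistryPassword}
alias k=kubectl
EOF
fi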
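### ADDITIONAL RKE2 SERVER NODES (CONTROL PLANE NODES)
### Set Variables
# Fill these in before running the rest of this section. Where each value is used:
#   DOMAIN           - the first server's endpoint (server: https://$DOMAIN:9345) and
#                      this node's own tls-san entry; it must match the first server's
#   TOKEN            - join token written to config.yaml; must be the first server's token
#   vRKE2            - handed to the installer as INSTALL_RKE2_VERSION
#   Registry         - system-default-registry and the docker.io mirror in registries.yaml
#   RegistryUsername - credentials written to registries.yaml for that registry
#   RegistryPassword
export DOMAIN=
export TOKEN=
export vRKE2=
export Registry=
export RegistryUsername=
export RegistryPassword=
# An empty value silently yields a broken config.yaml / registries.yaml further down,
# so say so. This is a warning rather than an exit: the steps read as paste-and-run,
# and an exit would close the shell they are pasted into.
for rke2_var in DOMAIN TOKEN vRKE2 Registry RegistryUsername RegistryPassword; do
  [[ -n "${!rke2_var}" ]] || printf 'warning: %s is empty\n' "$rke2_var" >&2
done
unset rke2_var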
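### Apply System Settings
# Kernel and network tuning for an RKE2 node, appended to /etc/sysctl.conf.
# The marker line is checked first so re-running this section does not append a
# second copy. The heredoc is quoted: nothing in it is meant to be shell-expanded.
if ! grep -q '^### Modified System Settings' /etc/sysctl.conf 2>/dev/null; then
cat << 'EOF' >> /etc/sysctl.conf
### Modified System Settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144
net.ipv4.ip_local_port_range=1024 65000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
# net.core.somaxconn was listed twice (10000, then 4096). sysctl -p applies the file
# in order, so 4096 was the value actually in effect and is the one kept here;
# raise it if 10000 was the intended setting.
net.core.somaxconn=4096
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.neigh.default.gc_thresh1=8096
net.ipv4.neigh.default.gc_thresh2=12288
net.ipv4.neigh.default.gc_thresh3=16384
net.ipv4.tcp_keepalive_time=600
# Container networking forwards traffic through the node.
net.ipv4.ip_forward=1
# IPv6 is switched off on the node.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
EOF
fi
# stdout is still discarded, but stderr is no longer hidden: a key the kernel rejects
# used to be silenced by the trailing '2>&1' and went unnoticed.
sysctl -p > /dev/null
### Install Packages
# Kept as separate transactions, as in the original, so one unavailable package does
# not block the others. -y makes yum non-interactive.
yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl \
  policycoreutils-python-utils cryptsetup
yum install -y nfs-utils iscsi-initiator-utils
yum install -y zip zstd tree jq
### Modify Settings
# Write the iSCSI initiator name only if iscsi-iname produced one; the original wrote
# an empty "InitiatorName=" line when the command was missing or failed. Presumably
# for iSCSI-backed storage (longhorn-system is exempted in the PSS config below) — confirm.
if rke2_iname=$(/sbin/iscsi-iname); then
  printf 'InitiatorName=%s\n' "$rke2_iname" > /etc/iscsi/initiatorname.iscsi \
    && systemctl enable --now iscsid
else
  printf 'warning: /sbin/iscsi-iname failed; iSCSI initiator not configured\n' >&2
fi
unset rke2_iname
# firewalld and nm-cloud-setup interfere with the CNI's rules and routes; the RKE2
# install docs recommend disabling both (confirm for your distribution).
# 'disable --now' is stop + disable in one call; a missing unit just prints an error
# and the script continues, as before.
systemctl disable --now firewalld
systemctl disable --now nm-cloud-setup nm-cloud-setup.timer
# Tell NetworkManager to leave the CNI-created cali*/flannel* interfaces alone.
printf '[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*\n' \
  > /etc/NetworkManager/conf.d/rke2-canal.conf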
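### Setup RKE2 Server
# /opt/rke2-artifacts/ is created but nothing on this page writes into it — presumably
# reserved for an offline artifact install; confirm it is still needed.
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
# RKE2's CIS profile (profile: cis-1.23 below) expects a dedicated etcd system
# user/group to exist before the server starts. useradd fails on re-run once the
# user exists, so create it only when missing.
if ! id -u etcd > /dev/null 2>&1; then
  useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
fi
### Configure RKE2 Config
# config.yaml holds the cluster join token, so make it root-only before writing
# instead of inheriting the shell umask (typically 0644). '>>' is kept from the
# original; the chmod also covers a file that already existed.
touch /etc/rancher/rke2/config.yaml
chmod 0600 /etc/rancher/rke2/config.yaml
# The heredoc is intentionally unquoted: $TOKEN, $DOMAIN and $Registry come from the
# variables set at the top of this section.
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
secrets-encryption: true
write-kubeconfig-mode: 0600
use-service-account-credentials: true
kube-controller-manager-arg:
  - bind-address=127.0.0.1
  - use-service-account-credentials=true
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-apiserver-arg:
  - tls-min-version=VersionTLS12
  - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - authorization-mode=RBAC,Node
  - anonymous-auth=false
  - admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
  - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
  # blocking-strict: a request whose audit event cannot be written at the
  # RequestReceived stage is rejected rather than served unaudited.
  - audit-log-mode=blocking-strict
  - audit-log-maxage=30
kubelet-arg:
  - protect-kernel-defaults=true
  # 0 disables the kubelet's unauthenticated read-only port.
  - read-only-port=0
  - authorization-mode=Webhook
  - streaming-connection-idle-timeout=5m
# Registration endpoint of the first server. DOMAIN must be the same name the first
# server added to its tls-san, otherwise its certificate will not match.
server: https://$DOMAIN:9345
# Must equal the token the first server is running with.
token: $TOKEN
tls-san:
  - $DOMAIN
system-default-registry: $Registry
EOF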
### Configure RKE2 Audit Policy
# Audit policy referenced by audit-policy-file in config.yaml. Rules are matched in
# order: secrets come first and are logged at Metadata level only (no request or
# response body, so secret values stay out of the audit log); every other core-group
# resource is logged with full request and response bodies.
# NOTE(review): both rules name group "" (the core API group) only. Requests for
# resources in other groups (apps, rbac.authorization.k8s.io, ...) match no rule and
# are not logged — confirm that is intended.
# Quoted heredoc: the content has nothing to shell-expand.
cat << 'EOF' >> /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: rke2-audit-policy
rules:
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["*"]
EOF
### Configure RKE2 Pod Security Standards
# PodSecurity admission configuration referenced by admission-control-config-file in
# config.yaml: every namespace gets the "restricted" profile enforced, audited and
# warned at the "latest" version, except the namespaces exempted below.
# NOTE(review): an exempted namespace receives no PodSecurity checks at all, so the
# right to create pods in any namespace on this list amounts to opting out of the
# restricted profile — keep the RBAC on these namespaces correspondingly tight.
# Quoted heredoc: the content has nothing to shell-expand.
cat << 'EOF' >> /etc/rancher/rke2/rancher-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: "restricted"
        enforce-version: "latest"
        audit: "restricted"
        audit-version: "latest"
        warn: "restricted"
        warn-version: "latest"
      exemptions:
        usernames: []
        runtimeClasses: []
        namespaces:
          - calico-apiserver
          - calico-system
          - carbide-docs-system
          - carbide-stigatron-system
          - cattle-alerting
          - cattle-csp-adapter-system
          - cattle-elemental-system
          - cattle-epinio-system
          - cattle-externalip-system
          - cattle-fleet-local-system
          - cattle-fleet-system
          - cattle-gatekeeper-system
          - cattle-global-data
          - cattle-global-nt
          - cattle-impersonation-system
          - cattle-istio
          - cattle-istio-system
          - cattle-logging
          - cattle-logging-system
          - cattle-monitoring-system
          - cattle-neuvector-system
          - cattle-prometheus
          - cattle-provisioning-capi-system
          - cattle-resources-system
          - cattle-sriov-system
          - cattle-system
          - cattle-ui-plugin-system
          - cattle-windows-gmsa-system
          - cert-manager
          - cis-operator-system
          - fleet-default
          - fleet-local
          - harbor-system
          - ingress-nginx
          - istio-system
          - kube-node-lease
          - kube-public
          - kube-system
          - longhorn-system
          - rancher-alerting-drivers
          - security-scan
          - tigera-operator
EOF
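### Setup Carbide Registry
# registries.yaml stores the registry password in clear text, so it is made root-only
# before the content is appended rather than inheriting the shell umask. '>>' is kept
# from the original; the chmod also covers a file that already existed.
# The heredoc is intentionally unquoted: $Registry, $RegistryUsername and
# $RegistryPassword are filled in from the variables set above.
# NOTE(review): a password containing YAML-significant characters (a leading '*',
# '#', or ': ' inside it) would need quoting here — check the value you use.
touch /etc/rancher/rke2/registries.yaml
chmod 0600 /etc/rancher/rke2/registries.yaml
cat << EOF >> /etc/rancher/rke2/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "https://$Registry"
configs:
  "$Registry":
    auth:
      username: $RegistryUsername
      password: $RegistryPassword
EOF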
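### Download and Install RKE2 Server
# Fetch the installer to a temp file and run it only once the download has completed,
# instead of piping the stream straight into sh (a download cut off mid-way would
# otherwise execute as far as it got). -f makes curl fail on HTTP errors. The RKE2
# version is pinned through vRKE2, quoted so an odd value cannot split into words.
rke2_installer=$(mktemp) || rke2_installer=
if [[ -n "$rke2_installer" ]] && curl -sfL -o "$rke2_installer" https://get.rke2.io; then
  if INSTALL_RKE2_VERSION="$vRKE2" INSTALL_RKE2_TYPE=server sh "$rke2_installer"; then
    ### Enable and Start RKE2 Server
    # 'enable --now' is enable + start in one call.
    systemctl enable --now rke2-server.service
  else
    printf 'error: RKE2 installer exited non-zero; rke2-server not enabled\n' >&2
  fi
else
  printf 'error: could not download https://get.rke2.io; RKE2 not installed\n' >&2
fi
[[ -n "$rke2_installer" ]] && rm -f -- "$rke2_installer"
unset rke2_installer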
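### RKE2 AGENT NODES (WORKER NODES)
### Set Variables
# Fill these in before running the rest of this section. Where each value is used:
#   DOMAIN           - the server endpoint this agent registers with (server: https://$DOMAIN:9345);
#                      it must be a name the servers carry in their tls-san
#   TOKEN            - join token written to config.yaml; must be the cluster's token
#   vRKE2            - handed to the installer as INSTALL_RKE2_VERSION
#   Registry         - system-default-registry and the docker.io mirror in registries.yaml
#   RegistryUsername - credentials written to registries.yaml for that registry
#   RegistryPassword
export DOMAIN=
export TOKEN=
export vRKE2=
export Registry=
export RegistryUsername=
export RegistryPassword=
# An empty value silently yields a broken config.yaml / registries.yaml further down,
# so say so. This is a warning rather than an exit: the steps read as paste-and-run,
# and an exit would close the shell they are pasted into.
for rke2_var in DOMAIN TOKEN vRKE2 Registry RegistryUsername RegistryPassword; do
  [[ -n "${!rke2_var}" ]] || printf 'warning: %s is empty\n' "$rke2_var" >&2
done
unset rke2_var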
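### Apply System Settings
# Kernel and network tuning for an RKE2 node, appended to /etc/sysctl.conf.
# The marker line is checked first so re-running this section does not append a
# second copy. The heredoc is quoted: nothing in it is meant to be shell-expanded.
if ! grep -q '^### Modified System Settings' /etc/sysctl.conf 2>/dev/null; then
cat << 'EOF' >> /etc/sysctl.conf
### Modified System Settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144
net.ipv4.ip_local_port_range=1024 65000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
# net.core.somaxconn was listed twice (10000, then 4096). sysctl -p applies the file
# in order, so 4096 was the value actually in effect and is the one kept here;
# raise it if 10000 was the intended setting.
net.core.somaxconn=4096
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.neigh.default.gc_thresh1=8096
net.ipv4.neigh.default.gc_thresh2=12288
net.ipv4.neigh.default.gc_thresh3=16384
net.ipv4.tcp_keepalive_time=600
# Container networking forwards traffic through the node.
net.ipv4.ip_forward=1
# IPv6 is switched off on the node.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
EOF
fi
# stdout is still discarded, but stderr is no longer hidden: a key the kernel rejects
# used to be silenced by the trailing '2>&1' and went unnoticed.
sysctl -p > /dev/null
### Install Packages
# Kept as separate transactions, as in the original, so one unavailable package does
# not block the others. -y makes yum non-interactive.
yum install -y iptables container-selinux libnetfilter_conntrack libnfnetlink libnftnl \
  policycoreutils-python-utils cryptsetup
yum install -y nfs-utils iscsi-initiator-utils
yum install -y zip zstd tree jq
### Modify Settings
# Write the iSCSI initiator name only if iscsi-iname produced one; the original wrote
# an empty "InitiatorName=" line when the command was missing or failed. Presumably
# for iSCSI-backed storage on the workers — confirm.
if rke2_iname=$(/sbin/iscsi-iname); then
  printf 'InitiatorName=%s\n' "$rke2_iname" > /etc/iscsi/initiatorname.iscsi \
    && systemctl enable --now iscsid
else
  printf 'warning: /sbin/iscsi-iname failed; iSCSI initiator not configured\n' >&2
fi
unset rke2_iname
# firewalld and nm-cloud-setup interfere with the CNI's rules and routes; the RKE2
# install docs recommend disabling both (confirm for your distribution).
# 'disable --now' is stop + disable in one call; a missing unit just prints an error
# and the script continues, as before.
systemctl disable --now firewalld
systemctl disable --now nm-cloud-setup nm-cloud-setup.timer
# Tell NetworkManager to leave the CNI-created cali*/flannel* interfaces alone.
printf '[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*\n' \
  > /etc/NetworkManager/conf.d/rke2-canal.conf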
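### Setup RKE2 Agent
mkdir -p /etc/rancher/rke2/
### Configure RKE2 Config
# config.yaml holds the cluster join token, so make it root-only before writing
# instead of inheriting the shell umask (typically 0644). '>>' is kept from the
# original; the chmod also covers a file that already existed.
touch /etc/rancher/rke2/config.yaml
chmod 0600 /etc/rancher/rke2/config.yaml
# The heredoc is intentionally unquoted: $DOMAIN, $TOKEN and $Registry come from the
# variables set at the top of this section.
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
write-kubeconfig-mode: 0600
# NOTE(review): agents do not run kube-apiserver, so this entry is presumably inert on
# an agent node. Kept as in the original; confirm and drop it if so.
kube-apiserver-arg:
  - authorization-mode=RBAC,Node
kubelet-arg:
  - protect-kernel-defaults=true
  # 0 disables the kubelet's unauthenticated read-only port.
  - read-only-port=0
  - authorization-mode=Webhook
# Registration endpoint of the servers. DOMAIN must be a name the servers carry in
# their tls-san, otherwise their certificate will not match.
server: https://$DOMAIN:9345
# Must equal the token the servers are running with.
token: $TOKEN
system-default-registry: $Registry
EOF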
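### Setup Carbide Registry
# registries.yaml stores the registry password in clear text, so it is made root-only
# before the content is appended rather than inheriting the shell umask. '>>' is kept
# from the original; the chmod also covers a file that already existed.
# The heredoc is intentionally unquoted: $Registry, $RegistryUsername and
# $RegistryPassword are filled in from the variables set above.
# NOTE(review): a password containing YAML-significant characters (a leading '*',
# '#', or ': ' inside it) would need quoting here — check the value you use.
touch /etc/rancher/rke2/registries.yaml
chmod 0600 /etc/rancher/rke2/registries.yaml
cat << EOF >> /etc/rancher/rke2/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "https://$Registry"
configs:
  "$Registry":
    auth:
      username: $RegistryUsername
      password: $RegistryPassword
EOF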
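### Download and Install RKE2 Agent
# Fetch the installer to a temp file and run it only once the download has completed,
# instead of piping the stream straight into sh (a download cut off mid-way would
# otherwise execute as far as it got). -f makes curl fail on HTTP errors. The RKE2
# version is pinned through vRKE2, quoted so an odd value cannot split into words.
rke2_installer=$(mktemp) || rke2_installer=
if [[ -n "$rke2_installer" ]] && curl -sfL -o "$rke2_installer" https://get.rke2.io; then
  if INSTALL_RKE2_VERSION="$vRKE2" INSTALL_RKE2_TYPE=agent sh "$rke2_installer"; then
    ### Enable and Start RKE2 Agent
    # 'enable --now' is enable + start in one call.
    systemctl enable --now rke2-agent.service
  else
    printf 'error: RKE2 installer exited non-zero; rke2-agent not enabled\n' >&2
  fi
else
  printf 'error: could not download https://get.rke2.io; RKE2 not installed\n' >&2
fi
[[ -n "$rke2_installer" ]] && rm -f -- "$rke2_installer"
unset rke2_installer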