zackbradys

--- RKE2 SERVER NODES (CONTROL PLANE) ---
### Setup RKE2 Server
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U

### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
secrets-encryption: true

zackbradys

### FIRST RKE2 SERVER NODE (CONTROL PLANE NODES)
### Set Variables
export DOMAIN=
export TOKEN=
export vRKE2=
export Registry=
export RegistryUsername=
export RegistryPassword=

### Apply System Settings

zackbradys

for imported clusters

export CLUSTERNAME=rke2-cluster-import

kubectl get clusterregistrationtokens.management.cattle.io -n $(kubectl get cluster -n fleet-default ${CLUSTERNAME} -o jsonpath='{.status.clusterName}') default-token -o json | jq -r '.status.command'

# insecure command
kubectl get clusterregistrationtokens.management.cattle.io -n $(kubectl get cluster -n fleet-default ${CLUSTERNAME} -o jsonpath='{.status.clusterName}') default-token -o json | jq -r '.status.insecureCommand'

zackbradys

#!/bin/bash

for app in rke2; do
  output=$(curl -ks "https://update.${app}.io/v1-release/channels" | jq --arg app "${app}" -r '.data[]|select(.id==("stable","latest","testing"))|[$app, .name, .latest]|@tsv')
  [ -n "$output" ] && echo "$output"
done && echo

for app in k3s; do
  output=$(curl -ks "https://update.${app}.io/v1-release/channels" | jq --arg app "${app}" -r '.data[]|select(.id==("stable","latest","testing"))|[$app, .name, .latest]|@tsv')
  [ -n "$output" ] && echo "$output"

zackbradys

Feature/Functionality	Provisioned Clusters	EKS, AKS, GKE, and OKE Clusters	Imported Clusters
Cluster Access with kubectl or kubeconfig	✓	✓	✓
Cluster Access Management (RBAC)	✓	✓	✓
Modifying Cluster Configuration	✓	✓
Upgrading Cluster Kubernetes Version	✓	✓
Node Management (Adding/Removing/Scaling)	✓	✓
Node Access with Shell (ssh)	✓	✓
Ability to Rotate Certificates	✓	✓
Ability to Rotate Encryption Keys	✓	✓

zackbradys

Create RKE2 Cluster using Rancher Cluster Templates and Assumed Roles

view the repo: https://github.com/rancherfederal/rancher-cluster-templates

Setup the Rancher Management Cluster

Step 1: Create the IAM Policy

aws iam create-policy --policy-name aws-rgs-rancher-mgmt-policy --policy-document '{
  "Version": "2012-10-17",
  "Statement": [

zackbradys

view the upstream gist by bgulla -> https://gist.github.com/bgulla/7a6a72bdc5df6febb1e22dbc32f0ca4f

additional docs from bcdurden -> https://github.com/bcdurden/rke2-kube-vip

cat << EOF >> /etc/sysctl.conf
### Modified System Settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10

zackbradys

# enable container-selinux
amazon-linux-extras enable selinux-ng

# create os release file
echo "2023" >> /etc/amazon-linux-release

# download and install rke2
curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.27 INSTALL_RKE2_TYPE=server sh -

# enable and start rke2

zackbradys

### Configure Rancher Pod Security Standards/Pod Security Admissions
cat << EOF >> /etc/rancher/rke2/rancher-psact.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:

zackbradys

### Add and Update the Helm Repository
helm repo add neuvector https://neuvector.github.io/neuvector-helm
helm repo update

### Create the NeuVector Namespace and Install NeuVector
kubectl create namespace cattle-neuvector-system

helm upgrade -i neuvector neuvector/core --namespace cattle-neuvector-system --set k3s.enabled=true --set k3s.runtimePath=/run/k3s/containerd/containerd.sock --set manager.ingress.enabled=true --set manager.svc.type=ClusterIP --set controller.pvc.enabled=true --set manager.ingress.host=neuvector.10.0.0.15.sslip.io --set global.cattle.url=https://rancher.10.0.0.15.sslip.io --set controller.ranchersso.enabled=true --set rbac=true

### Wait for the deployment/rollout