RKE2 Server in a Pod
# StatefulSet that runs an RKE2 control plane inside one pod: an init container
# bootstraps the data directory, then three long-running containers
# (rke2-server, kube-apiserver, etcd) share that state through a single emptyDir.
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: rke2-server
  namespace: rke2-bootstrap-system
spec:
  serviceName: "rke2-server"
  # One replica: the kube-apiserver below only talks to the etcd sidecar on
  # 127.0.0.1:2379, so this is a single-node control plane, not an HA one.
  replicas: 1
  selector:
    matchLabels:
      app: rke2-server
  template:
    metadata:
      labels:
        app: rke2-server
    spec:
      # NOTE(review): a shared PID namespace lets every container in the pod see
      # and signal the others' processes, including those of the privileged
      # rke2-server container; keep this a debugging-only setting.
      shareProcessNamespace: true # for debugging
      securityContext:
        # Root is permitted pod-wide; no per-container runAsUser is set below.
        runAsNonRoot: false
        # Constrains the unprivileged sidecars (kube-apiserver, etcd). A privileged
        # container is generally run without a seccomp filter, so rke2-server is
        # effectively not covered by this profile.
        seccompProfile:
          type: RuntimeDefault
      volumes:
        # Ephemeral scratch holding the entire /var/lib/rancher/rke2 tree,
        # including server/tls (CAs, serving and signing keys) and server/cred.
        # It is discarded whenever the pod is rescheduled, so the cluster's
        # identity and etcd data do not survive a restart.
        - name: shared
          emptyDir: {}
        # rke2 config.yaml, supplied by the Secret in the second document.
        - name: rke2-files
          secret:
            secretName: rke2-files
      initContainers:
        # Bootstraps server state: starts `rke2 server` in the background only
        # until etcd's config file appears, then the shell exits and the init
        # container (with the backgrounded rke2) terminates. Everything rke2
        # generated stays in the `shared` volume for the containers below.
        # This container has no securityContext of its own, i.e. it is not
        # privileged; presumably rke2 gets far enough to write the etcd config
        # without that — confirm against the image.
        - name: rke2-server-init
          # No tag or digest: this resolves to a mutable "latest" image. Pin it
          # (tag or digest) so the control-plane binaries cannot change silently
          # between pod restarts.
          image: kpp-private-registry.akamai-kpp.com/cns/kpp/rke2
          command:
            - /bin/bash
            - -c
            # Run rke2 server until /var/lib/rancher/rke2/server/db/etcd/config exists
            - |
              /opt/bin/rke2 server \
              --debug \
              --cloud-provider-name=external \
              --disable-cloud-controller \
              --disable-controller-manager \
              --disable-kube-proxy \
              --disable-scheduler \
              --disable=rke2-ingress-nginx \
              --snapshotter=native \
              &
              until [ -f /var/lib/rancher/rke2/server/db/etcd/config ]; do
              echo "Waiting for /var/lib/rancher/rke2/server/db/etcd/config to exist..."
              sleep 5
              done
          volumeMounts:
            - mountPath: /etc/rancher/rke2
              name: shared
              subPath: etc/rancher/rke2
            - mountPath: /var/lib/rancher/rke2
              name: shared
              subPath: var/lib/rancher/rke2
            # A Secret mounted via subPath is not refreshed when the Secret
            # changes; editing config.yaml requires a pod restart to take effect.
            - mountPath: /etc/rancher/rke2/config.yaml
              name: rke2-files
              subPath: config.yaml
              readOnly: true
      containers:
        # Long-running rke2 supervisor. The agent and the embedded etcd are
        # disabled here; etcd runs as the sidecar container further down.
        - name: rke2-server
          # Same untagged image as the init container; pin by tag or digest.
          image: kpp-private-registry.akamai-kpp.com/cns/kpp/rke2
          command:
            - /opt/bin/rke2
            - server
          args:
            - --debug
            - --cloud-provider-name=external
            - --disable-agent
            - --disable-cloud-controller
            - --disable-controller-manager
            # etcd is provided by the `etcd` container below, not by rke2 itself.
            - --disable-etcd
            - --disable-kube-proxy
            - --disable-scheduler
            - --disable=rke2-ingress-nginx
            - --egress-selector-mode=cluster
          securityContext:
            # The only privileged container in the pod; together with
            # runAsNonRoot: false this is effectively root on the node.
            privileged: true
          # No requests or limits, unlike the two sidecars.
          resources: {}
          volumeMounts:
            - mountPath: /etc/rancher/rke2
              name: shared
              subPath: etc/rancher/rke2
            - mountPath: /var/lib/rancher/rke2
              name: shared
              subPath: var/lib/rancher/rke2
            # subPath Secret mount: not updated in place when the Secret changes.
            - mountPath: /etc/rancher/rke2/config.yaml
              name: rke2-files
              subPath: config.yaml
              readOnly: true
        # kube-apiserver run as a sidecar. The flag set and the FILE_HASH env look
        # like the static-pod manifest rke2 normally renders — presumably copied
        # from one; verify against the generator when updating the image version.
        - name: kube-apiserver
          args:
            - --allow-privileged=true
            # Hardening flags as rendered: no anonymous requests, Node+RBAC
            # authorization, NodeRestriction admission, profiling disabled,
            # encryption-at-rest config, restricted TLS cipher suites.
            - --anonymous-auth=false
            - --api-audiences=https://kubernetes.default.svc.cluster.local,rke2
            - --authorization-mode=Node,RBAC
            - --cert-dir=/var/lib/rancher/rke2/server/tls/temporary-certs
            - --client-ca-file=/var/lib/rancher/rke2/server/tls/client-ca.crt
            - --egress-selector-config-file=/var/lib/rancher/rke2/server/etc/egress-selector-config.yaml
            - --enable-admission-plugins=NodeRestriction
            - --enable-aggregator-routing=true
            - --enable-bootstrap-token-auth=true
            - --encryption-provider-config=/var/lib/rancher/rke2/server/cred/encryption-config.json
            - --encryption-provider-config-automatic-reload=true
            - --etcd-cafile=/var/lib/rancher/rke2/server/tls/etcd/server-ca.crt
            - --etcd-certfile=/var/lib/rancher/rke2/server/tls/etcd/client.crt
            - --etcd-keyfile=/var/lib/rancher/rke2/server/tls/etcd/client.key
            # The etcd sidecar is reached over the pod's loopback interface.
            - --etcd-servers=https://127.0.0.1:2379
            - --kubelet-certificate-authority=/var/lib/rancher/rke2/server/tls/server-ca.crt
            - --kubelet-client-certificate=/var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt
            - --kubelet-client-key=/var/lib/rancher/rke2/server/tls/client-kube-apiserver.key
            - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
            - --profiling=false
            - --proxy-client-cert-file=/var/lib/rancher/rke2/server/tls/client-auth-proxy.crt
            - --proxy-client-key-file=/var/lib/rancher/rke2/server/tls/client-auth-proxy.key
            - --requestheader-allowed-names=system:auth-proxy
            - --requestheader-client-ca-file=/var/lib/rancher/rke2/server/tls/request-header-ca.crt
            - --requestheader-extra-headers-prefix=X-Remote-Extra-
            - --requestheader-group-headers=X-Remote-Group
            - --requestheader-username-headers=X-Remote-User
            - --secure-port=6443
            - --service-account-issuer=https://kubernetes.default.svc.cluster.local
            - --service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key
            # Service-account signing key. Because every container mounts the whole
            # /var/lib/rancher/rke2 tree, the etcd sidecar can read it as well,
            # although it has no need for it.
            - --service-account-signing-key-file=/var/lib/rancher/rke2/server/tls/service.current.key
            - --service-cluster-ip-range=10.43.0.0/16,fd76:dead:beee::/108
            - --service-node-port-range=30000-32767
            - --storage-backend=etcd3
            - --tls-cert-file=/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt
            - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
            - --tls-private-key-file=/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.key
          command:
            - kube-apiserver
          env:
            # Presumably the hash of the rendered manifest this was copied from,
            # used for change detection — verify against the generator.
            - name: FILE_HASH
              value: 5771e367d9faa76371eca072fd815769bfbdb564a8db0ca2e9f449986d145690
            - name: NO_PROXY
              value: .svc,.cluster.local,10.42.0.0/16,fd76:dead:beef::/48,10.43.0.0/16,fd76:dead:beee::/108
          # Pinned by version tag (not digest) to a rancher/hardened-kubernetes build.
          image: index.docker.io/rancher/hardened-kubernetes:v1.32.4-rke2r1-build20250423
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 250m
              memory: 1Gi
          securityContext:
            privileged: false
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/rancher/rke2
              name: shared
              subPath: etc/rancher/rke2
            - mountPath: /var/lib/rancher/rke2
              name: shared
              subPath: var/lib/rancher/rke2
            # The egress-selector/supervisor socket directory, exposed at /socket.
            - mountPath: /socket
              name: shared
              subPath: var/lib/rancher/rke2/server/cred/socket
        # etcd datastore, driven by the config file the init container produced.
        - name: etcd
          args:
            - --config-file=/var/lib/rancher/rke2/server/db/etcd/config
          command:
            - etcd
          env:
            # See the note on FILE_HASH for the kube-apiserver container.
            - name: FILE_HASH
              value: e7189243e1d669379989fec3747b7c1a62892ad1c049ce478b2a5a2fa9f6bc27
            - name: NO_PROXY
              value: .svc,.cluster.local,10.42.0.0/16,fd76:dead:beef::/48,10.43.0.0/16,fd76:dead:beee::/108
          image: index.docker.io/rancher/hardened-etcd:v3.5.21-k3s1-build20250411
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 200m
              memory: 512Mi
          securityContext:
            privileged: false
          volumeMounts:
            - mountPath: /etc/rancher/rke2
              name: shared
              subPath: etc/rancher/rke2
            # Mounts the entire rke2 state tree (all CAs, serving and signing keys),
            # far more than etcd needs; the server/db and server/tls/etcd subtrees
            # would likely be sufficient and would keep the other keys out of reach.
            - mountPath: /var/lib/rancher/rke2
              name: shared
              subPath: var/lib/rancher/rke2
---
# rke2 config.yaml, mounted read-only into the pod above via subPath. tls-san
# adds Subject Alternative Names to the API server's serving certificate; only
# loopback is listed here, so reaching the API server by any other address will
# presumably fail certificate validation unless that address is added too.
# Note this is a plain Secret (base64-encoded at rest, not encrypted) and, being
# a subPath mount, changes to it only take effect after a pod restart.
apiVersion: v1
kind: Secret
metadata:
  name: rke2-files
  namespace: rke2-bootstrap-system
stringData:
  config.yaml: |
    tls-san:
      - 127.0.0.1