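#!/usr/bin/env bash
#
# Tear down a k3s server node: stop every k3s process, run the k3s
# uninstaller, reset iptables to the legacy backend with empty tables, and
# reboot so the node comes back clean.
#
# Must run as root: the k3s helper scripts, iptables and reboot all need it
# (so no sudo is used below).
#
# WARNING: the iptables steps wipe EVERY rule in EVERY table, not only the
# ones k3s/CNI created, so any host firewall rules on this node are lost.
# Chain default policies are left as they were: an INPUT policy of DROP locks
# you out after the reboot, an ACCEPT policy leaves the host unfiltered.
# Check the `iptables -S` output printed below before letting it reboot.
set -euo pipefail

if (( EUID != 0 )); then
  echo "You are not the root user." >&2
  exit 1
fi
echo "You are the root user."

#######################################
# Run a helper script from /usr/local/bin if it is installed.
# Arguments: $1 - script file name, e.g. k3s-killall.sh
# Outputs:   progress message on stdout
# Returns:   the helper's exit status; 0 when the helper is absent
#######################################
run_if_present() {
  local name=$1
  local script="/usr/local/bin/${name}"
  if [[ -f "$script" ]]; then
    echo "Executing ${name}..."
    "$script"
  else
    echo "${name} does not exist in /usr/local/bin."
  fi
}

run_if_present k3s-killall.sh
run_if_present k3s-uninstall.sh

# -y: this script runs unattended; a plain `apt install` stops to prompt.
apt-get install -y iptables

# Keep only the "*table" headers and COMMIT lines of the current ruleset, so
# restoring it atomically empties every table (filter, nat, mangle, raw, ...);
# without --noflush, iptables-restore flushes the chains it does not mention.
iptables-save \
  | awk '/^[*]/ { print $1 } /COMMIT/ { print $0; }' \
  | iptables-restore

# Print the resulting ruleset for the log, then flush the filter table again.
iptables -S
iptables -F

# Point both the IPv4 and IPv6 iptables commands at the legacy backend.
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

# Reached only if every step above succeeded (set -e), so a failed uninstall
# or iptables step no longer ends in a reboot into a half-cleaned node.
reboot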
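#!/usr/bin/env bash
#
# Tear down a k3s agent node: stop every k3s process, run the agent
# uninstaller, reset iptables to the legacy backend with empty tables, and
# reboot so the node comes back clean.
#
# Must run as root: the k3s helper scripts, iptables and reboot all need it
# (so no sudo is used below).
#
# WARNING: the iptables steps wipe EVERY rule in EVERY table, not only the
# ones k3s/CNI created, so any host firewall rules on this node are lost.
# Chain default policies are left as they were: an INPUT policy of DROP locks
# you out after the reboot, an ACCEPT policy leaves the host unfiltered.
# Check the `iptables -S` output printed below before letting it reboot.
set -euo pipefail

if (( EUID != 0 )); then
  echo "You are not the root user." >&2
  exit 1
fi
echo "You are the root user."

#######################################
# Run a helper script from /usr/local/bin if it is installed.
# Arguments: $1 - script file name, e.g. k3s-agent-uninstall.sh
# Outputs:   progress message on stdout
# Returns:   the helper's exit status; 0 when the helper is absent
#######################################
run_if_present() {
  local name=$1
  local script="/usr/local/bin/${name}"
  if [[ -f "$script" ]]; then
    echo "Executing ${name}..."
    "$script"
  else
    echo "${name} does not exist in /usr/local/bin."
  fi
}

run_if_present k3s-killall.sh
run_if_present k3s-agent-uninstall.sh

# -y: this script runs unattended; a plain `apt install` stops to prompt.
apt-get install -y iptables

# Keep only the "*table" headers and COMMIT lines of the current ruleset, so
# restoring it atomically empties every table (filter, nat, mangle, raw, ...);
# without --noflush, iptables-restore flushes the chains it does not mention.
iptables-save \
  | awk '/^[*]/ { print $1 } /COMMIT/ { print $0; }' \
  | iptables-restore

# Print the resulting ruleset for the log, then flush the filter table again.
iptables -S
iptables -F

# Point both the IPv4 and IPv6 iptables commands at the legacy backend.
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

# Reached only if every step above succeeded (set -e), so a failed uninstall
# or iptables step no longer ends in a reboot into a half-cleaned node.
reboot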
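#!/usr/bin/env bash
#
# Tear down a rancherd node: stop every rancherd process, run the rancherd
# uninstaller, reset iptables to the legacy backend with empty tables, and
# reboot so the node comes back clean.
#
# Must run as root: the rancherd helper scripts, iptables and reboot all need
# it (so no sudo is used below).
#
# WARNING: the iptables steps wipe EVERY rule in EVERY table, not only the
# ones the cluster created, so any host firewall rules on this node are lost.
# Chain default policies are left as they were: an INPUT policy of DROP locks
# you out after the reboot, an ACCEPT policy leaves the host unfiltered.
# Check the `iptables -S` output printed below before letting it reboot.
set -euo pipefail

if (( EUID != 0 )); then
  echo "You are not the root user." >&2
  exit 1
fi
echo "You are the root user."

#######################################
# Run a helper script from /usr/local/bin if it is installed.
# Arguments: $1 - script file name, e.g. rancherd-killall.sh
# Outputs:   progress message on stdout
# Returns:   the helper's exit status; 0 when the helper is absent
#######################################
run_if_present() {
  local name=$1
  local script="/usr/local/bin/${name}"
  if [[ -f "$script" ]]; then
    echo "Executing ${name}..."
    "$script"
  else
    echo "${name} does not exist in /usr/local/bin."
  fi
}

run_if_present rancherd-killall.sh
run_if_present rancherd-uninstall.sh

# -y: this script runs unattended; a plain `apt install` stops to prompt.
apt-get install -y iptables

# Keep only the "*table" headers and COMMIT lines of the current ruleset, so
# restoring it atomically empties every table (filter, nat, mangle, raw, ...);
# without --noflush, iptables-restore flushes the chains it does not mention.
iptables-save \
  | awk '/^[*]/ { print $1 } /COMMIT/ { print $0; }' \
  | iptables-restore

# Print the resulting ruleset for the log, then flush the filter table again.
iptables -S
iptables -F

# Point both the IPv4 and IPv6 iptables commands at the legacy backend.
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

# Reached only if every step above succeeded (set -e), so a failed uninstall
# or iptables step no longer ends in a reboot into a half-cleaned node.
reboot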
Add the cgroup entries to /boot/cmdline.txt on every node that runs on an ARM processor (for example a Raspberry Pi); k3s needs the memory cgroup enabled, and these boards do not enable it by default.
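# sudoedit copies the file to a temporary location, opens that copy in your
# editor as your own user (SUDO_EDITOR, falling back to VISUAL/EDITOR) and
# writes it back as root, so the editor and any shell escapes it offers never
# run with root privileges.
# NOTE(review): some newer Raspberry Pi OS images keep this file at
# /boot/firmware/cmdline.txt instead — check which path exists on your node.
SUDO_EDITOR=vim sudoedit /boot/cmdline.txt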
Append the following entries to the end of the single line that starts with `console=` (cmdline.txt must stay one line; separate the entries from each other and from the existing text with spaces):
cgroup_memory=1 cgroup_enable=memory
Save the file and exit.
Reboot the server
# Reboot so the kernel picks up the new cmdline.txt.
sudo reboot
Install k3s v1.26.9+k3s1 on the server (master) node with the bundled Traefik ingress controller disabled (the Rancher chart below uses ingress-nginx instead). Note that K3S_KUBECONFIG_MODE=644 makes the cluster-admin kubeconfig readable by every local user on the node, so this is only "secure" on a single-user host.
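# Install k3s v1.26.9+k3s1 as a server with the bundled Traefik ingress
# disabled (Rancher's chart is configured for ingress-nginx later on).
#
# K3S_KUBECONFIG_MODE=644 makes /etc/rancher/k3s/k3s.yaml world-readable.
# That file holds cluster-admin credentials, so every local account on this
# node gets full control of the cluster. Prefer the default (0600) and copy
# the file to ~/.kube/config (chmod 600) for the one user who needs it; 644 is
# kept here only so the later `export KUBECONFIG=...` works from a non-root
# shell.
#
# The installer is piped straight from the network into sh. If that is a
# concern in your environment, download it to a file, review it, then run it.
curl -sfL https://get.k3s.io \
  | INSTALL_K3S_VERSION="v1.26.9+k3s1" \
    INSTALL_K3S_EXEC="--disable traefik" \
    K3S_KUBECONFIG_MODE="644" \
    sh -s -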
`source` is a Bash built-in that executes the contents of the file given as its argument in the current shell, so any variables and functions it sets stay in your session; `.` (a single period) is its POSIX synonym.
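# Write the Helm values for the Rancher chart to ./values.yaml.
#
# The heredoc runs in a subshell with umask 077 so the file is created mode
# 0600: it carries the admin bootstrap password and must not be world-readable
# (if values.yaml already exists its mode is kept; chmod 600 it yourself).
# The delimiter is deliberately unquoted so the single shell expansion in the
# file (bootstrapPassword) works; the rest of the content has no $, backquote
# or backslash and is written verbatim.
#
# Set RANCHER_BOOTSTRAP_PASSWORD before running this to pick the initial admin
# password. Leave it unset and the chart generates a random one, which you
# read back from the bootstrap-secret Secret in cattle-system (helm's
# post-install notes show the kubectl command).
(
umask 077
cat > values.yaml <<EOF
# Additional Trusted CAs.
# Enable this flag and add your CA certs as a secret named tls-ca-additional in the namespace.
# See README.md for details.
additionalTrustedCAs: false

antiAffinity: preferred
topologyKey: kubernetes.io/hostname

# Audit Logs https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
# The audit log is piped to the console of the rancher-audit-log container in the rancher pod.
# https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
# destination stream to sidecar container console or hostPath volume
# level: Verbosity of logs, 0 to 3. 0 is off 3 is a lot.
# NOTE(review): level 0 means no Rancher API audit trail at all; raise it (and
# consider destination: hostPath) on anything but a throwaway lab cluster.
auditLog:
  destination: sidecar
  hostPath: /var/log/rancher/audit/
  level: 0
  maxAge: 1
  maxBackup: 1
  maxSize: 100
  # Image for collecting rancher audit logs.
  # Important: update pkg/image/export/resolve.go when this default image is changed, so that it's reflected accordingly in rancher-images.txt generated for air-gapped setups.
  image:
    repository: "rancher/mirrored-bci-micro"
    tag: 15.4.14.3
    # Override imagePullPolicy image
    # options: Always, Never, IfNotPresent
    pullPolicy: "IfNotPresent"

# As of Rancher v2.5.0 this flag is deprecated and must be set to 'true' in order for Rancher to start
addLocal: "true"

# Add debug flag to Rancher server
debug: false

# When starting Rancher for the first time, bootstrap the admin as restricted-admin
restrictedAdmin: false

# Extra environment variables passed to the rancher pods.
# (The "1.0" below only illustrates the syntax; do not lower the TLS floor to
# 1.0 on a real install, 1.2 is the sensible minimum.)
# extraEnv:
# - name: CATTLE_TLS_MIN_VERSION
#   value: "1.0"

# Fully qualified name to reach your Rancher server
hostname: rancher.local

## Optional array of imagePullSecrets containing private registry credentials
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# - name: secretName

### ingress ###
# Readme for details and instruction on adding tls secrets.
ingress:
  # If set to false, ingress will not be created
  # Defaults to true
  # options: true, false
  enabled: true
  includeDefaultExtraAnnotations: true
  extraAnnotations: {}
  ingressClassName: "nginx"
  # backend port number
  servicePort: 80
  # configurationSnippet - Add additional Nginx configuration. This example statically sets a header on the ingress.
  # configurationSnippet: |
  #   more_set_input_headers "X-Forwarded-Host: {{ .Values.hostname }}";
  tls:
    # options: rancher, letsEncrypt, secret
    # "secret" means you supply the certificate: a TLS Secret named
    # tls-rancher-ingress must exist in the Rancher namespace before install.
    source: secret
    secretName: tls-rancher-ingress

### service ###
# Override to use NodePort or LoadBalancer service type - default is ClusterIP
service:
  type: ""
  annotations: {}

### LetsEncrypt config ###
# ProTip: The production environment only allows you to register a name 5 times a week.
# Use staging until you have your config right.
letsEncrypt:
  # email: none@example.com
  environment: production
  ingress:
    # options: traefik, nginx
    class: "nginx"
# If you are using certs signed by a private CA set to 'true' and set the 'tls-ca'
# in the 'rancher-system' namespace. See the README.md for details
privateCA: false

# http[s] proxy server passed into rancher server.
# proxy: http://example.local:1080

# comma separated list of domains or ip addresses that will not use the proxy
# NOTE(review): 192.168.0.1/24 has host bits set; the canonical form of that
# network is 192.168.0.0/24. Confirm which subnet was meant before enabling proxy.
noProxy: 127.0.0.0/8,10.42.0.0/16,10.43.0.0/16,192.168.0.1/24,10.10.0.0/24,rancher.local

# Override rancher image location for Air Gap installs
rancherImage: rancher/rancher
# rancher/rancher image tag. https://hub.docker.com/r/rancher/rancher/tags/
# Defaults to .Chart.appVersion
# rancherImageTag: v2.0.7

# Override imagePullPolicy for rancher server images
# options: Always, Never, IfNotPresent
# Defaults to IfNotPresent
# rancherImagePullPolicy: <pullPolicy>

# Number of Rancher server replicas. Setting to negative number will dynamically between 0 and the abs(replicas) based on available nodes.
# of available nodes in the cluster
replicas: 3

# Set priorityClassName to avoid eviction
priorityClassName: rancher-critical

# Set pod resource requests/limits for Rancher.
resources: {}

#
# tls
#   Where to offload the TLS/SSL encryption
# - ingress (default)
# - external
tls: ingress

systemDefaultRegistry: ""

# Set to use the packaged system charts
useBundledSystemChart: false

# Certmanager version compatibility
certmanager:
  version: ""

# Rancher custom logos persistence
customLogos:
  enabled: false
  volumeSubpaths:
    emberUi: "ember"
    vueUi: "vue"
  ## Volume kind to use for persistence: persistentVolumeClaim, configMap
  volumeKind: persistentVolumeClaim
  ## Use an existing volume. Custom logos should be copied to the volume by the user
  # volumeName: custom-logos
  ## Just for volumeKind: persistentVolumeClaim
  ## To disables dynamic provisioning, set storageClass: "" or storageClass: "-"
  # storageClass: "-"
  accessMode: ReadWriteOnce
  size: 1Gi

# Rancher post-delete hook
postDelete:
  enabled: true
  image:
    repository: rancher/shell
    tag: v0.1.20
  namespaceList:
    - cattle-fleet-system
    - cattle-system
    - rancher-operator-system
  # Number of seconds to wait for an app to be uninstalled
  timeout: 120
  # by default, the job will fail if it fail to uninstall any of the apps
  ignoreTimeoutError: false

# Set a bootstrap password. If leave empty, a random password will be generated.
# Filled from the RANCHER_BOOTSTRAP_PASSWORD environment variable when this
# file is written, instead of a literal, so a weak shared default never lands
# in this file or in the docs. Unset or empty -> "" -> the chart generates a
# random password.
bootstrapPassword: "${RANCHER_BOOTSTRAP_PASSWORD:-}"

livenessProbe:
  initialDelaySeconds: 60
  periodSeconds: 30
readinessProbe:
  initialDelaySeconds: 5
  periodSeconds: 30

global:
  cattle:
    psp:
      # will default to true on 1.24 and below, and false for 1.25 and above
      # can be changed manually to true or false to bypass version checks and force that option
      enabled: ""
EOF
)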
Export k3s configuration
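# Point kubectl/helm in this shell at the k3s-generated kubeconfig.
# This file carries cluster-admin credentials; it is readable here only
# because k3s was installed with K3S_KUBECONFIG_MODE=644. For a non-root user,
# copying it to ~/.kube/config (chmod 600) is the safer option than widening
# the permissions on the original.
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml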
`export` is a Bash built-in that marks variables (and functions) to be passed to child processes: an exported variable is placed in the environment of every process this shell starts, without affecting other, unrelated shells.