UNCLASSIFIED - NO CUI

Recommended Approach For Using Ironbank RKE2 Images with RKE2 Binaries

What is the recommended approach for using the Ironbank RKE2 images with the RKE2 binaries (rke2-linux-amd64.tar.gz)? I was able to get the RKE2 server running with the Ironbank images using the following process:

  1. Identified the version of the rke2-runtime image available on Ironbank. As of 9/3/2021, the latest available is v1.21.3-rke2r1.
  2. Downloaded the corresponding rke2.linux-amd64.tar.gz file from github.com.
  3. Downloaded the corresponding rke2-images.linux-amd64.txt file from github.com.
  4. Pulled each Ironbank image associated with the RKE2 release.
    In some cases, the Ironbank image name was not prefixed with "hardened-". For example, "hardened-etcd:v3.4.13-k3s1-build20210223" is listed in the rke2-images.linux-amd64.txt file, but Ironbank contains "etcd:v3.4.13-k3s1-build20210223". Note: Unable to locate the following RKE2 images on Ironbank: mirrored-jettech-kube-webhook-certgen:v1.5.1, nginx-ingress-controller:nginx-0.47.0-hardened1, rke2-cloud-provider:v0.0.1-build20210629. For now, I will get the missing images from the RKE2 github.com release.
  5. Tagged all local Ironbank images to match the tags expected by RKE2 binaries. For example, the etcd image is tagged "docker.io/rancher/hardened-etcd:v3.4.13-k3s1-build20210223"
  6. Created a new rke2-images.linux-amd64.tar.gz by running docker save command with all of the newly tagged RKE2 images from Ironbank and then gzipped the resulting tar.
  7. Finally, installed the RKE2 server per Air-gap Install/Tarball Method instructions. Additionally, created the etcd user and set the "profile: cis-1.6" config.yaml property.

I do see several RKE2 server/agent config overrides for image tags (e.g. kube-apiserver-image, etcd-image). Unfortunately, the list of overrides only covers a subset of the images. I did not find config parameters to override image tags for the following: hardened-coredns, hardened-k8s-metrics-server, hardened-calico, hardened-flannel, rke2-cloud-provider, nginx-ingress-controller, mirrored-jettech-kube-webhook-certgen, klipper-helm and pause. Will those overrides be added in a future RKE2 release?

Thank you in advance for any guidance or recommendations that you can provide. Mark

Edited by Mark Kloepping
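A script for steps 4 through 6 of the process above, added here as an example and not part of the original post or the RKE2 project: it reads rke2-images.linux-amd64.txt, tries each image on Ironbank first under its "hardened-" name and then without the prefix (as step 4 describes), tags whatever it finds with the upstream reference the RKE2 binaries expect, and saves the result as a gzipped tarball. The Ironbank registry prefix (IRONBANK_PREFIX) is an assumed placeholder, and images that cannot be pulled are listed for manual retrieval from the GitHub release.

```shell
#!/bin/sh
# Added example (not from the post): rebuild rke2-images.linux-amd64.tar.gz
# from Ironbank images. Assumption: Ironbank images are addressed as
# ${IRONBANK_PREFIX}/<name>:<tag>; the default prefix is a placeholder.
set -eu

IRONBANK_PREFIX="${IRONBANK_PREFIX:-registry.example.invalid/ironbank}"
IMAGE_LIST="${IMAGE_LIST:-rke2-images.linux-amd64.txt}"
OUTPUT="${OUTPUT:-rke2-images.linux-amd64.tar.gz}"

# Print the Ironbank references to try for one upstream reference, the
# "hardened-" spelling first. Some Ironbank images drop that prefix, so
# "docker.io/rancher/hardened-etcd:<tag>" yields two candidates.
ironbank_candidates() {
    name="${1##*/}"                      # strip registry and namespace
    echo "${IRONBANK_PREFIX}/${name}"
    case "$name" in
        hardened-*) echo "${IRONBANK_PREFIX}/${name#hardened-}" ;;
    esac
}

# Pull the first candidate that exists and tag it with the upstream
# reference so the RKE2 binaries find it. Returns 1 if none could be pulled.
pull_and_tag() {
    upstream="$1"
    for ref in $(ironbank_candidates "$upstream"); do
        if docker pull "$ref" >/dev/null 2>&1; then
            docker tag "$ref" "$upstream"
            return 0
        fi
    done
    return 1
}

main() {
    tagged=""; missing=""
    while IFS= read -r image; do
        [ -n "$image" ] || continue
        if pull_and_tag "$image"; then
            tagged="$tagged $image"
        else
            missing="$missing $image"      # fetch these from the GitHub release
        fi
    done < "$IMAGE_LIST"
    # Step 6: one docker save over every retagged image, then gzip.
    docker save $tagged | gzip > "$OUTPUT"
    [ -z "$missing" ] || printf 'Not on Ironbank:%s\n' "$missing" >&2
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh mirror-ironbank.sh run` from the directory holding the image list; the functions can be sourced on their own to check the name mapping without touching docker.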