Recommended Approach For Using Ironbank RKE2 Images with RKE2 Binaries
What is the recommended approach for using the Ironbank RKE2 images with the RKE2 binaries (rke2.linux-amd64.tar.gz)? I was able to get the RKE2 server running with the Ironbank images using the following process:
- Identified the version of the rke2-runtime image available on Ironbank. As of 9/3/2021, the latest available is v1.21.3-rke2r1.
- Downloaded the corresponding rke2.linux-amd64.tar.gz file from github.com.
- Downloaded the corresponding rke2-images.linux-amd64.txt file from github.com.
- Pulled each Ironbank image associated with the RKE2 release.
In some cases, the Ironbank image name was not prefixed with "hardened-". For example, "hardened-etcd:v3.4.13-k3s1-build20210223" is listed in the rke2-images.linux-amd64.txt file, but Ironbank contains "etcd:v3.4.13-k3s1-build20210223". Note: Unable to locate the following RKE2 images on Ironbank: mirrored-jettech-kube-webhook-certgen:v1.5.1, nginx-ingress-controller:nginx-0.47.0-hardened1, rke2-cloud-provider:v0.0.1-build20210629. For now, will get the missing images from the RKE2 github.com release.
- Tagged all local Ironbank images to match the tags expected by the RKE2 binaries. For example, the etcd image is tagged "docker.io/rancher/hardened-etcd:v3.4.13-k3s1-build20210223".
- Created a new rke2-images.linux-amd64.tar.gz by running docker save command with all of the newly tagged RKE2 images from Ironbank and then gzipped the resulting tar.
- Finally, installed the RKE2 server per Air-gap Install/Tarball Method instructions. Additionally, created the etcd user and set the "profile: cis-1.6" config.yaml property.
I do see several RKE2 server/agent config overrides for image tags (ex: kube-apiserver-image, etcd-image). Unfortunately the list of overrides only covers a subset of the images. Did not find config parameters to override image tags for the following: hardened-coredns, hardened-k8s-metrics-server, hardened-calico, hardened-flannel, rke2-cloud-provider, nginx-ingress-controller, mirrored-jettech-kube-webhook-certgen, klipper-helm and pause. Will those overrides be added in a future RKE2 release?
Thank you in advance for any guidance or recommendations that you can provide.

Mark
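The retag-and-save steps from the post above, written out as a script. This is an added example, not code from the original post or from the RKE2 project; the `IRONBANK_PREFIX` repository path is an assumed placeholder that must be set to the real Ironbank location, and the input is the upstream rke2-images.linux-amd64.txt downloaded next to the binary.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the RKE2 project.
# Builds rke2-images.linux-amd64.tar.gz from Ironbank images retagged to the
# names the RKE2 binary expects (docker.io/rancher/<name>:<tag>).
# Assumption: IRONBANK_PREFIX is the repository path holding the Ironbank RKE2
# images; the default below is a placeholder, not a real path.
set -eu

IRONBANK_PREFIX="${IRONBANK_PREFIX:-registry1.dso.mil/ironbank/PLACEHOLDER}"

# Print the Ironbank candidates for one upstream reference: first the same
# name, then the name with "hardened-" dropped, since Ironbank omits that
# prefix for some images (e.g. hardened-etcd is published as etcd).
ironbank_candidates() {
  name="${1##*/}"                       # <name>:<tag>
  printf '%s/%s\n' "$IRONBANK_PREFIX" "$name"
  if [ "${name#hardened-}" != "$name" ]; then
    printf '%s/%s\n' "$IRONBANK_PREFIX" "${name#hardened-}"
  fi
}

# Pull each listed image from Ironbank, retag it to the upstream name and
# write every retagged image into one gzipped tarball. Images that are not on
# Ironbank are reported so they can be taken from the upstream release tarball.
build_tarball() {
  list="$1"; out="${2:-rke2-images.linux-amd64.tar.gz}"
  tagged=""; count=0
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    for cand in $(ironbank_candidates "$ref"); do
      if docker pull "$cand" >/dev/null 2>&1; then
        docker tag "$cand" "$ref"
        tagged="$tagged $ref"; count=$((count + 1))
        continue 2                      # next line of the list
      fi
    done
    echo "not found on Ironbank, use upstream image: $ref" >&2
  done < "$list"
  [ "$count" -gt 0 ] || { echo "no images retagged" >&2; return 1; }
  # shellcheck disable=SC2086  # word splitting of $tagged is intended
  docker save $tagged | gzip > "$out"
  echo "wrote $out with $count images"
}

# Usage: build_tarball rke2-images.linux-amd64.txt
```

After the tarball is written, place it in the RKE2 agent images directory exactly as the Air-gap Install/Tarball Method describes; images reported as missing still have to come from the upstream rke2-images.linux-amd64.tar.gz.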