Rancher Install

  • OS: Ubuntu 22.04
  • RKE2 version: v1.30.13
  • Rancher version: v2.10.3

1. Prepare

1.1 Prepare

  • Allow iptables to check bridge traffic (every node)
cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
modprobe br_netfilter
cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl --system

2. Install RKE2

2.1 RKE2 install (node1)

  • Configure proxy (if needed)

If your node already has direct internet access permission, skip this step.

export http_proxy="http://10.55.xx.xx:xx"
export https_proxy="http://10.55.xx.xx:xx"
  • Download RKE2 package
curl -sfL https://get.rke2.io | INSTALL_RKE2_VERSION=v1.30.9+rke2r1 sh -

In mainland China, use the mirror below to install instead:

curl -sfL https://rancher-mirror.rancher.cn/rke2/install.sh | INSTALL_RKE2_MIRROR=cn INSTALL_RKE2_VERSION=v1.30.9+rke2r1 sh -

  • Start RKE2 service
systemctl enable rke2-server.service
systemctl start rke2-server.service

If the service fails to start, configure the registry mirror as described in the next step.

Use the command journalctl -fu rke2-server.service to follow the service log and confirm the error.

  • Change registry
vim /etc/rancher/rke2/registries.yaml

Add the following content:

configs:
  "wzs-sat-poc-harbor.wistron.com":
    tls:
      # RKE2 reads snake_case keys here; the camelCase spelling (insecureSkipVerify) is ignored.
      # Safer: replace this line with ca_file pointing at the CA that issued the Harbor
      # certificate, so the mirror's TLS is verified rather than skipped.
      insecure_skip_verify: true
mirrors:
  docker.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.docker.io/$1
      ^[^/]+$: wzs-poc-rke2/proxy.docker.io/library/$1
  gcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.gcr.io/$1
  k8s.gcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.k8s.gcr.io/$1
  ghcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.ghcr.io/$1
  quay.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.quay.io/$1
  mcr.microsoft.com:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.microsoft.com/$1
  registry.k8s.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.registry.k8s.io/$1
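
As an added example that is not part of the original runbook, the shell function below models where the rewrite rules above send an upstream image reference (the Harbor hostname and project prefix are copied from the config; the input must be a fully qualified registry/repository[:tag] reference). It lets you confirm that the matching Harbor proxy project path exists before a node is expected to pull through it.

```sh
#!/bin/sh
# Added example, not from the original runbook: model where the registries.yaml
# rewrite rules send an upstream image reference, so the matching Harbor proxy
# project path can be checked before a node is expected to pull through it.
# Hostname and project prefix are copied from the page's registries.yaml.
MIRROR_HOST=wzs-sat-poc-harbor.wistron.com
PROJECT=wzs-poc-rke2

# mirror_ref <registry/repository[:tag]> -> prints the reference containerd fetches
mirror_ref() {
  ref=$1
  host=${ref%%/*}          # registry part, e.g. docker.io
  path=${ref#*/}           # repository[:tag] part
  case $host in
    docker.io)         proxy=proxy.docker.io ;;
    gcr.io)            proxy=proxy.gcr.io ;;
    k8s.gcr.io)        proxy=proxy.k8s.gcr.io ;;
    ghcr.io)           proxy=proxy.ghcr.io ;;
    quay.io)           proxy=proxy.quay.io ;;
    mcr.microsoft.com) proxy=proxy.microsoft.com ;;   # as configured: not proxy.mcr.microsoft.com
    registry.k8s.io)   proxy=proxy.registry.k8s.io ;;
    *) echo "$ref"; return 0 ;;  # no mirror entry: pulled straight from the upstream host
  esac
  # docker.io rule ^[^/]+$ : a bare repository name gets the library/ namespace.
  # containerd's CRI layer already normalizes "nginx" to docker.io/library/nginx,
  # so this rule only matters for references that arrive without the namespace.
  if [ "$host" = docker.io ]; then
    case ${path%%:*} in
      */*) ;;
      *)   path=library/$path ;;
    esac
  fi
  # rule ^(.*)$ : everything else is prefixed with the proxy project path
  echo "$MIRROR_HOST/$PROJECT/$proxy/$path"
}

for img in docker.io/nginx:1.25 docker.io/rancher/rancher:v2.10.3 registry.k8s.io/pause:3.9; do
  printf '%s -> %s\n' "$img" "$(mirror_ref "$img")"
done
```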

  • Restart RKE2 service
systemctl daemon-reload
systemctl restart rke2-server.service

  • Configure kubectl environment variables
cat >> /etc/profile <<'EOF'
export PATH=/var/lib/rancher/rke2/bin:$PATH
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
EOF
source /etc/profile

# quoted 'EOF' keeps $PATH unexpanded, so the current PATH is not frozen into the file
cat >> ~/.bashrc <<'EOF'
export PATH="$PATH:/usr/local/bin:/var/lib/rancher/rke2/bin"
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
EOF

mkdir -p ~/.kube && cd ~/.kube
ln -s /etc/rancher/rke2/rke2.yaml ~/.kube/config
ln -s /var/lib/rancher/rke2/agent/etc/crictl.yaml /etc/crictl.yaml
# chmod follows the symlink: this changes the mode of rke2.yaml itself (the cluster-admin
# kubeconfig); 644 makes it readable by every local user, 600 is the safer choice
chmod 644 ~/.kube/config

Check the kubectl and crictl commands

kubectl get nodes
crictl ps

  • Check the node token and copy it (it is needed in the config.yaml of every node)
cat /var/lib/rancher/rke2/server/node-token

K10670xxxxxx

  • Create RKE2 config
vim /etc/rancher/rke2/config.yaml

Add the following content:

server: https://10.xx.xx.xx:9345
token: K10670xxxxxx
node-name: "ZSRANCHD1"
tls-san:
  - ZSRANCHD1
  - ZSRANCHD2
  - ZSRANCHD3
node-label:
  - "node=Master"
  - "ZSRANCHD1=Master"
etcd-snapshot-retention: 10
etcd-snapshot-schedule-cron: '*/30 * * * *'
kubelet-arg:
  - "eviction-hard=nodefs.available<1%,memory.available<10Mi"
  - "eviction-soft-grace-period=nodefs.available=30s,imagefs.available=30s"
  - "eviction-soft=nodefs.available<5%,imagefs.available<1%"
  • Snapshot files are stored at /var/lib/rancher/rke2/server/db/snapshots

  • Restart service and check
systemctl daemon-reload
systemctl restart rke2-server.service
kubectl get node
kubectl get pod -A

2.2 Helm install (node1)

  • Download helm package
cd
wget https://get.helm.sh/helm-v3.16.0-linux-amd64.tar.gz
tar -xzvf helm-v3.16.0-linux-amd64.tar.gz
mv linux-amd64/helm /usr/local/bin/helm

  • Add helm repository and check
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
helm repo update
helm repo list
helm search repo | grep rancher

2.3 RKE2 install (node2)

  • Configure proxy (if needed)

If your node already has direct internet access permission, skip this step.

export http_proxy="http://10.55.xx.xx:xx"
export https_proxy="http://10.55.xx.xx:xx"
export no_proxy=127.0.0.1,localhost,wistron.com,wistron.com.cn
  • Download RKE2 package
curl -sfL https://get.rke2.io | INSTALL_RKE2_VERSION=v1.30.9+rke2r1 sh -

In mainland China, use the mirror below to install instead:

curl -sfL https://rancher-mirror.rancher.cn/rke2/install.sh | INSTALL_RKE2_MIRROR=cn INSTALL_RKE2_VERSION=v1.30.9+rke2r1 sh -

  • Change registry
mkdir -p /etc/rancher/rke2
vim /etc/rancher/rke2/registries.yaml

Add the following content:

configs:
  "wzs-sat-poc-harbor.wistron.com":
    tls:
      # RKE2 reads snake_case keys here; the camelCase spelling (insecureSkipVerify) is ignored.
      # Safer: replace this line with ca_file pointing at the CA that issued the Harbor
      # certificate, so the mirror's TLS is verified rather than skipped.
      insecure_skip_verify: true
mirrors:
  docker.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.docker.io/$1
      ^[^/]+$: wzs-poc-rke2/proxy.docker.io/library/$1
  gcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.gcr.io/$1
  k8s.gcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.k8s.gcr.io/$1
  ghcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.ghcr.io/$1
  quay.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.quay.io/$1
  mcr.microsoft.com:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.microsoft.com/$1
  registry.k8s.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.registry.k8s.io/$1

  • Create RKE2 config
vim /etc/rancher/rke2/config.yaml

Add the following content:

server: https://10.xx.xx.xx:9345
token: K10670xxxxxx
node-name: "ZSRANCHD2"
tls-san:
  - ZSRANCHD1
  - ZSRANCHD2
  - ZSRANCHD3
node-label:
  - "node=Master"
  - "ZSRANCHD2=Master"
etcd-snapshot-retention: 10
etcd-snapshot-schedule-cron: '*/30 * * * *'
kubelet-arg:
  - "eviction-hard=nodefs.available<1%,memory.available<10Mi"
  - "eviction-soft-grace-period=nodefs.available=30s,imagefs.available=30s"
  - "eviction-soft=nodefs.available<5%,imagefs.available<1%"
  • Snapshot files are stored at /var/lib/rancher/rke2/server/db/snapshots

  • Start service
systemctl daemon-reload
systemctl enable rke2-server.service
systemctl start rke2-server.service

  • Configure kubectl environment variables
cat >> /etc/profile <<'EOF'
export PATH=/var/lib/rancher/rke2/bin:$PATH
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
EOF
source /etc/profile

# quoted 'EOF' keeps $PATH unexpanded, so the current PATH is not frozen into the file
cat >> ~/.bashrc <<'EOF'
export PATH="$PATH:/usr/local/bin:/var/lib/rancher/rke2/bin"
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
EOF

mkdir -p ~/.kube && cd ~/.kube
ln -s /etc/rancher/rke2/rke2.yaml ~/.kube/config
ln -s /var/lib/rancher/rke2/agent/etc/crictl.yaml /etc/crictl.yaml
# chmod follows the symlink: this changes the mode of rke2.yaml itself (the cluster-admin
# kubeconfig); 644 makes it readable by every local user, 600 is the safer choice
chmod 644 ~/.kube/config

Check nodes and pods

kubectl get node
kubectl get pod -A

2.4 RKE2 install (node3)

  • Configure proxy (if needed)

If your node already has direct internet access permission, skip this step.

export http_proxy="http://10.55.xx.xx:xx"
export https_proxy="http://10.55.xx.xx:xx"
export no_proxy=127.0.0.1,localhost,wistron.com,wistron.com.cn
  • Download RKE2 package
curl -sfL https://get.rke2.io | INSTALL_RKE2_VERSION=v1.30.9+rke2r1 sh -

In mainland China, use the mirror below to install instead:

curl -sfL https://rancher-mirror.rancher.cn/rke2/install.sh | INSTALL_RKE2_MIRROR=cn INSTALL_RKE2_VERSION=v1.30.9+rke2r1 sh -

  • Change registry
mkdir -p /etc/rancher/rke2
vim /etc/rancher/rke2/registries.yaml

Add the following content:

configs:
  "wzs-sat-poc-harbor.wistron.com":
    tls:
      # RKE2 reads snake_case keys here; the camelCase spelling (insecureSkipVerify) is ignored.
      # Safer: replace this line with ca_file pointing at the CA that issued the Harbor
      # certificate, so the mirror's TLS is verified rather than skipped.
      insecure_skip_verify: true
mirrors:
  docker.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.docker.io/$1
      ^[^/]+$: wzs-poc-rke2/proxy.docker.io/library/$1
  gcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.gcr.io/$1
  k8s.gcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.k8s.gcr.io/$1
  ghcr.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.ghcr.io/$1
  quay.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.quay.io/$1
  mcr.microsoft.com:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.microsoft.com/$1
  registry.k8s.io:
    endpoint:
      - https://wzs-sat-poc-harbor.wistron.com
    rewrite:
      ^(.*)$: wzs-poc-rke2/proxy.registry.k8s.io/$1

  • Create RKE2 config
vim /etc/rancher/rke2/config.yaml

Add the following content:

server: https://10.xx.xx.xx:9345
token: K10670xxxxxx
node-name: "ZSRANCHD3"
tls-san:
  - ZSRANCHD1
  - ZSRANCHD2
  - ZSRANCHD3
node-label:
  - "node=Master"
  - "ZSRANCHD3=Master"
etcd-snapshot-retention: 10
etcd-snapshot-schedule-cron: '*/30 * * * *'
kubelet-arg:
  - "eviction-hard=nodefs.available<1%,memory.available<10Mi"
  - "eviction-soft-grace-period=nodefs.available=30s,imagefs.available=30s"
  - "eviction-soft=nodefs.available<5%,imagefs.available<1%"
  • Snapshot files are stored at /var/lib/rancher/rke2/server/db/snapshots

  • Start service
systemctl daemon-reload
systemctl enable rke2-server.service
systemctl start rke2-server.service

  • Configure kubectl environment variables
cat >> /etc/profile <<'EOF'
export PATH=/var/lib/rancher/rke2/bin:$PATH
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
EOF
source /etc/profile

# quoted 'EOF' keeps $PATH unexpanded, so the current PATH is not frozen into the file
cat >> ~/.bashrc <<'EOF'
export PATH="$PATH:/usr/local/bin:/var/lib/rancher/rke2/bin"
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
EOF

mkdir -p ~/.kube && cd ~/.kube
ln -s /etc/rancher/rke2/rke2.yaml ~/.kube/config
ln -s /var/lib/rancher/rke2/agent/etc/crictl.yaml /etc/crictl.yaml
# chmod follows the symlink: this changes the mode of rke2.yaml itself (the cluster-admin
# kubeconfig); 644 makes it readable by every local user, 600 is the safer choice
chmod 644 ~/.kube/config

Check nodes and pods

kubectl get node
kubectl get pod -A

4. Install Rancher

Run on node1 only.

4.1 Certificate preparation

4.1.1 Create CSR file

mkdir ~/ssl_key && cd ~/ssl_key
# generate the private key; keep tls.key on this node only, it becomes the ingress TLS secret
openssl genrsa -out ~/ssl_key/tls.key
openssl req -new -key ~/ssl_key/tls.key -out ~/ssl_key/tls.csr

When prompted, enter Common Name: rancher-wzspoc.wistron.com

4.1.2 Create SSL certificate

4.1.2.1 Open the Wistron ADCA and click Request a certificate

4.1.2.2 Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

4.1.2.3 View and copy the Rancher CSR file content

cat tls.csr

4.1.2.4 Paste the Rancher CSR file content into Save Request, select the Certificate Template Wistron Client and Server Authentication, enter Additional Attributes: san:dns=rancher-wzspoc.wistron.com, then click Submit

4.1.2.5 Download the certificate and rename it to rancher-wzspoc.wistron.com.cer

4.1.3 Download the Wistron CA certificate

4.1.3.1 Log in to the Wistron ADCA and click Download a CA certificate, certificate chain, or CRL

4.1.3.2 Select Base 64 and click Download CA certificate

Save the CA certificate as cacerts.pem

  • Upload the Wistron CA certificate and the Rancher domain certificate to the Rancher server

4.2 Rancher install

  • Create the CA secrets in the Rancher cluster
cd ~/ssl_key
kubectl create namespace cattle-system
# tls-ca: the CA that issued the Rancher certificate; Rancher expects the key name cacerts.pem
kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem
# tls-ca-additional: Rancher reads the key ca-additional.pem from this secret
kubectl -n cattle-system create secret generic tls-ca-additional --from-file=ca-additional.pem=cacerts.pem

  • Create the Rancher ingress TLS secret
# inspect the issued certificate (check Subject, SAN and Issuer before using it)
openssl x509 -in rancher-wzspoc.wistron.com.cer -noout -text
cp rancher-wzspoc.wistron.com.cer tls.crt
kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=tls.crt \
  --key=tls.key
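
As an added pre-flight check that is not part of the original runbook, the shell function below validates the files before the two secrets are created: the key matches the certificate, the certificate carries a SAN for the Rancher hostname, it chains to the CA in cacerts.pem, and it is currently valid. The demo material it generates is constructed (a throwaway CA standing in for the Wistron ADCA chain); file names follow the steps above.

```sh
#!/bin/sh
# Added pre-flight check, not from the original runbook: validate the files that go
# into tls-rancher-ingress (tls.key, tls.crt) and tls-ca (cacerts.pem) before
# creating the secrets. Usage: check_tls_material tls.key tls.crt cacerts.pem <hostname>
check_tls_material() {
  key=$1; crt=$2; ca=$3; host=$4
  # 1. key and certificate must carry the same public key (catches a .cer issued for an old CSR)
  kpub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
  cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null \
         | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ -s "$key" ] && [ "$kpub" = "$cpub" ] || { echo "key does not match certificate"; return 1; }
  # 2. the Rancher hostname must be present as a SAN; clients do not rely on the CN alone
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -qE "DNS:$host(,|$)" \
    || { echo "certificate has no SAN for $host"; return 1; }
  # 3. the certificate must chain to the CA that goes into the tls-ca secret
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "certificate does not verify against $ca"; return 1; }
  # 4. it must be valid right now
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate is expired or not yet valid"; return 1; }
  echo ok
}

# Constructed demo material: a throwaway internal CA and a leaf certificate for the
# given host, standing in for the Wistron ADCA chain (cacerts.pem) and the issued .cer.
make_demo_material() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Internal CA" \
    -keyout "$d/ca.key" -out "$d/cacerts.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$d/tls.key" -out "$d/tls.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$1" >"$d/san.cnf"
  openssl x509 -req -days 1 -in "$d/tls.csr" -CA "$d/cacerts.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.cnf" -out "$d/tls.crt" >/dev/null 2>&1
  echo "$d"
}

dir=$(make_demo_material rancher-wzspoc.wistron.com)
check_tls_material "$dir/tls.key" "$dir/tls.crt" "$dir/cacerts.pem" rancher-wzspoc.wistron.com
```

Run it against the real ~/ssl_key files; only an "ok" result means the material is ready for the kubectl create secret steps above.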

  • Install rancher
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=rancher-wzspoc.wistron.com \
  --set replicas=3 \
  --set bootstrapPassword=admin \
  --set ingress.tls.source=secret \
  --set privateCA=true \
  --set additionalTrustedCAs=true \
  --set rancherImageTag=v2.10.3

  • Wait for Rancher to be ready

5. Configure Rancher

5.1 LDAP configuration

  • Login rancher web UI

On first login you will need to set a new admin password.

  • Click Users & Authentication -> Auth Provider -> ActiveDirectory

  • Input the LDAPS information
Hostname/IP: DNS Server FQDN (exp: cnzhsdc2.wzs.wistron)
Port: 3269
Certificate: rancher node server CSR file content (From step 4.1:~/ssl_key/tls.csr)
Service Account Distinguished Name: 
Service Account Password: 
User Search Base: dc=wistron
Group Search Base: dc=wistron

Select Search direct and nested group memberships, then click Test and Enable Authentication using an AD account and password (example: WZSCN\Z10120988).

5.2 User configuration

5.2.1 Add Rancher admin

Select Allow members of clusters and projects, plus authorized users&groups, enter the admin account and click the user/group name, then click Save.

5.2.2 Add Rancher cluster user

Click -> Cluster Management -> , then click Edit Config

Click Member Roles -> Add

Enter the user/group name and assign permissions
