Created
April 14, 2022 09:04
Almost-one-click script to install a hardened RKE2 on CentOS (SELinux enabled, CIS profile) and join the nodes into a cluster
#!/usr/bin/env bash
# NOTICE: This is terribly written and only tested on EC2.
# Make sure the firewall and network-related policies are properly set between
# the hosts: ssh from the machine running this script to every node, and the
# rke2 supervisor port (9345, see the agents' 'server:' entry) from every worker
# to the control-plane node.
# Comments and feedback are welcome :)
# Verified with the following version combination:
# rke2-selinux-0.9-1.el8.noarch
# libselinux-2.9-5.el8.x86_64
# selinux-policy-3.14.3-68.el8.noarch
# container-selinux-2.170.0-1.module_el8.6.0+954+963caf36.noarch
# rke2-common-1.22.8~rke2r1-0.el8.x86_64
# rke2-server-1.22.8~rke2r1-0.el8.x86_64
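# pdsh fans every per-node command out over ssh; nothing below works without it.
command -v pdsh >/dev/null 2>&1 || { echo "pdsh is required" >&2; exit 1; }

# <<< Node addresses must be filled in here (or exported before running),
#     comma separated, no spaces >>>
# e.g. CP=11.11.1.1; WK=11.11.1.2,11.11.1.3
# CP is used as a single address (tls-san, join endpoint), WK may be a list.
CP=${CP:-}
WK=${WK:-}
# The original tested the literal string 'CP' ([ -z CP ]), which is never
# empty, so an unfilled list slipped through and pdsh was run against
# ',<workers>'. Test the values.
if [ -z "$CP" ]; then
  echo "CP is empty" >&2
  exit 1
fi
if [ -z "$WK" ]; then
  echo "WK is empty" >&2
  exit 1
fi

# ssh private key for the nodes; override SSH_KEY instead of editing the path.
# Fail here rather than on the first pdsh call. LogLevel=ERROR only quiets
# banners/warnings, it does not turn off host-key verification.
SSH_KEY=${SSH_KEY:-$HOME/Downloads/NodeKeys/Shared/yshen-se2-shared.pem}
if [ ! -r "$SSH_KEY" ]; then
  echo "ssh private key not readable: $SSH_KEY" >&2
  exit 1
fi
export PDSH_SSH_ARGS_APPEND="-o LogLevel=ERROR -i $SSH_KEY"
# Login user on the nodes; remote-exec escalates with 'sudo su - root', so the
# account presumably needs passwordless sudo.
User=${SSH_USER:-centos}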
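#######################################
# Run one command line as root on every host in $LIST through pdsh.
# Globals:   LIST (read) comma-separated target hosts
#            User (read) ssh login on the nodes
#            PDSH_SSH_ARGS_APPEND is picked up by pdsh itself (key, LogLevel)
# Arguments: the remote command line; all arguments are joined with spaces
# Outputs:   pdsh's output, every line prefixed with '<host>: '
# Returns:   pdsh's exit status (non-zero if any node failed);
#            exits 1 when LIST is empty so a bad target list never fans out
#######################################
remote-exec() {
  local list=$LIST
  if [ -z "$list" ]; then
    echo "Something wrong with target list. \$list: $list" >&2
    exit 1
  fi
  local cmd="$*"
  # Hand pdsh ONE quoted argument. pdsh joins its trailing arguments with
  # spaces anyway, so the node receives the same string as before, but the
  # local shell no longer word-splits or pathname-expands the command (the
  # repo fix passes 'CentOS-*', which an unquoted expansion would glob here).
  # Unchanged caveats: the node runs it via 'sudo su - root -c "..."', so a
  # command containing double quotes or '$' is re-parsed by the remote shell;
  # and anything passed here (join tokens included) shows up in process
  # listings on both ends while it runs.
  pdsh -w "$list" -l "$User" "sudo su - root -c \"$cmd\""
}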
#######################################
# Draw a divider: the argument(s) repeated 80 times on one line, followed by
# two blank lines. Used to separate the per-step output below.
#######################################
print_a_divider() {
  local _rep
  for (( _rep = 0; _rep < 80; _rep++ )); do
    echo -n "$@"
  done
  printf '\n\n\n'
}
# Understand the logic of these two lines before tweaking the command blocks below:
#   echo ' - $SERVER_IP'
#   echo "echo ' - $SERVER_IP'"
# The recipe strings are double-quoted, so every $VARIABLE in them is expanded
# locally before the line is shipped to the node; echoing a line twice shows
# the value the node will actually receive.
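# Start from a clean slate: uninstall rke2 everywhere. If things go awry you
# can re-run the script and it resets the whole cluster. The uninstaller does
# not exist on a fresh host, so this step is allowed to fail.
LIST=$CP,$WK
remote-exec "/usr/bin/rke2-uninstall.sh"

# The following commands are tailored for CentOS Stream 8.
# The author's repo fix: re-enable the commented-out 'mirrorlist=' entries so
# the package install below can resolve the CentOS repositories.
remote-exec "sed -i 's/^#mirrorlist/mirrorlist/g' /etc/yum.repos.d/CentOS-*"
# System account for etcd (presumably needed by the cis-1.6 profile configured
# later; rke2's hardening guide lists an etcd user as a prerequisite).
# The getent guard makes a re-run idempotent instead of failing on
# 'user already exists'.
remote-exec "getent passwd etcd >/dev/null || useradd -r -c 'etcd user' -s /sbin/nologin -M etcd -U"

# Discover how the control-plane/etcd node calls itself. CP is expected to be
# ONE address: it is used verbatim as a tls-san and as the agents' join
# endpoint. pdsh prefixes every output line with '<host>: ', hence the cut.
LIST=$CP
SERVER_IP=$CP
# First address of 'hostname -I' - assumed to be the node's private IP, which
# is what the workers dial.
SERVER_IIP=$(remote-exec "hostname -I|cut -d' ' -f1" | cut -d' ' -f2)
SERVER_HOSTNAME=$(remote-exec "hostname" | cut -d' ' -f2)
if [ -z "$SERVER_IIP" ] || [ -z "$SERVER_HOSTNAME" ]; then
  echo "could not determine the control-plane node's IP/hostname via pdsh (CP=$CP)" >&2
  exit 1
fi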
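# Cluster join token. The original hard-coded 'NOT_A_TOKEN': the server token
# is the shared secret that lets any host able to reach port 9345 join the
# cluster (as a worker, or even as another server), so it must be
# unpredictable. Override with CLUSTER_TOKEN=... to pick your own.
CLUSTER_TOKEN=${CLUSTER_TOKEN:-$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)}
if [ -z "$CLUSTER_TOKEN" ]; then
  echo "could not generate a cluster token" >&2
  exit 1
fi
# Mode of the admin kubeconfig rke2 writes (/etc/rancher/rke2/rke2.yaml).
# 0644, the original value, makes the cluster-admin credential readable by
# every local user on a node that is otherwise being CIS-hardened; nothing in
# this script needs that (the copy below is fetched as root).
KUBECONFIG_MODE=${KUBECONFIG_MODE:-0600}
# Optional version pin for the get.rke2.io installer (RKE2_VERSION, e.g.
# v1.22.8+rke2r1, the combination the header says was verified). Without it
# 'curl | sh' installs whatever is latest at run time, as root.
rke2_version_env=""
[ -n "${RKE2_VERSION:-}" ] && rke2_version_env="INSTALL_RKE2_VERSION='$RKE2_VERSION' "

# One recipe line == one root shell on the node (see remote-exec). $VARS are
# expanded locally, single-quoted text is passed through to the node.
# The token no longer gets printed back: the agents block reads it from the
# server's token file itself.
Prepare_rke2_server="
curl -sfL https://get.rke2.io | ${rke2_version_env}sh -
mkdir -p /etc/rancher/rke2
rm -fv /etc/rancher/rke2/config.yaml
touch /etc/rancher/rke2/config.yaml
chmod 600 /etc/rancher/rke2/config.yaml
echo 'write-kubeconfig-mode: $KUBECONFIG_MODE' >> /etc/rancher/rke2/config.yaml
echo 'token: $CLUSTER_TOKEN' >> /etc/rancher/rke2/config.yaml
echo 'tls-san:' >> /etc/rancher/rke2/config.yaml
echo ' - $SERVER_IP' >> /etc/rancher/rke2/config.yaml
echo ' - $SERVER_IIP' >> /etc/rancher/rke2/config.yaml
echo ' - $SERVER_HOSTNAME' >> /etc/rancher/rke2/config.yaml
echo 'profile: cis-1.6' >> /etc/rancher/rke2/config.yaml
echo 'selinux: true' >> /etc/rancher/rke2/config.yaml
echo 'protect-kernel-defaults: true' >> /etc/rancher/rke2/config.yaml
cp -fv /usr/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
systemctl restart systemd-sysctl
systemctl enable rke2-server.service
systemctl start rke2-server.service
timeout 180s bash -c 'while [ ! -f /var/lib/rancher/rke2/server/token ]; do sleep 1; done'
timeout 180s bash -c 'while [ ! -f /etc/rancher/rke2/rke2.yaml ]; do sleep 1; done'
"
# Run the recipe line by line. The loop reads from a here-string instead of a
# pipe so that 'exit' aborts the whole script rather than a pipeline subshell,
# and every step must succeed: a failed install, service start or wait
# (timeout exits 124) would otherwise only surface when the workers fail to
# join. The token is redacted from the local echo; it is still visible in
# process listings on both ends while its line runs.
while read -r line; do
  [ -z "$line" ] && continue
  print_a_divider "-"
  echo "${line//"$CLUSTER_TOKEN"/<redacted>}"
  if ! remote-exec "$line"; then
    echo "control-plane bootstrap step failed: ${line//"$CLUSTER_TOKEN"/<redacted>}" >&2
    exit 1
  fi
done <<<"$Prepare_rke2_server"
print_a_divider "="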
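# Add the worker nodes. The join token is read back from the server's token
# file (pdsh prefixes the line with '<host>: ', hence the cut; head keeps the
# first line in case CP ever names more than one host).
LIST=$WK
TOKEN=$(LIST=$CP; remote-exec "cat /var/lib/rancher/rke2/server/token" | cut -d' ' -f2 | head -n 1)
if [ -z "$TOKEN" ]; then
  echo "could not read the cluster token from $CP; is rke2-server up?" >&2
  exit 1
fi
# Optional version pin for the get.rke2.io installer (RKE2_VERSION, e.g.
# v1.22.8+rke2r1); keep it identical to the control-plane node.
rke2_version_env=""
[ -n "${RKE2_VERSION:-}" ] && rke2_version_env="INSTALL_RKE2_VERSION='$RKE2_VERSION' "

# One recipe line == one root shell on each worker (see remote-exec).
# config.yaml holds the token, hence the 0600.
Prepare_rke2_agents="
curl -sfL https://get.rke2.io | ${rke2_version_env}INSTALL_RKE2_TYPE='agent' sh -
mkdir -p /etc/rancher/rke2
rm -fv /etc/rancher/rke2/config.yaml
touch /etc/rancher/rke2/config.yaml
chmod 600 /etc/rancher/rke2/config.yaml
echo 'server: https://$SERVER_IIP:9345' >> /etc/rancher/rke2/config.yaml
echo 'token: $TOKEN' >> /etc/rancher/rke2/config.yaml
echo 'selinux: true' >> /etc/rancher/rke2/config.yaml
echo 'protect-kernel-defaults: true' >> /etc/rancher/rke2/config.yaml
cp -fv /usr/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
systemctl restart systemd-sysctl
systemctl enable rke2-agent.service
systemctl start rke2-agent.service
"
# Here-string instead of a pipe so 'exit' aborts the script, and fail fast on
# any step (pdsh returns non-zero when any worker failed). The token is
# redacted from the local echo; it still travels on the pdsh/ssh command line
# and is visible in process listings on both ends while that line runs.
while read -r line; do
  [ -z "$line" ] && continue
  print_a_divider "-"
  echo "${line//"$TOKEN"/<redacted>}"
  if ! remote-exec "$line"; then
    echo "worker bootstrap step failed: ${line//"$TOKEN"/<redacted>}" >&2
    exit 1
  fi
done <<<"$Prepare_rke2_agents"
print_a_divider "="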
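# Fetch the admin kubeconfig from the control-plane node and rewrite it for
# use from here. pdsh prefixes every line with '<host>: ' (host == $SERVER_IP,
# the only entry in LIST), which the first sed strips; the second points the
# 'server:' entry at the node's public address instead of 127.0.0.1 (that
# address is in the tls-san list, so the API certificate is valid for it).
LIST=$CP
KUBECONFIG_OUT=$(pwd)/rke2.yaml
# The file holds cluster-admin credentials: create it 0600 instead of with
# the umask default (typically 0644), and drop any earlier copy so its mode
# does not carry over into the truncate-and-rewrite.
rm -f -- "$KUBECONFIG_OUT"
(
  umask 077
  remote-exec "cat /etc/rancher/rke2/rke2.yaml" \
    | sed -e "s/^$SERVER_IP: //" -e "s/127\.0\.0\.1/$SERVER_IP/g" > "$KUBECONFIG_OUT"
)
if [ ! -s "$KUBECONFIG_OUT" ]; then
  echo "failed to fetch /etc/rancher/rke2/rke2.yaml from $CP" >&2
  exit 1
fi
echo "export KUBECONFIG=$KUBECONFIG_OUT"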