Add installation guide for Rancher RKE2 #3
Added detailed installation instructions for Rancher RKE2, including environment configuration, cluster deployment, and security hardening steps.
This PR is being reviewed by Cursor Bugbot
| ```bash | ||
| #!/bin/bash | ||
| PROXY_URL="[http://10.14.46.197:3128](http://10.14.46.197:3128)" | ||
| NO_PROXY_LIST="localhost,127.0.0.1,0.0.0.0,10.42.0.0/16,10.43.0.0/16,.svc,.cluster.local" |
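Review bot: PROXY_URL in this snippet is assigned a markdown link literal, `"[http://10.14.46.197:3128](http://10.14.46.197:3128)"`, inside the quotes, so anything that sources this script would export the bracketed string rather than a URL and every proxied request would fail; the line should read `PROXY_URL="http://10.14.46.197:3128"`, and since that address is site-specific it is better replaced with a placeholder the reader fills in. Two smaller points on NO_PROXY_LIST: `0.0.0.0` is never a destination host, so the entry does nothing, and a list meant for rke2-server and rke2-agent should also cover the node and load-balancer addresses these services talk to, not only the pod and service CIDRs.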
NO_PROXY mismatch will route cluster traffic through proxy
The NO_PROXY_LIST in Phase 2's systemd proxy configuration only includes 10.42.0.0/16 and 10.43.0.0/16, but the load balancer IP 10.49.71.135 falls outside these ranges. When additional masters attempt to join the cluster by connecting to https://${LB_IP}:9345, the RKE2 systemd service will route this traffic through the proxy, likely causing connection failures. Phase 1 correctly uses 10.0.0.0/8 which covers the LB IP, but Phase 2 doesn't, creating an inconsistency that breaks cluster join operations in proxied environments.
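The mismatch described above is easy to test before the first node join. The following Python pre-flight check is an added example, not part of the PR or of the Bugbot review: it reproduces the NO_PROXY matching rules that curl, Go's net/http and Python's urllib apply (exact host, CIDR for IP literals, leading-dot domain suffix) and reports which destinations would still be sent through the proxy. The Phase 1 and Phase 2 lists and the load balancer join URL are constructed from the values quoted in the comment; the target list is illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed from the values quoted in the review: the Phase 2 list as committed,
# the Phase 1 list with its 10.0.0.0/8 entry, and the load balancer join URL.
PHASE2_NO_PROXY = "localhost,127.0.0.1,0.0.0.0,10.42.0.0/16,10.43.0.0/16,.svc,.cluster.local"
PHASE1_NO_PROXY = "localhost,127.0.0.1,10.0.0.0/8,.svc,.cluster.local"
LB_JOIN_URL = "https://10.49.71.135:9345"


def host_of(target: str) -> str:
    """Extract the host from a URL ("https://h:9345") or a bare "host[:port]"."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0] if ":" in target else target


def bypasses_proxy(target: str, no_proxy: str) -> bool:
    """Return True if the target's host matches an entry in no_proxy.

    Entries are interpreted the way common HTTP clients do: an exact host,
    a CIDR (matched against IP-literal hosts only), or a leading-dot domain
    suffix (".svc" matches "kubernetes.default.svc").
    """
    host = host_of(target)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal

    for entry in (e.strip() for e in no_proxy.split(",")):
        if not entry:
            continue
        if "/" in entry:
            if ip is not None and ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry.startswith("."):
            if ip is None and (host.endswith(entry) or host == entry[1:]):
                return True
        elif entry == host:
            return True
    return False


def proxied_targets(targets, no_proxy):
    """Return the subset of targets that would be sent through the proxy."""
    return [t for t in targets if not bypasses_proxy(t, no_proxy)]


if __name__ == "__main__":
    # Illustrative destinations an RKE2 node contacts during join and operation.
    targets = [
        LB_JOIN_URL,
        "https://10.43.0.1:443",          # kube-apiserver service IP
        "kubernetes.default.svc",          # in-cluster DNS name
        "https://registry.example.com",    # external registry, should use the proxy
    ]
    for label, lst in (("Phase 1", PHASE1_NO_PROXY), ("Phase 2", PHASE2_NO_PROXY)):
        print(f"{label}: via proxy -> {proxied_targets(targets, lst)}")
```

Running it shows the LB join URL under "via proxy" for the Phase 2 list and not for the Phase 1 list, which is exactly the inconsistency the review describes; keeping both phases on the same list (or generating both from one variable) removes the class of bug.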
| add_header X-Frame-Options "deny" always; | ||
| add_header X-Content-Type-Options "nosniff" always; | ||
| add_header Referrer-Policy "no-referrer-when-downgrade" always; | ||
| add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; worker-src-blob 'self'; style-src 'unsafe-inline 'self'; frame-ancestors 'self'" always; |
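Review bot: the first and last lines of this block disagree on framing policy: `X-Frame-Options "deny"` forbids all framing, while `frame-ancestors 'self'` permits same-origin framing, and browsers that understand frame-ancestors ignore X-Frame-Options when both are present, so the effective policy is 'self' in modern browsers and deny in legacy ones. Pick one intent and make both headers say it (`X-Frame-Options "SAMEORIGIN"` if same-origin framing is needed, otherwise `frame-ancestors 'none'`). Two further points worth a sentence in the guide: `'unsafe-eval'` in script-src removes most of the directive's value, so the doc should state why Rancher's UI needs it, and `Referrer-Policy "no-referrer-when-downgrade"` still sends the full URL to cross-origin HTTPS destinations, where `strict-origin-when-cross-origin` would limit that to the origin.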
Malformed Content-Security-Policy header has syntax errors
The Content-Security-Policy header contains syntax errors that will cause it to be ignored or behave incorrectly. The directive worker-src-blob is invalid—it appears intended to be worker-src blob: (using blob: as a scheme source). Additionally, 'unsafe-inline 'self' in the style-src directive is missing a closing quote—it needs to be 'unsafe-inline' 'self'. These errors may cause browsers to reject or misinterpret the CSP policy.
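Both defects above are the kind a small linter catches before the header ever reaches a browser. The following Python check is an added example, not part of the PR or the Bugbot review: it splits a CSP value into directives, flags directive names that are not in the CSP specification, flags quoted keyword sources whose closing quote is missing, and separately lists sources that loosen script or style restrictions. The two policy strings are constructed from the header in the PR and from the fix the review suggests; the directive and keyword tables are written from the CSP Level 3 specification.

```python
import re

# Directive names defined by CSP Level 3 (fetch, document, navigation and reporting).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "prefetch-src", "base-uri", "sandbox",
    "form-action", "frame-ancestors", "report-uri", "report-to",
    "upgrade-insecure-requests", "block-all-mixed-content",
    "require-trusted-types-for", "trusted-types",
}
# Quoted keyword sources; nonces and hashes are matched by the regex below.
KEYWORD_SOURCES = {
    "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
    "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'",
}
HASH_OR_NONCE = re.compile(r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$")

# Constructed from the PR's header value and from the corrected form the review proposes.
BROKEN_CSP = ("script-src 'self' 'unsafe-eval'; worker-src-blob 'self'; "
              "style-src 'unsafe-inline 'self'; frame-ancestors 'self'")
FIXED_CSP = ("script-src 'self' 'unsafe-eval'; worker-src blob: 'self'; "
             "style-src 'unsafe-inline' 'self'; frame-ancestors 'self'")


def parse_csp(policy: str):
    """Split a policy into (directive-name, [source tokens]) pairs."""
    directives = []
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def lint_csp(policy: str):
    """Return a list of syntax problems; an empty list means the policy parses cleanly."""
    errors = []
    for name, sources in parse_csp(policy):
        if name not in KNOWN_DIRECTIVES:
            errors.append(f"unknown directive '{name}'")
        for src in sources:
            if src.startswith("'"):
                # A keyword, nonce or hash must be wrapped in matching single quotes.
                if len(src) < 2 or not src.endswith("'"):
                    errors.append(f"{name}: unterminated quote in {src}")
                elif src not in KEYWORD_SOURCES and not HASH_OR_NONCE.match(src):
                    errors.append(f"{name}: unknown keyword {src}")
    return errors


def weak_sources(policy: str):
    """Report sources that loosen script or style restrictions (informational, not errors)."""
    findings = []
    for name, sources in parse_csp(policy):
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                findings.append(f"{name} allows {src}")
    return findings


if __name__ == "__main__":
    for label, policy in (("committed", BROKEN_CSP), ("fixed", FIXED_CSP)):
        print(f"{label}: errors={lint_csp(policy)} weak={weak_sources(policy)}")
```

On the committed value the linter reports the unknown `worker-src-blob` directive and the unterminated `'unsafe-inline` token; on the corrected value it reports no errors but still lists `'unsafe-eval'` and `'unsafe-inline'`, which is the reminder that a syntactically valid header can still be a permissive one.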
| cat <<EOF > /etc/rancher/rke2/config.yaml | ||
| tls-san: | ||
| - ${LB_IP} | ||
| - lb.igate-rke2.cluster |
Hardcoded internal hostname in TLS configuration example
Medium Severity
The TLS SAN configuration includes lb.igate-rke2.cluster, which appears to be an internal hostname specific to someone's environment rather than a placeholder for users to customize. While ${LB_IP} is properly parameterized, this hardcoded hostname would be incorrectly added to users' Kubernetes TLS certificates, potentially causing certificate validation issues or confusion.
Note
Introduces comprehensive documentation for deploying an HA RKE2 cluster with Rancher and tightens ingress security guidance.
- infra/rancher/install-rancher-rke2.md: details environment prep (proxy, SELinux/firewalld), required ports, systemd proxy config for rke2-{server,agent}, master init/join steps, Helm + cert-manager install, Rancher Helm deployment (3 replicas), and Nginx ingress security headers via HelmChartConfig.
- infra/README.md: renames to Rancher Kubernetes Engine, adds Kubernetes/Rancher learning links, and includes a new "Database (PostgreSQL, MySQL, NoSQL)" entry.

Written by Cursor Bugbot for commit 2a0e4e4.