diff --git a/examples/aws/values-aws.yaml b/examples/aws/values-aws.yaml
index 0667114..2a9c164 100644
--- a/examples/aws/values-aws.yaml
+++ b/examples/aws/values-aws.yaml
@@ -4,7 +4,7 @@ cloudprovider: amazonec2
 # cloud provider credentials (example: aws-creds)
-cloudCredentialSecretName: aws-creds
+# cloudCredentialSecretName: aws-creds
 # rancher manager url
 rancher:
@@ -98,7 +98,7 @@ cluster:
 # node and nodepool(s) values
 nodepools:
 - name: control-plane-nodes
- quantity: 3
+ quantity: 1
 etcd: true
 controlplane: true
 worker: false
@@ -113,14 +113,14 @@ nodepools:
 ami: ami-079db87dc4c10ac91 # required (example: ami-123456789)
 # blockDurationMinutes: 0
 deviceName: /dev/sda1
- encryptEbsVolume: false
+ encryptEbsVolume: true
 # kmsKey: ''
 endpoint: ''
 # httpEndpoint: ''
 # httpTokens: ''
 iamInstanceProfile: 'aws-rgs-mgmt-cluster-iam-profile-control' # required (example: rancher-iam-instance-profile) - https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon
 insecureTransport: false
- instanceType: m5.2xlarge # required (example: m5.2xlarge)
+ instanceType: m5.xlarge # required (example: m5.2xlarge)
 region: us-east-1 # required (example: us-east-1)
 createSecurityGroup: false
 securityGroups: ['aws-rgs-mgmt-cluster-sg'] # https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements
@@ -130,7 +130,7 @@ nodepools:
 keypairName: ''
 securityGroupReadonly: false
 sshKeyContents: ''
- subnetId: subnet-076aa666bf2adc2a8 # required (example: subnet-123456789)
+ subnetId: subnet-0cec89a880054891f # required (example: subnet-123456789)
 zone: a # required (example: a)
 monitoring: false
 usePrivateAddress: true
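Review bot: Commenting out `cloudCredentialSecretName: aws-creds` removes the only Secret-backed credential reference in this example, and the worker pool's `# sessionToken: # only needed if not using cloudCredentialSecretName` line (in the @@ -289 hunk) suggests the driver then expects the AWS key material inline in the nodepool block, i.e. plaintext credentials in a values file that normally lives in version control. Whether the chart actually falls back to inline keys is inferred from that comment, not visible here. If showing the inline path is the intent, state it on the commented line, e.g. `# cloudCredentialSecretName: aws-creds  # preferred: keeps the AWS key pair in a Secret rather than in this values file`; otherwise keep the Secret reference active.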
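Review bot: `quantity: 1` on `control-plane-nodes` together with `etcd: true` leaves the example with a single etcd member, so losing that instance is an unrecoverable loss of cluster state rather than a degraded quorum; the same reduction is made to `worker-nodes` in the @@ -275 hunk. If this is deliberate to keep the example cheap, a comment such as `quantity: 1  # single etcd member, no quorum; use 3 or 5 for anything beyond a throwaway cluster` stops readers from copying it into a real deployment.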
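Review bot: `encryptEbsVolume: true` is enabled here while `# kmsKey: ''` stays commented out, so the volume presumably ends up encrypted with the account's default EBS key rather than a customer-managed one; if a CMK is intended, set `kmsKey` here, and either way a comment stating which key applies would help. The worker pool in the @@ -289 hunk instead uncomments `kmsKey: ''`, so the two pools disagree on whether "default key" is spelled as an absent key or an empty string — pick one form for both. Separately, `# httpTokens: ''` remains commented in both pools; if the driver accepts the value, `httpTokens: required` would enforce IMDSv2 on these instances and is worth considering alongside the encryption change.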
@@ -139,10 +139,10 @@ nodepools:
 # spotPrice: ''
 tags: provisioner,rancher,KeepRunning,true
 retries: 5
- rootSize: 64
+ rootSize: 128
 sshUser: ec2-user
 volumeType: gp3
- vpcId: vpc-0934dc8778cdf65db # required (example: vpc-123456789)
+ vpcId: vpc-096766f7c7daaf581 # required (example: vpc-123456789)
 useEbsOptimizedInstance: false
 userData: |
 #cloud-config
@@ -275,7 +275,7 @@ nodepools:
 - sudo mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
 - sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
 - name: worker-nodes
- quantity: 3
+ quantity: 1
 etcd: false
 controlplane: false
 worker: true
@@ -289,11 +289,14 @@ nodepools:
 # sessionToken: # only needed if not using cloudCredentialSecretName
 ami: ami-079db87dc4c10ac91 # required (example: ami-123456789)
 deviceName: /dev/sda1
- encryptEbsVolume: false
+ encryptEbsVolume: true
+ kmsKey: ''
 endpoint: ''
+ # httpEndpoint: ''
+ # httpTokens: ''
 iamInstanceProfile: 'aws-rgs-mgmt-cluster-iam-profile-worker' # required (example: rancher-iam-instance-profile)
 insecureTransport: false
- instanceType: m5.2xlarge # required (example: m5.2xlarge)
+ instanceType: m5.xlarge # required (example: m5.2xlarge)
 region: us-east-1 # required (example: us-east-1)
 createSecurityGroup: false
 securityGroups: ['aws-rgs-mgmt-cluster-sg'] # https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements
@@ -303,7 +306,7 @@ nodepools:
 keypairName: ''
 securityGroupReadonly: false
 sshKeyContents: ''
- subnetId: subnet-076aa666bf2adc2a8 # required (example: subnet-123456789)
+ subnetId: subnet-0cec89a880054891f # required (example: subnet-123456789)
 zone: a # required (example: a)
 monitoring: false
 usePrivateAddress: true
@@ -315,7 +318,7 @@ nodepools:
 rootSize: 128
 sshUser: ec2-user
 volumeType: gp3
- vpcId: vpc-0934dc8778cdf65db # required (example: vpc-123456789)
+ vpcId: vpc-096766f7c7daaf581 # required (example: vpc-123456789)
 useEbsOptimizedInstance: false
 userData: |
 #cloud-config
diff --git a/examples/digitalocean/values-digitalocean.yaml b/examples/digitalocean/values-digitalocean.yaml
index 66918e8..c017862 100644
--- a/examples/digitalocean/values-digitalocean.yaml
+++ b/examples/digitalocean/values-digitalocean.yaml
@@ -181,6 +181,67 @@ nodepools:
 resources:
 - group: ""
 resources: ["*"]
+ - path: /etc/rancher/rke2/rancher-pss.yaml
+ owner: root
+ content: |
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [calico-apiserver,
+ calico-system,
+ carbide-docs-system,
+ carbide-stigatron-system,
+ cattle-alerting,
+ cattle-csp-adapter-system,
+ cattle-elemental-system,
+ cattle-epinio-system,
+ cattle-externalip-system,
+ cattle-fleet-local-system,
+ cattle-fleet-system,
+ cattle-gatekeeper-system,
+ cattle-global-data,
+ cattle-global-nt,
+ cattle-impersonation-system,
+ cattle-istio,
+ cattle-istio-system,
+ cattle-logging,
+ cattle-logging-system,
+ cattle-monitoring-system,
+ cattle-neuvector-system,
+ cattle-prometheus,
+ cattle-provisioning-capi-system,
+ cattle-resources-system,
+ cattle-sriov-system,
+ cattle-system,
+ cattle-ui-plugin-system,
+ cattle-windows-gmsa-system,
+ cert-manager,
+ cis-operator-system,
+ fleet-default,
+ fleet-local,
+ ingress-nginx,
+ istio-system,
+ kube-node-lease,
+ kube-public,
+ kube-system,
+ longhorn-system,
+ rancher-alerting-drivers,
+ security-scan,
+ tigera-operator]
 runcmd:
 - sudo sysctl -p
 - sudo yum install -y https://github.com/rancher/rke2-selinux/releases/download/v0.17.stable.1/rke2-selinux-0.17-1.el9.noarch.rpm
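Review bot: Writing `/etc/rancher/rke2/rancher-pss.yaml` only takes effect if the RKE2 server config points at it, and nothing in this hunk (or in the identical copy at @@ -273) shows `pod-security-admission-config-file: /etc/rancher/rke2/rancher-pss.yaml` being set in the RKE2 config; unless that reference lives outside the hunk, the `enforce: "restricted"` defaults are never loaded and the cluster silently keeps RKE2's built-in admission profile. Worth confirming, and if the reference is set elsewhere, a comment on the `path:` line such as `# loaded via pod-security-admission-config-file in /etc/rancher/rke2/config.yaml` ties the two together. The admission configuration is read only by the API server, so if the @@ -273 copy belongs to a worker pool it is dead weight there. The exemption list is broad (`kube-system`, `cattle-system`, `fleet-default`, and so on), which matches the usual Rancher set, but a comment naming the source of the list would make later pruning safer. The enclosing `- path:` entry presumably sits under cloud-init `write_files`, whose key is outside the hunk.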
@@ -273,6 +334,67 @@ nodepools:
 resources:
 - group: ""
 resources: ["*"]
+ - path: /etc/rancher/rke2/rancher-pss.yaml
+ owner: root
+ content: |
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [calico-apiserver,
+ calico-system,
+ carbide-docs-system,
+ carbide-stigatron-system,
+ cattle-alerting,
+ cattle-csp-adapter-system,
+ cattle-elemental-system,
+ cattle-epinio-system,
+ cattle-externalip-system,
+ cattle-fleet-local-system,
+ cattle-fleet-system,
+ cattle-gatekeeper-system,
+ cattle-global-data,
+ cattle-global-nt,
+ cattle-impersonation-system,
+ cattle-istio,
+ cattle-istio-system,
+ cattle-logging,
+ cattle-logging-system,
+ cattle-monitoring-system,
+ cattle-neuvector-system,
+ cattle-prometheus,
+ cattle-provisioning-capi-system,
+ cattle-resources-system,
+ cattle-sriov-system,
+ cattle-system,
+ cattle-ui-plugin-system,
+ cattle-windows-gmsa-system,
+ cert-manager,
+ cis-operator-system,
+ fleet-default,
+ fleet-local,
+ ingress-nginx,
+ istio-system,
+ kube-node-lease,
+ kube-public,
+ kube-system,
+ longhorn-system,
+ rancher-alerting-drivers,
+ security-scan,
+ tigera-operator]
 runcmd:
 - sudo sysctl -p
 - sudo yum install -y https://github.com/rancher/rke2-selinux/releases/download/v0.17.stable.1/rke2-selinux-0.17-1.el9.noarch.rpm