In this tutorial, we’ll walk through a simple example of preparing a host from scratch and deploying RKE Government configured to use only internally available dependencies without needing an internet connection.
This tutorial targets Centos or RHEL 7. You will need two hosts in total. One host that has an active internet collection that is used to gather the dependencies, and one you are targeting for your offline installation. The host with an internet connection needs to have Docker installed.
We will be focusing on launching a single node cluster with both agent and server roles creating a fully functional Kubernetes cluster. However, this cluster can easily be expanded.
Be sure to read more about requirements in the RKE requirements documentation.
Note: The dependencies are available for download on GitHub but we have included the manual steps below.
The only difference between doing this installation in an environment with an internet connection and doing it in an air-gapped environment is we need to gather a few dependencies first and extract them into their designated locations on your offline host. This consists of the RKE2 RPMs and their dependencies, container images, and some SELinux RPMs.
We have written a simple bash script that collects all the dependencies and zips them into a single file.
Make an empty folder to mount into your container.
mkdir RKE_DependenciesRun this docker command on your online host and it will grab and zip up everything for you (change the image to centos:7 if you’re planning on running on RHEL/CentOS 7).
docker run --rm \
-v $(pwd)/RKE_Dependencies:/mnt \
-w /mnt centos:8 \
/bin/bash -c \
"curl -sfL https://gist.githubusercontent.com/mddamato/45efeb226b5109fb72a7a7289a943bf3/raw/offline_rke2_tutorial_dep_collection.sh | bash -"If you’re feeling responsible, run
docker run -it --rm -v $(pwd)/RKE_Dependencies:/mnt -w /mnt centos:8 /bin/bash
first. Then inside the container runcurl -sfL https://gist.githubusercontent.com/mddamato/45efeb226b5109fb72a7a7289a943bf3/raw/offline_rke2_tutorial_dep_collection.sh -o offline_rke2_tutorial_dep_collection.sh
so you can review the script contents before youchmod +x offline_rke2_tutorial_dep_collection.shandbash ./offline_rke2_tutorial_dep_collection.sh
All this script does is download the dependencies RKE might need and places them into a tar file so that we can later expand them to build up our RKE Government cluster.
The main components are:
RKE is container-based so we need to ensure all images are available without needing to dial out to a registry. We will need to gather all the container images so that later we can place them on the filesystem of your offline host. These images are already packaged up by Rancher, we just need to download them from the releases page on Github. Our script does this for us, but you can download these from RKE2 releases page on github. In this tutorial, we are going to place the tar file on the offline host directly. There is also an option to use an internal private registry instead, which would enable more simplicity in standing up multiple nodes.
The script installs the yum repo configuration needed to download the RKEGov RPMs plus related dependencies. This roughly comes from the RPM Installation Method in the RKE Documentation. With an online host, we can install these repos, download the packages along with their dependencies, then generate an offline repo so that we can install them later. We will generate this and place that in our tar file with everything else.
On CentOS and RHEL machines SELinux is set to enforcing by default in most cases. Rancher builds RPM packages that install SELinux policies for RKE to work as anticipated with SELinux in enforcing mode. These are also included in the yum repo we talked about earlier. We need to gather the RPM for RKE Government SELinux policies, as well as the other SELinux policies required like container_selinux. Luckily with the repo configuration we already added, these will get gathered along with everything else by the script.
Now that you have your tar file, we are ready to Install RKE onto your offline host. Follow these steps to install RKE.
tar xzvf rke-government-deps-*.tar.gz mkdir -p /var/lib/rancher/rke2/agent/images/
cp rke2-images-canal.linux-amd64.tar.zst /var/lib/rancher/rke2/agent/images/
cp rke2-images-core.linux-amd64.tar.zst /var/lib/rancher/rke2/agent/images/ mkdir -p /var/lib/rancher/yum_repos
tar xzf rke_rpm_deps.tar.gz -C /var/lib/rancher/yum_repos
cat > /etc/yum.repos.d/rke_rpm_deps.repo <<EOF
[rke_rpm_deps]
name=rke_rpm_deps
baseurl=file:///var/lib/rancher/yum_repos/rke_rpm_deps
enabled=0
gpgcheck=0
EOF yum install --disablerepo=* --enablerepo="rke_rpm_deps" rke2-serverRKE Government is now installed but before we launch we need to make sure we add our desired configuration. To launch we just need to start the systemd unit and enable it for automatic starting when the machine reboots. All actions in this section need to be done as the root user.
mkdir -p /etc/rancher/rke2/etc/rancher/rke2/config.yaml. More configuration options are available on the server config section of the docs. For this example, we’re just adding some basic options. cat > /etc/rancher/rke2/config.yaml <<EOF
selinux: true
write-kubeconfig-mode: "0644"
node-label:
- "exampleNodeLabel=true"
EOFrke2-server.service systemd unit so that it starts up with every reboot. systemctl enable rke2-server systemctl start rke2-server journalctl -u rke2-server -f /var/lib/rancher/rke2/bin/ctr -a /run/k3s/containerd/containerd.sock -n k8s.io c lsReady status. Note that you also have a kubeconfig located at /etc/rancher/rke2/rke2.yaml. This contains your initial administrator credentials, be sure to protect this file./var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get noYou can add
/var/lib/rancher/rke2/binand/usr/local/bin/to your path so that you don’t need to specify the entire path every time. Additionally, setKUBECONFIG=/etc/rancher/rke2/rke2.yaml.
You now have a fully functioning RKEGovernment Kubernetes cluster.
A token for adding more nodes to your cluster has been created at /var/lib/rancher/rke2/server/node-token. Use this to register new nodes by providing these RKE configuration keys:
server: https://<kubernetes_controlplane_host>:9345
token: my-shared-secret
tls-san:
- <kubernetes_controlplane_host>.<domain>You could follow this exact procedure for adding more nodes, yum install rke2-agent will allow you to install the agents.
Your Kubernetes cluster is ready! Begin deploying your cloud-native applications or follow some other tutorials including how to configure your air-gap container registries.
RKE Government is a fully conformant Kubernetes distribution that focuses on security and compliance for the U.S. Federal Government. It is tailored specifically for Government use cases, which frequently include Air-Gapped installations. As we’ve seen from this tutorial, anyone can take advantage of the simplicity of RKE Government. Be sure to look at other Rancher resources and tutorials to get the most out of Rancher.
“This publication was prepared or accomplished by the author in a personal capacity. All opinions expressed by the author of this publication are solely their current opinions and do not reflect the opinions of Rancher Federal, Inc., respective parent companies, or affiliates with which the author is affiliated. The author's opinions are based upon information they consider reliable, but neither Rancher Federal, Inc., nor its affiliates, nor the companies with which the author is affiliated, warrant its completeness or accuracy, and it should not be relied upon as such.”