diff --git a/docs/reference/linux_agent_config.md b/docs/reference/linux_agent_config.md
index 9fb8f050..e5692fe4 100644
--- a/docs/reference/linux_agent_config.md
+++ b/docs/reference/linux_agent_config.md
@@ -4,68 +4,90 @@ title: Agent Configuration Reference This is a reference to all parameters that can be used to configure the rke2 agent. Note that while this is a reference to the command line arguments, the best way to configure RKE2 is using the [configuration file](../install/configuration.md#configuration-file). -### RKE2 Agent CLI Help - -> If an option appears in brackets below, for example `[$RKE2_URL]`, it means that the option can be passed in as an environment variable of that name. - -```console -NAME: - rke2 agent - Run node agent - -USAGE: - rke2 agent command [command options] [arguments...] - -COMMANDS: - - -OPTIONS: - --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/rke2/config.yaml") [$RKE2_CONFIG_FILE] - --debug (logging) Turn on debug logs [$RKE2_DEBUG] - --token value, -t value (cluster) Token to use for authentication [$RKE2_TOKEN] - --token-file value (cluster) Token file to use for authentication [$RKE2_TOKEN_FILE] - --server value, -s value (cluster) Server to connect to [$RKE2_URL] - --data-dir value, -d value (data) Folder to hold state (default: "/var/lib/rancher/rke2") - --node-name value (agent/node) Node name [$RKE2_NODE_NAME] - --node-label value (agent/node) Registering and starting kubelet with set of labels - --node-taint value (agent/node) Registering kubelet with set of taints - --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin") - --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml") - --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation - --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs") - --private-registry value (agent/runtime) 
Private registry configuration file (default: "/etc/rancher/rke2/registries.yaml")
- --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node
- --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
- --resolv-conf value (agent/networking) Kubelet resolv.conf file [$RKE2_RESOLV_CONF]
- --kubelet-arg value (agent/flags) Customized flag for kubelet process
- --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process
- --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
- --selinux (agent/node) Enable SELinux in containerd [$RKE2_SELINUX]
- --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$RKE2_LB_SERVER_PORT]
- --kube-apiserver-image value (image) Override image to use for kube-apiserver [$RKE2_KUBE_APISERVER_IMAGE]
- --kube-controller-manager-image value (image) Override image to use for kube-controller-manager [$RKE2_KUBE_CONTROLLER_MANAGER_IMAGE]
- --kube-proxy-image value (image) Override image to use for kube-proxy [$RKE2_KUBE_PROXY_IMAGE]
- --kube-scheduler-image value (image) Override image to use for kube-scheduler [$RKE2_KUBE_SCHEDULER_IMAGE]
- --pause-image value (image) Override image to use for pause [$RKE2_PAUSE_IMAGE]
- --runtime-image value (image) Override image to use for runtime binaries (containerd, kubectl, crictl, etc) [$RKE2_RUNTIME_IMAGE]
- --etcd-image value (image) Override image to use for etcd [$RKE2_ETCD_IMAGE]
- --kubelet-path value (experimental/agent) Override kubelet binary path [$RKE2_KUBELET_PATH]
- --cloud-provider-name value (cloud provider) Cloud provider name [$RKE2_CLOUD_PROVIDER_NAME]
- --cloud-provider-config value (cloud provider) Cloud provider configuration
file path [$RKE2_CLOUD_PROVIDER_CONFIG]
- --profile value (security) Validate system configuration against the selected benchmark (valid items: cis-1.6, cis-1.23 ) [$RKE2_CIS_PROFILE]
- --audit-policy-file value (security) Path to the file that defines the audit policy configuration [$RKE2_AUDIT_POLICY_FILE]
- --control-plane-resource-requests value (components) Control Plane resource requests [$RKE2_CONTROL_PLANE_RESOURCE_REQUESTS]
- --control-plane-resource-limits value (components) Control Plane resource limits [$RKE2_CONTROL_PLANE_RESOURCE_LIMITS]
- --kube-apiserver-extra-mount value (components) kube-apiserver extra volume mounts [$RKE2_KUBE_APISERVER_EXTRA_MOUNT]
- --kube-scheduler-extra-mount value (components) kube-scheduler extra volume mounts [$RKE2_KUBE_SCHEDULER_EXTRA_MOUNT]
- --kube-controller-manager-extra-mount value (components) kube-controller-manager extra volume mounts [$RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_MOUNT]
- --kube-proxy-extra-mount value (components) kube-proxy extra volume mounts [$RKE2_KUBE_PROXY_EXTRA_MOUNT]
- --etcd-extra-mount value (components) etcd extra volume mounts [$RKE2_ETCD_EXTRA_MOUNT]
- --cloud-controller-manager-extra-mount value (components) cloud-controller-manager extra volume mounts [$RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_MOUNT]
- --kube-apiserver-extra-env value (components) kube-apiserver extra environment variables [$RKE2_KUBE_APISERVER_EXTRA_ENV]
- --kube-scheduler-extra-env value (components) kube-scheduler extra environment variables [$RKE2_KUBE_SCHEDULER_EXTRA_ENV]
- --kube-controller-manager-extra-env value (components) kube-controller-manager extra environment variables [$RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_ENV]
- --kube-proxy-extra-env value (components) kube-proxy extra environment variables [$RKE2_KUBE_PROXY_EXTRA_ENV]
- --etcd-extra-env value (components) etcd extra environment variables [$RKE2_ETCD_EXTRA_ENV]
- --cloud-controller-manager-extra-env value (components) cloud-controller-manager extra environment
variables [$RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_ENV]
- --help, -h show help
-```
+### Common
+| Flag | Description | Default | Enviroment Variable |
+| --- | --- | --- | --- |
+| config | Path to config file | /etc/rancher/rke2/config.yaml | RKE2_CONFIG_FILE |
+| debug | Turn on debug logs | | RKE2_DEBUG |
+| data-dir | Folder to hold state | "/var/lib/rancher/rke2" | |
+### Cluster
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| token | Token to use for authentication | RKE2_TOKEN |
+| token-file | Token file to use for authentication | RKE2_TOKEN_FILE |
+| server | Server to connect to | RKE2_URL |
+### Node
+| Flag | Description | Default | Enviroment Variable |
+| --- | --- | --- | --- |
+| node-name | Node name | | RKE2_NODE_NAME |
+| with-node-id | Append id to node name | | |
+| node-label | Registering and starting kubelet with set of labels | | |
+| node-taint | Registering kubelet with set of taints | | |
+| image-credential-provider-bin-dir | The path to the directory where credential provider plugin binaries are located | "/var/lib/rancher/credentialprovider/bin" | |
+| image-credential-provider-config | The path to the credential provider plugin config file | "/var/lib/rancher/credentialprovider/config.yaml" | |
+| selinux | Enable SELinux in containerd | | RKE2_SELINUX |
+| lb-server-port | Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. | 6444 | RKE2_LB_SERVER_PORT |
+| protect-kernel-defaults | Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
| | |
+### Runtime
+| Flag | Description | Default |
+| --- | --- | --- |
+| container-runtime-endpoint | Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path | |
+| default-runtime | Set the default runtime in containerd | |
+| snapshotter | Override default containerd snapshotter | "overlayfs" |
+| private-registry | Private registry configuration file | "/etc/rancher/rke2/registries.yaml" |
+### Containerd
+| Flag | Description |
+| --- | --- |
+| disable-default-registry-endpoint | Disables containerd's fallback default registry endpoint when a mirror is configured for that registry |
+### Networking
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| node-ip | IPv4/IPv6 addresses to advertise for node | |
+| node-external-ip | IPv4/IPv6 external IP addresses to advertise for node | |
+| resolv-conf | Kubelet resolv.conf file | RKE2_RESOLV_CONF |
+### Components
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| kubelet-arg | Customized flag for kubelet process | |
+| kube-proxy-arg | Customized flag for kube-proxy process | |
+| control-plane-resource-requests | Control Plane resource requests | RKE2_CONTROL_PLANE_RESOURCE_REQUESTS |
+| control-plane-resource-limits | Control Plane resource limits | RKE2_CONTROL_PLANE_RESOURCE_LIMITS |
+| control-plane-probe-configuration | Control Plane Probe configuration | RKE2_CONTROL_PLANE_PROBE_CONFIGURATION |
+| kube-apiserver-extra-mount | kube-apiserver extra volume mounts | RKE2_KUBE_APISERVER_EXTRA_MOUNT |
+| kube-scheduler-extra-mount | kube-scheduler extra volume mounts | RKE2_KUBE_SCHEDULER_EXTRA_MOUNT |
+| kube-controller-manager-extra-mount | kube-controller-manager extra volume mounts | RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_MOUNT |
+| kube-proxy-extra-mount | kube-proxy extra volume mounts | RKE2_KUBE_PROXY_EXTRA_MOUNT |
+| etcd-extra-mount | etcd extra volume mounts | RKE2_ETCD_EXTRA_MOUNT |
+|
cloud-controller-manager-extra-mount | cloud-controller-manager extra volume mounts | RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_MOUNT |
+| kube-apiserver-extra-env | kube-apiserver extra environment variables | RKE2_KUBE_APISERVER_EXTRA_ENV |
+| kube-scheduler-extra-env | kube-scheduler extra environment variables | RKE2_KUBE_SCHEDULER_EXTRA_ENV |
+| kube-controller-manager-extra-env | kube-controller-manager extra environment variables | RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_ENV |
+| kube-proxy-extra-env | kube-proxy extra environment variables | RKE2_KUBE_PROXY_EXTRA_ENV |
+| etcd-extra-env | etcd extra environment variables | RKE2_ETCD_EXTRA_ENV |
+| cloud-controller-manager-extra-env | cloud-controller-manager extra environment variables | RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_ENV |
+### Image
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| kube-apiserver-image | Override image to use for kube-apiserver | RKE2_KUBE_APISERVER_IMAGE |
+| kube-controller-manager-image | Override image to use for kube-controller-manager | RKE2_KUBE_CONTROLLER_MANAGER_IMAGE |
+| cloud-controller-manager-image | Override image to use for cloud-controller-manager | RKE2_CLOUD_CONTROLLER_MANAGER_IMAGE |
+| kube-proxy-image | Override image to use for kube-proxy | RKE2_KUBE_PROXY_IMAGE |
+| kube-scheduler-image | Override image to use for kube-scheduler | RKE2_KUBE_SCHEDULER_IMAGE |
+| pause-image | Override image to use for pause | RKE2_PAUSE_IMAGE |
+| runtime-image | Override image to use for runtime binaries (containerd, kubectl, crictl, etc) | RKE2_RUNTIME_IMAGE |
+| etcd-image | Override image to use for etcd | RKE2_ETCD_IMAGE |
+### Cloud Provider
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| cloud-provider-name | Cloud provider name | RKE2_CLOUD_PROVIDER_NAME |
+| cloud-provider-config | Cloud provider configuration file path | RKE2_CLOUD_PROVIDER_CONFIG |
+### Security
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+|
profile | Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated)) | RKE2_CIS_PROFILE |
+| audit-policy-file | Path to the file that defines the audit policy configuration | RKE2_AUDIT_POLICY_FILE |
+| pod-security-admission-config-file | Path to the file that defines Pod Security Admission configuration | RKE2_POD_SECURITY_ADMISSION_CONFIG_FILE |
+### Experimental
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| kubelet-path | Override kubelet binary path | RKE2_KUBELET_PATH |
diff --git a/docs/reference/server_config.md b/docs/reference/server_config.md
index 8c48eae8..27bb08c7 100644
--- a/docs/reference/server_config.md
+++ b/docs/reference/server_config.md
@@ -4,117 +4,175 @@ title: Server Configuration Reference This is a reference to all parameters that can be used to configure the rke2 server. Note that while this is a reference to the command line arguments, the best way to configure RKE2 is using the [configuration file](../install/configuration.md#configuration-file). -### RKE2 Server CLI Help - -> If an option appears in brackets below, for example `[$RKE2_TOKEN]`, it means that the option can be passed in as an environment variable of that name. - -```console -NAME: - rke2 server - Run management server - -USAGE: - rke2 server [OPTIONS] - -OPTIONS: - --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/rke2/config.yaml") [$RKE2_CONFIG_FILE] - --debug (logging) Turn on debug logs [$RKE2_DEBUG] - --bind-address value (listener) rke2 bind address (default: 0.0.0.0) - --advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip) - --tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert - --data-dir value, -d value (data) Folder to hold state (default: "/var/lib/rancher/rke2") - --cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16) - --service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16) - --service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767") - --cluster-dns value (networking) IPv4 Cluster IP for coredns service. 
Should be in your service-cidr range (default: 10.43.0.10)
- --cluster-domain value (networking) Cluster Domain (default: "cluster.local")
- --token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$RKE2_TOKEN]
- --token-file value (cluster) File containing the cluster-secret/token [$RKE2_TOKEN_FILE]
- --write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$RKE2_KUBECONFIG_OUTPUT]
- --write-kubeconfig-mode value (client) Write kubeconfig with this mode [$RKE2_KUBECONFIG_MODE]
- --kube-apiserver-arg value (flags) Customized flag for kube-apiserver process
- --etcd-arg value (flags) Customized flag for etcd process
- --kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process
- --kube-scheduler-arg value (flags) Customized flag for kube-scheduler process
- --etcd-expose-metrics (db) Expose etcd metrics to client interface. (Default false)
- --etcd-disable-snapshots (db) Disable automatic etcd snapshots
- --etcd-snapshot-name value (db) Set the base name of etcd snapshots. Default: etcd-snapshot- (default: "etcd-snapshot")
- --etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours '0 */5 * * *' (default: "0 */12 * * *")
- --etcd-snapshot-retention value (db) Number of snapshots to retain Default: 5 (default: 5)
- --etcd-snapshot-dir value (db) Directory to save db snapshots.
(Default location: ${data-dir}/db/snapshots)
- --etcd-s3 (db) Enable backup to S3
- --etcd-s3-endpoint value (db) S3 endpoint url (default: "s3.amazonaws.com")
- --etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint
- --etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation
- --etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID]
- --etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]
- --etcd-s3-bucket value (db) S3 bucket name
- --etcd-s3-region value (db) S3 region / bucket location (optional) (default: "us-east-1")
- --etcd-s3-folder value (db) S3 folder
- --disable value (components) Do not deploy packaged components and delete any deployed components (valid items: rke2-coredns, rke2-ingress-nginx, rke2-metrics-server)
- --disable-scheduler (components) Disable Kubernetes default scheduler
- --disable-cloud-controller (components) Disable rke2 default cloud controller manager
- --disable-kube-proxy (components) Disable running kube-proxy
- --node-name value (agent/node) Node name [$RKE2_NODE_NAME]
- --node-label value (agent/node) Registering and starting kubelet with set of labels
- --node-taint value (agent/node) Registering kubelet with set of taints
- --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
- --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
- --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation
- --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
- --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/rke2/registries.yaml")
- --node-ip value, -i value (agent/networking)
IPv4/IPv6 addresses to advertise for node
- --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
- --resolv-conf value (agent/networking) Kubelet resolv.conf file [$RKE2_RESOLV_CONF]
- --kubelet-arg value (agent/flags) Customized flag for kubelet process
- --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process
- --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
- --agent-token value (experimental/cluster) Shared secret used to join agents to the cluster, but not servers [$RKE2_AGENT_TOKEN]
- --agent-token-file value (experimental/cluster) File containing the agent secret [$RKE2_AGENT_TOKEN_FILE]
- --server value, -s value (experimental/cluster) Server to connect to, used to join a cluster [$RKE2_URL]
- --cluster-reset (experimental/cluster) Forget all peers and become sole member of a new cluster [$RKE2_CLUSTER_RESET]
- --cluster-reset-restore-path value (db) Path to snapshot file to be restored
- --system-default-registry value (image) Private registry to be used for all system images [$RKE2_SYSTEM_DEFAULT_REGISTRY]
- --selinux (agent/node) Enable SELinux in containerd [$RKE2_SELINUX]
- --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer.
(default: 6444) [$RKE2_LB_SERVER_PORT]
- --cni value (networking) CNI Plugins to deploy, one of none, calico, canal, cilium; optionally with multus as the first value to enable the multus meta-plugin (default: canal) [$RKE2_CNI]
- --kube-apiserver-image value (image) Override image to use for kube-apiserver [$RKE2_KUBE_APISERVER_IMAGE]
- --kube-controller-manager-image value (image) Override image to use for kube-controller-manager [$RKE2_KUBE_CONTROLLER_MANAGER_IMAGE]
- --kube-proxy-image value (image) Override image to use for kube-proxy [$RKE2_KUBE_PROXY_IMAGE]
- --kube-scheduler-image value (image) Override image to use for kube-scheduler [$RKE2_KUBE_SCHEDULER_IMAGE]
- --pause-image value (image) Override image to use for pause [$RKE2_PAUSE_IMAGE]
- --runtime-image value (image) Override image to use for runtime binaries (containerd, kubectl, crictl, etc) [$RKE2_RUNTIME_IMAGE]
- --etcd-image value (image) Override image to use for etcd [$RKE2_ETCD_IMAGE]
- --kubelet-path value (experimental/agent) Override kubelet binary path [$RKE2_KUBELET_PATH]
- --cloud-provider-name value (cloud provider) Cloud provider name [$RKE2_CLOUD_PROVIDER_NAME]
- --cloud-provider-config value (cloud provider) Cloud provider configuration file path [$RKE2_CLOUD_PROVIDER_CONFIG]
- --profile value (security) Validate system configuration against the selected benchmark (valid items: cis-1.6, cis-1.23 ) [$RKE2_CIS_PROFILE]
- --pod-security-admission-config-file value (security) Path to the file that defines the pod security admission configuration
- --audit-policy-file value (security) Path to the file that defines the audit policy configuration [$RKE2_AUDIT_POLICY_FILE]
- --control-plane-resource-requests value (components) Control Plane resource requests [$RKE2_CONTROL_PLANE_RESOURCE_REQUESTS]
- --control-plane-resource-limits value (components) Control Plane resource limits [$RKE2_CONTROL_PLANE_RESOURCE_LIMITS]
- --kube-apiserver-extra-mount value (components) kube-apiserver extra
volume mounts [$RKE2_KUBE_APISERVER_EXTRA_MOUNT] - --kube-scheduler-extra-mount value (components) kube-scheduler extra volume mounts [$RKE2_KUBE_SCHEDULER_EXTRA_MOUNT] - --kube-controller-manager-extra-mount value (components) kube-controller-manager extra volume mounts [$RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_MOUNT] - --kube-proxy-extra-mount value (components) kube-proxy extra volume mounts [$RKE2_KUBE_PROXY_EXTRA_MOUNT] - --etcd-extra-mount value (components) etcd extra volume mounts [$RKE2_ETCD_EXTRA_MOUNT] - --cloud-controller-manager-extra-mount value (components) cloud-controller-manager extra volume mounts [$RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_MOUNT] - --kube-apiserver-extra-env value (components) kube-apiserver extra environment variables [$RKE2_KUBE_APISERVER_EXTRA_ENV] - --kube-scheduler-extra-env value (components) kube-scheduler extra environment variables [$RKE2_KUBE_SCHEDULER_EXTRA_ENV] - --kube-controller-manager-extra-env value (components) kube-controller-manager extra environment variables [$RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_ENV] - --kube-proxy-extra-env value (components) kube-proxy extra environment variables [$RKE2_KUBE_PROXY_EXTRA_ENV] - --etcd-extra-env value (components) etcd extra environment variables [$RKE2_ETCD_EXTRA_ENV] - --cloud-controller-manager-extra-env value (components) cloud-controller-manager extra environment variables [$RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_ENV]``` -``` - ## Critical Configuration Values The following options must be set to the same value on all servers in the cluster. Failure to do so will cause new servers to fail to join the cluster. 
-* `--agent-token`
-* `--cluster-cidr`
-* `--cluster-dns`
-* `--cluster-domain`
-* `--disable-cloud-controller`
-* `--disable-kube-proxy`
-* `--egress-selector-mode`
-* `--service-cidr`
+* `agent-token`
+* `cluster-cidr`
+* `cluster-dns`
+* `cluster-domain`
+* `disable-cloud-controller`
+* `disable-kube-proxy`
+* `egress-selector-mode`
+* `service-cidr`
+
+
+### Common
+| Flag | Description | Default | Enviroment Variable |
+| --- | --- | --- | --- |
+| config | Path to config file | /etc/rancher/rke2/config.yaml | RKE2_CONFIG_FILE |
+| debug | Turn on debug logs | | RKE2_DEBUG |
+| data-dir | Folder to hold state | "/var/lib/rancher/rke2" | |
+### Listener
+| Flag | Description | Default |
+| --- | --- | --- |
+| bind-address | rke2 bind address | 0.0.0.0 |
+| advertise-address | IPv4/IPv6 address that apiserver uses to advertise to members of the cluster | node-external-ip/node-ip |
+| tls-san | Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert | |
+| tls-san-security | Protect the server TLS cert by refusing to add Subject Alternative Names not associated with the kubernetes apiserver service, server nodes, or values of the tls-san option | true |
+### Networking
+| Flag | Description | Default | Enviroment Variable |
+| --- | --- | --- | --- |
+| cluster-cidr | IPv4/IPv6 network CIDRs to use for pod IPs | 10.42.0.0/16 | |
+| service-cidr | IPv4/IPv6 network CIDRs to use for service IPs | 10.43.0.0/16 | |
+| service-node-port-range | Port range to reserve for services with NodePort visibility | "30000-32767" | |
+| cluster-dns | IPv4 Cluster IP for coredns service.
Should be in your service-cidr range | 10.43.0.10 | |
+| cluster-domain | Cluster Domain | "cluster.local" | |
+| egress-selector-mode | One of 'agent', 'cluster', 'pod', 'disabled' | "agent" | |
+| servicelb-namespace | Namespace of the pods for the servicelb component | "kube-system" | |
+| cni | CNI Plugins to deploy, one of none, calico, canal, cilium; optionally with multus as the first value to enable the multus meta-plugin | canal | RKE2_CNI |
+### Client
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| write-kubeconfig | Write kubeconfig for admin client to this file | RKE2_KUBECONFIG_OUTPUT |
+| write-kubeconfig-mode | Write kubeconfig with this mode | RKE2_KUBECONFIG_MODE |
+### Helm
+| Flag | Description |
+| --- | --- |
+| helm-job-image | Default image to use for helm jobs |
+### Cluster
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| token | Shared secret used to join a server or agent to a cluster | RKE2_TOKEN |
+| token-file | File containing the token | RKE2_TOKEN_FILE |
+| agent-token | Shared secret used to join agents to the cluster, but not servers | RKE2_AGENT_TOKEN |
+| agent-token-file | File containing the agent secret | RKE2_AGENT_TOKEN_FILE |
+| server | Server to connect to, used to join a cluster | RKE2_URL |
+| cluster-reset | Forget all peers and become sole member of a new cluster | RKE2_CLUSTER_RESET |
+### Database
+| Flag | Description | Default | Enviroment Variable |
+| --- | --- | --- | --- |
+| cluster-reset-restore-path | Path to snapshot file to be restored | | |
+| etcd-expose-metrics | Expose etcd metrics to client interface. | false | |
+| etcd-disable-snapshots | Disable automatic etcd snapshots | | |
+| etcd-snapshot-name | Set the base name of etcd snapshots | etcd-snapshot-<unix-timestamp>) | |
+| etcd-snapshot-schedule-cron | Snapshot interval time in cron spec. eg.
every 5 hours '0 */5 * * *' | "0 */12 * * *" | |
+| etcd-snapshot-retention | Number of snapshots to retain | 5 | |
+| etcd-snapshot-dir | Directory to save db snapshots. | ${data-dir}/db/snapshots | |
+| etcd-snapshot-compress | Compress etcd snapshot | | |
+| etcd-s3 | Enable backup to S3 | | |
+| etcd-s3-endpoint | S3 endpoint url | "s3.amazonaws.com" | |
+| etcd-s3-endpoint-ca | S3 custom CA cert to connect to S3 endpoint | | |
+| etcd-s3-skip-ssl-verify | Disables S3 SSL certificate validation | | |
+| etcd-s3-access-key | S3 access key | | AWS_ACCESS_KEY_ID |
+| etcd-s3-secret-key | S3 secret key | | AWS_SECRET_ACCESS_KEY |
+| etcd-s3-bucket | S3 bucket name | | |
+| etcd-s3-region | S3 region / bucket location (optional) | "us-east-1" | |
+| etcd-s3-folder | S3 folder | | |
+| etcd-s3-insecure | Disables S3 over HTTPS | | |
+| etcd-s3-timeout | S3 timeout | 5m0s | |
+### Flags
+| Flag | Description |
+| --- | --- |
+| kube-apiserver-arg | Customized flag for kube-apiserver process |
+| etcd-arg | Customized flag for etcd process |
+| kube-controller-manager-arg | Customized flag for kube-controller-manager process |
+| kube-scheduler-arg | Customized flag for kube-scheduler process |
+| kube-cloud-controller-manager-arg | Customized flag for kube-cloud-controller-manager process |
+### Components
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| disable | Do not deploy packaged components and delete any deployed components (valid items: rke2-coredns, rke2-ingress-nginx, rke2-metrics-server) | |
+| disable-scheduler | Disable Kubernetes default scheduler | |
+| disable-cloud-controller | Disable rke2 default cloud controller manager | |
+| disable-kube-proxy | Disable running kube-proxy | |
+| enable-servicelb | Enable rke2 default cloud controller manager's service controller | RKE2_ENABLE_SERVICELB |
+| control-plane-resource-requests | Control Plane resource requests | RKE2_CONTROL_PLANE_RESOURCE_REQUESTS |
+|
control-plane-resource-limits | Control Plane resource limits | RKE2_CONTROL_PLANE_RESOURCE_LIMITS |
+| control-plane-probe-configuration | Control Plane Probe configuration | RKE2_CONTROL_PLANE_PROBE_CONFIGURATION |
+| kube-apiserver-extra-mount | kube-apiserver extra volume mounts | RKE2_KUBE_APISERVER_EXTRA_MOUNT |
+| kube-scheduler-extra-mount | kube-scheduler extra volume mounts | RKE2_KUBE_SCHEDULER_EXTRA_MOUNT |
+| kube-controller-manager-extra-mount | kube-controller-manager extra volume mounts | RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_MOUNT |
+| kube-proxy-extra-mount | kube-proxy extra volume mounts | RKE2_KUBE_PROXY_EXTRA_MOUNT |
+| etcd-extra-mount | etcd extra volume mounts | RKE2_ETCD_EXTRA_MOUNT |
+| cloud-controller-manager-extra-mount | cloud-controller-manager extra volume mounts | RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_MOUNT |
+| kube-apiserver-extra-env | kube-apiserver extra environment variables | RKE2_KUBE_APISERVER_EXTRA_ENV |
+| kube-scheduler-extra-env | kube-scheduler extra environment variables | RKE2_KUBE_SCHEDULER_EXTRA_ENV |
+| kube-controller-manager-extra-env | kube-controller-manager extra environment variables | RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_ENV |
+| kube-proxy-extra-env | kube-proxy extra environment variables | RKE2_KUBE_PROXY_EXTRA_ENV |
+| etcd-extra-env | etcd extra environment variables | RKE2_ETCD_EXTRA_ENV |
+| cloud-controller-manager-extra-env | cloud-controller-manager extra environment variables | RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_ENV |
+### Image
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| kube-apiserver-image | Override image to use for kube-apiserver | RKE2_KUBE_APISERVER_IMAGE |
+| kube-controller-manager-image | Override image to use for kube-controller-manager | RKE2_KUBE_CONTROLLER_MANAGER_IMAGE |
+| cloud-controller-manager-image | Override image to use for cloud-controller-manager | RKE2_CLOUD_CONTROLLER_MANAGER_IMAGE |
+| kube-proxy-image | Override image to use for kube-proxy |
RKE2_KUBE_PROXY_IMAGE |
+| kube-scheduler-image | Override image to use for kube-scheduler | RKE2_KUBE_SCHEDULER_IMAGE |
+| pause-image | Override image to use for pause | RKE2_PAUSE_IMAGE |
+| runtime-image | Override image to use for runtime binaries (containerd, kubectl, crictl, etc) | RKE2_RUNTIME_IMAGE |
+| etcd-image | Override image to use for etcd | RKE2_ETCD_IMAGE |
+### Cloud Provider
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| cloud-provider-name | Cloud provider name | RKE2_CLOUD_PROVIDER_NAME |
+| cloud-provider-config | Cloud provider configuration file path | RKE2_CLOUD_PROVIDER_CONFIG |
+### Security
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| profile | Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated)) | RKE2_CIS_PROFILE |
+| audit-policy-file | Path to the file that defines the audit policy configuration | RKE2_AUDIT_POLICY_FILE |
+| pod-security-admission-config-file | Path to the file that defines Pod Security Admission configuration | RKE2_POD_SECURITY_ADMISSION_CONFIG_FILE |
+### Experimental
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| embedded-registry | Enable embedded distributed container registry; requires use of embedded containerd | |
+| enable-pprof | Enable pprof endpoint on supervisor port | |
+| kubelet-path | Override kubelet binary path | RKE2_KUBELET_PATH |
+### Agent/Node
+| Flag | Description | Default | Enviroment Variable |
+| --- | --- | --- | --- |
+| node-name | Node name | | RKE2_NODE_NAME |
+| with-node-id | Append id to node name | | |
+| node-label | Registering and starting kubelet with set of labels | | |
+| node-taint | Registering kubelet with set of taints | | |
+| image-credential-provider-bin-dir | The path to the directory where credential provider plugin binaries are located | "/var/lib/rancher/credentialprovider/bin" | |
+| image-credential-provider-config | The path to the
credential provider plugin config file | "/var/lib/rancher/credentialprovider/config.yaml" | |
+| protect-kernel-defaults | Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults. | | |
+| selinux | Enable SELinux in containerd | | RKE2_SELINUX |
+| lb-server-port | Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. | 6444 | RKE2_LB_SERVER_PORT |
+### Agent/Runtime
+| Flag | Description | Default | Enviroment Variable |
+| --- | --- | --- | --- |
+| container-runtime-endpoint | Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path | | |
+| default-runtime | Set the default runtime in containerd | | |
+| snapshotter | Override default containerd snapshotter | "overlayfs" | |
+| private-registry | Private registry configuration file | "/etc/rancher/rke2/registries.yaml" | |
+| system-default-registry | Private registry to be used for all system images | | RKE2_SYSTEM_DEFAULT_REGISTRY |
+### Agent/Containerd
+| Flag | Description |
+| --- | --- |
+| disable-default-registry-endpoint | Disables containerd's fallback default registry endpoint when a mirror is configured for that registry |
+### Agent/Networking
+| Flag | Description | Enviroment Variable |
+| --- | --- | --- |
+| node-ip | IPv4/IPv6 addresses to advertise for node | |
+| node-external-ip | IPv4/IPv6 external IP addresses to advertise for node | |
+| resolv-conf | Kubelet resolv.conf file | RKE2_RESOLV_CONF |
+### Agent/Flags
+| Flag | Description |
+| --- | --- |
+| kubelet-arg | Customized flag for kubelet process |
+| kube-proxy-arg | Customized flag for kube-proxy process |
diff --git a/scripts/help_to_markdown.py b/scripts/help_to_markdown.py
new file mode 100644
index 00000000..dcb492fa
--- /dev/null
+++ b/scripts/help_to_markdown.py
@@ -0,0 +1,149 @@
+# This script takes the output of `rke2 server -h` and converts it to markdown tables
+# Example: rke2 server -h | python3 help_to_markdown.py /dev/stdin > help.md
+
+import sys
+import re
+
+filename = sys.argv[1]
+is_agent = False
+if len(sys.argv) == 3:
+ is_agent = sys.argv[2] == "agent"
+
+
+with open(filename, 'r') as file:
+ lines = file.readlines()
+
+
+def weirdGroups(group):
+ if group == "db":
+ group = "database"
+ if group.startswith("experimental"):
+ group = "experimental"
+ if is_agent and group.startswith("agent/"):
+ group = group.split("agent/")[1]
+ if is_agent and group.startswith("flags"):
+ group = "components"
+ return group
+
+
+def docusaurusFormat(string):
+ if "<" in string:
+ string = string.replace("<", "<")
+ if ">" in string:
+ string = string.replace(">", ">")
+
+ if "{" in string:
+ string = string.replace("{", "{")
+ if "}" in string:
+ string = string.replace("}", "}")
+
+ return string
+
+def constructHeader(value):
+ has_env_var = any(env_var != "" for _, _, _, env_var in value)
+ has_default = any(default != "" for _, _, default, _ in value)
+ header = "| Flag | Description |"
+ columns = "| --- | --- |"
+ if has_default:
+ header += " Default |"
+ columns += " --- |"
+ if has_env_var:
+ header += " Enviroment Variable |"
+ columns += " --- |"
+ return header + "\n" + columns, has_default, has_env_var
+
+found_options = False
+# Dictionary of groups, each group has a list of tuples (key, description, default)
+options_dict = {}
+# Hardcode config flag because its got FILE, not value plus default and env var
+options_dict["common"] = [("config", "Path to config file", "/etc/rancher/rke2/config.yaml", "RKE2_CONFIG_FILE")]
+
+for line in lines:
+ if not found_options:
+ if "OPTIONS" in line:
+ found_options = True
+ continue
+
+ if found_options:
+ # This match handles flags with defaults and/or env vars
+ match = re.search(r'--([\w\d-]+)\s(?:value|\s).*?\((.*?)\)\s+(.*?)(?:\(default: |\[)(.*)(?:\)|\])', line)
+ if match:
+ key = match.group(1)
+ group = weirdGroups(match.group(2))
+ description = match.group(3)
+ # We don't want to catch ${data-dir}, so check second letter
+ if match.group(4).startswith("$") and match.group(4)[1].isalpha():
+ env_var = match.group(4).strip("$")
+ default = ""
+ # Case for default capture including an env var
+ elif ") [$" in match.group(4):
+ sections = match.group(4).split(") [$")
+ default = sections[0]
+ env_var = sections[1].strip("]")
+ else:
+ env_var = ""
+ default = match.group(4)
+
+ if key == "data-dir" or key == "debug":
+ group = "common"
+
+ # Docusaurus doesn't like < or >
+ default = docusaurusFormat(default)
+
+ if group in options_dict:
+ options_dict[group].append((key, description, default, env_var))
+ else:
+ options_dict[group] = [(key, description, default, env_var)]
+ else:
+ # This match handles flags with no defaults or env vars
+ match = re.search(r'--([\w\d-]+)\s(?:value|\s).*?\((.*?)\)\s+(.*)$', line)
+ if match:
+ key = match.group(1)
+ group = weirdGroups(match.group(2))
+ description = match.group(3)
+ default = ""
+ env_var = ""
+
+ if group in options_dict:
+ options_dict[group].append((key, description, "", ""))
+ else:
+ options_dict[group] = [(key, description, "", "")]
+
+
+agent_dict = {}
+
+for group, value in options_dict.items():
+
+ if group.startswith("agent") or group.startswith("experimental"):
+ agent_dict[group] = options_dict[group]
+ continue
+
+ print(f"### {group.title()}")
+ header, has_default, has_env = constructHeader(value)
+ print(header)
+
+ for key, description, default, env_var in value:
+ if has_default and has_env:
+ print(f"| {key} | {description} | {default} | {env_var} |")
+ elif has_default:
+ print(f"| {key} | {description} | {default} |")
+ elif has_env:
+ print(f"| {key} | {description} | {env_var} |")
+ else:
+ print(f"| {key} | {description} |")
+
+for group, value in agent_dict.items():
+
+ print(f"### {group.title()}")
+ header, has_default, has_env = constructHeader(value)
+ print(header)
+
+ for key, description, default, env_var in value:
+ if has_default and has_env:
+ print(f"| {key} | {description} | {default} | {env_var} |")
+ elif has_default:
+ print(f"| {key} | {description} | {default} |")
+ elif has_env:
+ print(f"| {key} | {description} | {env_var} |")
+ else:
+ print(f"| {key} | {description} |")
\ No newline at end of file
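Review bot: `docusaurusFormat` as rendered here replaces each of `<`, `>`, `{` and `}` with itself, so it is a no-op and the "Docusaurus doesn't like < or >" comment at its call site is not honoured; if the intended replacements were the HTML entities `&lt;`, `&gt;`, `&#123;` and `&#125;` that text may have been lost in rendering, but either way the function is applied only to `default` and never to `description`, so a `{`, `}` or `<` in any help-text description still reaches the MDX output unescaped — add `description = docusaurusFormat(description)` next to the existing call. The guard `match.group(4).startswith("$") and match.group(4)[1].isalpha()` raises IndexError when the capture is exactly `$`; `len(match.group(4)) > 1 and match.group(4)[1].isalpha()` avoids that. The header literal `" Enviroment Variable |"` in `constructHeader` is misspelled and is what produces the "Enviroment Variable" column in every generated table in the docs hunk above; change it to `" Environment Variable |"`. The two identical print loops over `options_dict` and `agent_dict` could share a small `print_group(group, value)` helper so the column logic exists once.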