small updates to example values

rancherfederal · Dec 30, 2023 · f82b0cf · f82b0cf
1 parent c927ab9
commit f82b0cf
Show file tree

Hide file tree

Showing 2 changed files with 136 additions and 11 deletions.
diff --git a/examples/aws/values-aws.yaml b/examples/aws/values-aws.yaml
@@ -98,7 +98,7 @@ cluster:
 # node and nodepool(s) values
 nodepools:
   - name: control-plane-nodes
-    quantity: 3
+    quantity: 1
     etcd: true
     controlplane: true
     worker: false
@@ -113,14 +113,14 @@ nodepools:
     ami: ami-079db87dc4c10ac91 # required (example: ami-123456789)
     # blockDurationMinutes: 0
     deviceName: /dev/sda1
-    encryptEbsVolume: false
+    encryptEbsVolume: true
     # kmsKey: ''
     endpoint: ''
     # httpEndpoint: ''
     # httpTokens: ''
     iamInstanceProfile: 'aws-rgs-mgmt-cluster-iam-profile-control' # required (example: rancher-iam-instance-profile) - https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers/amazon
     insecureTransport: false
-    instanceType: m5.2xlarge # required (example: m5.2xlarge)
+    instanceType: m5.xlarge # required (example: m5.2xlarge)
     region: us-east-1 # required (example: us-east-1)
     createSecurityGroup: false
     securityGroups: ['aws-rgs-mgmt-cluster-sg'] # https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements
@@ -130,7 +130,7 @@ nodepools:
     keypairName: ''
     securityGroupReadonly: false
     sshKeyContents: ''
-    subnetId: subnet-076aa666bf2adc2a8 # required (example: subnet-123456789)
+    subnetId: subnet-0cec89a880054891f # required (example: subnet-123456789)
     zone: a # required (example: a)
     monitoring: false
     usePrivateAddress: true
@@ -139,10 +139,10 @@ nodepools:
     # spotPrice: ''
     tags: provisioner,rancher,KeepRunning,true
     retries: 5
-    rootSize: 64
+    rootSize: 128
     sshUser: ec2-user
     volumeType: gp3
-    vpcId: vpc-0934dc8778cdf65db # required (example: vpc-123456789)
+    vpcId: vpc-096766f7c7daaf581 # required (example: vpc-123456789)
     useEbsOptimizedInstance: false
     userData: |
       #cloud-config
@@ -275,7 +275,7 @@ nodepools:
       - sudo mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
       - sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
   - name: worker-nodes
-    quantity: 3
+    quantity: 1
     etcd: false
     controlplane: false
     worker: true
@@ -289,11 +289,14 @@ nodepools:
     # sessionToken: # only needed if not using cloudCredentialSecretName
     ami: ami-079db87dc4c10ac91 # required (example: ami-123456789)
     deviceName: /dev/sda1
-    encryptEbsVolume: false
+    encryptEbsVolume: true
+    # kmsKey: ''
     endpoint: ''
+    # httpEndpoint: ''
+    # httpTokens: ''
     iamInstanceProfile: 'aws-rgs-mgmt-cluster-iam-profile-worker' # required (example: rancher-iam-instance-profile)
     insecureTransport: false
-    instanceType: m5.2xlarge # required (example: m5.2xlarge)
+    instanceType: m5.xlarge # required (example: m5.2xlarge)
     region: us-east-1 # required (example: us-east-1)
     createSecurityGroup: false
     securityGroups: ['aws-rgs-mgmt-cluster-sg'] # https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-requirements/port-requirements
@@ -303,7 +306,7 @@ nodepools:
     keypairName: ''
     securityGroupReadonly: false
     sshKeyContents: ''
-    subnetId: subnet-076aa666bf2adc2a8 # required (example: subnet-123456789)
+    subnetId: subnet-0cec89a880054891f # required (example: subnet-123456789)
     zone: a # required (example: a)
     monitoring: false
     usePrivateAddress: true
@@ -315,7 +318,7 @@ nodepools:
     rootSize: 128
     sshUser: ec2-user
     volumeType: gp3
-    vpcId: vpc-0934dc8778cdf65db # required (example: vpc-123456789)
+    vpcId: vpc-096766f7c7daaf581 # required (example: vpc-123456789)
     useEbsOptimizedInstance: false
     userData: |
       #cloud-config

diff --git a/examples/digitalocean/values-digitalocean.yaml b/examples/digitalocean/values-digitalocean.yaml
@@ -181,6 +181,67 @@ nodepools:
               resources:
               - group: ""
                 resources: ["*"]
+      - path: /etc/rancher/rke2/rancher-pss.yaml
+        owner: root
+        content: |
+          apiVersion: apiserver.config.k8s.io/v1
+          kind: AdmissionConfiguration
+          plugins:
+            - name: PodSecurity
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1
+                kind: PodSecurityConfiguration
+                defaults:
+                  enforce: "restricted"
+                  enforce-version: "latest"
+                  audit: "restricted"
+                  audit-version: "latest"
+                  warn: "restricted"
+                  warn-version: "latest"
+                exemptions:
+                  usernames: []
+                  runtimeClasses: []
+                  namespaces: [calico-apiserver,
+                              calico-system,
+                              carbide-docs-system,
+                              carbide-stigatron-system,
+                              cattle-alerting,
+                              cattle-csp-adapter-system,
+                              cattle-elemental-system,
+                              cattle-epinio-system,
+                              cattle-externalip-system,
+                              cattle-fleet-local-system,
+                              cattle-fleet-system,
+                              cattle-gatekeeper-system,
+                              cattle-global-data,
+                              cattle-global-nt,
+                              cattle-impersonation-system,
+                              cattle-istio,
+                              cattle-istio-system,
+                              cattle-logging,
+                              cattle-logging-system,
+                              cattle-monitoring-system,
+                              cattle-neuvector-system,
+                              cattle-prometheus,
+                              cattle-provisioning-capi-system,
+                              cattle-resources-system,
+                              cattle-sriov-system,
+                              cattle-system,
+                              cattle-ui-plugin-system,
+                              cattle-windows-gmsa-system,
+                              cert-manager,
+                              cis-operator-system,
+                              fleet-default,
+                              fleet-local,
+                              ingress-nginx,
+                              istio-system,
+                              kube-node-lease,
+                              kube-public,
+                              kube-system,
+                              longhorn-system,
+                              rancher-alerting-drivers,
+                              security-scan,
+                              tigera-operator]
       runcmd:
       - sudo sysctl -p
       - sudo yum install -y https://github.com/rancher/rke2-selinux/releases/download/v0.17.stable.1/rke2-selinux-0.17-1.el9.noarch.rpm
@@ -273,6 +334,67 @@ nodepools:
               resources:
               - group: ""
                 resources: ["*"]
+      - path: /etc/rancher/rke2/rancher-pss.yaml
+        owner: root
+        content: |
+          apiVersion: apiserver.config.k8s.io/v1
+          kind: AdmissionConfiguration
+          plugins:
+            - name: PodSecurity
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1
+                kind: PodSecurityConfiguration
+                defaults:
+                  enforce: "restricted"
+                  enforce-version: "latest"
+                  audit: "restricted"
+                  audit-version: "latest"
+                  warn: "restricted"
+                  warn-version: "latest"
+                exemptions:
+                  usernames: []
+                  runtimeClasses: []
+                  namespaces: [calico-apiserver,
+                              calico-system,
+                              carbide-docs-system,
+                              carbide-stigatron-system,
+                              cattle-alerting,
+                              cattle-csp-adapter-system,
+                              cattle-elemental-system,
+                              cattle-epinio-system,
+                              cattle-externalip-system,
+                              cattle-fleet-local-system,
+                              cattle-fleet-system,
+                              cattle-gatekeeper-system,
+                              cattle-global-data,
+                              cattle-global-nt,
+                              cattle-impersonation-system,
+                              cattle-istio,
+                              cattle-istio-system,
+                              cattle-logging,
+                              cattle-logging-system,
+                              cattle-monitoring-system,
+                              cattle-neuvector-system,
+                              cattle-prometheus,
+                              cattle-provisioning-capi-system,
+                              cattle-resources-system,
+                              cattle-sriov-system,
+                              cattle-system,
+                              cattle-ui-plugin-system,
+                              cattle-windows-gmsa-system,
+                              cert-manager,
+                              cis-operator-system,
+                              fleet-default,
+                              fleet-local,
+                              ingress-nginx,
+                              istio-system,
+                              kube-node-lease,
+                              kube-public,
+                              kube-system,
+                              longhorn-system,
+                              rancher-alerting-drivers,
+                              security-scan,
+                              tigera-operator]
       runcmd:
       - sudo sysctl -p
       - sudo yum install -y https://github.com/rancher/rke2-selinux/releases/download/v0.17.stable.1/rke2-selinux-0.17-1.el9.noarch.rpm