#cloud-config
# Kubernetes node bootstrap for (presumably) an EL10 host — the Kubernetes v1.35
# and EPEL 10 repositories below are the only version signals in this file.
# `#cloud-config` must remain the very first line: cloud-init uses it to
# recognise the user-data type.

# Let cloud-init keep /etc/hosts in sync with the instance hostname.
manage_etc_hosts: true
# Take the hostname from the datasource rather than keeping the image's.
preserve_hostname: false
# NOTE(review): listing `users` without a `- default` entry means the image's
# default user is not created; only `munki` can log in.
users:
  - name: munki
    groups: [ adm, systemd-journal, wheel ]
    # Passwordless sudo for the bootstrap user. Tolerable only because password
    # login is off (ssh_pwauth: false below) and the sole key is
    # authenticator-backed, so compromise of this account needs the hardware key.
    sudo: [ "ALL=(ALL) NOPASSWD:ALL" ]
    ssh_authorized_keys:
      # sk-ecdsa-sha2-nistp256@openssh.com = FIDO security-key-backed key: the
      # on-disk private key is only a handle and is useless without the device.
      - sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBP7ldkl/FpXtPBwvNMR/yxFaTjY7U3W32zWhvFFSlzWaiCrya3xmu2ts3gxvC5wXZoALuK6piF8HuqJKxYM4SoAAAAAEc3NoOg==
# Disable SSH password authentication; key-only access.
ssh_pwauth: false
# overlay: containerd's default snapshotter. br_netfilter: required for the
# net.bridge.* sysctls in /etc/sysctl.d/99-k8s-cri.conf to exist at all.
# NOTE(review): confirm the target cloud-init release honours a top-level
# `kernel_modules` key. If it is ignored, br_netfilter is not loaded when
# `sysctl --system` runs in runcmd and the bridge sysctls silently fail to apply;
# a /etc/modules-load.d entry plus an explicit modprobe removes that dependency.
kernel_modules:
  - overlay
  - br_netfilter
# Bring the image's packages current before installing the list below.
package_upgrade: true
yum_repos:
  # Upstream Kubernetes packages pinned to the v1.35 minor stream; the path must
  # be bumped to move to a newer minor (each minor has its own repo).
  kubernetes:
    name: Kubernetes
    baseurl: https://pkgs.k8s.io/core:/stable:/v1.35/rpm/
    enabled: 1
    gpgcheck: 1
    # Signing key is fetched over HTTPS from the same host that serves the
    # packages, so first-install trust rests on TLS rather than a pre-shipped key.
    gpgkey: https://pkgs.k8s.io/core:/stable:/v1.35/rpm/repodata/repomd.xml.key
  epel:
    name: Extra Packages for Enterprise Linux 10 - $basearch
    metalink: https://mirrors.fedoraproject.org/metalink?repo=epel-10&arch=$basearch&infra=$infra&content=$contentdir
    enabled: 1
    gpgcheck: 1
    # Local path: the key material is written by write_files below, so gpgcheck
    # can succeed before the epel-release package (which also ships this key)
    # is installed.
    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-10
# Installed in one transaction after yum_repos is written. Kubernetes packages
# come from the pinned v1.35 repo; the rest are the kubeadm prerequisites
# (container runtime, CNI/network tooling) plus convenience tools.
packages:
  - epel-release
  - kubelet
  - kubeadm
  - kubectl
  - containerd
  - tar
  - git
  - ipset
  - jq
  - conntrack-tools
  - iproute-tc
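write_files:
  # Kubernetes networking sysctls: bridged traffic must traverse iptables, and
  # forwarding is enabled for both address families. The net.bridge.* keys only
  # exist once br_netfilter is loaded.
  - path: /etc/sysctl.d/99-k8s-cri.conf
    permissions: '0644'
    content: |
      net.bridge.bridge-nf-call-iptables = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      net.ipv4.ip_forward = 1
      net.ipv6.conf.all.forwarding = 1
      net.ipv6.conf.default.forwarding = 1
  # Make overlay/br_netfilter load on every boot, not only on first boot:
  # systemd-modules-load reads this directory early, ahead of sysctl.d being
  # applied, so the bridge sysctls above remain valid after a reboot.
  - path: /etc/modules-load.d/k8s.conf
    permissions: '0644'
    content: |
      overlay
      br_netfilter
  # EPEL 10 signing key, written inline so the epel repo's gpgcheck can pass
  # before epel-release is installed. This is the trust root for everything
  # installed from EPEL; verify its fingerprint against the Fedora project's
  # published key before reusing this config.
  - path: /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-10
    permissions: '0644'
    content: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      mQINBGV4X6kBEAC3eQxgiWuo08uc3mHo4ELux++uqTnYz/tJzEf9Ou3h36WnhumA
      Nvs+Ts5h8PBx879Y9/aIX1Z20p1kf6tBCinZnEJu59n+TAAsph0+XQlV1l5YkleK
      Z2ff/Fg65k8QcLXWaIGykA/FaKznRiSurGuD6tRGhJw7DawEwBJr8QZSkRUpnH1L
      URW97Q/iKrRPiE5VEayE0y8eAL28jIIiFvR+4oJMzvCsRRB/2wYZ2MlJOW91hcYf
      mbUoXKOBD5UzsJylu7kj25K/ge8rEJ7KicOOwcdYddxsU3DxGSSfwF8AMagENcm2
      XROeXknjm84A8sNlUkFZBJwfuc7eRTiZGJrnQQVYLrkKj8Mxpq9Ts7hU51TqAWNI
      uvGDlJdYNE3D2RMqjMEsZ8ej08Thrib6xslu4NzTBkt+6QNnXL4E3hEgYtoyio60
      GswSz2ulogKg7X4JrNdJYE8/qNowyF3hoVgj5TG1/wQRq+5HlMMOLjgGu9wzLUix
      fnVfEUnzaofbrUf4/GabCaeY8xRe4tFQrvzigQ4g+kgwKKnfAeqBmPov0yljkw9z
      BYJWR5zvaw0ffg9Ing00KUSaXBXA5jSlgk1603Y+LefY1SlXsTyqohiRvGH6FI77
      HNMo72DwoJfFcYjncZUzKgXWJECR4nhVsdj6pKoOjcQ4aSuyVxtsR86ASQARAQAB
      tChGZWRvcmEgKGVwZWwxMCkgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQJOBBMB
      CAA4FiEEfY0Vy/xOYmiFkfsmM9mFF+N+0VgFAmV4X6kCGw8FCwkIBwIGFQoJCAsC
      BBYCAwECHgECF4AACgkQM9mFF+N+0Vhv/A/+PlhPLSctGRCUEahE+cN4764Acc3p
      l40ZYzXRhqR0/Tc1/cSDjlA3qVTc8SPohi5OJXwCyr9EiMqKoyoDN097euqbYpyp
      yN/Pj0lBjsXwcpdDtZ21WGeQU0Khb04N68bMtJbDaxeBciTvDDQravZuPPh0m4Rg
      Z6myEoa6Aa6EK0hI1Qwi1qIWeRiuEkVT671IaKVETBW5XiUpNBXDAB/L+6DzUF9u
      scBzfsUDiPO6NrpYDtV3jwq22y6gWluIct/Ka8brwPbqK2sBfFzrHboRhfqlTGjs
      7F9qUGwIQZn/A8iozXZYQ0+JG1bhQyvjA8eN1GOcRpT+O7H7JXN49o6IG2As4+iK
      F04+qjqAu2sVfpD8mzM2VubFNllcKKiyCzRYHhSbObRCPzsudDL9GPiXeGGaCuWg
      sDkiA1MESvf2tLETAGBs/TziO4GwmXUtlKbRiq1FYm90mVq9mBxPZ/Idn+yZusNB
      0O5SXIbI8lYZw5n4XTK4b+byHRBYsOTHiTsGvjTF2Y7oSwW2CVUmL6RZ23mI4qoY
      1p5kzRS+GjT1acnTei/FTsOlIKCsjfeHx7uxCkX6xpAD8P3UtLQqfsgH0CL4vSZt
      TGO6L1InQlp4ZG3OYIomTKbD3/R0wod3U3dTqdulQMXL895u6OLTY3spY2m2MO2k
      p9Dfd2pKuxK9Mys=
      =mhQZ
      -----END PGP PUBLIC KEY BLOCK-----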
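runcmd:
  # 1. Disable swap dynamically and persistently (kubelet refuses to start with
  #    swap active unless explicitly configured to tolerate it).
  - swapoff -a
  - sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
  - systemctl mask zram-generator || true
  # 2. Configure SELinux to permissive dynamically and persistently. Denials are
  #    logged but no longer enforced — a real loss of isolation on the node,
  #    kept because the kubeadm install docs describe it as required for the
  #    container runtime to reach the host filesystem. Revisit if the cluster
  #    is to run with SELinux enforcing.
  - setenforce 0 || true
  - sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
  # 3. Load the modules the bridge sysctls depend on, then apply sysctls. Without
  #    br_netfilter, `sysctl --system` reports net.bridge.* as missing and
  #    continues, leaving bridged pod traffic bypassing iptables.
  - modprobe overlay
  - modprobe br_netfilter
  - sysctl --system
  # 4. Generate containerd config and set the systemd cgroup driver (must match
  #    the kubelet's). The sed is a silent no-op if the generated default no
  #    longer contains the literal "SystemdCgroup = false" — check the result
  #    when moving to a new containerd major.
  - mkdir -p /etc/containerd
  - containerd config default > /etc/containerd/config.toml
  - sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
  # 5. Disable firewalld. All kubelet/API/NodePort ports then answer on every
  #    interface; the cloud security group or a network policy has to take over
  #    that filtering. `|| true` mirrors the guards in steps 1-2 so an image
  #    without firewalld does not abort the remaining steps.
  - systemctl stop firewalld || true
  - systemctl disable firewalld || true
  # 6. Enable and start containerd and kubelet. kubelet restarts in a loop until
  #    `kubeadm init`/`join` writes its config; that is expected at this stage.
  - systemctl enable --now containerd
  - systemctl enable --now kubelet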