🚀 RKE2 + Rancher on AWS EC2: Secure, Scalable Kubernetes Management


Deploying Kubernetes securely across multiple EC2 instances can feel daunting—but with RKE2 and Rancher, it's simpler than you think. In this post, we’ll walk through setting up RKE2 (Rancher Kubernetes Engine v2) and Rancher on 3 Amazon EC2 instances, focusing on security, scalability, and ease of management.
🛠️ What We’ll Set Up
✅ RKE2: A security-hardened Kubernetes distribution built by Rancher.
✅ Rancher: A powerful UI and API for managing Kubernetes clusters.
✅ 3 EC2 Instances: One server (control plane) and two agents (workers).
✅ Self-signed TLS with cert-manager
✅ Access Rancher via a public domain using sslip.io
Prerequisites
The prerequisites are straightforward. We need 3 Amazon EC2 instances running a Linux-based OS (e.g., Ubuntu 22.04 or CentOS 7/8), each with:
Instance Type: t3.medium (2 vCPUs, 4 GiB RAM)
Public IP: Enabled for each instance
Security Group: Allow inbound access on required ports (e.g., SSH 22, HTTP/HTTPS 80/443, Kubernetes ports as needed)
Key Pair: For SSH access
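The security-group bullet above leaves "Kubernetes ports as needed" open. As an added example that is not part of the original post, here is a small sh script around the AWS CLI that expresses a least-privilege rule set for the three nodes: administrative ports are opened only to one admin CIDR, and cluster ports are opened only to the security group itself, so the nodes can reach each other but nothing on the internet can. Assumed: all three instances share one security group (the sg id and CIDR in the demo are constructed placeholders); the port list (9345 supervisor, 6443 API server, 10250 kubelet, 8472/udp Canal VXLAN) follows RKE2's networking requirements for its default Canal CNI, so check it against the RKE2 docs for your version, and add 2379-2380/tcp between servers only if you later add more server nodes. Widen 80/443 deliberately if people outside the admin CIDR need the Rancher UI.

```shell
#!/bin/sh
# Added example, not from the original post: least-privilege inbound rules for
# one security group shared by rancher-01/02/03 (sg id and CIDR are constructed).
# Admin ports open only to ADMIN_CIDR; cluster ports open only to the group
# itself (--source-group), so nodes reach each other but the internet cannot.
# Ports follow RKE2's networking requirements for the default Canal CNI:
#   22/tcp SSH, 80+443/tcp Rancher ingress (rke2-ingress-nginx host ports),
#   6443/tcp kube-apiserver, 9345/tcp RKE2 supervisor (agents join here),
#   10250/tcp kubelet, 8472/udp Canal VXLAN overlay.
# Prints the aws CLI calls by default; APPLY=1 executes them.

APPLY="${APPLY:-0}"

run() {
  if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# allow_from_cidr SG PROTO PORT CIDR
allow_from_cidr() {
  run aws ec2 authorize-security-group-ingress --group-id "$1" \
    --protocol "$2" --port "$3" --cidr "$4"
}

# allow_from_self SG PROTO PORT  (source = the same security group)
allow_from_self() {
  run aws ec2 authorize-security-group-ingress --group-id "$1" \
    --protocol "$2" --port "$3" --source-group "$1"
}

# rke2_sg_rules SG_ID ADMIN_CIDR -> 8 rules: 4 admin-facing, 4 node-to-node
rke2_sg_rules() {
  sg="$1"; admin="$2"
  for p in 22 80 443 6443; do allow_from_cidr "$sg" tcp "$p" "$admin"; done
  for p in 6443 9345 10250; do allow_from_self "$sg" tcp "$p"; done
  allow_from_self "$sg" udp 8472
}

# demo with constructed values:  sh sg-rules.sh demo   (APPLY=1 to really apply)
if [ "${1:-}" = demo ]; then
  rke2_sg_rules sg-0123456789abcdef0 203.0.113.10/32
fi
```

Run it once without APPLY to read the eight calls it would make, then with APPLY=1 and real values. The point of the two helper functions is that no cluster port ever gets a CIDR argument: 9345 in particular is the join port, and exposing it to the world turns the join token into the only thing standing between an attacker and a new node.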
RKE2 Install
⚙️ Step 1: Install RKE2 on rancher-01 (Server Node)
Now that we have all the nodes up to date, let's focus on rancher-01. While this might seem controversial, curl | bash does work nicely. The install script will use the tarball install for Ubuntu and the RPM install for Rocky/CentOS. Please be patient, the start command can take a minute. Here are the rke2 docs and install options for reference.
# On rancher-01
curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE=server sh -
# we can set the token - create config dir/file
mkdir -p /etc/rancher/rke2/
echo "token: bootstrapAllTheThings" > /etc/rancher/rke2/config.yaml
# start and enable for restarts -
systemctl enable --now rke2-server.service
Here is what the Ubuntu version should look like:
Let's validate everything worked as expected. Run systemctl status rke2-server and make sure it is active.
Perfect! Now we can start talking Kubernetes. We need to symlink the kubectl CLI that RKE2 installs on rancher-01.
🔗 Configure kubectl
# symlink all the things - kubectl
ln -s $(find /var/lib/rancher/rke2/data/ -name kubectl) /usr/local/bin/kubectl
# add kubectl conf with persistence, as per Duane
# single quotes so $PATH is expanded at login, not frozen at the value it has right now
echo 'export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$PATH:/usr/local/bin/:/var/lib/rancher/rke2/bin/' >> ~/.bashrc
source ~/.bashrc
# check node status
kubectl get node
💡 Copy /etc/rancher/rke2/rke2.yaml to your local workstation to use kubectl remotely. Update the server IP inside the config file.
Hopefully everything looks good! Here is an example.
For those that are not TOO familiar with k8s, the config file is what kubectl uses to authenticate to the API server. If you want to use a workstation, jump box, or any other machine, you will want to copy /etc/rancher/rke2/rke2.yaml and modify it to change the IP address.
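To make the tip above concrete, here is an added example, not code from the original post, of preparing the remote copy of rke2.yaml on rancher-01: it swaps the loopback server address for the node's public address and creates the copy with mode 0600, because that file carries cluster-admin credentials. Assumed: the fresh kubeconfig points at https://127.0.0.1:6443 (the RKE2 default), and 13.60.248.117 stands in for your own public IP or DNS name.

```shell
#!/bin/sh
# Added example, not from the original post: make a workstation copy of rke2.yaml.
# Assumptions: the fresh kubeconfig contains "server: https://127.0.0.1:6443"
# (the RKE2 default); ADDR is the public IP or DNS name you reach rancher-01 on.

LOOPBACK='server: https://127.0.0.1:6443'

# remote_kubeconfig SRC DST ADDR -> writes DST (mode 0600) and prints its path
remote_kubeconfig() {
  src="$1"; dst="$2"; addr="$3"
  if ! grep -q "$LOOPBACK" "$src"; then
    echo "$src has no '$LOOPBACK' line; refusing to guess what to rewrite" >&2
    return 1
  fi
  rm -f "$dst"
  # the copy holds cluster-admin credentials: create it unreadable to others
  ( umask 077; sed "s#$LOOPBACK#server: https://$addr:6443#" "$src" > "$dst" )
  echo "$dst"
}

# check_remote_kubeconfig FILE ADDR -> 0 if the rewrite took and no loopback
# address is left anywhere in the file
check_remote_kubeconfig() {
  grep -q "server: https://$2:6443" "$1" && ! grep -q '127\.0\.0\.1' "$1"
}

# On rancher-01, then scp the result home and `export KUBECONFIG=` it there:
#   remote_kubeconfig /etc/rancher/rke2/rke2.yaml /tmp/rke2-remote.yaml 13.60.248.117
```

One caveat the post does not mention: the API server certificate only covers the addresses RKE2 knew at install time, so if you point the copy at an address that is not the node's own (an EC2 public IP is NAT'ed, not a local address), kubectl will reject the certificate. Add a tls-san entry with that public IP or DNS name to /etc/rancher/rke2/config.yaml on rancher-01 and restart rke2-server before handing the copy out.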
⚙️ Step 2: Install RKE2 Agents (rancher-02, rancher-03)
The agent install is VERY similar to the server install, except that we need an agent config file before starting. We will start with rancher-02. We need to install the agent and set up the configuration file.
# we can export the rancher-01 Private IP from the first server.
export RANCHER1_IP=10.0.0.42 # <-- change this to the private IP of rancher-01!
# we add INSTALL_RKE2_TYPE=agent
curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE=agent sh -
# create config dir/file
mkdir -p /etc/rancher/rke2/
# write (not append) so re-running does not leave duplicate keys in the file
cat << EOF > /etc/rancher/rke2/config.yaml
server: https://$RANCHER1_IP:9345
token: bootstrapAllTheThings
EOF
# enable and start
systemctl enable --now rke2-agent.service
What should this look like:
Rinse and repeat. Run the same install commands on rancher-03. Next we can validate all the nodes are playing nice by running kubectl get node -o wide on rancher-01.
Huzzah! RKE2 is fully installed. From here on out we will only need to talk to the Kubernetes API, meaning we only need to remain SSH'ed into rancher-01.
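The server and agent steps above share the one secret that matters in this cluster: the token in config.yaml, which is all a host needs in order to join. As an added example that is not part of the original post, here is a small sh script that generates a random token instead of a guessable phrase and writes config.yaml for either role with the file locked to root. Assumed: the server: and token: keys and port 9345 exactly as the post uses them; RKE2_DIR defaults to the real /etc/rancher/rke2 and exists only so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post: random join token plus a
# root-only config.yaml for either the RKE2 server or an agent.
# Assumptions: keys `server:`/`token:` and supervisor port 9345 as in the post;
# RKE2_DIR defaults to the real path and can be overridden for testing.

RKE2_DIR="${RKE2_DIR:-/etc/rancher/rke2}"

# gen_token: 32 bytes from /dev/urandom as 64 lowercase hex characters
gen_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# write_config ROLE TOKEN [SERVER_IP]
#   server: writes only the token
#   agent:  also writes the server URL it must join through
# Prints the path written; returns 1 on bad arguments.
write_config() {
  role="$1"; token="$2"; server_ip="${3:-}"
  case "$role" in
    server) ;;
    agent)
      if [ -z "$server_ip" ]; then
        echo "agent role needs the server's private IP" >&2
        return 1
      fi ;;
    *) echo "role must be server or agent, got '$role'" >&2; return 1 ;;
  esac
  mkdir -p "$RKE2_DIR"
  cfg="$RKE2_DIR/config.yaml"
  rm -f "$cfg"
  # create the file 0600 before any secret lands in it (umask in a subshell
  # so the caller's umask is untouched)
  ( umask 077; : > "$cfg" )
  if [ "$role" = agent ]; then
    echo "server: https://$server_ip:9345" >> "$cfg"
  fi
  echo "token: $token" >> "$cfg"
  echo "$cfg"
}

# Typical flow (run as root):
#   rancher-01:    TOKEN=$(gen_token); write_config server "$TOKEN"
#   rancher-02/03: (same TOKEN copied over) write_config agent "$TOKEN" 10.0.0.42
```

Generate the token once on rancher-01 before systemctl enable --now rke2-server.service, then carry the same value to rancher-02 and rancher-03. If you already started the server without setting one, RKE2 generated a token itself and stored it in /var/lib/rancher/rke2/server/node-token, which is the value the agents should use.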
Now let's install Rancher.
Rancher
For more information about the Rancher versions, please refer to the Support Matrix. We are going to use the latest version. For additional reading take a look at the Rancher docs.
Step 3: Install Rancher using Helm
🪖 Install Helm on rancher-01
For Rancher we will need Helm. We are going to live on the edge! Here are the install docs for reference.
# on the server rancher-01
# add helm
curl -L https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# add needed helm charts
helm repo add rancher-latest https://releases.rancher.com/server-charts/latest --force-update
helm repo add jetstack https://charts.jetstack.io --force-update
Quick note about Rancher. Rancher needs jetstack/cert-manager to create the self-signed TLS certificates. We need to install it with its Custom Resource Definitions (CRDs). Please pay attention to the helm install for Rancher: the URL rancher.180.08.09.0.sslip.io will need to be changed to match your IP. Also notice I am setting the bootstrapPassword and replicas. This allows us to skip a step later. :D
🔐 Install cert-manager & 🚀 Install Rancher
# still on rancher-01
# helm install jetstack
helm upgrade -i cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set crds.enabled=true
# helm install rancher
# CHANGE the IP to the public IP of rancher-01 (no space after the = sign, or the variable ends up empty)
export RANCHER1_IP=180.08.09.0
helm upgrade -i rancher rancher-latest/rancher --create-namespace --namespace cattle-system --set hostname=rancher.$RANCHER1_IP.sslip.io --set bootstrapPassword=bootStrapAllTheThings --set replicas=1
Now we can validate everything installed with helm list -A or kubectl get pod -A. Keep in mind it may take a minute or so for all the pods to come up. GUI time...
🖥️ Step 4: Access Rancher Dashboard
Open your browser and go to:
https://rancher.<YOUR_PUBLIC_IP>.sslip.io
We should now be able to get to the GUI at https://rancher.13.60.248.117.sslip.io. The good news is that by default RKE2 installs with the nginx ingress controller. Expect a browser warning due to the self-signed certificate; accept it and proceed.
🗝️ Login with password: bootStrapAllTheThings
✅ Set the server URL and accept terms.
🎨 Switch to light or dark mode as preferred.
We need to validate the Server URL and accept the terms and conditions.
AND we are in! Switching to light mode.
🧩 Rancher Architecture Overview
Rancher supports both single-cluster and multi-cluster (hub-and-spoke) models. For simplicity and reliability, we’re using a single-cluster setup, where Rancher runs in the same Kubernetes cluster it manages. This avoids dependency on network links to external clusters and improves control.
✅ Summary
You now have a secure Kubernetes cluster with Rancher’s intuitive UI up and running:
RKE2 for hardened Kubernetes
Rancher for full lifecycle cluster management
SSL with cert-manager
Access via domain using sslip.io
Written by Balaji