Important: If your node has NetworkManager installed and enabled, ensure that it is configured to ignore CNI-managed interfaces.
RKE2 can be installed in an air-gapped environment with two different methods. You can either deploy via the rke2-airgap-images tarball release artifact, or by using a private registry.
All files mentioned in the steps can be obtained from the assets of the desired released rke2 version here.
If running on an SELinux enforcing air-gapped node, you must first install the necessary SELinux policy RPM before performing these steps. See our RPM Documentation to determine what you need.
- Download the airgap images tarballs from the RKE release artifacts list for the version and platform of RKE2 you are using.
rke2-images.linux-amd64.tar.gz for releases prior to v1.20. Zstandard offers better compression ratios and faster decompression speeds compared to gzip.
- If using the default Canal CNI (--cni=canal), you can use either the rke2-image legacy archive as described above, or
- If using the alternative Cilium CNI (--cni=cilium), you must download the
- If using your own CNI (--cni=none), you can download only the
- If enabling the vSphere CPI/CSI charts (--cloud-provider-name=rancher-vsphere), you must also download the
- Ensure that the /var/lib/rancher/rke2/agent/images/ directory exists on the node.
- Copy the compressed archive to /var/lib/rancher/rke2/agent/images/ on the node, ensuring that the file extension is retained.
- Install RKE2
Private Registry Method
As of RKE2 v1.20, private registry support honors all settings from the containerd registry configuration. This includes endpoint override and transport protocol (HTTP/HTTPS), authentication, certificate verification, etc.
Prior to RKE2 v1.20, private registries must use TLS, with a cert trusted by the host CA bundle. If the registry is using a self-signed cert, you can add the cert to the host CA bundle with update-ca-certificates. The registry must also allow anonymous (unauthenticated) access.
- Add all the required system images to your private registry. A list of images can be obtained from the .txt file corresponding to each tarball referenced above, or you may docker load the airgap image tarballs, then tag and push the loaded images.
- If using a private or self-signed certificate on the registry, add the registry's CA cert to the containerd registry configuration, or operating system's trusted certs for releases prior to v1.20.
- Install RKE2 using the system-default-registry parameter, or use the containerd registry configuration to use your registry as a mirror for docker.io.
- Obtain the rke2 binary file
- Ensure the binary is named rke2 and place it in /usr/local/bin. Ensure it is executable.
- Run the binary with the desired parameters. For example, if using the Private Registry Method, your config file would have the following:
Note: The system-default-registry parameter must specify only valid RFC 3986 URI authorities, i.e. a host and optional port.
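A pre-flight check for the Private Registry Method steps and the host-and-optional-port rule above, as an added example that is not part of the RKE2 documentation. The function names, the registry `registry.example.com:5000` and the sample image names are hypothetical, and the script assumes images keep their repository path under the private registry; it only prints the tag and push commands.

```shell
#!/bin/sh
# Added example: validate a system-default-registry value, then print a
# dry-run tag/push plan for an image list. Nothing is pulled or pushed.

# Succeed only for "host" or "host:port": no scheme, path or userinfo.
# Assumption: DNS names and IPv4 only; bracketed IPv6 literals are rejected.
valid_registry_authority() {
    case "$1" in ''|*://*|*/*|*@*) return 1 ;; esac
    host=${1%:*}
    case "$1" in
        *:*) port=${1##*:}
             case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
             [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1 ;;
    esac
    printf '%s\n' "$host" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Map a source reference to its name under the private registry. A leading
# registry host (first component with "." or ":", or "localhost") is dropped.
mirror_target() {
    reg=$1; ref=$2; first=${ref%%/*}
    case "$ref" in
        */*) case "$first" in *.*|*:*|localhost) ref=${ref#*/} ;; esac ;;
    esac
    printf '%s/%s\n' "$reg" "$ref"
}

# Read an image list on stdin and print tag/push commands. Blank lines and
# "#" comments are skipped; lines with unexpected characters are refused.
mirror_plan() {
    valid_registry_authority "$1" || { echo "invalid registry: $1" >&2; return 2; }
    while IFS= read -r img || [ -n "$img" ]; do
        case "$img" in
            ''|'#'*) continue ;;
            *[!A-Za-z0-9._/:@-]*) echo "refused: $img" >&2; continue ;;
        esac
        dst=$(mirror_target "$1" "$img")
        printf 'docker tag %s %s\ndocker push %s\n' "$img" "$dst" "$dst"
    done
}

# Constructed sample list (placeholder names) standing in for a release .txt file.
printf '%s\n' 'docker.io/rancher/example-a:v0.0.0' 'docker.io/rancher/example-b:v0.0.0' |
    mirror_plan registry.example.com:5000
```

Review the printed plan before running it, and feed `mirror_plan` the .txt list that matches the tarballs you downloaded.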