Skip to main content


RKE2 is very lightweight, but has some minimum requirements as outlined below.


Two rke2 nodes cannot have the same node name. By default, the node name is taken from the machine's hostname.

If two or more of your machines have the same hostname, you must do one of the following:

  • Update the hostname to a unique value
  • Set the node-name parameter in the config file to a unique value
  • Set the with-node-id parameter in the config file to true to append a randomly generated ID number to the hostname.
Version Gate

The with-node-id parameter is available starting with the 2023-05 releases (v1.27.2+rke2r1, v1.26.5+rke2r1, v1.25.10+rke2r1, v1.24.14+rke2r1).

Operating Systems


See the RKE2 Support Matrix for all the OS versions that have been validated with RKE2. In general, RKE2 should work on any Linux distribution that uses systemd and iptables.



Windows Support requires choosing Calico or Flannel as the CNI for the RKE2 cluster

The RKE2 Windows Node (Worker) agent has been tested and validated on the following operating systems, and their subsequent non-major releases:

  • Windows Server 2019 LTSC (amd64) (OS Build 17763.2061)
  • Windows Server 2022 LTSC (amd64) (OS Build 20348.169)

Note The Windows Server Containers feature needs to be enabled for the RKE2 Windows agent to work.

Open a new Powershell window with Administrator privileges

powershell -Command "Start-Process PowerShell -Verb RunAs"

In the new Powershell window, run the following command.

Enable-WindowsOptionalFeature -Online -FeatureName Containers –All

This will require a reboot for the Containers feature to properly function.


Hardware requirements scale based on the size of your deployments. Minimum recommendations are outlined here.


  • RAM: 4GB Minimum (we recommend at least 8GB)
  • CPU: 2 Minimum (we recommend at least 4CPU)

VM Sizing Guide

When limited on CPU and RAM on the control-plane + etcd nodes, there could be limitations for the amount of agent nodes that can be joined under standard workload conditions.

Server CPUServer RAMNumber of Agents
24 GB0-225
48 GB226-450
816 GB451-1300
16+32 GB1300+

It is recommended to join agent nodes in batches of 50 or less to allow the CPU to free up space, as there is a spike on node join. Remember to modify the default cluster-cidr if desiring more than 255 nodes!

This data was retrieved under specific test conditions. It will vary depending upon environment and workloads. The steps below give an overview of the test that was run to retrieve this. It was last performed on v1.27.4+rke2r1. All of the machines were provisioned in AWS with standard 20 GiB gp3 volumes.

  1. Monitor resources on grafana using prometheus data source.
  2. Deploy workloads in such a way to simulate continuous cluster activity:
    • A basic workload that scales up and down continuously
    • A workload that is deleted and recreated in a loop
    • A constant workload that contains multiple other resources including CRDs.
  3. Join agent nodes in batches of 30-50 at a time.


RKE2 performance depends on the performance of the database, and since RKE2 runs etcd embeddedly and it stores the data dir on disk, we recommend using an SSD when possible to ensure optimal performance.



If your node has NetworkManager installed and enabled, ensure that it is configured to ignore CNI-managed interfaces.. If your node has Wicked installed and enabled, ensure that the forwarding sysctl config is enabled

The RKE2 server needs port 6443 and 9345 to be accessible by other nodes in the cluster.

All nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used.

If you wish to utilize the metrics server, you will need to open port 10250 on each node.

Important: The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472.

Inbound Network Rules

TCP9345RKE2 agent nodesRKE2 server nodesRKE2 supervisor API
TCP6443RKE2 agent nodesRKE2 server nodesKubernetes API
UDP8472All RKE2 nodesAll RKE2 nodesRequired only for Flannel VXLAN
TCP10250All RKE2 nodesAll RKE2 nodeskubelet metrics
TCP2379RKE2 server nodesRKE2 server nodesetcd client port
TCP2380RKE2 server nodesRKE2 server nodesetcd peer port
TCP2381RKE2 server nodesRKE2 server nodesetcd metrics port
TCP30000-32767All RKE2 nodesAll RKE2 nodesNodePort port range
UDP8472All RKE2 nodesAll RKE2 nodesCilium CNI VXLAN
TCP4240All RKE2 nodesAll RKE2 nodesCilium CNI health checks
ICMP8/0All RKE2 nodesAll RKE2 nodesCilium CNI health checks
TCP179All RKE2 nodesAll RKE2 nodesCalico CNI with BGP
UDP4789All RKE2 nodesAll RKE2 nodesCalico CNI with VXLAN
TCP5473All RKE2 nodesAll RKE2 nodesCalico CNI with Typha
TCP9098All RKE2 nodesAll RKE2 nodesCalico Typha health checks
TCP9099All RKE2 nodesAll RKE2 nodesCalico health checks
UDP8472All RKE2 nodesAll RKE2 nodesCanal CNI with VXLAN
TCP9099All RKE2 nodesAll RKE2 nodesCanal CNI health checks
UDP51820All RKE2 nodesAll RKE2 nodesCanal CNI with WireGuard IPv4
UDP51821All RKE2 nodesAll RKE2 nodesCanal CNI with WireGuard IPv6/dual-stack
UDP4789All RKE2 nodesAll RKE2 nodesFlannel CNI with VXLAN

Windows Specific Inbound Network Rules

UDP4789All RKE2 nodesAll RKE2 nodesRequired for Calico and Flannel VXLAN
TCP179All RKE2 nodesAll RKE2 nodesCalico CNI with BGP

Typically, all outbound traffic will be allowed.