Agent Configuration Reference

This is a reference to all parameters that can be used to configure the rke2 agent. Note that while this is a reference to the command line arguments, the best way to configure RKE2 is using the configuration file.
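
As an added illustration (not taken from the RKE2 documentation), the agent flags in this reference can be written as keys in the configuration file, using the flag name without the leading dashes and a YAML list for flags that may be repeated. The hostname, token path, node name, label, taint and kubelet argument are constructed placeholder values.

```yaml
# /etc/rancher/rke2/config.yaml on an agent node (constructed example).
# Each key is a flag name from this reference without the leading "--".

# Cluster: where to join and how to authenticate.
server: https://rke2-server.example.internal:9345  # placeholder host; 9345 is the supervisor port
token-file: /etc/rancher/rke2/agent-token          # hypothetical path; the join token is read from a
                                                   # separate file, so config.yaml holds no secret

# Node: identity and scheduling metadata. Repeatable flags become lists.
node-name: worker-01
node-label:
  - "environment=prod"
node-taint:
  - "dedicated=ingress:NoSchedule"

# Security and hardening.
profile: cis                    # validate the host against the selected benchmark
protect-kernel-defaults: true   # error out if kernel tunables differ from kubelet defaults
selinux: true                   # assumes an SELinux-enabled host

# Flags: passed through to the kubelet, one "name=value" per list item.
kubelet-arg:
  - "max-pods=110"

# Diagnostics stay at their defaults (off) outside of troubleshooting.
debug: false
enable-pprof: false
```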

Common

| Flag | Description | Default | Environment Variable |
|---|---|---|---|
| config | Path to config file | /etc/rancher/rke2/config.yaml | RKE2_CONFIG_FILE |
| debug | Turn on debug logs | false | RKE2_DEBUG |
| data-dir | Folder to hold state | "/var/lib/rancher/rke2" | RKE2_DATA_DIR |

Cluster

| Flag | Description | Environment Variable |
|---|---|---|
| token | Token to use for authentication | RKE2_TOKEN |
| token-file | Token file to use for authentication | RKE2_TOKEN_FILE |
| server | Server to connect to | RKE2_URL |

Listener

| Flag | Description | Default |
|---|---|---|
| bind-address | rke2 bind address | 0.0.0.0 |

Image

| Flag | Description | Environment Variable |
|---|---|---|
| kube-apiserver-image | Override image to use for kube-apiserver | RKE2_KUBE_APISERVER_IMAGE |
| kube-controller-manager-image | Override image to use for kube-controller-manager | RKE2_KUBE_CONTROLLER_MANAGER_IMAGE |
| cloud-controller-manager-image | Override image to use for cloud-controller-manager | RKE2_CLOUD_CONTROLLER_MANAGER_IMAGE |
| kube-proxy-image | Override image to use for kube-proxy | RKE2_KUBE_PROXY_IMAGE |
| kube-scheduler-image | Override image to use for kube-scheduler | RKE2_KUBE_SCHEDULER_IMAGE |
| pause-image | Override image to use for pause | RKE2_PAUSE_IMAGE |
| runtime-image | Override image to use for runtime binaries (containerd, kubectl, crictl, etc) | RKE2_RUNTIME_IMAGE |
| etcd-image | Override image to use for etcd | RKE2_ETCD_IMAGE |

Cloud Provider

| Flag | Description | Default | Environment Variable |
|---|---|---|---|
| cloud-provider-name | Cloud provider name | | RKE2_CLOUD_PROVIDER_NAME |
| cloud-provider-config | Cloud provider configuration file path | | RKE2_CLOUD_PROVIDER_CONFIG |
| node-name-from-cloud-provider-metadata | Set node name from instance metadata service hostname | false | RKE2_NODE_NAME_FROM_CLOUD_PROVIDER_METADATA |

Security

| Flag | Description | Environment Variable |
|---|---|---|
| profile | Validate system configuration against the selected benchmark (valid items: cis, etcd) | RKE2_CIS_PROFILE |
| audit-policy-file | Path to the file that defines the audit policy configuration | RKE2_AUDIT_POLICY_FILE |
| pod-security-admission-config-file | Path to the file that defines Pod Security Admission configuration | RKE2_POD_SECURITY_ADMISSION_CONFIG_FILE |

Components

| Flag | Description | Environment Variable |
|---|---|---|
| control-plane-resource-requests | Control Plane resource requests | RKE2_CONTROL_PLANE_RESOURCE_REQUESTS |
| control-plane-resource-limits | Control Plane resource limits | RKE2_CONTROL_PLANE_RESOURCE_LIMITS |
| control-plane-probe-configuration | Control Plane Probe configuration | RKE2_CONTROL_PLANE_PROBE_CONFIGURATION |
| kube-apiserver-extra-mount | kube-apiserver extra volume mounts | RKE2_KUBE_APISERVER_EXTRA_MOUNT |
| kube-scheduler-extra-mount | kube-scheduler extra volume mounts | RKE2_KUBE_SCHEDULER_EXTRA_MOUNT |
| kube-controller-manager-extra-mount | kube-controller-manager extra volume mounts | RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_MOUNT |
| kube-proxy-extra-mount | kube-proxy extra volume mounts | RKE2_KUBE_PROXY_EXTRA_MOUNT |
| etcd-extra-mount | etcd extra volume mounts | RKE2_ETCD_EXTRA_MOUNT |
| cloud-controller-manager-extra-mount | cloud-controller-manager extra volume mounts | RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_MOUNT |
| kube-apiserver-extra-env | kube-apiserver extra environment variables | RKE2_KUBE_APISERVER_EXTRA_ENV |
| kube-scheduler-extra-env | kube-scheduler extra environment variables | RKE2_KUBE_SCHEDULER_EXTRA_ENV |
| kube-controller-manager-extra-env | kube-controller-manager extra environment variables | RKE2_KUBE_CONTROLLER_MANAGER_EXTRA_ENV |
| kube-proxy-extra-env | kube-proxy extra environment variables | RKE2_KUBE_PROXY_EXTRA_ENV |
| etcd-extra-env | etcd extra environment variables | RKE2_ETCD_EXTRA_ENV |
| cloud-controller-manager-extra-env | cloud-controller-manager extra environment variables | RKE2_CLOUD_CONTROLLER_MANAGER_EXTRA_ENV |

Node

| Flag | Description | Default | Environment Variable |
|---|---|---|---|
| node-name | Node name | | RKE2_NODE_NAME |
| with-node-id | Append id to node name | false | |
| node-label | Registering and starting kubelet with set of labels | | |
| node-taint | Registering kubelet with set of taints | | |
| image-credential-provider-bin-dir | The path to the directory where credential provider plugin binaries are located | "/var/lib/rancher/credentialprovider/bin" | |
| image-credential-provider-config | The path to the credential provider plugin config file | "/var/lib/rancher/credentialprovider/config.yaml" | |
| selinux | Enable SELinux in containerd | false | RKE2_SELINUX |
| lb-server-port | Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. | 6444 | RKE2_LB_SERVER_PORT |
| protect-kernel-defaults | Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults. | false | |

Runtime

| Flag | Description | Default |
|---|---|---|
| container-runtime-endpoint | Disable embedded containerd and use the CRI socket at the given path | |
| default-runtime | Set the default runtime in containerd | |
| snapshotter | Override default containerd snapshotter | "overlayfs" |
| private-registry | Private registry configuration file | "/etc/rancher/rke2/registries.yaml" |

Containerd

| Flag | Description | Default |
|---|---|---|
| disable-default-registry-endpoint | Disables containerd’s fallback default registry endpoint when a mirror is configured for that registry | false |
| nonroot-devices | Allows non-root pods to access devices by setting device_ownership_from_security_context=true in the containerd CRI config | false |

Networking

| Flag | Description | Environment Variable |
|---|---|---|
| node-ip | IPv4/IPv6 addresses to advertise for node | |
| node-external-ip | IPv4/IPv6 external IP addresses to advertise for node | |
| node-internal-dns | internal DNS addresses to advertise for node | |
| node-external-dns | external DNS addresses to advertise for node | |
| resolv-conf | Kubelet resolv.conf file | RKE2_RESOLV_CONF |

Flags

| Flag | Description |
|---|---|
| kubelet-arg | Customized flag for kubelet process |
| kube-proxy-arg | Customized flag for kube-proxy process |

Experimental

| Flag | Description | Default | Environment Variable |
|---|---|---|---|
| enable-pprof | Enable pprof endpoint on supervisor port | false | |
| kubelet-path | Override kubelet binary path | | RKE2_KUBELET_PATH |