Go.Rig-Operator/deploy/harvester/cloud-config-templates/rke2-ubuntu-22.04-cloudinit-cp.yaml

apiVersion: v1
data:
  cloudInit: |
    #cloud-config
    package_update: false
    package_upgrade: false
    snap:
      commands:
        00: snap refresh --hold=forever
    package_reboot_if_required: true
    packages:
      - qemu-guest-agent
      - yq
      - jq

    runcmd:
      - sysctl -w net.ipv6.conf.all.disable_ipv6=1
      - systemctl enable --now qemu-guest-agent.service
      - [sh, '/root/updates.sh']

    disable_root: true
    ssh_pwauth: false
    groups:
      - etcd
    users:
      - name: rancher
        gecos: Rancher service account
        hashed_passwd: $6$Jn9gljJAbr9tjxD2$4D4O5YokrpYvYd5lznvtuWRPWWcREo325pEhn5r5vzfIU/1fX6werOG4LlXxNNBOkmbKaabekQ9NQL32IZOiH1
        lock_passwd: false
        shell: /bin/bash
        groups: [users, sudo, docker]
        sudo: ALL=(ALL:ALL) ALL
        ssh_authorized_keys:
        - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwWnnOTAu0LlAZRczQ0Z0KvNlUdPhGQhpZie+nF1O3s'
      - name: etcd
        gecos: ETCD service account
        lock_passwd: true
        shell: /sbin/nologin
        groups: [etcd]


    write_files:
      - path: /root/updates.sh
        permissions: '0550'
        content: |
          #!/bin/bash
          export DEBIAN_FRONTEND=noninteractive
          apt-mark hold linux-headers-generic
          apt-mark hold linux-headers-virtual
          apt-mark hold linux-image-virtual
          apt-mark hold linux-virtual
          apt-get update
          apt-get upgrade -y
          apt-get autoremove -y
      - path: /var/lib/rancher/rke2/server/manifests/disable-sa-automount.yaml
        permissions: '0600'
        owner: root:root
        content: |
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: disable-automount-sa
            namespace: kube-system
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            name: disable-automount-clusterrole
          rules:
            - apiGroups: [""]
              resources: ["namespaces"]
              verbs: ["get", "list"]
            - apiGroups: [""]
              resources: ["serviceaccounts"]
              verbs: ["get", "patch"]
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            name: disable-automount-binding
          subjects:
            - kind: ServiceAccount
              name: disable-automount-sa
              namespace: kube-system
          roleRef:
            kind: ClusterRole
            name: disable-automount-clusterrole
            apiGroup: rbac.authorization.k8s.io
          ---
          apiVersion: batch/v1
          kind: CronJob
          metadata:
            name: disable-default-sa-automount
            namespace: kube-system
          spec:
            schedule: "0 0 * * *"
            concurrencyPolicy: Forbid
            jobTemplate:
              spec:
                template:
                  spec:
                    serviceAccountName: disable-automount-sa
                    containers:
                    - name: kubectl-patcher
                      image: alpine/kubectl:1.35.0
                      command:
                      - /bin/sh
                      - -c
                      - |
                        for n in $(kubectl get namespaces -o=jsonpath="{.items[*]['metadata.name']}"); do
                          echo "Patching default SA in namespace: $n"
                          kubectl patch serviceaccount default -p '{"automountServiceAccountToken": false}' -n $n
                        done
                    restartPolicy: OnFailure
kind: ConfigMap
metadata:
  labels:
    harvesterhci.io/cloud-init-template: user
  name: rke2-ubuntu-22.04-cloudinit-cp
  namespace: vanderlande
Drop initial code 2026-01-15 09:58:01 +00:00			`apiVersion: v1`
			`data:`
			`cloudInit: \|`
			`#cloud-config`
			`package_update: false`
			`package_upgrade: false`
			`snap:`
			`commands:`
			`00: snap refresh --hold=forever`
			`package_reboot_if_required: true`
			`packages:`
			`- qemu-guest-agent`
			`- yq`
			`- jq`

			`runcmd:`
			`- sysctl -w net.ipv6.conf.all.disable_ipv6=1`
			`- systemctl enable --now qemu-guest-agent.service`
			`- [sh, '/root/updates.sh']`

			`disable_root: true`
			`ssh_pwauth: false`
			`groups:`
			`- etcd`
			`users:`
			`- name: rancher`
			`gecos: Rancher service account`
			`hashed_passwd: $6$Jn9gljJAbr9tjxD2$4D4O5YokrpYvYd5lznvtuWRPWWcREo325pEhn5r5vzfIU/1fX6werOG4LlXxNNBOkmbKaabekQ9NQL32IZOiH1`
			`lock_passwd: false`
			`shell: /bin/bash`
			`groups: [users, sudo, docker]`
			`sudo: ALL=(ALL:ALL) ALL`
			`ssh_authorized_keys:`
			`- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwWnnOTAu0LlAZRczQ0Z0KvNlUdPhGQhpZie+nF1O3s'`
			`- name: etcd`
			`gecos: ETCD service account`
			`lock_passwd: true`
			`shell: /sbin/nologin`
			`groups: [etcd]`


			`write_files:`
			`- path: /root/updates.sh`
			`permissions: '0550'`
			`content: \|`
			`#!/bin/bash`
			`export DEBIAN_FRONTEND=noninteractive`
			`apt-mark hold linux-headers-generic`
			`apt-mark hold linux-headers-virtual`
			`apt-mark hold linux-image-virtual`
			`apt-mark hold linux-virtual`
			`apt-get update`
			`apt-get upgrade -y`
			`apt-get autoremove -y`
			`- path: /var/lib/rancher/rke2/server/manifests/disable-sa-automount.yaml`
			`permissions: '0600'`
			`owner: root:root`
			`content: \|`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: disable-automount-sa`
			`namespace: kube-system`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: disable-automount-clusterrole`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["namespaces"]`
			`verbs: ["get", "list"]`
			`- apiGroups: [""]`
			`resources: ["serviceaccounts"]`
			`verbs: ["get", "patch"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: disable-automount-binding`
			`subjects:`
			`- kind: ServiceAccount`
			`name: disable-automount-sa`
			`namespace: kube-system`
			`roleRef:`
			`kind: ClusterRole`
			`name: disable-automount-clusterrole`
			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`apiVersion: batch/v1`
			`kind: CronJob`
			`metadata:`
			`name: disable-default-sa-automount`
			`namespace: kube-system`
			`spec:`
			`schedule: "0 0 * * *"`
			`concurrencyPolicy: Forbid`
			`jobTemplate:`
			`spec:`
			`template:`
			`spec:`
			`serviceAccountName: disable-automount-sa`
			`containers:`
			`- name: kubectl-patcher`
			`image: alpine/kubectl:1.35.0`
			`command:`
			`- /bin/sh`
			`- -c`
			`- \|`
			`for n in $(kubectl get namespaces -o=jsonpath="{.items[*]['metadata.name']}"); do`
			`echo "Patching default SA in namespace: $n"`
			`kubectl patch serviceaccount default -p '{"automountServiceAccountToken": false}' -n $n`
			`done`
			`restartPolicy: OnFailure`
			`kind: ConfigMap`
			`metadata:`
			`labels:`
			`harvesterhci.io/cloud-init-template: user`
			`name: rke2-ubuntu-22.04-cloudinit-cp`
			`namespace: vanderlande`