🚀 Knowledge Base Beta
Preview our redesigned Knowledge Base. Click here to try it and give us your feedback! Your input helps us improve

How to set cipher-suites for etcd in RKE2

This document (000021373) is provided subject to the disclaimer at the end of this document.

Environment

Rancher v2.7+
A standalone or Rancher-provisioned RKE2 cluster

Situation

This article details how to customise the TLS cipher suites used by etcd in an RKE2 cluster

Resolution

Rancher-provisioned RKE2 clusters:

Navigate to Cluster Management within the Rancher UI
Click Edit Config for the relevant RKE2 cluster
Click Edit as YAML at the bottom of the page

Add a machineSelectorConfig block to set the desired cipher-suites via the etcd-arg field on etcd nodes, per the following example:

spec:
  [...]
  rkeConfig:
    [...]
    machineSelectorConfig
      - config:
          etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
        matchLabels:
          rke.cattle.io/etcd-role: 'true'
[...]

Click Save to apply the change

Standalone RKE2 clusters:

Repeat the following process on each server node in the RKE2 cluster:

Add the etcd-arg with the desired cipher-suites to the RKE2 configuration file at /etc/rancher/rke2/config.yaml file and save it, per the following example:
```
etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
```
Restart the rke2-server service to apply the change:
```
systemctl restart rke2-server
```

Verify the change. The new configuration will be populated in the etcd configuration file.

root@susenode01:~# cat /var/lib/rancher/rke2/server/db/etcd/config
advertise-client-urls: (redacted)
cipher-suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
client-transport-security:
  cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
  client-cert-auth: true
  key-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.key
  trusted-ca-file: /var/lib/rancher/rke2/server/tls/etcd/server-ca.crt
data-dir: /var/lib/rancher/rke2/server/db/etcd
...(omitted)

Additional Information

RKE2 Server Configuration Reference

Flags: https://docs.rke2.io/reference/server_config#flags

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

Document ID:000021373
Creation Date: 27-Feb-2024
Modified Date:25-Mar-2025
- SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Report a Software Vulnerability

Go to Customer Center

SUSE Support

Here When You Need Us

🚀 Knowledge Base Beta Preview our redesigned Knowledge Base. Click here to try it and give us your feedback! Your input helps us improve