RKE2 Deserves Some Love: Why It's My On-Prem Kubernetes Pick
Most of the Kubernetes conversation in 2026 happens around managed services — EKS, GKE, AKS — and most of the rest happens around K3s for edge and homelab. Somewhere in the middle, on the hardware that lives in a rack in a datacenter you can drive to, there’s a Kubernetes story that nobody talks about loudly enough.
That story is RKE2 — the Rancher Kubernetes Engine 2, SUSE’s hardened, security-focused, single-binary distribution designed for on-premises production. I’ve been running it for two years across two different employers and one home lab, and it’s the rare piece of infrastructure that gets more impressive the longer you live with it.
This is the post arguing it deserves more attention than it gets.
What RKE2 is, exactly
RKE2 is a fully CNCF-conformant Kubernetes distribution maintained by SUSE (the people who acquired Rancher Labs and the original maker of K3s). It’s the successor to the original RKE — which has been end-of-life’d — and it’s the production-hardened sibling of K3s.
Same parent project, different design philosophy:
- K3s is the lightweight distribution. Single binary <100 MB, SQLite datastore by default, intended for edge, IoT, ARM boxes, homelab, dev clusters. Removes the in-tree storage drivers and cloud providers to save space.
- RKE2 is the security-hardened distribution. Single binary, embedded etcd (not SQLite), containerd with SELinux awareness, CIS-benchmark profile shipped in the box, FIPS 140-2 compliance available out of the box, designed for datacenter and air-gap deployments where the threat model is real.
They share a CLI shape and a configuration story, but you’re expected to pick the right one. RKE2 is what you reach for when the cluster needs to survive a real security audit.
The architecture, in one paragraph
RKE2 ships as a single Go binary. The control plane components —
kube-apiserver, kube-controller-manager, kube-scheduler,
etcd — run as static pods managed by the kubelet, not as
systemd services. The container runtime is containerd, period
(no Docker fallback, no opinion). The default CNI is Canal
(Flannel + Calico for network policy), with first-class support for
Cilium, Calico, Multus, and Flannel as alternatives. Cluster state
lives in embedded etcd, automatically HA-clustered the moment you
add a second server node. Helm chart support is built in via
HelmChart and HelmChartConfig CRDs.
The whole install on a fresh Linux box is genuinely:
curl -sfL https://get.rke2.io | sh -
systemctl enable --now rke2-server.service
Ninety seconds later you have a working single-node cluster.
/var/lib/rancher/rke2/bin/kubectl is the included kubectl. Add
more nodes by pointing them at the first one with a shared token,
and the embedded etcd clusters itself.
What makes it different — security, by default
This is the part of RKE2 that I want more people to understand, because it’s where the product actually earns its place.
CIS Kubernetes Benchmark compliance. RKE2 ships with a hardening
profile (profile: cis-1.10 in the config) that, when enabled, makes
the cluster pass the CIS benchmark for the corresponding Kubernetes
version. Not “with some tweaks.” Pass. SUSE publishes the
self-assessment guides next to each release so you can hand them to
an auditor.
FIPS 140-2 compliance. RKE2 and all the components it deploys (with the lone exception of the legacy NGINX ingress) are compiled against the FIPS 140-2 validated BoringCrypto module. For government, defense, and financial workloads in regulated jurisdictions this is the difference between “can be deployed” and “cannot.” Almost no other Kubernetes distribution can claim this.
SELinux awareness in containerd. RKE2 extends SELinux support all
the way down through containerd, so workloads run under SELinux
enforcement mode without surprise denials. If you’re on RHEL, Rocky,
Alma, or any other SELinux-default distro and you’ve ever fought
audit2allow against your Kubernetes nodes, this matters.
Air-gap installations as a first-class workflow. RKE2 publishes
image tarballs (rke2-images.linux-amd64.tar.zst) and a registries.yaml
mirror configuration so you can stand up the cluster in a network
that never touches the public internet. The Rancher Government
Solutions team uses this in actual classified environments.
Control plane components run as static pods — owned by kubelet,
observable via kubectl get pods -n kube-system, sandboxed inside
containers rather than running as host processes. The blast radius
when something misbehaves is meaningfully smaller than the
kubeadm baseline where these are bare host services.
RKE2 vs the rest, honestly
| Property | kubeadm | K3s | RKE2 | Talos Linux |
|---|---|---|---|---|
| Single-binary install | No | Yes (<100 MB) | Yes | OS is the install |
| Default datastore | etcd (DIY) | SQLite | Embedded etcd | etcd |
| Container runtime | DIY | containerd | containerd (SELinux-aware) | containerd |
| Hardening profile out of box | No | No | CIS, FIPS, STIG-ready | Hardened by design |
| FIPS 140-2 compliance | No | No | Yes | Yes |
| Air-gap install | DIY | Yes | Yes, documented & supported | Yes |
| Control plane | Host services | Host services | Static pods | Static pods |
| Resource footprint vs kubeadm | 1× (baseline) | ~0.5× (lightweight) | ~2× (hardening overhead) | ~1.2× |
| OS | Any Linux | Any Linux | Any Linux | Talos OS only |
| Best for | Learning, DIY | Edge, IoT, dev, homelab | On-prem prod, regulated | Immutable infra purists |
The honest summary:
- kubeadm is the right pick if you want to learn Kubernetes the hard way or if you have very specific requirements that none of the distributions match.
- K3s is the right pick for edge, dev, homelab, anything where resource efficiency matters more than hardening defaults.
- RKE2 is the right pick for on-prem production — datacenter, regulated industries, government, air-gapped sites, anywhere “passes the CIS benchmark out of the box” is a real requirement.
- Talos Linux is the right pick if you’re willing to commit your whole OS stack to the Kubernetes-only worldview. Beautiful product, different ergonomic deal.
What RKE2 costs you
The honest gap: RKE2 uses roughly 2× the resources of a kubeadm baseline. Memory ~150% higher, CPU ~230% higher, disk I/O ~260% higher on idle clusters. That’s the bill for hardening overhead — the static-pod control plane, the SELinux enforcement, the audit logging, the security-conscious defaults across every component.
For a production on-prem cluster running on real server hardware this is invisible. For a four-node homelab on Raspberry Pis it’s absolutely not the right pick. K3s is.
The 2026 wrinkle: Traefik replacing NGINX
Worth flagging because it’s affecting fresh installs right now. The default ingress controller in RKE2 has historically been ingress-nginx. The upstream ingress-nginx project is going end-of-life in March 2026 — Kubernetes SIG-Network is moving on.
SUSE’s response, announced at KubeCon EU 2026:
- RKE2 v1.36 — Traefik ships as the default ingress for new clusters. ingress-nginx still available as an option.
- RKE2 v1.37 — ingress-nginx removed entirely.
If you already have NGINX-flavored Ingress objects, you’ve got a migration window. If you’re standing up a new cluster today, Traefik is the path forward. The good news is that for standard HTTP/HTTPS routing the spec compatibility is high — most ingress definitions port over unchanged.
Where I run it, and on what
- A 3-node bare-metal cluster in a colocation rack, running internal-facing workloads — CI runners, Gitea, a Harbor registry, the in-house IDP. Three small servers, each 16 cores / 64 GB, CIS-hardened profile, embedded etcd, behind a NetBird mesh for admin access. Has been running for 18 months without a node restart that wasn’t a planned upgrade.
- A 2-node lab cluster in the home lab — one mini PC and one refurbished Dell tower. Same RKE2 binary, no hardening profile, used for experiments I don’t want to put on the prod box.
- One single-node RKE2 install on a beefy bare-metal server at a client site — the kind of “we have one server room and no cloud budget” engagement where the cluster needs to be reproducible, hardened, and operable by a small team. Air-gapped install, CIS-1.10 profile, SELinux enforcing.
In all three cases the install is the same: curl | sh, then a
config file with the right profile, then nodes added by token. The
muscle memory transfers cleanly between very different deployment
shapes.
Where it doesn’t fit
I owe the honest version:
- Don’t use RKE2 for homelab on a Raspberry Pi. K3s exists for a reason. RKE2’s overhead will eat your tiny SBC alive.
- Don’t use RKE2 if you’re hosted on a hyperscaler that already offers managed K8s. EKS, GKE, AKS exist for a reason too. You’re paying twice — once for the cloud, once for the cluster ops you’re now doing yourself.
- Don’t use RKE2 if your team is allergic to the Rancher ecosystem. It’s all upstream Kubernetes underneath, but the defaults and the helm charts and the docs all lean SUSE/Rancher. If that’s a cultural mismatch, kubeadm or Talos may suit you better.
- Don’t use RKE2 if you want to learn Kubernetes internals. Too much is done for you. Run a kubeadm cluster from scratch first — you’ll appreciate RKE2’s defaults much more once you understand what they replaced.
The summary
RKE2 is what happens when a Kubernetes distribution takes on-prem production seriously instead of treating it as a degraded version of the cloud experience. It’s not glamorous. It doesn’t get the KubeCon keynote slot. It doesn’t have a hundred dev-rel YouTubers making content about it.
But if you’re standing up a real Kubernetes cluster on hardware you own, in a network you control, with a security posture you can defend to an auditor — RKE2 is the right answer, has been for a while, and is only getting more so as SUSE keeps quietly investing in it.
It deserves more love. So here’s mine.