Cloudnet K8s Deploy 7주차 스터디를 진행하며 정리한 글입니다.
RKE2 소개
RKE2(Rancher Kubernetes Engine 2)는 SUSE가 제공하는 엔터프라이즈용 Kubernetes 배포판입니다. 기존 RKE를 보안 중심으로 재설계한 버전으로, CIS Benchmark를 기본적으로 고려해 구성되어 있습니다. Docker 대신 containerd를 사용하며, 컨트롤 플레인 구성 요소가 패키징되어 있어 설치와 운영이 비교적 단순합니다. 폐쇄망 환경도 지원해 금융·공공기관과 같은 보안 요구사항이 높은 환경에 적합합니다.
RKE2 실습
[root@k8s-node1 ~]# curl -sfL https://get.rke2.io --output install.sh
[root@k8s-node1 ~]# chmod +x install.sh
INSTALL_RKE2_CHANNEL=v1.33 ./install.sh
[INFO] using stable RPM repositories
[INFO] using 1.33 series from channel stable
Rancher RKE2 Common (v1.33) 62 B/s | 659 B 00:10
Rancher RKE2 Common (v1.33) 448 B/s | 2.4 kB 00:05
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Rancher RKE2 Common (v1.33) 172 B/s | 2.6 kB 00:15
Rancher RKE2 1.33 (v1.33) 59 B/s | 659 B 00:11
Rancher RKE2 1.33 (v1.33) 467 B/s | 2.4 kB 00:05
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Rancher RKE2 1.33 (v1.33) 382 B/s | 5.9 kB 00:15
Dependencies resolved.
===============================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================
Installing:
rke2-server aarch64 1.33.8~rke2r1-0.el9 rancher-rke2-1.33-stable 8.3 k
Installing dependencies:
rke2-common aarch64 1.33.8~rke2r1-0.el9 rancher-rke2-1.33-stable 25 M
rke2-selinux noarch 0.22-1.el9 rancher-rke2-common-stable 22 k
Transaction Summary
===============================================================================================================================================================================================
Install 3 Packages
Total download size: 25 M
Installed size: 113 M
Downloading Packages:
(1/3): rke2-server-1.33.8~rke2r1-0.el9.aarch64.rpm 1.6 kB/s | 8.3 kB 00:05
(2/3): rke2-selinux-0.22-1.el9.noarch.rpm 4.1 kB/s | 22 kB 00:05
(3/3): rke2-common-1.33.8~rke2r1-0.el9.aarch64.rpm 3.8 MB/s | 25 MB 00:06
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 3.8 MB/s | 25 MB 00:06
Rancher RKE2 Common (v1.33) 471 B/s | 2.4 kB 00:05
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: rke2-selinux-0.22-1.el9.noarch 1/3
Installing : rke2-selinux-0.22-1.el9.noarch 1/3
Running scriptlet: rke2-selinux-0.22-1.el9.noarch 1/3
Installing : rke2-common-1.33.8~rke2r1-0.el9.aarch64 2/3
Installing : rke2-server-1.33.8~rke2r1-0.el9.aarch64 3/3
Running scriptlet: rke2-server-1.33.8~rke2r1-0.el9.aarch64 3/3
Running scriptlet: rke2-selinux-0.22-1.el9.noarch 3/3
Running scriptlet: rke2-server-1.33.8~rke2r1-0.el9.aarch64 3/3
Verifying : rke2-selinux-0.22-1.el9.noarch 1/3
Verifying : rke2-common-1.33.8~rke2r1-0.el9.aarch64 2/3
Verifying : rke2-server-1.33.8~rke2r1-0.el9.aarch64 3/3
Installed:
rke2-common-1.33.8~rke2r1-0.el9.aarch64 rke2-selinux-0.22-1.el9.noarch rke2-server-1.33.8~rke2r1-0.el9.aarch64
Complete!
[root@k8s-node1 ~]# rke2 --version
rke2 version v1.33.8+rke2r1 (eb75e3c1774cee5a584259d6fee77eb8cfa9b430)
go version go1.24.12 X:boringcrypto
[root@k8s-node1 ~]# dnf repolist
repo id repo name
appstream Rocky Linux 9 - AppStream
baseos Rocky Linux 9 - BaseOS
extras Rocky Linux 9 - Extras
rancher-rke2-1.33-stable Rancher RKE2 1.33 (v1.33)
rancher-rke2-common-stable Rancher RKE2 Common (v1.33)
[root@k8s-node1 ~]# tree /etc/yum.repos.d/
/etc/yum.repos.d/
├── rancher-rke2.repo
├── rocky-addons.repo
├── rocky-devel.repo
├── rocky-extras.repo
└── rocky.repo
0 directories, 5 files
[root@k8s-node1 ~]# cat /etc/yum.repos.d/rancher-rke2.repo
[rancher-rke2-common-stable]
name=Rancher RKE2 Common (v1.33)
baseurl=https://rpm.rancher.io/rke2/stable/common/centos/9/noarch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
[rancher-rke2-1.33-stable]
name=Rancher RKE2 1.33 (v1.33)
baseurl=https://rpm.rancher.io/rke2/stable/1.33/centos/9/aarch64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
# 디렉터리 생성 확인
[root@k8s-node1 ~]# tree /etc/rancher/
/etc/rancher/
└── rke2
1 directory, 0 files
[root@k8s-node1 ~]# tree /var/lib/rancher/
/var/lib/rancher/
└── rke2
├── agent
│ ├── containerd
│ │ └── io.containerd.snapshotter.v1.overlayfs
│ │ └── snapshots
│ └── logs
├── data
└── server
8 directories, 0 files
# RKE2 설정 : cni 플러그인(canal) 등
[root@k8s-node1 ~]# cat << EOF > /etc/rancher/rke2/config.yaml
write-kubeconfig-mode: "0644"
debug: true
cni: canal
bind-address: 192.168.10.11
advertise-address: 192.168.10.11
node-ip: 192.168.10.11
disable-cloud-controller: true
disable:
- servicelb
- rke2-coredns-autoscaler
- rke2-ingress-nginx
- rke2-snapshot-controller
- rke2-snapshot-controller-crd
- rke2-snapshot-validation-webhook
EOF
# canal cni 플러그인 helm chart values 파일 작성
# https://docs.rke2.io/networking/basic_network_options
[root@k8s-node1 ~]# mkdir -p /var/lib/rancher/rke2/server/manifests/
[root@k8s-node1 ~]# cat << EOF > /var/lib/rancher/rke2/server/manifests/rke2-canal-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-canal
namespace: kube-system
spec:
valuesContent: |-
flannel:
iface: "enp0s9"
EOF
# coredns 의 autoscaler 미설치를 위한 helm chart values 파일 작성
[root@k8s-node1 ~]# cat << EOF > /var/lib/rancher/rke2/server/manifests/rke2-coredns-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-coredns
namespace: kube-system
spec:
valuesContent: |-
autoscaler:
enabled: false
EOF
# 모니터링 : 신규 터미널창
Every 2.0s: pstree -a k8s-node1: Mon Feb 23 06:01:54 2026
systemd no_timer_check --switched-root --system --deserialize 31
|-NetworkManager --no-daemon
| `-2*[{NetworkManager}]
|-VBoxService --pidfile /var/run/vboxadd-service.sh
| `-8*[{VBoxService}]
|-agetty -o -p -- \\u --noclear - linux
|-anacron -s
|-atd -f
|-auditd
| |-sedispatch
| `-2*[{auditd}]
|-chronyd -F 2
|-crond -n
|-dbus-broker-lau --scope system --audit
| `-dbus-broker --log 4 --controller 9 --machine-id 3b2405e60e2a4236814b5ee5095ec74f --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit
|-gpg-agent --homedir /var/cache/dnf/rancher-rke2-common-stable-38dcbd8c1e621b96/pubring --use-standard-socket --daemon
| |-scdaemon --multi-server --homedir /var/cache/dnf/rancher-rke2-common-stable-38dcbd8c1e621b96/pubring
| | `-{scdaemon}
| `-{gpg-agent}
|-gpg-agent --homedir /var/cache/dnf/rancher-rke2-1.33-stable-ecd687a1e3012961/pubring --use-standard-socket --daemon
# RKE2 시작 : 2분 정도 소요 -> coredns 파드까지 정상화 대략 1~2분 추가 소요
[root@k8s-node1 ~]# systemctl enable --now rke2-server.service
Created symlink /etc/systemd/system/multi-user.target.wants/rke2-server.service → /usr/lib/systemd/system/rke2-server.service.
[root@k8s-node1 ~]# pstree -a | grep -v color | grep 'rke2$' -A5
|-rke2
| |-containerd -c /var/lib/rancher/rke2/agent/etc/containerd/config.toml
| | `-12*[{containerd}]
| |-kubelet --volume-plugin-dir=/var/lib/kubelet/volumeplugins --file-check-frequency=5s --sync-frequency=30s...
| | `-16*[{kubelet}]
| `-11*[{rke2}]
[root@k8s-node1 ~]# pstree -a | grep -v color | grep 'containerd-shim ' -A2
|-containerd-shim -namespace k8s.io -id88344110551ed4fde4bf09fd9c7
| |-etcd --config-file=/var/lib/rancher/rke2/server/db/etcd/config
| | `-9*[{etcd}]
--
|-containerd-shim -namespace k8s.io -idbb4b8065833472be21fe676308f
| |-kube-proxy --cluster-cidr=10.42.0.0/16 --conntrack-max-per-core=0 --conntrack-tcp-timeout-close-wait=0s...
| | `-7*[{kube-proxy}]
--
|-containerd-shim -namespace k8s.io -id1524b3e2df0bdd9e189009ae36f
| |-kube-apiserver --admission-control-config-file=/etc/rancher/rke2/rke2-pss.yaml --advertise-address=192.168.10.11...
| | `-11*[{kube-apiserver}]
--
|-containerd-shim -namespace k8s.io -ide0b4bdbe434721b4a1f44f0349e
| |-kube-scheduler --permit-port-sharing=true ...
| | `-9*[{kube-scheduler}]
--
|-containerd-shim -namespace k8s.io -id6f3b2d3a4c6a211ff764bc472f1
| |-kube-controller --permit-port-sharing=true --flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins--terminated-pod-gc-thres
| | `-6*[{kube-controller}]
--
|-containerd-shim -namespace k8s.io -id0e4c3909fbf2e6f18bb5b436134
| |-pause
| `-10*[{containerd-shim}]
|-containerd-shim -namespace k8s.io -id68674ccda6bf02469a45f21cf6c
| |-pause
| `-10*[{containerd-shim}]
# 자격증명 파일 복사
[root@k8s-node1 ~]# ls -l /etc/rancher/rke2/rke2.yaml
-rw-r--r--. 1 root root 2973 Feb 23 06:02 /etc/rancher/rke2/rke2.yaml
[root@k8s-node1 ~]# cp /etc/rancher/rke2/rke2.yaml ~/.kube/config
# /etc/rancher 디렉터리 확인
[root@k8s-node1 ~]# tree /etc/rancher/
/etc/rancher/
├── node
│ └── password
└── rke2
├── config.yaml
├── rke2-pss.yaml
└── rke2.yaml
2 directories, 4 files
# 바이너리 파일 확인
[root@k8s-node1 ~]# tree /var/lib/rancher/rke2/bin/
/var/lib/rancher/rke2/bin/
├── containerd
├── containerd-shim-runc-v2
├── crictl
├── ctr
├── kubectl
├── kubelet
└── runc
0 directories, 7 files
# PATH 안 건드리고 표준 위치로 바이너리 노출 설정 : 심볼릭 링크 방식
[root@k8s-node1 ~]# ln -s /var/lib/rancher/rke2/bin/containerd /usr/local/bin/containerd
[root@k8s-node1 ~]# ln -s /var/lib/rancher/rke2/bin/kubectl /usr/local/bin/kubectl
[root@k8s-node1 ~]# ln -s /var/lib/rancher/rke2/bin/crictl /usr/local/bin/crictl
[root@k8s-node1 ~]# ln -s /var/lib/rancher/rke2/bin/runc /usr/local/bin/runc
[root@k8s-node1 ~]# ln -s /var/lib/rancher/rke2/bin/ctr /usr/local/bin/ctr
[root@k8s-node1 ~]# ln -s /var/lib/rancher/rke2/agent/etc/crictl.yaml /etc/crictl.yaml
[root@k8s-node1 ~]# runc --version
runc version 1.4.0
commit: v1.4.0-0-g8bd78a99
spec: 1.3.0
go: go1.24.11 X:boringcrypto
libseccomp: 2.5.4
[root@k8s-node1 ~]# containerd --version
containerd github.com/k3s-io/containerd v2.1.5-k3s1 e77c15f30e5162d6abab671b0d74ca2243e2916e
[root@k8s-node1 ~]# kubectl version
Client Version: v1.33.8+rke2r1
Kustomize Version: v5.6.0
Server Version: v1.33.8+rke2r1
# 편의성 설정
[root@k8s-node1 ~]# source <(kubectl completion bash)
alias k=kubectl
complete -F __start_kubectl k
echo 'source <(kubectl completion bash)' >> /etc/profile
echo 'alias k=kubectl' >> /etc/profile
echo 'complete -F __start_kubectl k' >> /etc/profile
[root@k8s-node1 ~]# kubectl cluster-info -v=6
I0223 06:09:46.771465 12296 loader.go:402] Config loaded from file: /root/.kube/config
I0223 06:09:46.772287 12296 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
I0223 06:09:46.772307 12296 envvar.go:172] "Feature gate default state" feature="InOrderInformers" enabled=true
I0223 06:09:46.772312 12296 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0223 06:09:46.772315 12296 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
I0223 06:09:46.772319 12296 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
I0223 06:09:46.776487 12296 round_trippers.go:632] "Response" verb="GET" url="https://192.168.10.11:6443/api?timeout=32s" status="200 OK" milliseconds=3
I0223 06:09:46.778659 12296 round_trippers.go:632] "Response" verb="GET" url="https://192.168.10.11:6443/apis?timeout=32s" status="200 OK" milliseconds=0
I0223 06:09:46.789710 12296 round_trippers.go:632] "Response" verb="GET" url="https://192.168.10.11:6443/api/v1/namespaces/kube-system/services?labelSelector=kubernetes.io%2Fcluster-service%3Dtrue" status="200 OK" milliseconds=2
Kubernetes control plane is running at https://192.168.10.11:6443
CoreDNS is running at https://192.168.10.11:6443/api/v1/namespaces/kube-system/services/rke2-coredns-rke2-coredns:udp-53/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
# 노드, 파드 정보 확인
[root@k8s-node1 ~]# kubectl get node -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-node1 Ready control-plane,etcd,master 4m13s v1.33.8+rke2r1 192.168.10.11 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
[root@k8s-node1 ~]# helm list -A
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
rke2-canal kube-system 1 2026-02-22 21:07:14.396735594 +0000 UTC deployed rke2-canal-v3.31.3-build2026020600 v3.31.3
rke2-coredns kube-system 1 2026-02-22 21:07:14.422743523 +0000 UTC deployed rke2-coredns-1.45.201 1.13.1
rke2-metrics-server kube-system 1 2026-02-22 21:08:06.964477155 +0000 UTC deployed rke2-metrics-server-3.13.007 0.8.0
rke2-runtimeclasses kube-system 1 2026-02-22 21:08:08.967529212 +0000 UTC deployed rke2-runtimeclasses-0.1.000 0.1.0
[root@k8s-node1 ~]# kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system etcd-k8s-node1 1/1 Running 0 3m34s
kube-system helm-install-rke2-canal-cn9bh 0/1 Completed 0 4m9s
kube-system helm-install-rke2-coredns-t87xt 0/1 Completed 0 4m9s
kube-system helm-install-rke2-metrics-server-wpjzt 0/1 Completed 0 4m9s
kube-system helm-install-rke2-runtimeclasses-5pn9f 0/1 Completed 0 4m9s
kube-system kube-apiserver-k8s-node1 1/1 Running 0 3m34s
kube-system kube-controller-manager-k8s-node1 1/1 Running 0 3m34s
kube-system kube-proxy-k8s-node1 1/1 Running 0 3m34s
kube-system kube-scheduler-k8s-node1 1/1 Running 0 3m34s
kube-system rke2-canal-9wqbn 2/2 Running 0 2m54s
kube-system rke2-coredns-rke2-coredns-559595db99-lv2ww 1/1 Running 0 2m55s
kube-system rke2-metrics-server-fdcdf575d-vxcnw 1/1 Running 0 2m2s
/var/lib/rancher/rke2 디렉터리 : addon helm chart, 인증서
# 디렉터리 확인
[root@k8s-node1 ~]# tree /var/lib/rancher/rke2 -L 1
/var/lib/rancher/rke2
├── agent
├── bin -> /var/lib/rancher/rke2/data/v1.33.8-rke2r1-1b2872361ec5/bin
├── data
└── server
4 directories, 0 files
# server 디렉터리
[root@k8s-node1 ~]# tree /var/lib/rancher/rke2/server/ -L 1
/var/lib/rancher/rke2/server/
├── agent-token -> /var/lib/rancher/rke2/server/token
├── cred
├── db
├── etc
├── manifests
├── node-token -> /var/lib/rancher/rke2/server/token
├── tls
└── token
5 directories, 3 files
[root@k8s-node1 ~]# ls -l /var/lib/rancher/rke2/server/
total 12
lrwxrwxrwx. 1 root root 34 Feb 23 06:02 agent-token -> /var/lib/rancher/rke2/server/token
drwx------. 2 root root 4096 Feb 23 06:02 cred
drwx------. 4 root root 35 Feb 23 06:05 db
drwx------. 2 root root 66 Feb 23 06:02 etc
drwxr-xr-x. 2 root root 180 Feb 23 06:05 manifests
lrwxrwxrwx. 1 root root 34 Feb 23 06:02 node-token -> /var/lib/rancher/rke2/server/token
drwx------. 6 root root 4096 Feb 23 06:02 tls
-rw-------. 1 root root 109 Feb 23 06:02 token
[root@k8s-node1 ~]# cat /var/lib/rancher/rke2/server/node-token
K10dc56af1974bf2a4a0dafabf6ada975428ac30b1cdfaee37aa24bab82bc13ba44::server:0f98c22f8008e212824486083fde55dd
[root@k8s-node1 ~]# cat /var/lib/rancher/rke2/server/token
K10dc56af1974bf2a4a0dafabf6ada975428ac30b1cdfaee37aa24bab82bc13ba44::server:0f98c22f8008e212824486083fde55dd
## helm chart manifests + values 포함
[root@k8s-node1 ~]# cat /var/lib/rancher/rke2/server/manifests/rke2-coredns.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
annotations:
helm.cattle.io/chart-url: https://rke2-charts.rancher.io/assets/rke2-coredns/rke2-coredns-1.45.201.tgz
rke2.cattle.io/inject-cluster-config: "true"
name: rke2-coredns
namespace: kube-system
spec:
bootstrap: true
chartContent: H4sICO13j2kCA3RtcC5PYUZIbGlVRmRqLnRhcgDcOmd74zaT+5m/AidfP5OS3OLVN62tXJzsOnpsv71CJCThDAI8ALSXKf/9ZgYgKTGyU6+9SrE4mI5pBGQfxUmaGysK7cZPXNXCZQ0v1Ztf8DOBz8XZGfylz+Dv6dnpxcWb6fn0bHp2fjY9P38zmZ5+cnbxhk3e/A98aue5BVV+Lp+hcf9PPkfsWqx5rTwLm8/WxrIYD1lyxB620jH4l7PfzT+8T2G15N6Lgq2lEoAA5LniVgC5lXylgIM3bCVYxZ0DNKnhsTG1ZV6UleJeANtElnwjZgljVlTGSW9sM2OW63wr7HjLbSG0KNqwBLQj9uWTsFYWyH4rGNEzzzfseWucYEW0QYblHFh4xqvq18I6aXSWMESesdHTNJueZdN0VUtVnExOLiYnk4sRLFe1UkujZA6K3KxvjV9a4YT2KBykVx7YcKUa5iqRy3XDuGbcWt4wsw7qLIHDvcit8C4LVPGJlRBj6JKS65p4AJh7cg6pq3kpXMVzEemsWM/Y1vvKzcbjx3olrBboN2nGhcnd2HP36Ma50Wu5qa1IK4O+0p5LDe5DS1LUCBasfAJBqRUb6bxtxsQ/Whu1m7E//AnBezACMJaSajNWNneRwxeiCTi3sJAksH3gMn5lau1nbIoAB3udC2KhZCkDM8byqgaEyaSkp1KUtOXTk8sPksLgPyH2fghuYo1SUm9+VRXcUwiV/OOvNH/iUmH4AV6A3dd2A08n5/+QJF7YUmqOe/jvFvy8FFaaAgwxugAHnE6SBHw419p4QgLY199CbLNc1Q6IU15743KuhM3298PxtUi9ScWTzD3E15orJ0bE7j1fCRU4JU5YQBAPTSUA6SpwvVkiojWlgCCoyfaIF9wgNBpUzBgxJRDfUZEAjHUMgj655STD21qMDqJUxqKmb6fnpwHBCSVybyypCr4zGhPyZR2KQoZs6C2khS6MgTtxxuQHg7gKgKGopLP2iOWtSwj1iCnDi3dccZ2/ALxS3LkIFx+BFPS5WYZo7iEPlq/XMg+JHbWQ1ae8lKoJwMjCB8RrDHK5qtG+GVtCIqIkQ5ZDLYy5CilPeXsf9Ke1mzWDrQED/THjAUs6thFaWEr12kHQEtUa8ozW24KYBNdF9fh+FBLzpSk61yUveHGe55SFCYvlZQZG1a8qHkmwYNduaAYoUkROYAnx+hmWxVJ+yMDErng+i9KjnCj3H1EvdvdufsW6wjK0L4mhc2eUCFzeNW0/+LH6Znuthm2FBdo1cHMS1J9Fc+J62DCIHeliQke3xhYhhYPuhHlnY0NyW1OrAjtBISplGlCGu67GuEhtLNPYZRV7vHTYxLJkKKE1vW9MrLLSWOkbYMdd7MHovYIaOlobt4BVpnAZ+1W71Jc2NHWn0LUcKdOw3LeRkSXDJXSFaxy4MW2tyWFdAiPy0FXbqkgRUIAp8SQUMMtr4mO0Fx+RMVTlfRiGyD6LAQIZAQmCs8hCuyCEe2opuGtMSV1/ZDmv+EoqoCPfSAhuLIRM1+VKWHCWMs/Qc07OaNhxTm400P7zX6/my7/cLh7+8u7m9vov94u7X99cLf76L1kyUB1jgyvgsYSWK5XYiAW6kcK8K569ElK4WVtM20KesqEcWiisqXqU+fv31C558aVWzZ0x/lOQFnzfRUU30n1lNAX/Mzrki65xAX1uylJg8wPs7500eFFKLWlb4/aOIZDSHL6aMsWUwNgV1o2PYpClYTgpeZUailCXBBQQmJJaZH/4OmMZ2QfR+hefV13dCo3q/JSSMk2hqFfGhRDqckUzzgq5XgsrtCcKwo7ry8iBeFB56RsxOUabgpBwQmU519101y5QDSDiFoLjwiQy3BrnWxmosKo3kjpzNzkJa411hIy5K3CQHm8FV37LwP+VkdqjFbPLyeXkuAtaCmolnwQ4yi2tWYkdnoGcXBbc/E6Z/HHGvkljmChAK+r8EeJ5KBojpxlInl5OB5IRSx4STeTE8q7F94bB7GYb1ocPmy9viE/BPe+pdzBI0YpbAHsMirYIZmAJV0zqFBLDZtxWnMnqgr68YjCWNCCinBQRBjkHXrKm3mxf4ceY9wp2dOAmUMvK3O07CiemgaNiOH0II1Nvaj9yfdfUSUb/ELueAtk9c1t8Bz1jY+HzMfY/9ZSh/TtEOc+3YkhC5nQoyphqbwdxitpb58UqDFWhzkIrBD6QbRy/sWfpt1jaKO9CMlPVaNOYDT9HhPlXWv0rW+FWUWqtBFNiDa6sPfjVS9CkOW47NXWsUYajWF8WtkIpkz0bq4qMGJvY7Q6TMebAG2iTV1jPEPIa2Yj98/NW5lsGO8qVY6NCI9mISQ1usOL69v5f9vRZG5OtuM0G0gIZAodFrHeJEx7cIl2/T6iC6V4rd4tbZSwFHLDB+eAZvIB/66LqejmohiHmTW5UEHz4c8RujY8NkcQ/S6Woj4NXH5lcU+HD13dwgAlK0HQE7gBRG1vlqAmVXJwAQhEniaE6T09Oz85J1I/19vnp0M9d/TwYUHExDqvRE9JFlUKcAZdD1SZyiRNw5HSM1tOAVIKOEkPdyxKQRT9E7Ahmrq7QZMek/zuQM8w5iA0GsYFylHSe5HTLjK/hzw63wGBYzVpz5fqgYBgzLI8J5XyjRKQ/JhSIIRnbVQyIkD+M8qeDRT0x1RfErz1GoFElWC1p7FRSFJisThbdi0OxO1iQJjR2xVLhDZM6V3Uhdl4SowA6L3LHLMRAyRuAl7CN1pTBsF8bVZeCSgs9h4FvRorLkqLtgNvHEG3j9vjyX0N53CWP0+MDBQ2asN9VjwkU+3H0txaiiAN0+/q7E6n/FAMumpXsscPOH0m6KUZqcARX10LxpjtxuMAKXe2fQkwBRiEIPu+A5wBbc6kgIh+2VritUUWAujrPQe4OdLpv6H4TP+5gzU8zlNj9eEtPD1h6/oMNnb5gKAVJJXJMR13VnjnQIfeYt9yhuPYdLKewfm3EtYKGx1yMu1fEHbSUV3KMh4bT8RFfr9HEJn2aprmhPMMqFBtliM4WJ8YqTY3zAawbIa5rC8X2HtpIUSv4drPRpgMvPoo8nENEssjtPr78Pwhbup21lJXc59vFx8qCt9ouzfrlR9H0LQySb2yNEvvNw4DnOB0s3Oj9FToc3ucYROLUlvRWM0YHaV72Rv8UiwN3byqjzKb5AjUf7e8djt5Y0EfdzLsSqvUNMqDPAZ8MHPJ4iXtcJS844bse2DUfVUoL7f7n4/EE4rF1j6swNyGPQCiX2u/EJ9dF3z8+E6psjzrA3Vi5Px3Gb8vznnhedTy7rU+Hng7gztd0JrgfKHSGsW9p6ND/9PXXrT6iOyLKaFdZxr799p++h4sE7bjOI6fsDnTiTmR4ILFLvR9H7cOAF3a0SBCOjx/Fcyip4fO8FfpX2oHn3FqGg+YYxmKum2fe/K3452Ca/UzXvBxVeFyb4JRaiOC4cAFVmSIewpRCe0C4+54rkdoJm25qWYgxFsk0HJFKo8cJPu8Whn1q42bhhOh/p6d4o4Qlfq91lR4rRs7r1byvYAuctQkaC9gsluwIE+s1GDwD/7c7luzJinJG5FOUMIgwvHUCcAohqqkU96JHi4/SeQfATsqoFzP6XtbC58UP4Ri6BjD8ISdZttZY7VXcw907tGI1PoqnP1AcU463aoV0tq4Qc1UXG+ETgF13sHcEa0fMjhUL52JhRqapN8ZPp17IZNLtZDL9ZDw5H08ux4EM20kqwKtSOLxtTXtbxgmypPO+eM3BUhIQqkWMmKxYhc0tTMml7uAYJGEBN01Q8n0Tw2AXJ4PHm1t2/+WcOdCR9My51mFNm3wIAhPOJ5cncHXPPjmZTNjpBfxvejJ5exEfXhYCb7FslUmueRqPBzOwNHudgP8Ygjn8mb49yaYXl9nbtxkc8La4/5rtYR/GTfrX2f62F1+Icm5Zd+XquleO+By3p30TdaYUaYeddvWULmnjcvhO9+O+X1zu3ErPFZRSd1AjEs+ewhsU8ybekCS7L1aHdAoUvUKirHxzLeli6aCgku6L6EgsFOpdCbviPiDiD5JJLJfcb2fhoOsZX2FhZ1/wfbxS9ybqIjVuR3e50XkZqCvjnFwpugbJuQMFtIjnduGkELF1aBPhmAtrDlvx/FHoIlhDl91DQwgvzZUU2qe5sN4dtKR9LfXKUTUjpPgG/cEUwOfsZDJ0z5rrvEmDma/65wC3s8lhpwn9JK2hVtr/TAP98APdVlnzBE52CLGoK82VFXfu2djgULQPl+k+aQuCYoV1CQgfeO83n80fFr9e3P1lcftrALediW4pomURFarQhwXchlzdLR72sT+1pmyHqOAsGF5wSIgwtuvTgJDuzjGh+cQF+B4PCeKszJTY8LyJ13ToNxevDePLcQgXMJSN4gvErHsZGIVBpruldVie7oXoyv8GaOsVlp0uRLZCleOVMqtxaM9jujB03frdYn79YZGVxREvYH+xQQlohvQl4qT9DekRA6XmVUWz5s5tZachHfRSuwm6Uj5hX2zwy3Vn9TFerB2zq/Yy57i9Oe6+xJNvqJ908AP6DC4U4yFBloT2tvujiE6H/kb4f06ReS8zanMEFRZcrwH4JPaPxSjEP1vOdwICWT5z7UWBlFfhvvozY+VXmEoK1J334s3qPyAUMsDEIaXiFKXD31ZQskt9F35S48KETQP3Dig003g9QWyGTynz9CuTuxgObcS34RHRuhSJv6/poZ7/F3vv3t02riuK77/9KXi0u0+TObFi59UZ79Xf+nX6mOk5feQm7czdt9NbKxZj61SWdEUpTeZxP/slSJimIcu0XTWP1p41qS2RIAGCIAiCQD7khVWMIcS3RRRHvyuC2C8DyWDBkFtvwb61XmfA9afxnrQUxSv0rlCb0HqvZUiL2xRzCs1ZYI7tszwFkaFEruUnZIvX2vlvbwqiZFCegaK764Dcmn7V/g5PNV5KHLnqUqudAvBKn4Gn56rDsP2xYbGMG0wYOny1mC56zHMkGHhaHRFoSRouC00VtaF1NbCXYACPfucAznY206PXYx1dKricW4pt4QIJLzr6wBcGeVuP9aT6r+ilYdmvy0TonQoQy0YEf+xqSkmiDsoYRVdbH0igrUuwC+18yLr+937nPyYm9JnBwObe2q29AvjIpLZXDAtTDggU2tGAwXoUc1TGADqaTwENcNMEWxxoCklxqkoeQ8Fnuow9+pYkrPiK2Gxk9VwduAL8qtNcrb8krMSoqJ7HwVBJ+gxdVWyurTKtr2CCx8p5GWttwx/6ZixwBQOgqiTuv57J35YjY7s9LftwgQ3oYSnaPBBFuxsALsZR1eWqihjMjK7tdNrx96tOpwvdTtd1PF3f9fTLO5+i++k8B9Q5LqhLOqEytoofFGVjn1FvJiwfGVc4oA0thN5fjN2Kkwjr4AEnodOmxthnWdUYo3a1BZY1xm6JbY2Y0hhb2cBVY5CqMXIxtqyZywGXmLqAoEbfh9ElXC0LzHhiUw9r9LH29g7H0IrtZu11j15G8BD9t0kNcMuuVDk6gCrWRKz0yfiDtdj0O87xhUtQuwYItBX53GeiAB6QslxkUZIEH3kOZMW1l4fGJxtEAR7tGzgsEsl9cBUECQNEq3qnWhqWqJ4fQ2+dmuAaekHlVLl62krPW+1TZHLiiqew5tCVFq6eu4JjUs3JK2NL2sQYm2cVY2yxXYyxhZYxxhbZxlrT/Znypv8YZegHYNQpSkbjee1iRGvvN99Le7GbNnRcQtEdlrD0lQQu2Cj9pNx5lINXCRBZJJ8GSRhbi1YGDq6oqybU49hy0AZOm/W7QV9Qxf/BRRqFbBDloLTmpFnfnr89hvV2GDb1LMoF+fVrVIx+TkXxCpzeX6UJn3pZFqpteObtgI+RVkTQkASE0OMCbRqq9KadVYBMKa3wyhGRBGsPc+CWEDpPN+mUVuAiq9dyOKKyyB+J2S6yNFdFUHUE2FAAzCtCeUeB4ZAjVPR2QdVy2kv9AD6WR6x5qBSZ7331n3kmeJDLtYKUGl8pE7t+6YtSruyXpoCeeqSGZuIkTAthPTeGNW/Pa9kdpS7VQokSMxEXsb7fgqJkTre0uWnWwgQLnvLmnLv1jrIP4JHJhVArzg++PD/w9zpST/bU2wt7B4SDhSyOTmufIjGaOIOZtrRdbhDFUTkGFRf6A3L58krtC4MBByTYWJb38WaE5gXByowF7LGu+ULBOuFhlPNBwZBrtl6cHG9Dk6LgXM8evDaiOjey+wFUA+dMbMbe/oMW4+suKgUgUfrK4W7CC3DKs5SZXQWrnWM/2pnqx+7flS6h38EKqdpRY2Z0o5Z2RNStfIjzDKm5wo4GIENDGry1m5HOB0f+A7qZweXoiwBfTdkcxumZ5jrtFo8yZbJ5UML+b5sPfmbu/5ormruvXr95euoXl8WXv//b2Tvco/d/D/c6+5v7v9fx+eOPNkhU/xd99ZtoFuAn0sIzD20++8TyMknkwkjteoFgAb3L5LcAPI/F8nD81vNi4i4eKPXTvrKl7+kYt/wW9h6XLgHLub6l4RmMrBsf0AnQStURz6vXT55+OH598ubhvS2QJYMiZkNesHbb2EQY9ZqBpwCFtVP23yJNsqAYPfT+8GHz6gNU8a7z3k+wD395DBsXbK4nD94/Q2+ebdK358ekZwBXrNW/SLatuiaKoCiFj0svV8/wx1+e6sBglDLvHnagd89QyTNDOUvwF9adzAVEB3nSY88L5flbBB/Bgn7OP4ERtyz4VOOwwbHnx2i/Mbd7feN+9y+8sPMJnKpUVY0bO7synHXfpp64GLD2p2UG4j5scsxY4F0sHA4CcKnBcDZJBuz+H5Nxsi+8+hIjGCcYsij76z6MFo7XvWkf546SfeOY1Y8RY94SXfXr8PQlQfyZezweANUu3qCXzU503dMkhLatr9b0hw0fD6dHrecpbAMkGXqtVtdnL4IykUMfsOMUCymNLE1jIQvgSAEvsHYE0zofwx8O4r54+AoOmllbby4fRsl5ehanl3CtTQHA7Sab/G619nz2P+Cak7l+oRV82dIuXgSzrzfd+fX/w4jHGbjXFFn8hdf/vYMHD+j6f9TtPNis/9ez/u9+xy6iMThDFMqbDI5YH8J2HVTzHvtuV85KKNWSbtTg91GQy+TKVcFvYbk2WB+ipOKv2jZv9YGc/xiqKQFiJJJ9uZr9Cdu9ZMCO9tXXaHyqNsLMayMwlBnwXfcPD+ED0wYIrisGLpBwGzsExwLVc7/1K9fQVfkC2gAsBJMyIygFV4Yn+8KswlfCiENtD1CWUX35UVlcts6MYICysPiATrBNyUKlqiENUcPwpaGGKUMKrEiuWEwh3VM49R66R4T2IcujpDhn3j9E+x/CI37FAHb5wasZyHQ8ThM8u6inoH6vAVadn8dBEgx52D676s0szRPF9k/JGGmhlr5FntN0tbPrgdeOL0baWacHq6dFRCjRnj7BSDSyOhoimPcfHvM+eLKY11pCCzd+RnPXaPlWvlQU0ct0axYhopibACHz3M49VNQ9e12u81F3uKi7Rlct3Jbt2zXa/rTo3IHfDLx9BH3zPEB7VGWHR8qZAZHUXIFaf6oFT8iTGq4g6BtpMkhlW2IwFWPaPmn/pN5x9vitsfT8hEeRsAiY+5/61g0gPw7AHxIWI1CGoRCqjxofdVNygaCzohmguGPyo1buU15gO7hTSrQTLwujQQFrN5YFga/KgcSHd7NgnhfYfbwwz+Xaj+v7zAVbMQsyD5LhlMq6oDCQDfTHQQZHvaqj02MIMUgz5ab36SNcfE+4sKDPdBr6XKSnRQ7FffWkTcshjeCltahhaZuCqups/1TQm4TPR3gUCAZGY3WaqFd7BfOKF3ojm6SFqhoV1e6jD8GWBCKdFnAI9D/bMzhUB0nwwi4vgahh8yJRDDJPm3PhVxlOf1lE8CyS0MYM/9KBOgF3N36h2ThKEp4rXtG3guEEUMAbc/McT3nZEE4rNVWqA6jAABRAKkpCfmmhNW84zI8XafqRBYXNjDrmgA5NNOKDj/o6sekQFLnS42egPCpUxXEKgzi7j1SqHLr88hAsByj1eqb22yfHkwv+5tmbx8eTEAM76oo8fDHmfVPMkILMFoWCoT3hFuA247TmeczXQQa22ZaSKiZEgecR/rEIaDkN4cGLCiVgbswjX5jYAnZHaX/4/zHdQSbzMcLBtnZKo1Vrhx74GZ/YfAxAajAx6846wMuwDrjN/esMQRHjEMDQ62+TscdBaZAYpL/kmVOW4XwxPngKkx0jHYsUeRuCPJylxQgYBaJuhdlcWQbzbksJNJzIFRS2t2kBMibbSKKGhnN94hIiEkyNEXeN9iZVPQLFPXi/5hHqEABJ3UTRATThUVoWPCfrunvZsHuGnaAdsBuHVkwQEgEW+DRXzvTYCbCUMSlp4SQOdtRn6QWfpxOotncIobBf7XmdfxEJVUbNsXaV9er4yZSdD/EhbPoB1+kjXEf1Irk1JINnL6HbzJusLB7z5FIg/2q1dmuyB5ZdUJtgXNI97bJ+rGHrAfgThnB78QrsQLQYXCeibx7PQbQYfDai5iFhkyc2e7ywx99JGjPV6uWu3YKZHE9IbUId6xVitdoqMiFam/1D/JZI8EX6nyJNTNsOfQx/38hew3iBbHYbuNv4mrcMm33BZl+w2Rds9gWbfcGy+4JJyM812ptU9RDKLdoX0AafcfCqUOVQiyA3Yk2MOhPnkgm8Sc/V5YVaMYdx/CzMqWBRpmPmTUEv0u5MIeVPStZuEyhuaQAfYtyH5HzIL0+zOJID1/OqDbW7S8EEEpoFrqY1Ask9fAT8FmVnusivLDrw92aTaGvDZKOz6uaw+R1g81i4d37Xu70DMbn+9s7Upts7fHU7t3foxUC9LIxyNhuz33VmhCH+X9U4GpBi/kA1bvXUqARbeFV5rlvYdh08hQH1PiCQPfziuYBcC92sbAKUaKDmmD5a5eY9I54TBmtX2RpqOdzyHNQxWGKQ/g9I8Q+Tq7lzWUP70ftznejn+ILseqvUJM4o3jJuIWB9sBwIlRMeju7z4zkjaorBYTo4Py6aAb7JQMKsaVpfSAHSSNhWDzkwz4/1iq11h50KWazuk5o6ZgGsbzwxoEwZVI+skl1GpEx9S7bssTttgR4WdaAJdv6HDpFvBiSpAddF/YN9X93rwfd0E0d+zv2KDHAcCFHPAbiRtW7hoMpaZQ1T4m0mipwHYxeTmAo+XE1ihGsRf3yKknI+B4KsbDvQfBZhtHXVYpSp0AYsSghyj188X4CZusL0/BiiIKyPEZnkO6AGNIaeScQD18xycNa9quIzm6xn4QSeLWqzlrvkNU9lx3xTI6GTDz0pg/i0kPs9M31MV0l5HeSDlnXMq1r/X8QMLqxb7juYGbDh+z/do8PDWf/fvW73YHP/51o+c1Qba7zx3qZ5BamaUEkE9mm3260gi9DFrcfgNVQfpTkGYAJfK3Ufv9v6GCVhjz2e6j2tMS8CSBHSM/ewl1B02rMX5TGeGKCBgmmhy6AvFf5EdgRsvgesKkzsKGUoGIr0X5Lr55aQwCxYdI6BayOpZt0vh1IkoRtUwtZoP23YeRlP0udI4v+Up2UG93A9733Ljq2lnqk7Q/hCiugz9RC2z1Kaqasz8G4ZQDk3UVMxJkYMCX8UXSn8IZfgmVeqFH3zGoD0bIkApKFckGViXpPTW8fYDhTGfgheLNk4RDkZp3h2YSI/CAZUZBKZyZ2ySIhSXaSXnn48hKBj6wTn+nv3aDl6TntSg4CaZYCALa6b/7jlv0voNyD/K/c/H8inNyT/N/J/Ou8c8v8aZD/djqslYDm5T4T9NUlle+orSeB5NBhP29xfFeoXqqX6B0ZWa5vIXPAchYN6DsJbfVHiu9peGIkBeE5fIfkXtB5HDuh0dVRjnIlMx8MBrCvN6xgFuh0j5UkfEE3MoKdqRLQjpeBWLRh7fLGKLQS/UgxUwh/krAWo2MX8y3YdOXH41HXR2RHVaWvcFMauugX9jcj/sygB4z7dBjQo//ceUP1f3gk8+Mrl/0b//1Ez1mYbsOaCI0moIl4zI7gWjIAsVRmAdektShXPGFY7DZQkFF4Xrp1CuuY6PRGTm8+1yX8q9BuU/90u0f9l9Je9o69Y/m/0f5T9X+E2oHmp7KbEOhLZcVYMYL9ZgbyR/8Y85VT7G4j/dVCx/3cOD/auUf5v5P8C3R/1fJRTii9eBtmM7L/o2oK8AeWvXtg0oOsz+XHo+1jEofTPhYqS0DSR5vOIa+aXby0yq6xHFhaOagSV2rIufGhzbnTaph5p3V3VTVzzA7kOY+OaeHTRJGVPHORDzNqwpVb9cZrr0KZie4d5JI+Fx8QoLeMQ0qdFSVBwH4PaIjQxDuJYQ5OV4V9X5ThKeJCbbPV/qL+s2jBw9DwCkXKSNOdxGhRHQJgdBIYdcQODck5gtWkjasHW1rDBSpLUApDvtCveTIXgsr5CcFmtUJtOoxZMXQ0zdah6882t/8ZRBJf/5tf/g+6Dg8r+76BzA+v/Zv03o02Xf7LcU22guvzPBim2l3dMlabdA82Crle0IAzTREfwyWlcH5Xk7gRi1w+imBu5D3ezIG6ZlLC4TlQCwFB/HZUZk3mzwQolpr3DfSOfGQPzRy7MTxWqGF6TD0bJZz/88P2BCrRPPiFPoiDWrw/N26n3Ts4hzKP5GadpVu+sNRvV2XYCAjMN6/jqP+NgSQsAcapAp8G4SbhKl6ecfdhitXSe5nDHkvkaVp4E+ZXbb8z78OH4+YsXj04+fHj84u3pm6fyiyzz4YNX57SmekvpDa0P1E20Kq3t6yq9H/YO99ch9IgHcTEiJLZfLUHk3ved7zsW5QwE0ucoaUMlP8izwM2cwH0brrp5rqKDmB1tBvAuD6C/GbnJyE0H4+3x6RuZlvTlhw8QffjpiRwR5iDo3VOnN/Y/p9bfgP1vn9r/ukcHN+L/tdH/q2c/KBEwLsW8gtM0S2tvFty2QnoY8Vn2wa/DAWDOBqhNb9gCyeQNW5jOrPfQ9AIzc+GYYSVdWv6WX6NzXcm6Q41LCX2sy9PLPPbPmsAt1evAUXgp+wqhCVRf4Ysw3YG32AVcCE2z9mVCTwPA4AzkpY9vATS+Q1g+AmsTUyc4cIG+DvyG3xkt2qq94z57ScqfIW+FsjOX36dbXw/e2nvaeytuarG/+pvVqiGg6ZEW+j9CEBtVGrh+5qFh8+6ejRthgAoL6L92oWo4HxiRZ1HMkWjQMvA0kqxn25DB/1x2gs46u9nPdKvbrP9hwMdpInhxDfa/o71up2r/O7yt6//G/gcXNqZeHU8Uq5zyojEjoIl4XanO2HIhrVc0JUIcHGhaXxo5xYyiujNw0yVKhm/VK/1IJQ9/m5isNDp5vJhJTzYG794XBqnFaOG8Q/A2GdUnngHjohAiA595WYs1xTH7Wh6pYHFE+yFuPgir6iVCm7dFbS1f2ZncDHCS380Ie1d9swJ8TyQ92uN0ckpIqwcriK2/Onfgdl5KvMMOB4FPUsgYWwpzCRlyPvhYhSQXhk/byuur0/q27KBJsOLPt2Jg6BYo4ewzljVdJzkaW7N5Ij8FUTER+fgK0wISRbw2WgDo43MNDyYHoD9N/wfLt6NwEQxtfWKQjscBiJZ398Xo/g673x7AX8l1UcySAWv/fsHapdXXOusRaDGH+/9kYaoTJQHmci6DPQOGd8LS/2Qi5jxje1Ay4fffVzlpUEtNksawOVouT8cqDWn6Z/zQJNBWYue9w7H90OR2PnwZmedBPhQ9ZhVrM6+Nl9Q9+zFkRFhklQKMDW3qLq0DYQjUNiij5Blk0N6dbIFo+RKNXOJiQF5NMpWaIt4aNjpsBTbABQ/yMP2UPFQLEC3AizKLkoLn58GAP4TpWlMmK1SmaSwyxxQ3uTUD05tfFvZIQsJ9SYOhyW5sXqS5PeZtNhMQqMcs+9xk4bZFAzNxFHsQ93BVOG1jcyWw3jxeAAushhQarIx5NBBOaDR9tvlAQL6feNEjFo3lxxsXlR5zMTgdOvxAgrce28UzpJk3Cm04F8LHtSm+j+wSNKX3oXl3kcblmL+ExVqsjXCbjQHAse52Xia7l5pDfdgQVgYIX7bJy5wHISRjxiy0hDa2NNW7zbbuuwXB7gVMeLN8kfpmWmtACyBMSrZsalHpThEyHKAh2YzopBDk1eox2OO+znWwotZyfR9MDGdWe6TK9IXJzY4ywEFeVwNUvzQflVLSlMdGPnI5xCiLNXhCIPPSPwsEv71b883+35h3qQNw8/v/Bw86Xbr/f3B43fc/Nvc/tuqdgDF666TAKAumb9wGAsNLDXsJuw8BvqkLgbjxdxsi1kx7hrXdKcuw4GckLqsJ9dxAAjKXsYXaWlzYLo7ePpc5PCSMt42VGyEWJVf1UYM0bIKP3E74ptiSfvjfL0CdTCkspKPFi3JsDrz1CKDIwCCo7J7/Bknj/ygRAt2PefV3ZLxtNU/FKNg7PJLAoQ9r8JN2SQagQZyNAkJq29bE7r/7w5PKl9fzHqNJ7xFYPwUo3RBMZmKDkgW0Ecr76/19F+MYOUWdvdNwzh0Des/APS7UWkktjOutDyYKG7F9kmSniFa10ByEaaGqMLy3oAh5hUiRGjWSloxL/QWM4Fzl9rialp08IdbUuoqWKXWtDljsOC1uPXR0wyr5uT1Z0cDsAPB5nUHbXCb5Ve7Qc15YxFGvjs0bSiEnJEfXnIbLKWxquFzPcjmF5zJd0pLUdmkoM7G/L6qbmXLzzJ8uqppy1tl2BwE5hnbGyGQdly1vhaq3DP3uNA3h+gAD+fObN8cumxFQ0IXCnIqztq+M51EargQTq1Bo1HK1LDisY8OjfvhvRjkXkJNmOYi01izMc32LaUWYpJZDIzPHHTMGYVeguZnC7bbZFT2s2xSRCkZ5ebjOCmvA6DRgD6dbvN2VYoZTVzJ4V+1rnA5l80XI81yZ18nri4d77umKOiMcLZANnKNsVS7QcaxvE92sUAK726XlTdtHDp+WL2j/oUafxu0/3cODww71/zzqbuw/t8f/8zPsOw2Igy/t+jl/K3uByFoS39JW/jRYYeLwR1k2J9N7z4Ok4faT/1/lfl+YYhz3AU1boRyX0y2y380r6RQJd5u0wvINz7G60VRYaxtTGcMYt7M6ET7U4cJpJxgTttMSnjWd2K5Lyzsz2Y3a5f3ZgtCuAXBa5kNHVSiClYyF0jGGk3KOASSl60YPXX3vllW0WVMoZeUvZQ5dH9EmbZZrGSqbF7/UOY2CzdKwBiZ5TQCuY+Bcw7pZa9KsokHkPMGFlnEgZFsGq02dzvrBQKX5DjLEfFxTHUTGynaegufjKFG4/JQHA348f7O7sBj0b1WAtF9uw6k70hfNwWetXmMoezpT8036kSeY+NPUXlQWPT+WJOyq1lRTcW2jqkOkUYdQbJIsQKaAuzV0/lwMxXuVJtxDdWF+SX2HZ3sWPtgfmGfeskgoz78o5yH7NOLJFBN4JbjKiqXacnQcTwTqOzItbh71nKcDS4+N08qdxWwLW6BVttm9tWy5RZqlcTq8Os3AiUmiBIpWlNiG3NoitFNuoKv2Ms3ZVh3jbptXtnV9u8Y6v8YCj/4+1RMnU4JVnZ/rV3naNHavfjFxnRnQRtyjvb5z+mcdGKx5SlBffa1OzDqN1zuT0/Zpzc88lzCLldeIP7XjKGK5Hf1yZxP1BxLGd/od+jDDmaztxzh1YGbvaxw4P9dTkl65w0uglOGsFqwri/PhQwHz05QiHp9gsK1VfrETv1iYYhnksfpy9gqyUL3myYXdN/mzRxvAYhbIbseGueS5kuswCR2xoWbFOjXj/gxWqhqRRpD7kodQX/AMqrGDpyZOmxo6YmrsXOlzDpMof8A8jBYyCJZYkUOg1tU8Bul+322CQbBXDXCIgbQ+iyCQBngE4TTAJAhpRS4h3EH2ynYl8soWmbXVbfG52OSx1MHY0qdh1IPfvVLWu72vFpGiMX94kjl18eV42gS9LT+3pfoy9tX8prQEoSoAPeizVwtqsYkO9jINZ8+ODjod5lsvsa9upYLyVrWEw1CHX78x/384lHAc/DaX/+FB94Cc/x7udW4m/8/G/5+eSLkOs/B82EzBx0EWnEVxVESy/KPj57iHEv7PgWAeAoCTod2LPY8mkZh9baKeLS52xotgz5qreCz9MyRbgNUjPk7DR6bjm+hDDd82AKq+UW5AmPeCsXm+AvC84i/AWMN+AuMoOSGnp4alrXdYOLisLYzvTGG8e0r3faY8viZjQcYVCp7xUXARTcxLk18ULC29eIzxa4PyP85dkZ+bzP92WMn/2X2wif98zfK/PgaM88Ywlc+efuVHKQj5Sfw39Uxd8T/hYQQZ37WZbI5E9mb4zzPCBm7aTyo/y9Pxj8HgI0+m991z8w62JBOfSryU/RLO/Hk+UUqjTLazVAwJzxjMj8lNenJb3t4Je4f7nvsKPbkm7wBCbrsbdIEMBltFsqeY4/PU9rSgfg/uaDIUZ4ox7eoibCmu7uqI5/Vr4Zv7v1kahpHIS3WZ/KwMh7z4UvG/QNt/UMn/s7/R/29h/jfJFk8MW/yo2IK1ifDXGYCn7qHH1TobHbxZHdy6eVo/UsSdznlNeH2/qTvrLYbA6HDX874Z9T0yMndd/qOjUBu3NUT2Nxz/+bDbpfr/7ZT/G/lv4rqjK5l9pDQ/7DPO9fVE/oT/buQGwCAdZ2kiC5nAU9fpj18l9Vy/fHzXgM++o2WHM72j4lre/Ku0vkaT139fwRWswz0SLpd4Ry23a/z6i/6SC/5aiz0lZIP+7yY4XpsGmTN70x+6GItO33Y8Ng8dK/7dX//dNsAG1v/Og4N9uv/r7O/f6Pq/if+8/rpeCa25ctxnKPJlIz5XAaPh8b/kQ2kAfItdN6bHqpwow6yNciEz4S+p7YuKDVXIgCgGDhBo56Mg6LpRpRyRTOvOf8esbyj/Y4faf7pHnQcb/f925X+5Fybi+bGAIDoii6OCeTteXX7FV6d2LXVlEerFPDFgyK1ih2hZ/5QQGfmarhJf4/6gecV/o28vr2S7NeuNZo3S4Plxb6lQ7RabDwtLcHQJNNGzE8igQAHxYokWxtrQJr4jvEB+1DEBv1Q5CmMD0jyALhCmqK9K+WKltt/kcH9pYF8nmPsKKLw8kOX6AEkMfwxiYM98QsTZZ9Cqo9p6zanre9gifexsFCvTduud7w2Yquv9HmZ50vfp7VRSOP2Ad0ln3siyusUoexaMo/hKU57MgtmXOAOWIVShh/MJ3HeJzsrCXFCZ8wLaXB7A5qD12/q49f9AX+GlAS4bPv/t7h2R/b/cANxU/J+N/b/q5FmTGMipweMN8E3Y5y95CLxi8Mnmwk7ufSve8hv5T83Azdp/peCn8v+gc/P2343/Z/Pif928gF/OEuyWWpv5T2d9w/rfwVHF//vg8Nbl/9z4f9D4QZYoaEALdMQo+vpMt4jhHQ63SBFxtuuo5OpArda7vqr7jeu3Dvk/ThOImvJl5f/e4cF+xf+vc7vl/8b/D1mjzk8AX0fJ0AfuSoX8Z7xLl4aXutTa/uDY+wXdM0vG3BVkyXpEDK3vZOjubxCGkQ72Xr/2uCuSJQlbvyGvdL4cneuWc1PitOqwrorq3+16lcDG3O1yR7voOA101NpEo3WcGS7reltpl+MVNzP+WZqT8suMrkrLexHE0+5MnkD3V6t555QFsv77Ix6Po2Eif7prNrb+w2Uvsv7vP9jYf67n83d2HBRwTiwgCKgeex0k9KyM4hCypUsx+jEYcuG3/s7ejCBiaJmpw1QmJL/EDJx/tAiTpXdYzuOgiC64ijtjPQ+SUAJI+FAtJxB8mJ9HlzzU69C/bfsMAsaxNIGaqksQ1YnFUcL9lv/k9MNpIfsmQTxOx2MJ4JfHpyyMctHyh1Gxq/7q7rf8s9/zXfV38mA03IU/k5/iItmdAjqT+JUZg+A4ovWdLz5l8u9Z8FH+Lcby+/+VRX8J8igtBXv+5KlogTD4bz4oWn4U8mBXlYNHrde/vnp6cgq/OcS6vHP6/8nTR09ePvXHIby5pvnf7RzIaC90/nf2N/f/r+UDsyAHj9dW6x1+e78Fkd9EbxdjR6oVeZtFggVMvmZCee2wYhQUbDAKokSwLC6H8C9sI7I8vYhCLlRZVDhEC2THi38+Oflnq9Xv9wdpItKYt+4xWHEYhOcEmy3DBhnpAMztUXkG/YDyWG0m7ZFlNWZKU4pjAw3/nUCDDsj+/J09T4o8DcsByKNWC0Qb4JMX7CxNCwjJmwHKVbJgb2BDQ0Bvs+nmiaUJ1P4vo9hoALL+jK6zPfFsYqUAaVuMOHv3s0TPtKdw9sVoeyKJ2cSyzaw+f4rieEJ7m/R6UAaBlHMce8dDFiVsXMZFlMUc46CVuZbLRTqR7+wChZ4Y8AS+ChZHsqehhBSnn3qtVnvCPCyQzRhEgOZoQFCNByzM06wdJZM0KIo852nOgDi7px+vJAhEJhJAAeNnA9Z6gGEaioRBAholhwCAl80Jhj8QugKnSJYKWOKuIPp1AWTvUx25D5SAEwWfoJkYFywbUV9yEytMGzXdDZIr6xQDFF/ocSlhqHD30XnEw9lOG1CGojiU/DJLhSydloWAIQeqITUAL8VM+JdH8mWuSrxKQ+XmBObIF5bTlPJwYuk5trIuvSDIu4tgyKM5MIBNjHMeYjjnKSsETJRnEmOh+nZ/HuHvS20lGoyAiILxYhCiMALwphtnOkAGArbmKCCoOgkPOWzTBqCCsD5Aak+iV/f1HNvBphLOQ1CXYBiynLdR3vDQV2LlOOcq3LqIJFowSaYigHX9bgdoDzuiHIWQqjyZ+ir2MAgjjvMah9u0Ab09T2M5AUXvtshS6C1msUPiCkP6NAG8LBoYLo0Se6rPiiHN+u9mnr3f+vvM720muJLdSiwJI64+BVdqdFK5SuVRWNMCC0uwTlnMIEfv/2Pfffcmyr77rsdeSJgMMM/1TlvgZOoDuVSLkmby/ZRuQq8qrx8/Z5EZVDqUQSzS2fE0Yh+HVf4iA7vaCKWDCNao0SCHMTbjBT0wwyaBYX4ryZH73/ud+nGEjvV1oT6bVErPP3d8FalgmWNvk6hgb7hQYuXf2RN+Vg6H8P2nUg4ersthOihhjEDsxUrlGKWfYJA/5VHBd1heJjtMdRuqa8AlAFaauJIFhVkrkeTvgKxtKAWF5i7vMyVmf237LTgABzwqUx7nNKCPXcFKKJv0+J4FYtQCmPjUjORqHQFQuhfspEwSwMyQVPZFPgM2tqmBA6NoAUwHwniL+0N/h/X9CYv0t2kvDRI+mf0pLEJZWUB07DJWDch59J+qF//z5YvvvgP6j4PCAjj+GEY5a2eqR22sR5pptwWYcgr2W4vJH7qNtlqoADZ5Dtu3GWg2ldRT0Gn8y3EM9QgOZiQN+yEPgThWVIS1IbfIZo5K9PY150HMLpSpCLhScSGhn6kybRu6r4pCQZgQ/3r08gWopTyOI8EToRSaX07lZIOZ8CgMNRfDnpgFhepOkWYwHa/SMp+OsQYEJFG8r6MwB9DBKNTST+llJdwyk53i8MhqSvccDn2k2g7/tOMgGZbBkLe18t9j9zTIhxNezYNPuLKANjNQ4bcKF+vujoMo2dWQ9BvFoGVUcP+/RZogfyllYAx6AxcaMx5GIC4UFjzPJYajaDiK5f/qMaAMkED2REkE2AklcWBmzF9vU1ZOXu2GXFKEa8k3mQ3WOjFXOpvarHZlzPlYYQCFiMg09k75Voh0EAUFGkYslgMYumtaKuPCpBF7bEvXVutPdhzkwZiDHF7q86fkfDHIo0yxwo1+oC+4ZqxXXWLfa6/yYX9C+Vvygc6v/1HY92nWi76D3sCmqg6b1gE5Bufi7DxPx9c49kTDXH3s+yapB0Hbjb2sM4v2Vsjz6IKH8AtXA3UYvv2lsO+7+uxG3CQgcQ77cyivsc1UhRuc8s/PX6XFcc4FT4p1sSeuHP3FLZ6qHffVNBUNi6b0EBrEdWHff/fe9HY97O38oP0lWnxVjuXyA6oD1hQ3N/ZdZxk39ph6xY+jcVQIf5CV/QUtmrQCEAQ4Gpdybh+/vSHs+91OZ9xvFPsxHxOp78BeV7gZ7Pe+fxn1G8Ee9mBcmNF3Yo/leQijf+fH3mBPRt+Nva5wF8feunPZX6KKrXOj3VJZPm9m7M0d0v6a2NeHY+vPX/F4oTeQRcr6RV5qoy168SI91Obp2ACe+FM0j72yFX/O2C8ON9avtGg7NxXKRgr/SAAGRyTBdYz9H1bvo1TugfMgM3cYdtjsWwyRDCGnvL/6ddgbl6P+vBaP05BNCrAb/QD2f32mtlPviLg+56MzIpkAJoXlLeN8h/tff4bzzUv0XYTDW3O0UMIxkkgpGeBAEV6HkRiAKR3O/a4swqyJ/R9/fa6ut8iLsD937JHrixRnAJ7jmFranjKJmS5YegbuHYIFuY2+2gP6nzn2ntc45xtHtP5czleShU3KKO7OdG5+W/YZdzqfbT31hz7z9jvCc29zbxz7hVLPSPRJobst9SaCfuBUHHBPfYy5D/SCJ0Q01Af817TO0bFvGHvRXxJ77sT/9u/v58dX6a889lCfnSEAthWdT9w9eLh9q8eeRtbpL2rxKZabZYKbmffv3n/uircwok9/DvZKFWKDOAJjmt4fAiWynAMopQPfPexNxByKdo3MD8sgbotCun5Q6+adknrurY17l3P9Er8hXc+xtfnKdzkLIjYt1HawPMvTUp2Hgi9jwYdX14k9fBrAnl427i86QVD+ejuTbd2/w86GzUK5LuzVFq9J7GGvQnGn2CdpAf55EnGkQCSQIkAI434wuUV3m8ceIk24Rtw99ic/Pno8Tdl+XWMPHWkA+0xkah1HArhPsiIu4OaG8vUMQBKeYn5mjPwnRmkZg/MuEimEveyts+sh9so7GTV9QgY39vKP7VmK7lU2SMUabopcP/ZVv9pVxx69RQxuC/2l05wl4JsVw01AdRHvZjk/y6MUWFYFcYS7jY4dLhSBM8xjrMegor3jydJQ3BldjyRU77taJOUtdyc084Ti+tw27Ly/QRj6r56++fDj81dPPpw+Pfnl+eOnS614PBf9ZVu0XZ5m3b2DZOIFfl1jf8o5uv/5V+N4nbGPowtu8vnXG7PJHm83jAT8q0TeCwTBMoBxjboeWtTJZ33sFRMH8RMeB1enEKkpFP3ZFtUrdsblqHMWz+IdCaYAgEC/FuyPOtC7xrDPeB6loY03bfHn9BNLzwuuDDqyOLjXAgcgAa77BLtR7ItozNOysNCnLf464omFLVQQTFa5kT3eYZ81if15EMVlzt+Mci5GaRxWTzFfRony2JDkAfGvbtrqWujrayiDN1SgYBSqAwwoB3rAOWhAkFga9oblYMB5yEP/5rFXfRFiReyxlht9LCj3PzMkQLL4q3P+52Kf8yCMHELfIfNPJiAQ6bsi8wn2bqFPZD5WvhGhD9jvd/pNjj0R+l+9zCfYE6H/dct8xN4h9L9WmY/YO4T+1yvzg3O1R7vqL9niI13e3LwVk60d7nDhRsrdsecnaWjiOC3lpSzLo8+KE+/bj32Rxjy3znCcFxNMeTf2t/8c7/c04c/gSlp/tf09Zzo4GftfEgBeart7Z7j8ssgD43wrnLad1xl6bAV5HlyBjQtE2iDI2cAAuWPY/5LG5RiHf2XsL3Rly23vTmL/Ek5zRP8zsB8DBBYlJuoDWr2mfHEbsXdcyXFwvqp8R7FPLhxIu7CXEKI8BZGvQ7IEZ3it1437jWNvBUlebeytNf+JuXm7JbZ34GBrZ3LSvUOdVtFz85as9zSo5vLz3lS5GRKgoq7dRN9mYVBwfxxcvk2CiyCK6WmcUdTxMlFirpaV0wrTa2YYeAOhs1KBb36L2m8a+9MyH1p4u7FX5y94ssiCs/QCzuJElPOQFmoc+73Df/Q/C3vZrSeRyEvFkT+W4ZAX/aVY97hakd01tyPA3j1ra7BnKYQxtKrfRewdEtuFva6OBe4Y9mEi9M5jHexhNSaBjJTpSvBiR4GeOC9GQoXfGMtCgyCO1fZeXU55lSa8f4NbVJ6Po0R1/ac8GPDjWrskwT5EhFkE2Kri2i6ThtOAWRPonA0BOHgiXfmNjf1+53OxH2WBywo/z9H25yxg05xZKo4PD0Il3fM0S3MkEWxf8XMrHW8Aezk8J7hQO7eogLYsT1Y9VEod18pv23qP2AeXK2Evy98O7PeawB6vAi3F+S91WTvCjr5IdnYFlIHJrmYDKzMduCb9lNxemV9NedhfRuaD3Mby0/CXbXvOt6eQ7R3b7Zn3BHsIuiKkzMdZ0HeEjoDiJp4Y4g+HU3QafEnOPzzqNzX2SRqugj0Uv2Hsu4B8M9iD6O+75z0s79HvHPC3Q47chK4Hy31z2AeXS2AfXN4i7LeCjwFLUliFtj8Te0xj8jaBYGxhqXbsr4C9+7aTm3IpBW43yxsK+bNAhaJNMCJdEcRmScz1jsCCi/PmFkm9LOcXPClOo2QY82O4BftMn672qy7mLEy5UK72AUTrZEJVYpObw+d4MAtkUGEPb6HzBcFeW6mexcFQ9OuPIVXIU8BPF2fnUB6QzAIBQrBInQtgU9hvJSkL8qHYbgJ7d6g0V3y0KbBrCJX2J8v5EO4BXUF2FhXhNQt2HZR3YE9CpTnio1072mTF87/3Dxua9zXx0hxB0ozLwRTS3QmStii1c/+rDpJGsHfcNCDWjUlpNoDi8zggS0N/7v0FtSuKzO0s/2auFxDsiRfK+q4n8Mgmw53Y4zm8UByuJw68bz32bi8U6npyw9i/e98g9vWRAp3hAQFp90rb/A4XIsQ1jz2NFOgOD3jdBEBXU4gQ1zT2NFKgOzxgc8jf/NjTSIEO7G9m9Bsee30qMw4yGknBHTzBwk9DYQCGPUtzxi8DiJ8OpQREYn/8nOU8CcYYXWl8W2S+43bZV3eljGDvvl12y66UoYN989jTiwa38noB7u+ax55eNPgKrxcQ7N23y27Z9YL9BrF33C772q4XEOypx/E34GZMU5evcI5nr3qQloRNYakDzKgQLOeQpU1xyFSZuvkVj2JPw8W4gicAyha20fl8QmI0GZ+9lhXyT5HQxEoQisrzFoliNqnWPFOJfPLz8SPlDxLkQ174xrrREPa1Gp5b15s3/Lc9VBTB3sTK+jYCZRHsLR+r2irgpkWNuWDg2MK8MzsMY7A8i3JBfv0aFaOfU1G8Ao8ucNba/lzsPWzV6zeCvcN5DfZ46gSn6qvGtmAuYxiOHSZ4kA9GXH5LlZgU2z47gSxnsPCpFNGG1iAbPCCGd/1jj1vSkzTmSuy9xrR//Trsp+VRdmEFLHGHgqS1IOxIH+OOQFqaPrAzGdQkLeRbY8jnwWDEMkwOZSed7bfb4IP4kV89VBDf7Ziv7/tw3qYT8BUppkDEfFf9mY3wzrzcWDRDIeRfo1l+4JnugBX666E65DWZtLQPtcmnhSu25UjJVDWdoBCDf5Uxh9Rfj2IVOROW7vhqhwXTBGk6FLYwUZSAFAppo/ths4ZmAgNnYyZTNRkAEMkspsIwrU4cSpj2ObMGGADMpKn8V1qq7pSCz2RbfGdVer9F0j/uWi+3dfqw4EJSTigyWwmFiY9qyLUDJ9cBtIEAkEEuhgVU5wZOWJoYb4AWdMiUgRR12l0MSKUT1sGVQDHJNcuDBAOTQ8mB8jXIUgmziKD1FqB4lhYj5r15fOwppcx7++TYgyaD6Tm8JHrrNB2DR05ahvbtGUic95Ez76fHTz1QQrxHv5c5t462MCqWxwZKg2hpLjTpa1Xs3EnoXEz8N69DBmeYdmkLNpeoTgBvoHOQrm4nsHjo2Rl5vT7gJcrBSCPSshHZYeNAYiKg+4qsqfZIKCDIn5qjSCx7jDBhoJBc3CqiMSaOe4R6mcpV+qM565nnE8ceMq2jBq13DkPgvGyaVt7rdpQMyjOIqu86ut5uAR/aYcyQXeCx4XbQ38wMQt8UNX25lO1XTPqIqbewlOWt7tFczy2AywXmV1aTIBliEr6FLnItGPdFXmToAm7SogoUujEov9iVLdXMWIJuAXy45NOnDU1CuoWp9qH2wSVFgxJjECEK1E4LLlkvrog5FVUuWs3j8gc7nYk4uWMvlCq3qv3gxygJMdNii2j3Mwl1SVoqsKMNkzTXJ6IFZnlG9vJt/kNfbMp4MjV6mkdSbBTocP+IshzNr74bpgOxWwTio9jNy6QdZKpDwGi7IwOrnaXhlOt2t1vTbqHfpuItCzlkQ+AWVYcl1YRaxi1qzCPlLttSAuhxVr4tojj6XfVih71U9nXrEQgnVNJAQOJEDdNMUcbsslCSmL0oZJ49t+XBp0Av2FZCy/rKRigjo+7AL4VfAC2r2nZhNecwByULBCCuUqbu+3t+R3YZVia9hgCbwRUA6ApuzTgwlD5dVY2afllNFCm6WAFYDOlXjrW8ztMYd65jH4Kv9WqS5uIf8FbYfXB08INagVvW/rDXYpACIfAxyf4uYqSSLfdU39r2o9rimEvC1KHPWwpZ1R6EWZzlUZ3QP2yfXfUUtnqZf50MlHgHoxI3lAunpIPvcUxGxuQ5trQaPZbj4MqMQ5yqJd1EhSV5RiEhKWS/CIYBKCjT4ZE9jc65UGzFE1iAoCaUzEGWodgUu2F0fi58IUVUy2BwxkEMBjnc+9DdRMEEvAoVNGYcylbxKpNxKgtFSIBEMkapkvJq4sGcBJZQA9NSGoCVkDdKLrhEYKgwTaFQhmyN3EfQU5VM+mbD5Tmkxm1DrMxHWaYuOU12G/IpLuWwCYGf9tVXSAnNhFJKAoHDoSaHGY80zyTlcKaSTk2FDmg5djYLzVOK9tF4XBYgsHzN48BggyJGiDaMaQ5w2ZlBEPKHunHNdPbiilLDrm0Nke0Hym2GSFLl7g86RmWN/RdBHCheAidicxTqo2dvnp7oURgFAkcCWEAC+DS71vwMbAjLWmKO5XRGW9UM8M6Vgm7N/ulUUvKrKoTkcP/66OTV81c/9dhpeSbfFmXB2b9evz358PPTFy8/nDx98fTR6dMPrx69fCqfnDzVCoNtGFODObL4CEfo7/+2W4p89yxKdnlywVSi6Bbg3OZlyrIo42BFbrVg/fkYgQkywa0dshoNbv1PFqYtJj98MEqZhytpLb4JuwdgJ5sCT1WdsE07YXaSeSO2223YLqus67q6YadasfhwAbW+UJvVNPmLGlIEqW9lobx+qMR1mCa4TX31+s3THgPpow6Rdhj4FkdpaasOwGu6AyHueCz5OI6GuZLyRWrWaFHAjAGV3tTCvanhBEAaVuFPPI6Rv5blAgSxO4HttVYZEKytC67NB8016WADFwvUN+LmAiD63+7YJ//I99oTs4DKvj7ZkeVpzK2N2Ad4qSwGK7fRkZ+jgwP4Fz70372D7oO/dQ+7B92Dw4Pu4eHfOnvd/YP9v7HOdRBA4hrksiufC4cid0c+N5vfX33tMXhq7y6Je2GrNdFSlfrcZuZnDa9qU1kLwGKNqOhNlM2cg9ZoN6eM2VZ7IB+VGVIpVrgNVAuI4AXAg8+0+OQJmxTtqd0qPgU4pgTutmcK2HritGDBg3GPhfwizQQ+pNFErNJJCkBtiqkuCsHzwhRrgwb1JB2AHRef4kdpDz3WbZmSkfivKAntMul5z6bZtOg4KAajEz7kl3bxLChGPSWYw6AIlE48+xZMaj32v/3vrHG7N4UqzxmCuApQ2XPfdd5PndmsIkrd77F3njKAeO+d0Ez39GLoA9EpPDMISwOzVlofBoZAJANFuFNWmMeh0bnNn5EA4/fqbAnmdDdfrsc8nRVQgbYRicbnFmK5JhKNyta7v/67F/1G1v+Dvdn1v/tgr9PdrP/fzPpviwd1bPdGFltu1celHoWH2WOpX1RoWAKjuhCbdDvWs1VUCEkb2DDmfFDgZiwJ9XJFJNGyK+zS6w20Vl1jcIvVhi3WZIIbkHjkJVZcYHHYeyZZbHMQcbvVHMAsDRsDZmUKXlJD6b73gyz6KU/LDKBXhwfTCptrnEt3tbvs0MSGnM7e7jl6i74yawDrVoGp49REROkK/LjnHuxJLhzV1YivBFuOw9lcuKXgrW95/T/Tx3wf6s0ATaz/h4f7ZP+/9+Bos/5/k+s/Hixb57puZYCyK7UEGPVg+nxF9aC6Rx9ftfXDdgxPe8xDYF6rdqeOFQLzXNYCgrSVYPRaLTRdQmnrPFEVMb/dOgklpa2aGK1BqSeiVLFC11RQEH7rCygq1giuvIknI1NtEAdqvQ19ZQyr8KdD6mwCmPaEn5sFswpMecNJaihXBdUgKgxLw4ajDArXHsfle/llxg+ZEBSP+X0ljimrALyGLk8nJm2GTtw7vP7TRb/Z/X93f4+s/53D/c5m/f+G1//VF/1GDAHyie1C3mM4M1S/W4yctysAUIEUvLGFXNzClRyQ/HbXQcD+Nq6AtH/fynK3+bjXfxMpwb3tb2T93z/odOn5vzwC2Kz/3876rzjuZZCtsO03XLr2bp8x4mHfg4sC6gXxoO+x/T31vDZQpAV0HCVwlK6+Bpfya0d9r42waR/LGqTMSWj1tN9GrK0P/j2MvGzCs0xLeHfLemEYoVbXsbDXC89KSo9p4LZYLZZfUL82Q4i7CcLn1Qbq2X459xRNrSjhQT7POeW+RwSEpyTE/YaAEyHjgZRpCnatoPK0pGqqnXGUSIjdxsAFlwCu0xS8WqHrodS9X6+mbvQ/h9LXmP1nv0P9P44OHxxs9L9vRv/zQNcz7vaG/9iQJxiE0ltCEZzv9emhhoF3eQMDHnUMvY4pV3t1HRxUjN9NolGPuqZRw1KNaxpU+hhlWt1AWeN243SoWFhOD5FVra06bB7YDyUAvAsDY4UQzEeNDJTx7TdwDbfHDvcP9+2HcTmMEtoGGr/O0/xTkIcE+vTCPLTAvvfVf5OWTDZYGw+guQYZnvlWx6tn8xLmnzPtWaV9xp6/YuwRY90f4C7int9traUkLr8IIfvM83E1I/Dbb9C5HhCW/fbbH15D0JH4EqSksfxj/ve+lF5HeNKNxH1o5Z03O6be+/tuasm/v/0m/uP5K/j7CP7IIZUPO/J/+LfrNb2Ab9b/qYhr5vqHa/2X6z71/+h2D4++rfV/c/9jbgiBNew/pNwU1ooXROb2Z9YuoULhr+u8znR1S1paySV6FhirQBEMe+yiK9e0jvV0msCgN5MhAIuMsmDRXQBDq95SVFtlIX1ioHxZa4sLOtyD9yfI+eqXCfqiTjVwIOvvafSQ6I00dGzGizZJxo9wJnCZ4T2aaUBrrlZs9/X5sgK6x/Q1yfbE0DLIIxUTyFSx2rWp0oZwUj3mPcbyj8JQlnidxFezqmiaQe00l0Wfwh1s4TUzSa5xBizPEZS8lPGc5F6lMWtg1PEin8Nz1dH5/IYmI1ptTQ9w/W0hW9ySe0/rX3q6RkZY/54UwRx6u/7tQ4owKXB9+N5ZBX2j/zuU/qbOf/e7h/T+V6e70f+/Hf0f41xY+iJ7AwWXNvrVqfxL6fkV9b4YcaLir2EEJLoL0VxomMfWjPLS9bsdv6uehShan8u+XoI0dYvtelndtH5MkOhhvymh8RTGVhL1lftIoPsV+jdhiOn16U3g4ct6FRUV1FoNiCinqLp8gXFRgFfVsyqExkFjcsINPopyjNPE8iJYj7JNIUsthS6E5xooCXJzowq8C9rnnfYP7/84Ovjr3txtFIR7nlwZ0zblSxXbimR6W5MTAfwpQn+sgVtioEweibcCpGxXrhSttTZdNyUXxCxWvkGGSgdE7lq3R00siBv9b5QFDsWvYfvvIfX/78p/N/7/1/L5f+xdd/OjNhD935+CSa8EjMtdeu+990Q22GYOGwbsX8bfPlqktQQLBGGc8e9M6tGeMFr2PaTd1VXoP1gNojncD4yyGN3Hd5CwPhWBJ2NqMi0ST+2ail0BlGTVnOD+mMBQo8wzVu5a7sATtZj/5KD2ybUs9LMsCalVdi0cZfxJ82euHX7VeiBc5iKAhWTiFOHyr/AfEoXOrXZxuuyncMcLLspFjV61PEeNDmM6tLpS/dSveUfi2Cz13YXdhVWj+OFpMceCJkJUhh2WYg6hwwwDDjFMkYR3kuGcHsIRwS4bAhGBrUxGw1Xl4q9jXwW6XiIS8RrCD5tiD7HzLxZ6qAyllQLRPAbFcltiKBdDMabtMHKL+D53JDId5scgzSp/IUsSXsffNcetTYVRX9+dQBsTTdohSpcMX5zgoSgaOmdjOHTidXeZHLpDCsdffce67z+7BcoXtL0HTrtmkGBsySx2PaHQRjynaytIR/VdjKR0Pn4OWPlZ0gN4gRBJI0CQ91b/J7Hvh1l6SMASFgd/HZgNBJvX/3Cccv7vfHw7+T+D/ud66P2Txb2bW1zz90ClkZpkAI/oYKE6ktDbeRW/In7YsTsWRoAFysA0u8YwvSbtKbGm6gn3qGwr0C+kaoekGjSKNgxWtNfOyhaXG7DzkVth6b89Qethw0oRsHbRE38092e/rUJfYovGyrO5MZ5hDuvFNKE/huN/ssjBy1KJmnO/6fzveD4vz//OpzdU/2vg/xTWS9gEh8z6QhgdVjxolgHEVg0lQHJqV5wg0WCDnN+UkKtwwCFly5QlylOLU9DBqItYkryKrK98lbqHmta28S7kOOFuTXVFsw7BO+oiQhr0Uh/qRPX/ttj/DSIF0lQMRAoiXkKYoPldgUCpYkhYzCne8degisiMbx3bKVkXYPc3yMfxq16q3htRbxOFVu9XV3TyOnW8fypTeCcTJOJM2iDCW0TqxJhZB8WCP1Csh+7UMwOSA19f18MNE7gX039K9116/nc8J/m/3lD//Yb0H5L9tyAHwBm3lH2Gck9epc9WootGHQl7n6iTXnhSQR6pNEii8U68y0/DBdawVsUnX/OdrmM/nNmO7TqlY0rMkJPEzpXvOK++irtwgeLShfbY9uxJ8ZTvU7ZahUtMF3ric1gHUpwSqdWHxe1NbI9DuPRoHprzqgUSIFq8vIQtcVKYfMi2YXQ8wX+dBqsgfZ+7+u/2bPlInLUX98CHjDi5LA7yQX4fJ3EUr49PXHhQDUwQrukkaLP/CiYFdgr9gnyVd2FQraZnyVph4z0q1ex+FqbpBk5cAEUX/zPUcydXQeFaS7mT96AYyocYQoEK6xXOrYBDZ9YODD1Z3c1Jt9cajLpFipl7yXaIRS9KoaRTNQRDp0vxNB/cDrN62vU97KJ2IEVHT+FKfr8daAUvUGSkiUH6X1j/M1Fs1LwIpHn95+m0vP6DM7+d/J9B/6tguFKl23bfAWiq3StBYqaOyqfnkR1pgApNq3UD/jYN1uCijvxhwUnGC0f0FwZJxOqrlr78bdchWdIPdHmrlxTyS3It4Zf0bybY8PUnaa57sfFz5a/+RK68VOP1h0tiAQPs1oahQ/qiDHR7//jfnPTN+d+Zled/Z9Mh/+N2+P8c0jcYA6QLOFDKbh76Q6GhzujG30dRWVCqDqI5iOKAo+hEW024imO4W15xNuVfJ7/rP/GSoWIX4l5uC914vdYmTeWDObmjTT6+xD7wv5wa/x/4fzp3SfyXO8z/3Rz/fyEsznQaEC3VSAmQ2C8J0hD7pbOtihuRx0L+QFLuHCH1A0dpme+H4I9ZpA8AiER9tn2VX7NKWW18mBaJijuNxw/qAsYM4rmK/FrUHH6wYodo30pXYO82RHThMzCXEgh+tVJCdYLx2ADYCgGUttNJN6h7OTdvUv3i7wrx01C1oXJyBi2me1B2P0Ml2AIulk2jlkgElDkeugSKCS7iGvn/vQ1Lzbn+XP533dkk539vNvfmOf+Px1cR/30Df5W+dXn/hyu2BJ7PI0c3XBcEWGsdqiWBCwZiC/xTRZxsmYaJ+LDl9ZNkff1DCn4EJq/FFCHUiNc4mV+8ioKAKwi230cBtLU47PwoeDnk+GCUI0x+Btw72ExwE+pjebY7KjSNNcTCzGIW/EEoGWu/YXtruYEV4LGIvazzE9+FHMH67BQrC5choWSjTQzkh/pHviKw4GDIf2HVgVfg84mrEnknf70XR/Eh/Uul/dsJd7m83tQ/cepLtkSOgT/j/yF4F/4M4knU4IKT1XAAd29rbXvDmF/YXLNwwTiJaTsz3p8bxkNDt8dHI7FLf/FHIs9YNoO/TMi9XOOVq5WJ+hEsgXR38cl5p/pmMrXHjjuCn3HqsWfffANKsnqe/eDml1z5lz04EAAAAAAQ5G89wgLVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAD//+zBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADswbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAOzBsQAAAADAIH/rXbOoBgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAA7MGxAAAAAMAgf+tds6gGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkADtwbEAAAAAwCB/612zqAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ3sSQqgAAQAA=
set:
global.clusterCIDR: 10.42.0.0/16
global.clusterCIDRv4: 10.42.0.0/16
global.clusterDNS: 10.43.0.10
global.clusterDomain: cluster.local
global.rke2DataDir: /var/lib/rancher/rke2
global.serviceCIDR: 10.43.0.0/16
global.systemDefaultIngressClass: ingress-nginx
워커 노드 추가
[k8s-node1]
# A token that can be used to register other server or agent nodes
[root@k8s-node1 ~]# cat /var/lib/rancher/rke2/server/node-token
K10dc56af1974bf2a4a0dafabf6ada975428ac30b1cdfaee37aa24bab82bc13ba44::server:0f98c22f8008e212824486083fde55dd
# 노드(서버/에이전트)가 RKE2 클러스터에 조인할 때 사용하는 전용 관리/부트스트랩 API 포트 확인
[root@k8s-node1 ~]# ss -tnlp | grep 9345
LISTEN 0 4096 192.168.10.11:9345 0.0.0.0:* users:(("rke2",pid=6496,fd=6))
LISTEN 0 4096 127.0.0.1:9345 0.0.0.0:* users:(("rke2",pid=6496,fd=7))
LISTEN 0 4096 [::1]:9345 [::]:* users:(("rke2",pid=6496,fd=8))
[root@k8s-node1 ~]# watch -d 'kubectl get node; echo; kubectl get pod -n kube-system'
Every 2.0s: kubectl get node; echo; kubectl get pod -n kube-system k8s-node1: Mon Feb 23 06:15:40 2026
NAME STATUS ROLES AGE VERSION
k8s-node1 Ready control-plane,etcd,master 9m49s v1.33.8+rke2r1
NAME READY STATUS RESTARTS AGE
etcd-k8s-node1 1/1 Running 0 9m5s
helm-install-rke2-canal-cn9bh 0/1 Completed 0 9m40s
helm-install-rke2-coredns-t87xt 0/1 Completed 0 9m40s
helm-install-rke2-metrics-server-wpjzt 0/1 Completed 0 9m40s
helm-install-rke2-runtimeclasses-5pn9f 0/1 Completed 0 9m40s
kube-apiserver-k8s-node1 1/1 Running 0 9m5s
kube-controller-manager-k8s-node1 1/1 Running 0 9m5s
kube-proxy-k8s-node1 1/1 Running 0 9m5s
kube-scheduler-k8s-node1 1/1 Running 0 9m5s
rke2-canal-9wqbn 2/2 Running 0 8m25s
rke2-coredns-rke2-coredns-559595db99-lv2ww 1/1 Running 0 8m26s
rke2-metrics-server-fdcdf575d-vxcnw 1/1 Running 0 7m33s
---
[k8s-node2]
# Run the installer
[root@k8s-node2 ~]# curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="agent" INSTALL_RKE2_CHANNEL=v1.33 sh -
[INFO] using stable RPM repositories
[INFO] using 1.33 series from channel stable
Rancher RKE2 Common (v1.33) 62 B/s | 659 B 00:10
Rancher RKE2 Common (v1.33) 472 B/s | 2.4 kB 00:05
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Rancher RKE2 Common (v1.33) 166 B/s | 2.6 kB 00:16
Rancher RKE2 1.33 (v1.33) 64 B/s | 659 B 00:10
Rancher RKE2 1.33 (v1.33) 472 B/s | 2.4 kB 00:05
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Rancher RKE2 1.33 (v1.33) 388 B/s | 5.9 kB 00:15
Dependencies resolved.
===============================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================
Installing:
rke2-agent aarch64 1.33.8~rke2r1-0.el9 rancher-rke2-1.33-stable 8.3 k
Installing dependencies:
rke2-common aarch64 1.33.8~rke2r1-0.el9 rancher-rke2-1.33-stable 25 M
rke2-selinux noarch 0.22-1.el9 rancher-rke2-common-stable 22 k
Transaction Summary
===============================================================================================================================================================================================
Install 3 Packages
Total download size: 25 M
Installed size: 113 M
Downloading Packages:
(1/3): rke2-selinux-0.22-1.el9.noarch.rpm 4.2 kB/s | 22 kB 00:05
(2/3): rke2-agent-1.33.8~rke2r1-0.el9.aarch64.rpm 1.5 kB/s | 8.3 kB 00:05
(3/3): rke2-common-1.33.8~rke2r1-0.el9.aarch64.rpm 4.0 MB/s | 25 MB 00:06
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 4.0 MB/s | 25 MB 00:06
Rancher RKE2 Common (v1.33) 472 B/s | 2.4 kB 00:05
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: rke2-selinux-0.22-1.el9.noarch 1/3
Installing : rke2-selinux-0.22-1.el9.noarch 1/3
Running scriptlet: rke2-selinux-0.22-1.el9.noarch 1/3
Installing : rke2-common-1.33.8~rke2r1-0.el9.aarch64 2/3
Installing : rke2-agent-1.33.8~rke2r1-0.el9.aarch64 3/3
Running scriptlet: rke2-agent-1.33.8~rke2r1-0.el9.aarch64 3/3
Running scriptlet: rke2-selinux-0.22-1.el9.noarch 3/3
Running scriptlet: rke2-agent-1.33.8~rke2r1-0.el9.aarch64 3/3
Verifying : rke2-selinux-0.22-1.el9.noarch 1/3
Verifying : rke2-agent-1.33.8~rke2r1-0.el9.aarch64 2/3
Verifying : rke2-common-1.33.8~rke2r1-0.el9.aarch64 3/3
Installed:
rke2-agent-1.33.8~rke2r1-0.el9.aarch64 rke2-common-1.33.8~rke2r1-0.el9.aarch64 rke2-selinux-0.22-1.el9.noarch
Complete!
[root@k8s-node2 ~]# TOKEN=K10dc56af1974bf2a4a0dafabf6ada975428ac30b1cdfaee37aa24bab82bc13ba44::server:0f98c22f8008e212824486083fde55dd
[root@k8s-node2 ~]# cat << EOF > /etc/rancher/rke2/config.yaml
server: https://192.168.10.11:9345
token: $TOKEN
EOF
[root@k8s-node2 ~]# systemctl enable --now rke2-agent.service
Created symlink /etc/systemd/system/multi-user.target.wants/rke2-agent.service → /usr/lib/systemd/system/rke2-agent.service.
---
[root@k8s-node1 ~]# kubectl get node -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-node1 Ready control-plane,etcd,master 21m v1.33.8+rke2r1 192.168.10.11 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
k8s-node2 Ready <none> 2m10s v1.33.8+rke2r1 192.168.10.12 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
---
[k8s-node2]
# 디렉터리 확인
[root@k8s-node2 ~]# tree /var/lib/rancher/rke2 -L 1
/var/lib/rancher/rke2
├── agent
├── bin -> /var/lib/rancher/rke2/data/v1.33.8-rke2r1-1b2872361ec5/bin
├── data
└── server
4 directories, 0 files
# rke2-agent
[root@k8s-node2 ~]# systemctl status rke2-agent.service --no-pager
● rke2-agent.service - Rancher Kubernetes Engine v2 (agent)
Loaded: loaded (/usr/lib/systemd/system/rke2-agent.service; enabled; preset: disabled)
Active: active (running) since Mon 2026-02-23 06:25:20 KST; 3min 8s ago
Docs: https://github.com/rancher/rke2#readme
Process: 6372 ExecStartPre=/sbin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
Process: 6373 ExecStartPre=/sbin/modprobe overlay (code=exited, status=0/SUCCESS)
Main PID: 6374 (rke2)
Tasks: 59
Memory: 2.2G
CPU: 37.756s
CGroup: /system.slice/rke2-agent.service
├─6374 "/usr/bin/rke2 agent"
├─6397 containerd -c /var/lib/rancher/rke2/agent/etc/containerd/config.toml
├─6455 kubelet --volume-plugin-dir=/var/lib/kubelet/volumeplugins --file-check-frequency=5s --sync-frequency=30s --config-dir=/var/lib/rancher/rke2/agent/etc/kubelet.conf.d --co…
├─6518 /var/lib/rancher/rke2/data/v1.33.8-rke2r1-1b2872361ec5/bin/containerd-shim-runc-v2 -namespace k8s.io -id 51b9f02e55775472f04a5e01fd88c2148cfd6d56ab2df6e59023b653d45e39a9 …
└─6520 /var/lib/rancher/rke2/data/v1.33.8-rke2r1-1b2872361ec5/bin/containerd-shim-runc-v2 -namespace k8s.io -id 677b5182e8e8a2247e49513207b6cb10d57fd11374e83da2bdae951223a2edbc …
Feb 23 06:24:56 k8s-node2 rke2[6374]: I0223 06:24:56.200674 6374 event.go:389] "Event occurred" object="k8s-node2" fieldPath="" kind="Node" apiVersion="" type="Normal" reas…by rke2 are OK"
Feb 23 06:25:20 k8s-node2 rke2[6374]: time="2026-02-23T06:25:20+09:00" level=error msg="Failed to process image event: failed to import /var/lib/rancher/rke2/agent/images/kube-proxy-image.tx…
Feb 23 06:25:20 k8s-node2 rke2[6374]: time="2026-02-23T06:25:20+09:00" level=info msg="Pulling images from /var/lib/rancher/rke2/agent/images/runtime-image.txt"
Feb 23 06:25:20 k8s-node2 rke2[6374]: time="2026-02-23T06:25:20+09:00" level=info msg="Pulling image index.docker.io/rancher/rke2-runtime:v1.33.8-rke2r1"
Feb 23 06:25:20 k8s-node2 rke2[6374]: time="2026-02-23T06:25:20+09:00" level=info msg="Running kubelet --alsologtostderr=false --config-dir=/var/lib/rancher/rke2/agent/etc/kubelet.conf.d --c…
Feb 23 06:25:20 k8s-node2 rke2[6374]: time="2026-02-23T06:25:20+09:00" level=info msg="Annotations and labels have been set successfully on node: k8s-node2"
Feb 23 06:25:20 k8s-node2 rke2[6374]: time="2026-02-23T06:25:20+09:00" level=info msg="rke2 agent is up and running"
Feb 23 06:25:20 k8s-node2 systemd[1]: Started Rancher Kubernetes Engine v2 (agent).
Feb 23 06:25:57 k8s-node2 rke2[6374]: time="2026-02-23T06:25:57+09:00" level=error msg="Failed to process image event: failed to import /var/lib/rancher/rke2/agent/images/runtime-image.txt: …
Feb 23 06:26:37 k8s-node2 rke2[6374]: time="2026-02-23T06:26:37+09:00" level=info msg="Tunnel authorizer set Kubelet Port 0.0.0.0:10250"
Hint: Some lines were ellipsized, use -l to show in full.
[root@k8s-node2 ~]# cat /usr/lib/systemd/system/rke2-agent.service
[Unit]
Description=Rancher Kubernetes Engine v2 (agent)
Documentation=https://github.com/rancher/rke2#readme
Wants=network-online.target
After=network-online.target
Conflicts=rke2-server.service
[Install]
WantedBy=multi-user.target
[Service]
Type=notify
EnvironmentFile=-/etc/default/%N
EnvironmentFile=-/etc/sysconfig/%N
EnvironmentFile=-/usr/lib/systemd/system/%N.env
KillMode=process
Delegate=yes
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/rke2 agent
ExecStopPost=-/bin/sh -c "systemd-cgls /system.slice/%n | grep -Eo '[0-9]+ (containerd|kubelet)' | awk '{print $1}' | xargs -r kill"
# PATH 안 건드리고 표준 위치로 노출 설정 : 심볼릭 링크 방식
[root@k8s-node2 ~]# ln -s /var/lib/rancher/rke2/bin/containerd /usr/local/bin/containerd
[root@k8s-node2 ~]# ln -s /var/lib/rancher/rke2/bin/crictl /usr/local/bin/crictl
[root@k8s-node2 ~]# ln -s /var/lib/rancher/rke2/agent/etc/crictl.yaml /etc/crictl.yaml
[root@k8s-node2 ~]# crictl ps
CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID POD NAMESPACE
4010ec38f31bb fc62334b90cf6 2 minutes ago Running kube-flannel 0 51b9f02e55775 rke2-canal-522dn kube-system
d48f2671d4f9f 3b9613c95d89e 2 minutes ago Running calico-node 0 51b9f02e55775 rke2-canal-522dn kube-system
094341fc3e0ac 603f9fc02b584 3 minutes ago Running kube-proxy 0 677b5182e8e8a kube-proxy-k8s-node2 kube-system
[root@k8s-node2 ~]# crictl images
IMAGE TAG IMAGE ID SIZE
docker.io/rancher/hardened-calico v3.31.3-build20260206 3b9613c95d89e 217MB
docker.io/rancher/hardened-flannel v0.28.1-build20260206 fc62334b90cf6 19.8MB
docker.io/rancher/hardened-kubernetes v1.33.8-rke2r1-build20260210 603f9fc02b584 187MB
docker.io/rancher/mirrored-pause 3.6 7d46a07936af9 253kB
docker.io/rancher/rke2-runtime v1.33.8-rke2r1 35592a070625a 91.3MB
수동 업그레이드 v1.33 -> v1.34
# 모니터링
[root@k8s-node1 ~]# while true; do curl -s http://192.168.10.12:30000 | grep Hostname; date; sleep 1; done
Mon Feb 23 06:32:25 AM KST 2026
Mon Feb 23 06:32:26 AM KST 2026
Mon Feb 23 06:32:27 AM KST 2026
Mon Feb 23 06:32:28 AM KST 2026
...
# 버전 정보 확인
[root@k8s-node1 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-node1 Ready control-plane,etcd,master 27m v1.33.8+rke2r1
k8s-node2 Ready <none> 7m44s v1.33.8+rke2r1
[root@k8s-node1 ~]# rke2 --version
rke2 version v1.33.8+rke2r1 (eb75e3c1774cee5a584259d6fee77eb8cfa9b430)
go version go1.24.12 X:boringcrypto
[root@k8s-node1 ~]# curl -s https://update.rke2.io/v1-release/channels | jq .data
[
{
"id": "stable",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/stable"
},
"name": "stable",
"latest": "v1.34.4+rke2r1"
},
{
"id": "latest",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/latest"
},
"name": "latest",
"latest": "v1.35.1+rke2r1",
"latestRegexp": ".*",
"excludeRegexp": "(^[^+]+-|v1\\.25\\.5\\+rke2r1|v1\\.26\\.0\\+rke2r1)"
},
{
"id": "v1.18",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.18"
},
"name": "v1.18",
"latest": "v1.18.20+rke2r1",
"latestRegexp": "v1\\.18\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.19",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.19"
},
"name": "v1.19",
"latest": "v1.19.16+rke2r1",
"latestRegexp": "v1\\.19\\..*",
"excludeRegexp": "(^[^+]+-|v1\\.19\\.13\\+rke2r1)"
},
{
"id": "testing",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/testing"
},
"name": "testing",
"latest": "v1.18.9-beta22+rke2",
"latestRegexp": "-(alpha|beta|rc)"
},
{
"id": "v1.20",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.20"
},
"name": "v1.20",
"latest": "v1.20.15+rke2r2",
"latestRegexp": "v1\\.20\\..*",
"excludeRegexp": "(^[^+]+-|v1\\.20\\.9\\+rke2r1)"
},
{
"id": "v1.21",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.21"
},
"name": "v1.21",
"latest": "v1.21.14+rke2r1",
"latestRegexp": "v1\\.21\\..*",
"excludeRegexp": "(^[^+]+-|v1\\.21\\.3\\+rke2r2)"
},
{
"id": "v1.22",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.22"
},
"name": "v1.22",
"latest": "v1.22.17+rke2r1",
"latestRegexp": "v1\\.22\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.23",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.23"
},
"name": "v1.23",
"latest": "v1.23.17+rke2r1",
"latestRegexp": "v1\\.23\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.24",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.24"
},
"name": "v1.24",
"latest": "v1.24.17+rke2r1",
"latestRegexp": "v1\\.24\\..*",
"excludeRegexp": "(^[^+]+-|v1\\.24\\.9\\+rke2r1)"
},
{
"id": "v1.25",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.25"
},
"name": "v1.25",
"latest": "v1.25.16+rke2r2",
"latestRegexp": "v1\\.25\\..*",
"excludeRegexp": "(^[^+]+-|v1\\.25\\.5\\+rke2r1)"
},
{
"id": "v1.26",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.26"
},
"name": "v1.26",
"latest": "v1.26.15+rke2r1",
"latestRegexp": "v1\\.26\\..*",
"excludeRegexp": "(^[^+]+-|v1\\.26\\.0\\+rke2r1)"
},
{
"id": "v1.27",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.27"
},
"name": "v1.27",
"latest": "v1.27.16+rke2r2",
"latestRegexp": "v1\\.27\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.28",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.28"
},
"name": "v1.28",
"latest": "v1.28.15+rke2r1",
"latestRegexp": "v1\\.28\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.29",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.29"
},
"name": "v1.29",
"latest": "v1.29.15+rke2r1",
"latestRegexp": "v1\\.29\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.30",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.30"
},
"name": "v1.30",
"latest": "v1.30.14+rke2r4",
"latestRegexp": "v1\\.30\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.31",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.31"
},
"name": "v1.31",
"latest": "v1.31.14+rke2r1",
"latestRegexp": "v1\\.31\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.32",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.32"
},
"name": "v1.32",
"latest": "v1.32.12+rke2r1",
"latestRegexp": "v1\\.32\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.33",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.33"
},
"name": "v1.33",
"latest": "v1.33.8+rke2r1",
"latestRegexp": "v1\\.33\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.34",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.34"
},
"name": "v1.34",
"latest": "v1.34.4+rke2r1",
"latestRegexp": "v1\\.34\\..*",
"excludeRegexp": "^[^+]+-"
},
{
"id": "v1.35",
"type": "channel",
"links": {
"self": "https://update.rke2.io/v1-release/channels/v1.35"
},
"name": "v1.35",
"latest": "v1.35.1+rke2r1",
"latestRegexp": "v1\\.35\\..*",
"excludeRegexp": "^[^+]+-"
}
]
# v1.34 버전 업그레이드! : 아래 Running scriptlet 과정에서 업그레이드 수행됨, app 통신 영향 없었음.
[root@k8s-node1 ~]# curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.34 sh -
[INFO] using stable RPM repositories
[INFO] using 1.34 series from channel stable
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Error: Failed to download metadata for repo 'rancher-rke2-1.34-stable': repomd.xml GPG signature verification error: Bad GPG signature
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Error: Failed to download metadata for repo 'rancher-rke2-1.34-stable': repomd.xml GPG signature verification error: Bad GPG signature
Rancher RKE2 1.34 (v1.34) 59 B/s | 659 B 00:11
Rancher RKE2 1.34 (v1.34) 471 B/s | 2.4 kB 00:05
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Rancher RKE2 1.34 (v1.34) 235 B/s | 3.6 kB 00:15
Package rke2-server-1.33.8~rke2r1-0.el9.aarch64 is already installed.
Dependencies resolved.
===============================================================================================================================================================================================
Package Architecture Version Repository Size
===============================================================================================================================================================================================
Upgrading:
rke2-common aarch64 1.34.4~rke2r1-0.el9 rancher-rke2-1.34-stable 25 M
rke2-server aarch64 1.34.4~rke2r1-0.el9 rancher-rke2-1.34-stable 8.3 k
Transaction Summary
===============================================================================================================================================================================================
Upgrade 2 Packages
Total download size: 25 M
Downloading Packages:
(1/2): rke2-server-1.34.4~rke2r1-0.el9.aarch64.rpm 1.5 kB/s | 8.3 kB 00:05
(2/2): rke2-common-1.34.4~rke2r1-0.el9.aarch64.rpm 3.9 MB/s | 25 MB 00:06
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 3.9 MB/s | 25 MB 00:06
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : rke2-common-1.34.4~rke2r1-0.el9.aarch64 1/4
Upgrading : rke2-server-1.34.4~rke2r1-0.el9.aarch64 2/4
Running scriptlet: rke2-server-1.34.4~rke2r1-0.el9.aarch64 2/4
Running scriptlet: rke2-server-1.33.8~rke2r1-0.el9.aarch64 3/4
Cleanup : rke2-server-1.33.8~rke2r1-0.el9.aarch64 3/4
Running scriptlet: rke2-server-1.33.8~rke2r1-0.el9.aarch64 3/4
Running scriptlet: rke2-common-1.33.8~rke2r1-0.el9.aarch64 4/4
Cleanup : rke2-common-1.33.8~rke2r1-0.el9.aarch64 4/4
Running scriptlet: rke2-common-1.33.8~rke2r1-0.el9.aarch64 4/4
Verifying : rke2-common-1.34.4~rke2r1-0.el9.aarch64 1/4
Verifying : rke2-common-1.33.8~rke2r1-0.el9.aarch64 2/4
Verifying : rke2-server-1.34.4~rke2r1-0.el9.aarch64 3/4
Verifying : rke2-server-1.33.8~rke2r1-0.el9.aarch64 4/4
Upgraded:
rke2-common-1.34.4~rke2r1-0.el9.aarch64 rke2-server-1.34.4~rke2r1-0.el9.aarch64
Complete!
[root@k8s-node1 ~]# rke2 --version
rke2 version v1.34.4+rke2r1 (c6b97dc03cefec17e8454a6f45b29f4e3d0a81d6)
go version go1.24.12 X:boringcrypto
# 위 스크립트 설치 과정만으로 아래 처럼 파드들이 신규 재생성되었음
## 첫번쨰(etcd, apiserver, kube-proxy) -> 두번째(scheduler, kcm)
[root@k8s-node1 ~]# kubectl get pod -n kube-system --sort-by=.metadata.creationTimestamp | tac
helm-install-rke2-canal-9bdxv 0/1 Completed 0 54s
helm-install-rke2-coredns-nsmb5 0/1 Completed 0 54s
helm-install-rke2-metrics-server-ltsxc 0/1 Completed 0 54s
helm-install-rke2-runtimeclasses-98gw5 0/1 Completed 0 54s
kube-scheduler-k8s-node1 1/1 Running 0 71s
kube-controller-manager-k8s-node1 1/1 Running 0 73s
kube-proxy-k8s-node1 1/1 Running 0 102s
kube-apiserver-k8s-node1 1/1 Running 0 102s
etcd-k8s-node1 1/1 Running 0 102s
kube-proxy-k8s-node2 1/1 Running 0 13m
rke2-canal-522dn 2/2 Running 0 13m
rke2-metrics-server-fdcdf575d-vxcnw 1/1 Running 0 31m
rke2-canal-9wqbn 2/2 Running 0 32m
rke2-coredns-rke2-coredns-559595db99-lv2ww 1/1 Running 0 32m
NAME READY STATUS RESTARTS AGE
# repo 추가 및 기존 repo 삭제 확인
[root@k8s-node1 ~]# dnf repolist
repo id repo name
appstream Rocky Linux 9 - AppStream
baseos Rocky Linux 9 - BaseOS
extras Rocky Linux 9 - Extras
rancher-rke2-1.34-stable Rancher RKE2 1.34 (v1.34)
rancher-rke2-common-stable Rancher RKE2 Common (v1.34)
# kube-system 파드 별 컨테이너 이미지 정보 출력
[root@k8s-node1 ~]# kubectl get pods -n kube-system \
-o custom-columns=\
POD:.metadata.name,\
CONTAINERS:.spec.containers[*].name,\
IMAGES:.spec.containers[*].image
POD CONTAINERS IMAGES
etcd-k8s-node1 etcd index.docker.io/rancher/hardened-etcd:v3.6.7-k3s1-build20260126
helm-install-rke2-canal-9bdxv helm rancher/klipper-helm:v0.9.14-build20260210
helm-install-rke2-coredns-nsmb5 helm rancher/klipper-helm:v0.9.14-build20260210
helm-install-rke2-metrics-server-ltsxc helm rancher/klipper-helm:v0.9.14-build20260210
helm-install-rke2-runtimeclasses-98gw5 helm rancher/klipper-helm:v0.9.14-build20260210
kube-apiserver-k8s-node1 kube-apiserver index.docker.io/rancher/hardened-kubernetes:v1.34.4-rke2r1-build20260210
kube-controller-manager-k8s-node1 kube-controller-manager index.docker.io/rancher/hardened-kubernetes:v1.34.4-rke2r1-build20260210
kube-proxy-k8s-node1 kube-proxy index.docker.io/rancher/hardened-kubernetes:v1.34.4-rke2r1-build20260210
kube-proxy-k8s-node2 kube-proxy index.docker.io/rancher/hardened-kubernetes:v1.33.8-rke2r1-build20260210
kube-scheduler-k8s-node1 kube-scheduler index.docker.io/rancher/hardened-kubernetes:v1.34.4-rke2r1-build20260210
rke2-canal-522dn calico-node,kube-flannel rancher/hardened-calico:v3.31.3-build20260206,rancher/hardened-flannel:v0.28.1-build20260206
rke2-canal-9wqbn calico-node,kube-flannel rancher/hardened-calico:v3.31.3-build20260206,rancher/hardened-flannel:v0.28.1-build20260206
rke2-coredns-rke2-coredns-559595db99-lv2ww coredns rancher/hardened-coredns:v1.14.1-build20260206
rke2-metrics-server-fdcdf575d-vxcnw metrics-server rancher/hardened-k8s-metrics-server:v0.8.1-build20260206
# 노드 정보 확인
[root@k8s-node1 ~]# kubectl get node -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-node1 Ready control-plane,etcd,master 35m v1.34.4+rke2r1 192.168.10.11 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
k8s-node2 Ready <none> 16m v1.33.8+rke2r1 192.168.10.12 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
---
[k8s-node2]
[root@k8s-node2 ~]# rke2 --version
rke2 version v1.33.8+rke2r1 (eb75e3c1774cee5a584259d6fee77eb8cfa9b430)
go version go1.24.12 X:boringcrypto
[root@k8s-node2 ~]# curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE=agent INSTALL_RKE2_CHANNEL=v1.34 sh -
[INFO] using stable RPM repositories
[INFO] using 1.34 series from channel stable
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Error: Failed to download metadata for repo 'rancher-rke2-1.34-stable': repomd.xml GPG signature verification error: Bad GPG signature
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Error: Failed to download metadata for repo 'rancher-rke2-1.34-stable': repomd.xml GPG signature verification error: Bad GPG signature
Rancher RKE2 1.34 (v1.34) 63 B/s | 659 B 00:10
Rancher RKE2 1.34 (v1.34) 472 B/s | 2.4 kB 00:05
Importing GPG key 0xE257814A:
Userid : "Rancher (CI) <ci@rancher.com>"
Fingerprint: C8CF F216 4551 26E9 B9C9 18BE 925E A29A E257 814A
From : https://rpm.rancher.io/public.key
Rancher RKE2 1.34 (v1.34) 239 B/s | 3.6 kB 00:15
Package rke2-agent-1.33.8~rke2r1-0.el9.aarch64 is already installed.
Dependencies resolved.
=============================================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================================
Upgrading:
rke2-agent aarch64 1.34.4~rke2r1-0.el9 rancher-rke2-1.34-stable 8.3 k
rke2-common aarch64 1.34.4~rke2r1-0.el9 rancher-rke2-1.34-stable 25 M
Transaction Summary
=============================================================================================================================================================================================
Upgrade 2 Packages
Total download size: 25 M
Downloading Packages:
(1/2): rke2-agent-1.34.4~rke2r1-0.el9.aarch64.rpm 1.4 kB/s | 8.3 kB 00:05
(2/2): rke2-common-1.34.4~rke2r1-0.el9.aarch64.rpm 4.0 MB/s | 25 MB 00:06
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 4.0 MB/s | 25 MB 00:06
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : rke2-common-1.34.4~rke2r1-0.el9.aarch64 1/4
Upgrading : rke2-agent-1.34.4~rke2r1-0.el9.aarch64 2/4
Running scriptlet: rke2-agent-1.34.4~rke2r1-0.el9.aarch64 2/4
Running scriptlet: rke2-agent-1.33.8~rke2r1-0.el9.aarch64 3/4
Cleanup : rke2-agent-1.33.8~rke2r1-0.el9.aarch64 3/4
Running scriptlet: rke2-agent-1.33.8~rke2r1-0.el9.aarch64 3/4
Running scriptlet: rke2-common-1.33.8~rke2r1-0.el9.aarch64 4/4
Cleanup : rke2-common-1.33.8~rke2r1-0.el9.aarch64 4/4
Running scriptlet: rke2-common-1.33.8~rke2r1-0.el9.aarch64 4/4
Verifying : rke2-agent-1.34.4~rke2r1-0.el9.aarch64 1/4
Verifying : rke2-agent-1.33.8~rke2r1-0.el9.aarch64 2/4
Verifying : rke2-common-1.34.4~rke2r1-0.el9.aarch64 3/4
Verifying : rke2-common-1.33.8~rke2r1-0.el9.aarch64 4/4
Upgraded:
rke2-agent-1.34.4~rke2r1-0.el9.aarch64 rke2-common-1.34.4~rke2r1-0.el9.aarch64
Complete!
[root@k8s-node2 ~]# rke2 --version
rke2 version v1.34.4+rke2r1 (c6b97dc03cefec17e8454a6f45b29f4e3d0a81d6)
go version go1.24.12 X:boringcrypto
[root@k8s-node2 ~]# dnf repolist
repo id repo name
appstream Rocky Linux 9 - AppStream
baseos Rocky Linux 9 - BaseOS
extras Rocky Linux 9 - Extras
rancher-rke2-1.34-stable Rancher RKE2 1.34 (v1.34)
rancher-rke2-common-stable Rancher RKE2 Common (v1.34)
[root@k8s-node2 ~]# systemctl restart rke2-agent
---
[k8s-node1]
[root@k8s-node1 ~]# kubectl get node -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-node1 Ready control-plane,etcd,master 40m v1.34.4+rke2r1 192.168.10.11 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
k8s-node2 Ready <none> 21m v1.34.4+rke2r1 192.168.10.12 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
# 워커 노드에 kube-proxy 파드만 신규 재기동됨!
[root@k8s-node1 ~]# kubectl get pod -n kube-system --sort-by=.metadata.creationTimestamp | tac
kube-proxy-k8s-node2 1/1 Running 0 50s
kube-proxy-k8s-node1 1/1 Running 0 5m49s
helm-install-rke2-canal-9bdxv 0/1 Completed 0 8m22s
helm-install-rke2-coredns-nsmb5 0/1 Completed 0 8m22s
helm-install-rke2-metrics-server-ltsxc 0/1 Completed 0 8m22s
helm-install-rke2-runtimeclasses-98gw5 0/1 Completed 0 8m22s
kube-scheduler-k8s-node1 1/1 Running 0 8m39s
kube-controller-manager-k8s-node1 1/1 Running 0 8m41s
kube-apiserver-k8s-node1 1/1 Running 0 9m10s
etcd-k8s-node1 1/1 Running 0 9m10s
rke2-canal-522dn 2/2 Running 0 21m
rke2-metrics-server-fdcdf575d-vxcnw 1/1 Running 0 38m
rke2-canal-9wqbn 2/2 Running 0 39m
rke2-coredns-rke2-coredns-559595db99-lv2ww 1/1 Running 0 39m
NAME READY STATUS RESTARTS AGE
자동 업그레이드 v1.34 -> v1.35
# system-upgrade-controller 설치
[root@k8s-node1 ~]# kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/crd.yaml -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml
customresourcedefinition.apiextensions.k8s.io/plans.upgrade.cattle.io created
namespace/system-upgrade created
serviceaccount/system-upgrade created
role.rbac.authorization.k8s.io/system-upgrade-controller created
clusterrole.rbac.authorization.k8s.io/system-upgrade-controller created
clusterrole.rbac.authorization.k8s.io/system-upgrade-controller-drainer created
rolebinding.rbac.authorization.k8s.io/system-upgrade created
clusterrolebinding.rbac.authorization.k8s.io/system-upgrade created
clusterrolebinding.rbac.authorization.k8s.io/system-upgrade-drainer created
configmap/default-controller-env created
deployment.apps/system-upgrade-controller created
# 확인
[root@k8s-node1 ~]# kubectl get deploy,pod,cm -n system-upgrade
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/system-upgrade-controller 1/1 1 1 82s
NAME READY STATUS RESTARTS AGE
pod/system-upgrade-controller-5f667989c7-kdsgf 1/1 Running 0 82s
NAME DATA AGE
configmap/default-controller-env 11 82s
configmap/kube-root-ca.crt 1 82s
# 계획 작성 후 실행 및 확인
# plan 작성 및 실행
[root@k8s-node1 ~]# cat << EOF | kubectl apply -f -
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
name: server-plan
namespace: system-upgrade
spec:
concurrency: 1
cordon: true
nodeSelector:
matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: In
values:
- "true"
serviceAccountName: system-upgrade
upgrade:
image: rancher/rke2-upgrade
EOFhannel: https://update.rke2.io/v1-release/channels/latest # version: v1.35.0+rke2r3 , curl -s https://update.rke2.io/v1-release/channels | jq .data
plan.upgrade.cattle.io/server-plan created
plan.upgrade.cattle.io/agent-plan created
[root@k8s-node1 ~]# kubectl get node -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-node1 Ready control-plane,etcd,master 54m v1.35.1+rke2r1 192.168.10.11 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
k8s-node2 Ready <none> 34m v1.35.1+rke2r1 192.168.10.12 <none> Rocky Linux 9.6 (Blue Onyx) 5.14.0-570.52.1.el9_6.aarch64 containerd://2.1.5-k3s1
Cluster API 소개
Cluster API(CAPI)는 Kubernetes 클러스터 자체를 Kubernetes 리소스로 관리하기 위한 프로젝트입니다.
Kubernetes SIG Cluster Lifecycle에서 개발했으며, 클러스터 생성·업그레이드·삭제 같은 라이프사이클을 선언적으로 관리할 수 있게 합니다.
일반적인 애플리케이션을 Pod로 관리하듯, Cluster API는 Cluster, Machine, MachineDeployment 같은 CRD를 통해 쿠버네티스 클러스터를 코드로 관리합니다. 관리 클러스터(Management Cluster)에서 다른 워크로드 클러스터를 생성하고 제어하는 구조가 기본 개념입니다. AWS, Azure, vSphere 등 다양한 인프라에 대해 Provider 구조를 제공해 멀티 클라우드 환경에서도 일관된 방식으로 클러스터를 운영할 수 있습니다.
Cluster API 실습
kind k8s에 관리용 management 클러스터 설치 init
> kind create cluster --name myk8s --image kindest/node:v1.35.0 --config - <<EOF 07:28:04
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
extraMounts:
- hostPath: /var/run/docker.sock
containerPath: /var/run/docker.sock
extraPortMappings:
# sample app
- containerPort: 30000
hostPort: 30000
# kube-ops-view
- containerPort: 30001
hostPort: 30001
EOF
Creating cluster "myk8s" ...
✓ Ensuring node image (kindest/node:v1.35.0) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-myk8s"
You can now use your cluster with:
kubectl cluster-info --context kind-myk8s
Thanks for using kind! 😊
# (옵션) kube-ops-view
> helm repo add geek-cookbook https://geek-cookbook.github.io/charts/ ○ kind-myk8s 07:29:08
helm install kube-ops-view geek-cookbook/kube-ops-view --version 1.2.2 \
--set service.main.type=NodePort,service.main.ports.http.nodePort=30001 \
--set env.TZ="Asia/Seoul" --namespace kube-system
"geek-cookbook" already exists with the same configuration, skipping
NAME: kube-ops-view
LAST DEPLOYED: Mon Feb 23 07:29:11 2026
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
export NODE_PORT=$(kubectl get --namespace kube-system -o jsonpath="{.spec.ports[0].nodePort}" services kube-ops-view)
export NODE_IP=$(kubectl get nodes --namespace kube-system -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
> brew install clusterctl
> clusterctl version -o json | jq 14s 07:29:41
{
"clusterctl": {
"major": "1",
"minor": "12",
"gitVersion": "v1.12.3",
"gitCommit": "Homebrew",
"gitTreeState": "clean",
"buildDate": "2026-02-17T10:43:04Z",
"goVersion": "go1.26.0",
"compiler": "gc",
"platform": "darwin/arm64"
}
}
# [Docker 프로바이더] Initialize the management cluster : 현재 k8s 를 관리 클러스터로 변환
## Docker 프로바이더는 프로덕션 환경에 사용하도록 설계되지 않았으며 개발 환경 전용
## ClusterTopology관리형 토폴로지 및 ClusterClass 지원을 활성화하는 데 필요한 기능은 다음과 같이 활성화
## https://cluster-api.sigs.k8s.io/tasks/experimental-features/experimental-features
> export CLUSTER_TOPOLOGY=true
> clusterctl init --infrastructure docker
Fetching providers
Installing cert-manager version="v1.19.3"
Waiting for cert-manager to be available...
spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`.
Installing provider="cluster-api" version="v1.12.3" targetNamespace="capi-system"
spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`.
Installing provider="bootstrap-kubeadm" version="v1.12.3" targetNamespace="capi-kubeadm-bootstrap-system"
spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`.
Installing provider="control-plane-kubeadm" version="v1.12.3" targetNamespace="capi-kubeadm-control-plane-system"
spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`.
Installing provider="infrastructure-docker" version="v1.12.3" targetNamespace="capd-system"
spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`.
Your management cluster has been initialized successfully!
You can now create your first workload cluster by running the following:
clusterctl generate cluster [name] --kubernetes-version [version] | kubectl apply -f -
> kubectl get crd 29s ○ kind-myk8s 07:30:55
NAME CREATED AT
certificaterequests.cert-manager.io 2026-02-22T22:30:33Z
certificates.cert-manager.io 2026-02-22T22:30:33Z
challenges.acme.cert-manager.io 2026-02-22T22:30:33Z
clusterclasses.cluster.x-k8s.io 2026-02-22T22:30:51Z
clusterissuers.cert-manager.io 2026-02-22T22:30:33Z
clusterresourcesetbindings.addons.cluster.x-k8s.io 2026-02-22T22:30:51Z
clusterresourcesets.addons.cluster.x-k8s.io 2026-02-22T22:30:51Z
clusters.cluster.x-k8s.io 2026-02-22T22:30:51Z
devclusters.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:54Z
devclustertemplates.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:54Z
devmachines.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:55Z
devmachinetemplates.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:55Z
dockerclusters.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:55Z
dockerclustertemplates.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:55Z
dockermachinepools.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:55Z
dockermachinepooltemplates.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:55Z
dockermachines.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:55Z
dockermachinetemplates.infrastructure.cluster.x-k8s.io 2026-02-22T22:30:55Z
extensionconfigs.runtime.cluster.x-k8s.io 2026-02-22T22:30:52Z
ipaddressclaims.ipam.cluster.x-k8s.io 2026-02-22T22:30:52Z
ipaddresses.ipam.cluster.x-k8s.io 2026-02-22T22:30:52Z
issuers.cert-manager.io 2026-02-22T22:30:33Z
kubeadmconfigs.bootstrap.cluster.x-k8s.io 2026-02-22T22:30:53Z
kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io 2026-02-22T22:30:53Z
kubeadmcontrolplanes.controlplane.cluster.x-k8s.io 2026-02-22T22:30:54Z
kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io 2026-02-22T22:30:54Z
machinedeployments.cluster.x-k8s.io 2026-02-22T22:30:52Z
machinedrainrules.cluster.x-k8s.io 2026-02-22T22:30:52Z
machinehealthchecks.cluster.x-k8s.io 2026-02-22T22:30:52Z
machinepools.cluster.x-k8s.io 2026-02-22T22:30:52Z
machines.cluster.x-k8s.io 2026-02-22T22:30:52Z
> kubectl get pod -A ○ kind-myk8s 07:31:54
NAMESPACE NAME READY STATUS RESTARTS AGE
capd-system capd-controller-manager-54755cdd6-k6h72 1/1 Running 0 60s
capi-kubeadm-bootstrap-system capi-kubeadm-bootstrap-controller-manager-94d8964d9-vh5qz 1/1 Running 0 62s
capi-kubeadm-control-plane-system capi-kubeadm-control-plane-controller-manager-6796744c76-qs7zm 1/1 Running 0 61s
capi-system capi-controller-manager-59c5798655-hnnqx 1/1 Running 0 63s
cert-manager cert-manager-845844dd8-hq627 1/1 Running 0 81s
cert-manager cert-manager-cainjector-7b5d65fbcb-qnld4 1/1 Running 0 81s
cert-manager cert-manager-webhook-6fcf4cb6c-9n94f 1/1 Running 0 81s
kube-system coredns-7d764666f9-5nlsf 1/1 Running 0 3m30s
kube-system coredns-7d764666f9-z6hdf 1/1 Running 0 3m30s
kube-system etcd-myk8s-control-plane 1/1 Running 0 3m39s
kube-system kindnet-npqqh 1/1 Running 0 3m30s
kube-system kube-apiserver-myk8s-control-plane 1/1 Running 0 3m38s
kube-system kube-controller-manager-myk8s-control-plane 1/1 Running 0 3m38s
kube-system kube-ops-view-5c64986f74-twskv 1/1 Running 0 2m44s
kube-system kube-proxy-tt8bp 1/1 Running 0 3m30s
kube-system kube-scheduler-myk8s-control-plane 1/1 Running 0 3m38s
local-path-storage local-path-provisioner-67b8995b4b-vcdgh 1/1 Running 0 3m30s
관리용 management k8s 클러스터 정보 확인
## capd-system, capi-(kueadm-X/Y, system), cert-manager 네임스페이스가 생성
> kubectl describe -n capi-system deployment.apps/capi-controller-manager | grep feature-gates ○ kind-myk8s 07:31:55
--feature-gates=MachinePool=true,ClusterTopology=true,RuntimeSDK=false,MachineSetPreflightChecks=true,MachineWaitForVolumeDetachConsiderVolumeAttachments=true,PriorityQueue=false,ReconcilerRateLimiting=false,InPlaceUpdates=false,MachineTaintPropagation=false
# 프로바이더 (타입별)확인 : CAPI 구성요소가 설치된 상태
> kubectl get providers.clusterctl.cluster.x-k8s.io -A ○ kind-myk8s 07:33:08
NAMESPACE NAME AGE TYPE PROVIDER VERSION
capd-system infrastructure-docker 2m14s InfrastructureProvider docker v1.12.3
capi-kubeadm-bootstrap-system bootstrap-kubeadm 2m16s BootstrapProvider kubeadm v1.12.3
capi-kubeadm-control-plane-system control-plane-kubeadm 2m15s ControlPlaneProvider kubeadm v1.12.3
capi-system cluster-api 2m16s CoreProvider cluster-api v1.12.3
# CAPI의 핵심 컨트롤러 집합 : Cluster / MachineDeployment / MachineSet / Machine CRD 관리, 전체 reconcile orchestration 담당
> kubectl get providers -n capi-system cluster-api -o yaml ○ kind-myk8s 07:33:19
apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
kind: Provider
metadata:
creationTimestamp: "2026-02-22T22:30:53Z"
generation: 1
labels:
cluster.x-k8s.io/provider: cluster-api
clusterctl.cluster.x-k8s.io: ""
clusterctl.cluster.x-k8s.io/core: inventory
name: cluster-api
namespace: capi-system
resourceVersion: "950"
uid: 60d648d5-ff16-4364-a65a-3c229685137d
providerName: cluster-api
type: CoreProvider
version: v1.12.3
# 노드를 Kubernetes로 부팅시키는 역할 : cloud-init user-data 생성, kubeadm join/init config 생성
> kubectl get providers -n capi-kubeadm-bootstrap-system bootstrap-kubeadm -o yaml ○ kind-myk8s 07:34:00
apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
kind: Provider
metadata:
creationTimestamp: "2026-02-22T22:30:53Z"
generation: 1
labels:
cluster.x-k8s.io/provider: bootstrap-kubeadm
clusterctl.cluster.x-k8s.io: ""
clusterctl.cluster.x-k8s.io/core: inventory
name: bootstrap-kubeadm
namespace: capi-kubeadm-bootstrap-system
resourceVersion: "1021"
uid: 34a3a4da-2b1d-48d4-bd42-f5d63642a355
providerName: kubeadm
type: BootstrapProvider
version: v1.12.3
# Control Plane 전용 Machine 관리 : KubeadmControlPlane 리소스 관리, Control Plane 노드 스케일링, etcd 포함 업그레이드 관리
> kubectl get providers -n capi-kubeadm-control-plane-system control-plane-kubeadm -o yaml ○ kind-myk8s 07:34:16
apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
kind: Provider
metadata:
creationTimestamp: "2026-02-22T22:30:54Z"
generation: 1
labels:
cluster.x-k8s.io/provider: control-plane-kubeadm
clusterctl.cluster.x-k8s.io: ""
clusterctl.cluster.x-k8s.io/core: inventory
name: control-plane-kubeadm
namespace: capi-kubeadm-control-plane-system
resourceVersion: "1080"
uid: 5488efb2-f513-48f5-94c6-f0c028e636ae
providerName: kubeadm
type: ControlPlaneProvider
version: v1.12.3
# 실제 인프라 리소스 생성 담당 : 실제 Docker 컨테이너를 VM처럼 생성, Dev/Test 용도 (CAPD)
> kubectl get providers -n capd-system infrastructure-docker -o yaml ○ kind-myk8s 07:34:35
apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3
kind: Provider
metadata:
creationTimestamp: "2026-02-22T22:30:55Z"
generation: 1
labels:
cluster.x-k8s.io/provider: infrastructure-docker
clusterctl.cluster.x-k8s.io: ""
clusterctl.cluster.x-k8s.io/core: inventory
name: infrastructure-docker
namespace: capd-system
resourceVersion: "1176"
uid: a9f1e357-a3cd-4858-9ed8-f89f453f35ee
providerName: docker
type: InfrastructureProvider
version: v1.12.3
cert manager 확인
> kubectl get crd | grep cert ○ kind-myk8s 07:35:01
certificaterequests.cert-manager.io 2026-02-22T22:30:33Z
certificates.cert-manager.io 2026-02-22T22:30:33Z
challenges.acme.cert-manager.io 2026-02-22T22:30:33Z
clusterissuers.cert-manager.io 2026-02-22T22:30:33Z
issuers.cert-manager.io 2026-02-22T22:30:33Z
orders.acme.cert-manager.io 2026-02-22T22:30:33Z
> kubectl get deploy,pod,svc,ep,cm,secret,sa -n cert-manager ○ kind-myk8s 07:35:12
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/cert-manager 1/1 1 1 4m39s
deployment.apps/cert-manager-cainjector 1/1 1 1 4m39s
deployment.apps/cert-manager-webhook 1/1 1 1 4m39s
NAME READY STATUS RESTARTS AGE
pod/cert-manager-845844dd8-hq627 1/1 Running 0 4m39s
pod/cert-manager-cainjector-7b5d65fbcb-qnld4 1/1 Running 0 4m39s
pod/cert-manager-webhook-6fcf4cb6c-9n94f 1/1 Running 0 4m39s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cert-manager ClusterIP 10.96.228.252 <none> 9402/TCP 4m39s
service/cert-manager-cainjector ClusterIP 10.96.50.51 <none> 9402/TCP 4m39s
service/cert-manager-webhook ClusterIP 10.96.176.129 <none> 443/TCP,9402/TCP 4m39s
NAME ENDPOINTS AGE
endpoints/cert-manager 10.244.0.7:9402 4m39s
endpoints/cert-manager-cainjector 10.244.0.6:9402 4m39s
endpoints/cert-manager-webhook 10.244.0.8:10250,10.244.0.8:9402 4m39s
NAME DATA AGE
configmap/kube-root-ca.crt 1 4m40s
NAME TYPE DATA AGE
secret/cert-manager-webhook-ca Opaque 3 4m29s
NAME AGE
serviceaccount/cert-manager 4m40s
serviceaccount/cert-manager-cainjector 4m40s
serviceaccount/cert-manager-webhook 4m40s
serviceaccount/default 4m40s
> kubectl get issuers.cert-manager.io -A ○ kind-myk8s 07:35:31
NAMESPACE NAME READY AGE
capd-system capd-selfsigned-issuer True 4m38s
capi-kubeadm-bootstrap-system capi-kubeadm-bootstrap-selfsigned-issuer True 4m39s
capi-kubeadm-control-plane-system capi-kubeadm-control-plane-selfsigned-issuer True 4m39s
capi-system capi-selfsigned-issuer True 4m41s
> kubectl get certificaterequests.cert-manager.io -A -owide ○ kind-myk8s 07:35:44
NAMESPACE NAME APPROVED DENIED READY ISSUER REQUESTER STATUS AGE
capd-system capd-serving-cert-1 True True capd-selfsigned-issuer system:serviceaccount:cert-manager:cert-manager Certificate fetched from issuer successfully 4m49s
capi-kubeadm-bootstrap-system capi-kubeadm-bootstrap-serving-cert-1 True True capi-kubeadm-bootstrap-selfsigned-issuer system:serviceaccount:cert-manager:cert-manager Certificate fetched from issuer successfully 4m51s
capi-kubeadm-control-plane-system capi-kubeadm-control-plane-serving-cert-1 True True capi-kubeadm-control-plane-selfsigned-issuer system:serviceaccount:cert-manager:cert-manager Certificate fetched from issuer successfully 4m50s
capi-system capi-serving-cert-1 True True capi-selfsigned-issuer system:serviceaccount:cert-manager:cert-manager Certificate fetched from issuer successfully 4m52s
> kubectl get certificates.cert-manager.io -A -owide ○ kind-myk8s 07:36:05
NAMESPACE NAME READY SECRET ISSUER STATUS AGE
capd-system capd-serving-cert True capd-webhook-service-cert capd-selfsigned-issuer Certificate is up to date and has not expired 5m12s
capi-kubeadm-bootstrap-system capi-kubeadm-bootstrap-serving-cert True capi-kubeadm-bootstrap-webhook-service-cert capi-kubeadm-bootstrap-selfsigned-issuer Certificate is up to date and has not expired 5m13s
capi-kubeadm-control-plane-system capi-kubeadm-control-plane-serving-cert True capi-kubeadm-control-plane-webhook-service-cert capi-kubeadm-control-plane-selfsigned-issuer Certificate is up to date and has not expired 5m13s
capi-system capi-serving-cert True capi-webhook-service-cert capi-selfsigned-issuer Certificate is up to date and has not expired 5m15s
첫 번째 워크로드 클러스터 생성 및 확인
# 첫 번째 워크로드 구성을 위한 환경 변수 설정 : 필요에 맞게 수정.
## The list of service CIDR, default ["10.128.0.0/12"]
> export SERVICE_CIDR=["10.20.0.0/16"]
## The list of pod CIDR, default ["192.168.0.0/16"]
> export POD_CIDR=["10.10.0.0/16"]
## The service domain, default "cluster.local"
> export SERVICE_DOMAIN="myk8s-1.local"
## PSS Disable
> export POD_SECURITY_STANDARD_ENABLED="false"
> clusterctl generate cluster capi-quickstart --flavor development \
--kubernetes-version v1.34.3 \
--control-plane-machine-count=3 \
--worker-machine-count=3 \
> capi-quickstart.yaml
> cat capi-quickstart.yaml | grep -E '^apiVersion:|^kind:' 07:37:12
apiVersion: cluster.x-k8s.io/v1beta2
kind: ClusterClass
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: DockerClusterTemplate
apiVersion: controlplane.cluster.x-k8s.io/v1beta2
kind: KubeadmControlPlaneTemplate
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: DockerMachineTemplate
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: DockerMachineTemplate
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: DockerMachinePoolTemplate
apiVersion: bootstrap.cluster.x-k8s.io/v1beta2
kind: KubeadmConfigTemplate
apiVersion: cluster.x-k8s.io/v1beta2
kind: Cluster
> kubectl apply -f capi-quickstart.yaml ○ kind-myk8s 07:37:40
clusterclass.cluster.x-k8s.io/quick-start created
dockerclustertemplate.infrastructure.cluster.x-k8s.io/quick-start-cluster created
kubeadmcontrolplanetemplate.controlplane.cluster.x-k8s.io/quick-start-control-plane created
dockermachinetemplate.infrastructure.cluster.x-k8s.io/quick-start-control-plane created
dockermachinetemplate.infrastructure.cluster.x-k8s.io/quick-start-default-worker-machinetemplate created
dockermachinepooltemplate.infrastructure.cluster.x-k8s.io/quick-start-default-worker-machinepooltemplate created
kubeadmconfigtemplate.bootstrap.cluster.x-k8s.io/quick-start-default-worker-bootstraptemplate created
cluster.cluster.x-k8s.io/capi-quickstart created
# 생성 확인 & kubeconfig 자격 증명 & CNI 플러그인 설치 후 확인
> kubectl get cluster -o wide ○ kind-myk8s 07:38:29
NAME CLUSTERCLASS AVAILABLE CP DESIRED CP CURRENT CP READY CP AVAILABLE CP UP-TO-DATE W DESIRED W CURRENT W READY W AVAILABLE W UP-TO-DATE PAUSED PHASE AGE VERSION
capi-quickstart quick-start False 3 1 0 0 1 3 3 0 0 3 False Provisioned 71s v1.34.3
> clusterctl describe cluster capi-quickstart 07:39:31
NAME REPLICAS AVAILABLE READY UP TO DATE STATUS REASON SINCE MESSAGE
Cluster/capi-quickstart 5/6 0 0 5 False NotAvailable 110s * WorkersAvailable:
│ * MachineDeployment capi-quickstart-md-0-z2vw7: 0 available replicas, at least 3 required
│ (spec.strategy.rollout.maxUnavailable is 0, spec.replicas is 3)
├─ClusterInfrastructure - DockerCluster/capi-quickstart-gtgmc True Ready 103s
├─ControlPlane - KubeadmControlPlane/capi-quickstart-m4s8l 2/3 0 0 2 True Available 28s
│ └─2 Machines... 0 0 2 False NotReady 31s See capi-quickstart-m4s8l-c5frx, capi-quickstart-m4s8l-lt9vl
└─Workers
└─MachineDeployment/capi-quickstart-md-0-z2vw7 3/3 0 0 3 False NotAvailable 110s 0 available replicas, at least 3 required (spec.strategy.rollout.maxUnavailable is 0, spec.replicas
│ is 3)
└─3 Machines... 0 0 3 False NotReady 14s See capi-quickstart-md-0-z2vw7-kv5vb-k7h7t, capi-quickstart-md-0-z2vw7-kv5vb-qkrh4, ...
# 워크로드 클러스터 자격증명
> clusterctl get kubeconfig capi-quickstart > capi-quickstart.kubeconfig
# 노드 NotReady 상태 해결 : CNI 플러그인 설치 하자!
> kubectl --kubeconfig=capi-quickstart.kubeconfig apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml
poddisruptionbudget.policy/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
serviceaccount/calico-node created
serviceaccount/calico-cni-plugin created
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgpfilters.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/caliconodestatuses.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipreservations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrole.rbac.authorization.k8s.io/calico-cni-plugin created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-cni-plugin created
daemonset.apps/calico-node created
deployment.apps/calico-kube-controllers created
> kubectl --kubeconfig=capi-quickstart.kubeconfig get nodes -owide 3s ○ kind-myk8s 07:43:02
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
capi-quickstart-m4s8l-c5frx Ready control-plane 4m37s v1.34.3 192.168.228.4 <none> Debian GNU/Linux 12 (bookworm) 6.7.11-orbstack-00143-ge6b82e26cd22 containerd://2.2.0
capi-quickstart-m4s8l-lt9vl Ready control-plane 3m22s v1.34.3 192.168.228.8 <none> Debian GNU/Linux 12 (bookworm) 6.7.11-orbstack-00143-ge6b82e26cd22 containerd://2.2.0
capi-quickstart-m4s8l-zh5xj Ready control-plane 2m3s v1.34.3 192.168.228.9 <none> Debian GNU/Linux 12 (bookworm) 6.7.11-orbstack-00143-ge6b82e26cd22 containerd://2.2.0
capi-quickstart-md-0-z2vw7-kv5vb-k7h7t Ready <none> 3m52s v1.34.3 192.168.228.5 <none> Debian GNU/Linux 12 (bookworm) 6.7.11-orbstack-00143-ge6b82e26cd22 containerd://2.2.0
capi-quickstart-md-0-z2vw7-kv5vb-qkrh4 Ready <none> 3m53s v1.34.3 192.168.228.7 <none> Debian GNU/Linux 12 (bookworm) 6.7.11-orbstack-00143-ge6b82e26cd22 containerd://2.2.0
capi-quickstart-md-0-z2vw7-kv5vb-twppz Ready <none> 3m54s v1.34.3 192.168.228.6 <none> Debian GNU/Linux 12 (bookworm) 6.7.11-orbstack-00143-ge6b82e26cd22 containerd://2.2.0
'스터디 > K8s Deploy' 카테고리의 다른 글
| [K8s Deploy] Kubespray offline 설치 (0) | 2026.02.15 |
|---|---|
| [K8s Deploy] Kubespary HA & Upgrade (0) | 2026.02.04 |
| [K8s] Kubespray 배포 분석 (0) | 2026.02.01 |
| [K8s Deploy] Kubeadm Deep Dive (0) | 2026.01.24 |
| [K8s Deploy] Ansible 기초 (1) | 2026.01.18 |