Toggle Side Panel
Close search

RKE2 Cluster Direct Kubectl Access

teedog
teedog May 15, 2024
0 Comments
Rancher RKE2 Direct Cluster Access

Setup Direct Access to Downstream Cluster

In order to directly access any downstream RKE2 kubernetes cluster (circumventing rancher server), you need to manually enable authorized endpoints using Cluster Managament > Edit Config. However BEFORE doing that, you need to complete the following steps on ALL Control Plane Nodes. You can use MobaxTerm Multi-Execution mode to speed this task up.

Note: For a deep dive on “Authenticating Directly with a Downstream Cluster you may visit the official Rancher Labs documentation, here. The instructions on this page are meant to simplify and speed up the process.

Step 1 – Create a file /var/lib/rancher/rke2/kube-api-authn-webhook.yaml:

touch /var/lib/rancher/rke2/kube-api-authn-webhook.yaml
chmod 600 /var/lib/rancher/rke2/kube-api-authn-webhook.yaml
nano /var/lib/rancher/rke2/kube-api-authn-webhook.yaml
apiVersion: v1
kind: Config
clusters:
- name: Default
  cluster:
    insecure-skip-tls-verify: true
    server: http://127.0.0.1:6440/v1/authenticate
users:
- name: Default
  user:
    insecure-skip-tls-verify: true
current-context: webhook
contexts:
- name: webhook
  context:
    user: Default
    cluster: Default

Step 2 – Create config file (create if it doesn’t exist) /etc/rancher/rke2/config.yaml:

echo "kube-apiserver-arg:
    - authentication-token-webhook-config-file=/var/lib/rancher/rke2/kube-api-authn-webhook.yaml" > /etc/rancher/rke2/config.yaml

Check config.yaml:

cat /etc/rancher/rke2/config.yaml

Step 3 – Restart RKE2 Servers

systemctl stop rke2-server
systemctl start rke2-server
systemctl status rke2-server

Step 4 – Enable Authorized Endpoints via Rancher Server UI

Home > Cluster Management > “kebab” menu > Edit Config

rancher rke2 cluster access edit

Scroll down to Cluster Configuration > Networking > Authorized Endpoint > Enable

Optional: If you have created an FQDN for your cluster, you can enter it here with a CA Certificate.

Click SAVE to continue. Rancher will apply changes and your cluster will go from “Active” to “Updating”.

enable authorized endpoints rke2 rancher

Copy New Kubeconfig File

You can now copy the new Kubeconfig file to the path of your choice (example: /root/.kube/kube.config). Just go to Cluster Management > “kebab” menu > Copy KubeConfig to Clipboard.

The kubeconfig file now has contexts that allow you to connect directly to your cluster via one or more of your control-plane nodes. After completing the steps above, your new kubeconfig file will have the same number of contexts plus one “Rancher UI” context (example: 3 control-plane nodes endpoints + 1 Rancher UI endpoint = 4 contexts)

kubectl config get-contexts --kubeconfig /PATH/TO/KUBECONFIG-FILE/config-wpnocpi1.yaml
Rancher RKE2 cluster direct access context

Conclusion

That concludes this RKE2 kubernetes tutorial. You should now be able to directly access your cluster through any of the control planes in your cluster. If you have any questions let me know in the comments below.

READ MORE: Kubernetes

Categories: Kubernetes, Rancher, RKE2
Tags: , ,
teedog
teedog
-->First computer owned: TSR-80 Model II | -->First computer built: Pentium 233mhz MMX-Technology, Matrox Mystique 2D, Diamond Monster 3D, RAM PC-100 64MB. | -->I am and will always be a Computer Techie for life.

Related Articles

Responses

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .