RKE2 Cluster Direct Kubectl Access

Rancher RKE2 Direct Cluster Access

Setup Direct Access to Downstream Cluster

In order to directly access any downstream RKE2 Kubernetes cluster (bypassing the Rancher server), you need to manually enable authorized endpoints under Cluster Management > Edit Config. However, BEFORE doing that, you need to complete the following steps on ALL control-plane nodes. You can use MobaXterm multi-execution mode to speed this task up.

Note: For a deep dive on “Authenticating Directly with a Downstream Cluster”, see the official Rancher Labs documentation. The instructions on this page are meant to simplify and speed up the process.

Step 1 – Create the file /var/lib/rancher/rke2/kube-api-authn-webhook.yaml with owner-only permissions:

touch /var/lib/rancher/rke2/kube-api-authn-webhook.yaml
chmod 600 /var/lib/rancher/rke2/kube-api-authn-webhook.yaml
nano /var/lib/rancher/rke2/kube-api-authn-webhook.yaml

Paste the following content into the file and save it. The webhook is served over plain HTTP on the node’s loopback interface (127.0.0.1:6440), which is why the TLS verification fields are set to skip:

apiVersion: v1
kind: Config
clusters:
- name: Default
  cluster:
    insecure-skip-tls-verify: true
    server: http://127.0.0.1:6440/v1/authenticate
users:
- name: Default
  user:
    insecure-skip-tls-verify: true
current-context: webhook
contexts:
- name: webhook
  context:
    user: Default
    cluster: Default

Step 2 – Create the config file /etc/rancher/rke2/config.yaml. The command below writes a new file; if config.yaml already exists on the node, add the argument to its existing kube-apiserver-arg list instead of overwriting the file:

echo "kube-apiserver-arg:
    - authentication-token-webhook-config-file=/var/lib/rancher/rke2/kube-api-authn-webhook.yaml" > /etc/rancher/rke2/config.yaml

Check config.yaml:

cat /etc/rancher/rke2/config.yaml

Step 3 – Restart the RKE2 server service on each control-plane node

systemctl stop rke2-server
systemctl start rke2-server
systemctl status rke2-server
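Steps 1 to 3 above are typed by hand on every control-plane node. As an added example (not from the original post), the script below performs Steps 1 and 2 idempotently: it writes the webhook kubeconfig with mode 600 and merges the kube-apiserver flag into an existing config.yaml (keeping other keys such as token or tls-san) instead of overwriting it. The optional directory prefix argument and the function names are this example’s own, not RKE2 or Rancher settings.

```bash
#!/usr/bin/env bash
# Added example: Steps 1 and 2 of the post as idempotent functions. An optional
# first argument (assumed helper, not an RKE2 setting) prefixes all paths for dry runs.
set -eu
WEBHOOK=/var/lib/rancher/rke2/kube-api-authn-webhook.yaml
CONFIG=/etc/rancher/rke2/config.yaml
ARG="- authentication-token-webhook-config-file=$WEBHOOK"

write_webhook_config() {            # Step 1: webhook kubeconfig, owner-only (0600)
  dst="${1:-}$WEBHOOK"; mkdir -p "$(dirname "$dst")"
  ( umask 077; cat > "$dst" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: Default
  cluster:
    insecure-skip-tls-verify: true
    server: http://127.0.0.1:6440/v1/authenticate
users:
- name: Default
  user:
    insecure-skip-tls-verify: true
current-context: webhook
contexts:
- name: webhook
  context:
    user: Default
    cluster: Default
EOF
  ); chmod 600 "$dst"
}

add_apiserver_arg() {               # Step 2: add the flag under kube-apiserver-arg
  cfg="${1:-}$CONFIG"; mkdir -p "$(dirname "$cfg")"; touch "$cfg"
  grep -qF -- "$ARG" "$cfg" && return 0                    # already present: no-op
  if grep -q '^kube-apiserver-arg: *$' "$cfg"; then
    # key already holds other flags: insert our item, copying the next line's indentation
    awk -v arg="$ARG" '{ print }
      /^kube-apiserver-arg: *$/ { ind = "  "; nxt = ""
        if ((getline nxt) > 0) { match(nxt, /^ */); ind = substr(nxt, 1, RLENGTH) }
        print ind arg; if (nxt != "") print nxt }' "$cfg" > "$cfg.new"
    cat "$cfg.new" > "$cfg" && rm -f "$cfg.new"            # keeps the file's owner/mode
  else
    printf 'kube-apiserver-arg:\n  %s\n' "$ARG" >> "$cfg"  # key absent: append it
  fi
}

verify_setup() {                    # what the Step 3 restart will pick up
  [ "$(stat -c %a "${1:-}$WEBHOOK")" = 600 ] && grep -qF -- "$ARG" "${1:-}$CONFIG"
}
```

Source the file on each control-plane node and run `write_webhook_config && add_apiserver_arg && verify_setup && systemctl restart rke2-server`; passing a directory, as in `add_apiserver_arg /tmp/dryrun`, writes under that prefix instead of the real paths so you can inspect the result first.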

Step 4 – Enable Authorized Endpoints via Rancher Server UI

Home > Cluster Management > “kebab” menu > Edit Config

(Screenshot: Rancher RKE2 cluster access, Edit Config menu)

Scroll down to Cluster Configuration > Networking > Authorized Endpoint > Enable

Optional: If you have created an FQDN for your cluster, you can enter it here with a CA Certificate.

Click SAVE to continue. Rancher will apply the changes and your cluster will go from “Active” to “Updating”.

(Screenshot: enabling Authorized Endpoint for the RKE2 cluster in Rancher)

Copy New Kubeconfig File

You can now copy the new Kubeconfig file to the path of your choice (example: /root/.kube/kube.config). Just go to Cluster Management > “kebab” menu > Copy KubeConfig to Clipboard.

The kubeconfig file now has contexts that let you connect directly to your cluster through one or more of your control-plane nodes. After completing the steps above, the new kubeconfig will contain one context per control-plane node plus one “Rancher UI” context (example: 3 control-plane node endpoints + 1 Rancher UI endpoint = 4 contexts).

kubectl config get-contexts --kubeconfig /PATH/TO/KUBECONFIG-FILE/config-wpnocpi1.yaml
(Screenshot: kubectl config get-contexts output showing the direct-access contexts)

Conclusion

That concludes this RKE2 Kubernetes tutorial. You should now be able to directly access your cluster through any of the control-plane nodes in your cluster. If you have any questions, let me know in the comments below.
