# Enabling an L4 Load Balancer for the RKE2 Api-Server
* The domain resolves to the LB's address; the LB then distributes connections across the control-plane nodes.
```
$ host api.example.com
api.example.com has address 192.168.11.111
```
```
$ kubectl get no -owide
NAME      STATUS   ROLES                              AGE   VERSION           INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                              KERNEL-VERSION              CONTAINER-RUNTIME
rke2      Ready    control-plane,etcd,master,worker   79d   v1.28.12+rke2r1   192.168.11.113   <none>        SUSE Linux Enterprise Server 15 SP5   5.14.21-150500.53-default   containerd://1.7.17-k3s1
rke2-m2   Ready    control-plane,etcd,master,worker   62d   v1.28.12+rke2r1   192.168.11.118   <none>        SUSE Linux Enterprise Server 15 SP6   6.4.0-150600.21-default     containerd://1.7.17-k3s1
rke2-m3   Ready    control-plane,etcd,master,worker   62d   v1.28.12+rke2r1   192.168.11.108   <none>        SUSE Linux Enterprise Server 15 SP6   6.4.0-150600.21-default     containerd://1.7.17-k3s1
rke2-w1   Ready    worker                             76d   v1.28.12+rke2r1   192.168.11.121   <none>        SUSE Linux Enterprise Server 15 SP5   5.14.21-150500.53-default   containerd://1.7.17-k3s1
```
* Create the LB. 113, 118 and 108 are the IPs of the three master nodes.
```
$ nano nginx.conf
events {
    worker_connections 8192;
}
stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr"';
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log proxy;

    upstream api_servers_https {
        least_conn;
        server 192.168.11.113:6443 max_fails=5 fail_timeout=8s;
        server 192.168.11.118:6443 max_fails=5 fail_timeout=8s;
        server 192.168.11.108:6443 max_fails=5 fail_timeout=8s;
    }
    server {
        listen 6443;
        proxy_pass api_servers_https;
    }
}
$ docker run -d --restart=always -p 6443:6443 -v /root/nginx.conf:/etc/nginx/nginx.conf -v /var/log/nginx:/var/log/nginx nginx:stable
```
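Because this is a `stream` (TCP passthrough) proxy, TLS still terminates on the kube-apiserver, so client certificates and SAN checks work unchanged; the trade-off is that the apiserver (and its audit log) sees the LB as the source of every connection, which makes the nginx access log the only record of the real client address and of which control-plane node served each session. The script below is an added example, not code from the page or from nginx; it parses lines in the `proxy` log_format declared above, using a few constructed sample lines rather than a real capture, and reports sessions per upstream, sessions nginx failed over (the `$upstream_addr` field lists every server tried, comma-separated) and sessions that ended with a 5xx status. The function names are mine.

```python
import re
from collections import Counter

# Matches the `proxy` log_format declared in the nginx.conf above:
#   '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr"'
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] (?P<proto>\S+) (?P<status>\d{3}) '
    r'(?P<sent>\d+) (?P<recv>\d+) (?P<session>[\d.]+) "(?P<upstream>[^"]*)"$'
)

# Constructed sample lines (not a real capture). The third line shows nginx's
# failover notation: every upstream it tried, comma-separated, the last one served.
SAMPLE_LOG = """\
192.168.11.50 [10/Sep/2024:10:15:32 +0000] TCP 200 8192 1024 0.512 "192.168.11.113:6443"
192.168.11.50 [10/Sep/2024:10:15:33 +0000] TCP 200 4096 512 0.301 "192.168.11.118:6443"
192.168.11.51 [10/Sep/2024:10:15:35 +0000] TCP 200 65536 2048 3.220 "192.168.11.108:6443, 192.168.11.113:6443"
192.168.11.52 [10/Sep/2024:10:15:40 +0000] TCP 502 0 0 0.004 "192.168.11.108:6443"
not a proxy log line
"""


def parse_line(line):
    """Parse one access.log line; return None for lines that don't match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tried = [u.strip() for u in rec["upstream"].split(",") if u.strip()]
    rec["tried"] = tried
    rec["served_by"] = tried[-1] if tried else None  # last address is the one that carried the session
    rec["status"] = int(rec["status"])
    rec["sent"] = int(rec["sent"])
    rec["recv"] = int(rec["recv"])
    rec["session"] = float(rec["session"])
    return rec


def summarize(lines):
    """Sessions per control-plane node, failed sessions (5xx) and sessions that failed over."""
    per_upstream = Counter()
    failed, failovers = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["served_by"]:
            per_upstream[rec["served_by"]] += 1
        if rec["status"] >= 500:
            failed.append(rec)
        if len(rec["tried"]) > 1:
            failovers.append(rec)
    return {"per_upstream": dict(per_upstream), "failed": failed, "failovers": failovers}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for upstream, n in sorted(report["per_upstream"].items()):
        print(f"{upstream:<22} {n} session(s)")
    for rec in report["failovers"]:
        print(f"failover: {rec['client']} tried {' -> '.join(rec['tried'])}")
    for rec in report["failed"]:
        print(f"FAILED {rec['status']}: {rec['client']} -> {rec['served_by']} at {rec['time']}")
```

Run it against the real file with `summarize(open("/var/log/nginx/access.log"))`; a node that keeps showing up only as the first entry of a failover list, or only with 5xx sessions, is one that `max_fails`/`fail_timeout` is quietly routing around.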
* In the Rancher UI, edit the RKE2 cluster and add the domain under Networking -> TLS Alternate Names.
* A TLS SAN adds a hostname the api-server can be addressed as, meaning the kubeconfig can use a custom domain to reach the api-server.

* After the change, inspecting the serving certificate shows that the `api.example.com` domain has been added
```
$ openssl x509 -in /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt -noout -text | grep -A1 Alternative
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:api.example.com, DNS:localhost, DNS:rke2, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.11.113, IP Address:10.43.0.1
```
* Check the rke2 config file
```
$ cat /etc/rancher/rke2/config.yaml.d/50-rancher.yaml
{
  "agent-token": "m8b4kkj74lb2mm2h8lncptlc6x77n5fvd5x5lbxd4khwnfqhkz94vf",
  "cni": "calico",
  "disable-kube-proxy": false,
  "etcd-expose-metrics": false,
  "etcd-snapshot-retention": 5,
  "etcd-snapshot-schedule-cron": "0 */5 * * *",
  "kube-controller-manager-arg": [
    "allocate-node-cidrs=false",
    "cert-dir=/var/lib/rancher/rke2/server/tls/kube-controller-manager",
    "secure-port=10257"
  ],
  "kube-controller-manager-extra-mount": [
    "/var/lib/rancher/rke2/server/tls/kube-controller-manager:/var/lib/rancher/rke2/server/tls/kube-controller-manager"
  ],
  "kube-scheduler-arg": [
    "cert-dir=/var/lib/rancher/rke2/server/tls/kube-scheduler",
    "secure-port=10259"
  ],
  "kube-scheduler-extra-mount": [
    "/var/lib/rancher/rke2/server/tls/kube-scheduler:/var/lib/rancher/rke2/server/tls/kube-scheduler"
  ],
  "kubelet-arg": [
    "max-pods=200"
  ],
  "node-label": [
    "cattle.io/os=linux",
    "rke.cattle.io/machine=419f880f-3b9d-48d3-9d1f-d4085d214ae6"
  ],
  "private-registry": "/etc/rancher/rke2/registries.yaml",
  "protect-kernel-defaults": false,
  "server": "https://192.168.11.108:9345",
  "system-default-registry": "registry.rancher.com",
  "tls-san": [
    "api.example.com"
  ],
  "token": "mnhttz5x54mpjgm45wcrj4kwqvzjb6r9td4265qw44mwb8nccx7d88"
}
```
* The kubeconfig can now use this domain to access the api-server

```
$ kubectl get no
NAME      STATUS   ROLES                              AGE   VERSION
rke2      Ready    control-plane,etcd,master,worker   79d   v1.28.12+rke2r1
rke2-m2   Ready    control-plane,etcd,master,worker   62d   v1.28.12+rke2r1
rke2-m3   Ready    control-plane,etcd,master,worker   62d   v1.28.12+rke2r1
rke2-w1   Ready    worker                             76d   v1.28.12+rke2r1
```
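Before switching a kubeconfig to the new name, it is worth checking mechanically that the three pieces above agree: the `tls-san` entry in the rke2 config, the SAN list the serving certificate actually carries, and the `server:` URL the kubeconfig will use. Note that the SAN printed above contains the node IP 192.168.11.113 but not the LB address 192.168.11.111, so a kubeconfig pointed at the LB must use the DNS name; pointing it at the LB IP fails TLS hostname verification. The script below is an added example, not code from the page or from Rancher; it works on a constructed copy of the openssl output and a trimmed copy of the config shown above, and the function names are mine.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

LB_HOSTNAME = "api.example.com"  # the domain the LB answers for (from the page)

# Constructed copy of the `openssl x509 ... | grep -A1 Alternative` output shown above.
SAN_OUTPUT = """\
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:api.example.com, DNS:localhost, DNS:rke2, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.11.113, IP Address:10.43.0.1
"""

# Trimmed, constructed copy of the relevant keys of 50-rancher.yaml. Rancher writes that
# file as JSON (which is valid YAML), so the stdlib json module can read it; a hand-written
# YAML config would need PyYAML instead.
RKE2_CONFIG = """{
  "server": "https://192.168.11.108:9345",
  "tls-san": ["api.example.com"]
}"""


def parse_san(text):
    """Return (dns_names, ip_addresses) from openssl's SAN dump."""
    dns, ips = [], []
    for kind, value in re.findall(r"(DNS|IP Address):([^,\s]+)", text):
        (dns if kind == "DNS" else ips).append(value)
    return dns, ips


def check_tls_san(san_text, config_text, hostname):
    """The hostname must be in the rke2 tls-san list AND in the certificate actually served."""
    dns, _ = parse_san(san_text)
    tls_san = json.loads(config_text).get("tls-san", [])
    if isinstance(tls_san, str):  # tolerate a single string as well as a list
        tls_san = [tls_san]
    in_config = hostname in tls_san
    in_cert = hostname.lower() in {d.lower() for d in dns}
    return {"in_config": in_config, "in_cert": in_cert, "ok": in_config and in_cert}


def server_matches_cert(server_url, san_text):
    """Would a kubeconfig `server:` URL pass TLS hostname verification against this SAN list?"""
    host = urlsplit(server_url).hostname
    dns, ips = parse_san(san_text)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # DNS name: exact match only (wildcard SANs are not handled here)
        return host.lower() in {d.lower() for d in dns}
    # IP literal: compare as addresses so 0:0:0:0:0:0:0:1 and ::1 are treated as equal
    return any(ipaddress.ip_address(i) == addr for i in ips)


if __name__ == "__main__":
    print(check_tls_san(SAN_OUTPUT, RKE2_CONFIG, LB_HOSTNAME))
    for url in ("https://api.example.com:6443", "https://192.168.11.111:6443", "https://192.168.11.113:6443"):
        print(f"{url:<32} {'ok' if server_matches_cert(url, SAN_OUTPUT) else 'NOT covered by SAN'}")
```

To run it against a real node, feed `parse_san` the output of the `openssl x509` command above and `check_tls_san` the contents of `50-rancher.yaml`. Once both checks pass, the kubeconfig's cluster entry can be repointed at the LB, for example with `kubectl config set-cluster <cluster-name> --server=https://api.example.com:6443`.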