# Enabling ACE on RKE2

## Implementation

* The domain resolves to the load balancer, which distributes traffic to the control-plane nodes.

```
$ host ace.example.com
ace.example.com has address 192.168.11.65
```

* Create the LB

```
$ nano nginx.conf
events {
    worker_connections 8192;
}

stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr"';

    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log proxy;

    upstream api_servers_https {
        least_conn;
        server 192.168.11.103:6443 max_fails=5 fail_timeout=8s;
    }

    server {
        listen 6443;
        proxy_pass api_servers_https;
    }
}

$ docker run -d --restart=always -p 6443:6443 -v /root/nginx.conf:/etc/nginx/nginx.conf -v /var/log/nginx:/var/log/nginx nginx:stable
```

1. Create an RKE2 cluster through Rancher; do not configure ACE or TLS SAN at this point.
2. Once RKE2 is ready, add the TLS SAN configuration in the Rancher UI and update the certificates; the corresponding SAN can then be seen with openssl.

![image](https://hackmd.io/_uploads/ry7_h_iJ1g.png)

```
tls-san:
  - ace.example.com
```

* TLS SAN adds a hostname that the api-server will answer to, which means the kubeconfig can reach the api-server through a custom domain.

```
$ openssl x509 -in /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt -noout -text | grep -A1 Alternative
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:ace.example.com, DNS:localhost, DNS:demo-1, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.11.103, IP Address:10.43.0.1
```

![image](https://hackmd.io/_uploads/HkwYXtsJ1e.png)

```
$ cat /etc/rancher/rke2/config.yaml.d/50-rancher.yaml
```

![image](https://hackmd.io/_uploads/B1nkVKjJke.png)

4. On the master nodes, create a file with the following content; every master node needs it.

```
$ nano /var/lib/rancher/rke2/kube-api-authn-webhook.yaml
apiVersion: v1
kind: Config
clusters:
- name: Default
  cluster:
    insecure-skip-tls-verify: true
    server: http://127.0.0.1:6440/v1/authenticate
users:
- name: Default
  user:
    insecure-skip-tls-verify: true
current-context: webhook
contexts:
- name: webhook
  context:
    user: Default
    cluster: Default
```

5. Add the apiserver argument.

![image](https://hackmd.io/_uploads/HkPrrKok1g.png)

```
authentication-token-webhook-config-file=/var/lib/rancher/rke2/kube-api-authn-webhook.yaml
```

6. Enable ACE under Networking; for the FQDN use the TLS SAN added in step 2, and for the certificate use `/var/lib/rancher/rke2/server/tls/server-ca.crt` from an RKE2 control-plane node.

![image](https://hackmd.io/_uploads/BkoU2Yokyg.png)

7. Download the kubeconfig, switch context, and confirm it works.

![image](https://hackmd.io/_uploads/BJg3Kctjkke.png)

```
$ kubectl config get-contexts
CURRENT   NAME        CLUSTER     AUTHINFO   NAMESPACE
*         demo        demo        demo
          demo-fqdn   demo-fqdn   demo
$ kubectl config use-context demo-fqdn
```

```
$ kubectl get no
NAME     STATUS   ROLES                              AGE   VERSION
demo-1   Ready    control-plane,etcd,master,worker   19d   v1.28.10+rke2r1
demo-2   Ready    worker                             19d   v1.28.10+rke2r1
demo-3   Ready    worker                             19d   v1.28.10+rke2r1
```

## References

https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/register-existing-clusters#authorized-cluster-endpoint-support-for-rke2-and-k3s-clusters
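A pre-flight check script for steps 2, 4 and 5 above, added here as an example; it is not part of the original note or of Rancher's own tooling. It assumes the FQDN `ace.example.com`, RKE2's default api-server certificate path, the webhook file from step 4, and that Rancher renders the apiserver flag into `/etc/rancher/rke2/config.yaml.d/50-rancher.yaml` as a `kube-apiserver-arg` list item; override the variables for other environments.

```sh
#!/bin/sh
# Added example, not from the original note: pre-flight checks for an RKE2 ACE setup.
# Assumed values (override via environment): the FQDN from the note, RKE2's default
# cert path, the webhook file created in step 4, and Rancher's 50-rancher.yaml.
ACE_FQDN="${ACE_FQDN:-ace.example.com}"
APISERVER_CRT="${APISERVER_CRT:-/var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt}"
WEBHOOK_CFG="${WEBHOOK_CFG:-/var/lib/rancher/rke2/kube-api-authn-webhook.yaml}"
RANCHER_CFG="${RANCHER_CFG:-/etc/rancher/rke2/config.yaml.d/50-rancher.yaml}"
WEBHOOK_FLAG="authentication-token-webhook-config-file=${WEBHOOK_CFG}"

# Return 0 if the SAN text (as printed by `openssl x509 -text`) lists NAME as an exact
# DNS entry; prefix matches (ace.example.com vs ace.example.com.internal) do not count.
san_contains_dns() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# Print the Subject Alternative Name block of a PEM certificate.
cert_san_text() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Return 0 if the webhook kubeconfig targets Rancher's local authenticate endpoint.
webhook_cfg_ok() {
  grep -q 'server: http://127.0.0.1:6440/v1/authenticate' "$1"
}

# Return 0 if the RKE2 config file carries the apiserver webhook flag (assumption:
# Rancher renders it as a `kube-apiserver-arg` list item, i.e. a line `- <flag>`).
apiserver_flag_ok() {
  grep -q -- "- ${WEBHOOK_FLAG}" "$1"
}

# Run every check on a control-plane node; one line per check, returns 1 on any failure.
run_checks() {
  rc=0
  san=$(cert_san_text "$APISERVER_CRT") || rc=1
  if san_contains_dns "$san" "$ACE_FQDN"; then echo "ok   SAN lists $ACE_FQDN"
  else echo "FAIL SAN lacks $ACE_FQDN (re-apply tls-san and rotate certificates)"; rc=1; fi
  if webhook_cfg_ok "$WEBHOOK_CFG"; then echo "ok   webhook config"
  else echo "FAIL $WEBHOOK_CFG missing or wrong server URL"; rc=1; fi
  if apiserver_flag_ok "$RANCHER_CFG"; then echo "ok   apiserver flag"
  else echo "FAIL $RANCHER_CFG lacks $WEBHOOK_FLAG"; rc=1; fi
  return $rc
}

# Set ACE_RUN_CHECKS=1 to execute the checks when running this script on a master node.
if [ "${ACE_RUN_CHECKS:-0}" = 1 ]; then run_checks; fi
```

Run it on each master after step 5; a FAIL on the SAN line means step 2 did not reach that node's api-server certificate yet.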