Thank you for the response! I'm working on my own pet project, and there is no one with whom to discuss the problems.
- I am sure that there is the ability to bind a port to a specific network interface. See: https://docs.docker.com/v17.09/engine/reference/commandline/run/#publish-or-expose-port--p-expose
- I am trying to put all components on one machine for economic reasons. In real production (not for a pet project) I would prefer to separate Rancher Server from k8s.
- I don't think that having nginx outside of the cluster is a good idea. The Ingress controller is part of the k8s cluster provisioned by RKE. And I really do not want to have two things solving the same problem.
- I cannot be 100% certain, but I think it is common practice to expose the kube API to the Internet (https://stackoverflow.com/questions/48979432/kubernetes-over-internet). But access to etcd should be restricted (https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#restrict-access-to-etcd).
And now I have some vision of an ideal setup:
- Set up the k8s cluster with RKE (CLI util). Use only the local network interface (192.168.1.2) for all k8s components.
- Run the Ingress controller on the public interface (192.168.0.2).
- Deploy Rancher Server on top of the provisioned k8s cluster (currently this option is unavailable, but I got an answer from @jetatomic that it should be available in the future: Running Rancher Server on top of RKE-provisioned cluster).
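A verification check for the setup sketched in the list above, added here as an example and not part of the original post: it parses `ss -ltn`-style listener output and flags etcd or kubelet sockets that are not confined to the local interface 192.168.1.2. The port numbers are the standard etcd/kubelet defaults and the sample listener lines are constructed, both assumptions rather than values from the thread.

```shell
#!/bin/sh
# Interface from the post: every k8s component must bind here only;
# just the Ingress controller (and the kube API) may face 192.168.0.2.
LOCAL_IF=192.168.1.2

# Assumed default ports that must never be reachable from the public side:
# etcd client (2379), etcd peer (2380), kubelet (10250).
PRIVATE_PORTS="2379 2380 10250"

# Constructed sample in the shape of `ss -H -ltn` (State Recv-Q Send-Q Local Peer).
# On a real host replace it with: LISTENERS="$(ss -H -ltn)"
SAMPLE_LISTENERS='LISTEN 0 128 192.168.1.2:2379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2380 0.0.0.0:*
LISTEN 0 128 192.168.1.2:6443 0.0.0.0:*
LISTEN 0 128 192.168.0.2:80 0.0.0.0:*
LISTEN 0 128 192.168.0.2:443 0.0.0.0:*
LISTEN 0 128 *:10250 0.0.0.0:*'

# Prints one "VIOLATION <addr:port>" line for each private port that listens on
# a wildcard (0.0.0.0, *, [::]) or on any address other than LOCAL_IF.
find_private_violations() {
  printf '%s\n' "$1" | awk -v local_if="$LOCAL_IF" -v ports="$PRIVATE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" && match($4, /:[0-9]+$/) {
      addr = substr($4, 1, RSTART - 1); port = substr($4, RSTART + 1)
      if ((port in want) && addr != local_if) print "VIOLATION " $4
    }'
}

# Returns 0 when every private port is bound to LOCAL_IF, 1 otherwise.
audit_bindings() {
  v=$(find_private_violations "$1")
  if [ -n "$v" ]; then printf '%s\n' "$v"; return 1; fi
  echo "OK: etcd and kubelet listen on $LOCAL_IF only"
}

audit_bindings "$SAMPLE_LISTENERS" || echo "fix the bindings above before exposing the host"
```

In the constructed sample the etcd peer port and the kubelet port are bound to wildcards, so the audit reports two violations even though the ingress ports are correctly placed on the public interface.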