Authorized Cluster Endpoint missing - regression?

I have a Rancher cluster (2.2.1) that has the ACE enabled and working as expected:

  • Via the API I can see that localClusterAuthEndpoint is enabled.
  • Both the Rancher endpoint and the ACE exist in the Kubeconfig file.
  • GitLab can authenticate with the provided token/certificate and install Helm, runners, etc.

When I build another cluster via RKE (0.2.8) and Rancher stable (2.2.8) the ACE is missing:

  • Via the API I see that localClusterAuthEndpoint is NOT enabled.
  • The ACE endpoint is missing from the Kubeconfig file.

The Rancher documentation states that the ACE should be enabled by default. Regardless, I’ve manually enabled it via the RKE cluster.yml and it’s still not enabled in Rancher.

There is definitely something lost in translation from the RKE-built Kubernetes cluster and the Rancher UI installation.

In addition to the missing ACE, the cluster name and etcd snapshot settings aren’t being picked up via Rancher even though they were created by RKE (which I have verified within the cluster, the RKE kubeconfig and the rkestate files).

My install steps are straightforward:

nodes:
  - address: xxx.xxx.xxx.1
    user: cowman
    role: [controlplane,worker,etcd]
  - address: xxx.xxx.xxx.2
    user: cowman
    role: [controlplane,worker,etcd]
  - address: xxx.xxx.xxx.3
    user: cowman
    role: [controlplane,worker,etcd]

services:
  etcd:
    snapshot: true
    creation: 6h
    retention: 24h

cluster_name: mycluster

kubectl -n kube-system create serviceaccount tiller

kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller

helm init --service-account tiller

helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

helm install stable/cert-manager --name cert-manager --namespace kube-system --version v0.5.2

helm install rancher-stable/rancher --name rancher --namespace cattle-system --set hostname=mycluster.com

I’ve been able to reproduce this issue in multiple environments with CentOS 7.

I’ve created an issue here: