Enable Authorized Cluster Endpoint

Rancher
1

I’d like to be able to login to my cluster directly, without needing access to Rancher.

I’ve read about enabling ACE but struggle with implementing it.

The documentation states that you should tweak some config files on the control-plane nodes - so I figured I could use cloud-init to do that:

#cloud-config
write_files:
  - path: /var/lib/rancher/rke2/kube-api-authn-webhook.yaml
    content: |
      apiVersion: v1
      kind: Config
      clusters:
      - name: Default
        cluster:
          insecure-skip-tls-verify: true
          server: http://127.0.0.1:6440/v1/authenticate
      users:
      - name: Default
        user:
          insecure-skip-tls-verify: true
      current-context: webhook
      contexts:
      - name: webhook
        context:
          user: Default
          cluster: Default
  - path: /etc/rancher/rke2/config.yaml
    content: |
      kube-apiserver-arg:
        - authentication-token-webhook-config-file=/var/lib/rancher/rke2/kube-api-authn-webhook.yaml

It seems however to work poorly, as node got stuck reconciling over night:

Screenshot 2024-04-11 at 08.16.08
Screenshot 2024-04-11 at 08.16.08719×118 17.8 KB

How am I supposed to make the setting part of the image? The node is based on a jammy ubuntu cloud image.

2

Seems I had an additional issue with my etcd database which prevented nodes from reconciling. Still interested in feedback on the way I suggest to enable ACE though.

3

Have you enabled ACE from the Networking section in the cluster configuration?

4

Are you saying that I don’t need these lines in cloud-config:

Screenshot 2024-04-16 at 14.47.06
Screenshot 2024-04-16 at 14.47.061151×598 152 KB

But do need to set FQDN here:

Screenshot 2024-04-16 at 14.47.30
Screenshot 2024-04-16 at 14.47.302159×820 117 KB

?

I don’t necessarily infer that from the documentation.

5

Hi @azzid , you need to do both. In addition to your cloud-config configuration, you need to enable ACE from the networking tab in the cluster configuration.
Please refer these steps in the official documentation. The step 4 indicates that you need to enable ACE from the networking tab in the cluster configuration.