How to use Rancher ACE

I created an RKE2 cluster using the Rancher UI and enabled the authorization cluster endpoint (ACE). The following are my steps.

CURRENT   NAME                                  CLUSTER                               AUTHINFO   NAMESPACE
          yk-dev                                yk-dev                                yk-dev     
          yk-dev-sg-dev-yk-k8s-master-01-rke2   yk-dev-sg-dev-yk-k8s-master-01-rke2   yk-dev     
          yk-dev-sg-dev-yk-k8s-master-02-rke2   yk-dev-sg-dev-yk-k8s-master-02-rke2   yk-dev     
*         yk-dev-sg-dev-yk-k8s-master-03-rke2   yk-dev-sg-dev-yk-k8s-master-03-rke2   yk-dev

[root@sg-dev-yk-k8s-master-01-rke2 spadm]# /var/lib/rancher/rke2/bin/kubectl --kubeconfig yk-dev.yaml --context yk-dev-sg-dev-yk-k8s-master-03-rke2 get node
E0417 12:13:24.416990 1133467 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0417 12:13:24.419895 1133467 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0417 12:13:24.422547 1133467 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0417 12:13:24.425318 1133467 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0417 12:13:24.428502 1133467 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
error: You must be logged in to the server (the server has asked for the client to provide credentials)

When ACE is enabled and no FQDN is specified, a context is created for each node.

When I configure the FQDN and resolve the FQDN to a certain master node through DNS:

[root@sg-dev-yk-k8s-master-01-rke2 spadm]# /var/lib/rancher/rke2/bin/kubectl --kubeconfig yk-dev-fqdn.yaml config get-contexts
          yk-dev        yk-dev        yk-dev     
*         yk-dev-fqdn   yk-dev-fqdn   yk-dev     

[root@sg-dev-yk-k8s-master-01-rke2 spadm]# /var/lib/rancher/rke2/bin/kubectl --kubeconfig yk-dev.yaml get node
E0417 11:25:19.482585 1080477 memcache.go:265] couldn't get current server API group list: Get "": dial tcp connect: connection refused
E0417 11:25:19.490030 1080477 memcache.go:265] couldn't get current server API group list: Get "": dial tcp connect: connection refused
E0417 11:25:19.496368 1080477 memcache.go:265] couldn't get current server API group list: Get "": dial tcp connect: connection refused
E0417 11:25:19.541515 1080477 memcache.go:265] couldn't get current server API group list: Get "": dial tcp connect: connection refused
E0417 11:25:19.547848 1080477 memcache.go:265] couldn't get current server API group list: Get "": dial tcp connect: connection refused
The connection to the server was refused - did you specify the right host or port?

Rancher v2.8.3
Dashboard v2.8.3
Helm v2.16.8-rancher2
Machine v0.15.0-rancher110

I don’t know if this is a bug or something wrong with my operation. Who can help?

Hi, I get the same error after I enable the ACE for a downstream cluster, and using the --insecure option (still need to figure out how to avoid using it):
$ k get ns --insecure-skip-tls-verify
E0626 10:27:45.429754 21876 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0626 10:27:45.511118 21876 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0626 10:27:45.567954 21876 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0626 10:27:45.613827 21876 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E0626 10:27:45.654933 21876 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
error: You must be logged in to the server (the server has asked for the client to provide credentials)
I would be really interested to understand what I’m missing.