Michael Chudinov

Reputation: 2968

How to add an authorised cluster endpoint to a RKE2 cluster created by Rancher

There is a Kubernetes RKE2 cluster created by Rancher v2.6 with 3 nodes on vSphere. No authorized cluster endpoint was defined. Is there a way to add an authorized cluster endpoint after the cluster was created?

Upvotes: 0

Views: 1681

Answers (1)

Alireza Vahedi

Reputation: 26

Manual steps to be taken on the control plane of each downstream cluster to enable ACE:

  1. Create a file at /var/lib/rancher/{rke2,k3s}/kube-api-authn-webhook.yaml with the following contents:

       apiVersion: v1
       kind: Config
       clusters:
       - name: Default
         cluster:
           insecure-skip-tls-verify: true
           server: http://127.0.0.1:6440/v1/authenticate
       users:
       - name: Default
         user:
           insecure-skip-tls-verify: true
       current-context: webhook
       contexts:
       - name: webhook
         context:
           user: Default
           cluster: Default

  2. Add the following to the config file (or create one if it doesn’t exist); note that the default location is /etc/rancher/{rke2,k3s}/config.yaml:

       kube-apiserver-arg:
           - authentication-token-webhook-config-file=/var/lib/rancher/{rke2,k3s}/kube-api-authn-webhook.yaml

  3. Run the following commands:

       sudo systemctl stop {rke2,k3s}-server
       sudo systemctl start {rke2,k3s}-server

  4. Finally, you must go back to the Rancher UI and edit the imported cluster there to complete the ACE enablement. Click on ⋮ > Edit Config, then click the Networking tab under Cluster Configuration. Finally, click the Enabled button for Authorized Endpoint. Once the ACE is enabled, you then have the option of entering a fully qualified domain name (FQDN) and certificate information.

Upvotes: 1
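Steps 1 to 3 of the answer above, written out as an added example script (this is not code from the answer or from Rancher). It takes the webhook kubeconfig and the kube-apiserver-arg entry verbatim from the answer and adds two things a practitioner wants before touching a control-plane node: an optional ROOT prefix so the file changes can be rendered into a scratch directory first, and a merge that appends the argument to an existing kube-apiserver-arg list instead of writing a second, conflicting key (a common cause of the API server failing to come back after the restart). The function names, the dry-run/apply modes and the merge logic are this example's own assumptions; DISTRO is assumed to be rke2 or k3s. Step 4 (enabling the Authorized Endpoint in the Rancher UI, with the FQDN and certificate) still has to be done by hand afterwards.

```shell
#!/bin/sh
# Added example, not the answer's or Rancher's own code. Renders steps 1-3 of
# the answer as idempotent functions. Assumptions: DISTRO is "rke2" or "k3s";
# an optional ROOT prefix (e.g. a scratch directory) lets you preview the file
# changes before running on a real node.
set -eu

# Step 1: write the authn webhook kubeconfig. The server is loopback HTTP
# (127.0.0.1:6440, the Rancher agent on the node), so the TLS-verify skip here
# never crosses a network boundary; the API server itself still serves TLS.
write_webhook_kubeconfig() {
  local distro="$1" root="${2:-}"
  local dir="$root/var/lib/rancher/$distro"
  mkdir -p "$dir"
  cat > "$dir/kube-api-authn-webhook.yaml" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: Default
  cluster:
    insecure-skip-tls-verify: true
    server: http://127.0.0.1:6440/v1/authenticate
users:
- name: Default
  user:
    insecure-skip-tls-verify: true
current-context: webhook
contexts:
- name: webhook
  context:
    user: Default
    cluster: Default
EOF
  echo "$dir/kube-api-authn-webhook.yaml"
}

# Step 2: add the kube-apiserver-arg entry to config.yaml without clobbering
# arguments that are already there. Prints "added" or "present".
add_apiserver_arg() {
  local distro="$1" root="${2:-}"
  local cfg="$root/etc/rancher/$distro/config.yaml"
  local arg="authentication-token-webhook-config-file=/var/lib/rancher/$distro/kube-api-authn-webhook.yaml"
  mkdir -p "$(dirname "$cfg")"
  [ -f "$cfg" ] || : > "$cfg"
  if grep -qF -- "$arg" "$cfg"; then
    echo present
    return 0
  fi
  if grep -q '^kube-apiserver-arg:' "$cfg"; then
    # A list already exists: insert our entry directly under the key so it
    # joins that list rather than creating a duplicate key.
    awk -v entry="  - $arg" '{ print } /^kube-apiserver-arg:/ { print entry }' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
  else
    printf 'kube-apiserver-arg:\n  - %s\n' "$arg" >> "$cfg"
  fi
  echo added
}

# Step 3: restart the server unit so the API server picks up the new flag.
restart_server() {
  sudo systemctl stop "$1-server"
  sudo systemctl start "$1-server"
}

# Sanity check before restarting: both files must be in place.
verify_ace_config() {
  local distro="$1" root="${2:-}"
  [ -f "$root/var/lib/rancher/$distro/kube-api-authn-webhook.yaml" ] &&
    grep -qF "authentication-token-webhook-config-file=/var/lib/rancher/$distro/kube-api-authn-webhook.yaml" \
      "$root/etc/rancher/$distro/config.yaml"
}

# Usage:  sh enable-ace.sh dry-run rke2 /tmp/ace-preview   (render files only)
#         sudo sh enable-ace.sh apply rke2                  (real node; then do step 4 in the UI)
case "${1:-}" in
  dry-run|apply)
    distro="${2:-rke2}"; root="${3:-}"
    write_webhook_kubeconfig "$distro" "$root"
    add_apiserver_arg "$distro" "$root"
    if ! verify_ace_config "$distro" "$root"; then
      echo "ACE config incomplete under '${root:-/}'" >&2
      exit 1
    fi
    if [ "$1" = apply ]; then restart_server "$distro"; fi
    ;;
esac
```

Run the dry-run mode first and diff the rendered config.yaml against the node's real one; only then run apply on each control-plane node in turn, and finish with step 4 in the Rancher UI.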
