#k3s

late-needle-80860

09/18/2023, 9:42 AM
So I'm reaching out to know what the best practice is in regards to the use of the
--tls-san
parameter.
• Should I configure / set it on all server nodes?
• And if I upgrade control-plane/server nodes by replacing them one by one (they will end up with the same name and IP), should I set the parameter in that scenario as well?
-- With the v1.28.1 release (and others) this parameter has come into focus because of the need to set it to patch the cert. CVE on k3s … Thank you
Please, anybody with an idea?

creamy-pencil-82913

09/19/2023, 5:05 PM
--tls-san or --tls-san-security?
What sort of environment are you in that you would need to set --tls-san? Do you have the k3s apiserver behind an external load-balancer or dns alias?

late-needle-80860

09/20/2023, 5:34 AM
--tls-san. The API IP is a VIP, so e.g. it is moved from control-plane node A to B if A goes down. In certain environments the API is behind a DNS name. Thank you

creamy-pencil-82913

09/20/2023, 4:51 PM
In that case yes, you should add --tls-san entries for the VIP address and hostname on all the servers.
But you always should have been doing that; that's what the setting is for.