# rke2
a
This message was deleted.
c
you should be able to do that anywhere that has connectivity to the cluster, and a kubeconfig for that cluster…
d
well, that is what I would like 🙂 But it's not working other than from rancher's web UI kubectl shell.
unless I'm missing some configuration to allow this?
I'm reading this: https://github.com/rancher/rancher/issues/36444#issuecomment-1086849271 And it may be caused by the fact that my kube-apiserver pod parameter `anonymous-auth` is set to `false`, now I'm trying to figure out how to set it to `true`. I have a rancher running in docker
c
don’t turn on anonymous
what specifically is not working when you use your kubeconfig to do that from a different host
d
```
$ kubectl --kubeconfig .kube_config get --raw /.well-known/openid-configuration
Error from server (NotFound): the server could not find the requested resource
```
running it from the webUI:
```
kubectl get --raw /.well-known/openid-configuration
{"issuer":"https://kubernetes.default.svc.cluster.local","jwks_uri":"https://x.x.x.x:6443/openid/v1/jwks","response_types_supported":["id_token"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"]}
```
c
yeah so that’s because if you use a kubeconfig that talks to rancher, you’re making your raw request against rancher - not against the cluster. and rancher doesn’t have anything at that path.
You need to get a kubeconfig that talks directly to the cluster via the authorized cluster endpoint
or log in to one of the servers on that cluster and run the command there, using the admin kubeconfig available on the node
I guess you could also TRY looking at the server URL in your rancher-generated kubeconfig, and prepending the cluster proxy prefix to your request. I haven't tried that myself though
d
Any idea how I could get the kubeconfig that talks directly to the cluster?
d
yeap, I started reading the same page 🙂
thx
ok, so far I don't see anything other than having to do manual steps to get the info I need from the downstream cluster. Not even an api available for the kubectl shell from the UI 😞
c
You’re not supposed to be using the shell in the UI like that
use the API to get a kubeconfig for your cluster, and then use native Kubernetes client stuff to do what you need from there
d
allowing native Kubernetes client requires manual steps: https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/manage-clusters/access-clusters/use-kubectl-and-kubeconfig#authenti[…]-cluster
On RKE2 and K3s clusters, you need to manually enable authorized cluster endpoints
c
yes, or you could just fix the URL to run through the rancher cluster proxy using the kubeconfig you get from rancher
d
Any idea how to do that? The config I get is something like this:
```yaml
apiVersion: v1
kind: Config
clusters:
- name: "testjs"
  cluster:
    server: "https://myrancherhost.mydomain.com/k8s/clusters/c-m-47k66slf"
    certificate-authority-data: "REDACTED"

users:
- name: "testjs"
  user:
    token: "REDACTED"

contexts:
- name: "testjs"
  context:
    user: "testjs"
    cluster: "testjs"

current-context: "testjs"
```
c
OK so you were trying to get `/.well-known/openid-configuration` right? But the base path in that kubeconfig to use the rancher cluster proxy is `/k8s/clusters/c-m-47k66slf`. Put them together?
`kubectl get --raw /k8s/clusters/c-m-47k66slf/.well-known/openid-configuration` may work, may not, worth a try
d
ok, let me try this
Oh! That works! Awesome!
thx for the help, would be nice if this was documented somewhere 🙂
c
this is just how kubeconfigs and URLs work…
if you’re making raw requests through the rancher cluster proxy, you need to adapt the raw request path to include the base path from the server url