# rke2
c
when you download a kubeconfig from rancher, all communication to the downstream cluster goes through rancher
if you want to communicate directly with the downstream cluster without going through rancher, you need to set up authorized cluster endpoint on that cluster, and use that context from the generated kubeconfig provided by rancher
or you can ssh into the downstream nodes and get a copy of the admin kubeconfig, although at that point you’re just straight up bypassing rancher
m
pardon my lack of knowledge but we have RKE1 clusters that are working. Whenever I go to the Rancher UI and download the kube config for those, I get a kube config like this:
```yaml
apiVersion: v1
kind: Config
clusters:
- name: "<<< some name >>>"
  cluster:
    server: "<<< rancher host here >>>"
- name: "<<< some name >>>"
  cluster:
    server: "https://<<< node IP >>>:6443"
    certificate-authority-data: "<<< valid cert here >>>"
- name: "<<< name >>>"
  cluster:
    server: "https://<<< node IP >>>:6443"
    certificate-authority-data: "<<< valid cert >>>"
- name: "<<< another host here >>>"
  cluster:
    server: "https://<<< node IP >>>:6443"
    certificate-authority-data: "<<< valid cert >>>"
users:
- name: "<<< cluster name >>>"
  user:
    token: "<<< valid token >>>"

contexts:
- name: "<<< cluster context >>>"
  context:
    user: "<<< cluster context >>>"
    cluster: "<<< cluster context >>>"

current-context: "<<< cluster context >>>"
```
c
right, there are multiple cluster entries: the first one goes through rancher, the others go directly to the server nodes, because you have enabled ACE for that cluster. If you want to do the same for RKE2, you need to enable ACE on that cluster.
m
The new RKE2 cluster generates a kube config like this:
```yaml
apiVersion: v1
kind: Config
clusters:
- name: "<<< some name >>>"
  cluster:
    server: "<<< rancher host here >>>"
users:
- name: "<<< some name >>>"
  user:
    token: "<<< valid token >>>"
contexts:
- name: "<<< some name >>>"
  context:
    user: "<<< some name >>>"
    cluster: "<<< some name >>>"

current-context: "<<< some name >>>"
```
c
enable ace
m
oh, I failed to toggle that when setting it up. If I don't provide a cert, it should generate one for me, correct?
thank you so much for your help
c
it’ll just use the cluster ca by default, which should be fine.
m
awesome, thank you so much for your help