is possible to have the rancher cli pointing directly to the downstream cluster and NOT to the rancher upstream?

you can export the kubeconfig with

rancher kubectl config view --raw

and use that with

kubectl

directly. If you then switch your context to the k8s api node you don't need the rancher server anymore.

No I need rancher cli to autenticate with LDAP so at the moment it points to rancher upstream that I believe is the one that has the link with LDAP, I'd like to be able to point directly to the ACE endpoint of the RKE1 downstream since if rancher is down everyone will be cut off even if the downstream is working

I see. I only authenticate my

rancher

cli once with an API key and after the initial

rancher login

I can view my

KUBECONFIG

files and use the k8s api directly. How often do you need to authenticate via LDAP? I didn't event know that was possible via the CLI 😂

we set the timeout of the kubeconfig since we do not want people to use them. There is a single kubeconfig file that has the settings to use rancher cli; rancher by itself is set to use ldap this allows us to have people only use rancher cli to anth themselves, BUT we need rancher to be up since it is the one that mediate login for the downstream cluster. It could be interesting to have a way to have a component of rancher in the downstream that uses the ACE to allow a direct access to only the downstream

well since your rancher server does the LDAP Auth to generate short-lived kubeconfig files I don't see how you would bypass the server. You can't have it both ways, use rancher for LDAP and then not use Rancher 😄