
powerful-elephant-25838

11/10/2022, 9:40 AM
Is it possible to have the rancher cli pointing directly to the downstream cluster and NOT to the rancher upstream?

microscopic-diamond-94749

11/10/2022, 11:37 AM
you can export the kubeconfig with `rancher kubectl config view --raw` and use that with `kubectl` directly. If you then switch your context to the k8s api node you don't need the rancher server anymore.

powerful-elephant-25838

11/11/2022, 4:51 PM
No, I need rancher cli to authenticate with LDAP, so at the moment it points to rancher upstream, which I believe is the one that has the link with LDAP. I'd like to be able to point directly to the ACE endpoint of the RKE1 downstream, since if rancher is down everyone will be cut off even if the downstream is working.

microscopic-diamond-94749

11/14/2022, 12:52 PM
I see. I only authenticate my `rancher` cli once with an API key and after the initial `rancher login` I can view my `KUBECONFIG` files and use the k8s api directly. How often do you need to authenticate via LDAP? I didn't even know that was possible via the CLI 😂

powerful-elephant-25838

11/15/2022, 7:02 PM
We set the timeout of the kubeconfig since we do not want people to use them. There is a single kubeconfig file that has the settings to use rancher cli; rancher by itself is set to use LDAP. This allows us to have people only use rancher cli to auth themselves, BUT we need rancher to be up since it is the one that mediates login for the downstream cluster. It could be interesting to have a way to have a component of rancher in the downstream that uses the ACE to allow direct access to only the downstream.
LDAP auth gets a token duration that, at the moment, I do not remember where we set, but it lasts for the period you decide, then you have to re-auth.

microscopic-diamond-94749

11/16/2022, 7:18 AM
well since your rancher server does the LDAP Auth to generate short-lived kubeconfig files I don't see how you would bypass the server. You can't have it both ways, use rancher for LDAP and then not use Rancher 😄