has anyone played with Kube-VIP as of late and have that example functioning with rke2? It works fine for a single node and my kubectl traffic - but I cannot join additional nodes following that example due to receiving a

connection refused

on port 9345 of the VIP. Any thoughts?

9345 is the RKE2 supervisor port. It exists outside of Kubernetes, and is used to bootstrap the various components, including etcd and the apiserver. It would not be handled by kube-vip, even if you asked kube-vip to expose a LoadBalancer service for the apiserver.

That aligns with my current understanding at a high level - thanks for the feedback. That gist lead me to assume that it could play a role in enabling a virtual IP to establish high-availability in some aspects of the word through a leader election process. This would likely be the case if it could handle the 9345 traffic?

That gist is just for exposing the apiserver. It does not handle the supervisor port, which is required for bootstrapping nodes.

Yeah that’s what was tripping me up

if I look at the file at

<http://kube-vip.io/k3s|kube-vip.io/k3s>

which that gist references it appears to only be handling port 6443, which is fine for k3s (where the supervisor and apiserver are on the same port) but I would not expect that to work on RKE2 without adding the supervisor port.

That makes sense and looking through environment variables of Kube-VIP, I don’t see any additional capability to target other additional ports - so this may just be a known gap

it is used for node join, and there is also a websocket tunnel between agents and apiservers that they use to facilitate reverse connections from the apiserver to kubelets

When deploying kube-vip can you use a subnet that is not the same as the nodes subnets to establish HA for nodes?