This message was deleted Rancher Users #rke2

Join Slack

This message was deleted.

# rke2

adamant-kite-43734

02/02/2023, 6:29 PM

This message was deleted.

creamy-pencil-82913

02/02/2023, 6:38 PM

the static pods are managed by RKE2. There is no way to inject additional containers into the control-plane static pods.

creamy-pencil-82913

02/02/2023, 6:38 PM

you could edit them on disk but they will be regenerated whenever rke2 starts

creamy-pencil-82913

02/02/2023, 6:38 PM

what specifically are you trying to do with your sidecar?

broad-petabyte-50341

02/02/2023, 6:41 PM

I have a reverse proxy that I'm trying to put right next to the kube-apiserver to allow me to use kubectl with all ports closed.

broad-petabyte-50341

02/02/2023, 6:41 PM

so a reverse proxy client

broad-petabyte-50341

02/02/2023, 6:42 PM

so the only way to make this happen would be to do it before start up?

creamy-pencil-82913

02/02/2023, 6:43 PM

I mean you could edit the static pods but that is 1) not supported 2) going to be undone every time you restart rke2

creamy-pencil-82913

02/02/2023, 6:44 PM

other thing running on the node do need the apiserver to actually be accessible, if you lock it down somehow other stuff in the cluster is going to break

creamy-pencil-82913

02/02/2023, 6:45 PM

why not just deploy your reverse proxy thing as a pod in the cluster that connects to the in-cluster apiserver endpoint? Why would it need to be a sidecar?

creamy-pencil-82913

02/02/2023, 6:45 PM

Making the apiserver inaccessible is going to break pretty much everything

broad-petabyte-50341

02/02/2023, 6:45 PM

it would still be internally accessible, would just be closing off anything from outside the cluster

creamy-pencil-82913

02/02/2023, 6:45 PM

ok so just run it as a pod and leave the apiserver alone

creamy-pencil-82913

02/02/2023, 6:46 PM

if it’s still accessible internally then I don’t understand why it needs to be a sidecar

broad-petabyte-50341

02/02/2023, 6:47 PM

that does work, and that's what I've going at the moment, but I'd like to hit the kube-apiserver without using kubedns

creamy-pencil-82913

02/02/2023, 6:48 PM

the apiserver is always at the first address in the service IP range, you could rely on that fact, or use the KUBERNETES_SERVICE_HOST environment variable via downwards API… there are a lot of different ways to do what you want without having to hack at the static pod

creamy-pencil-82913

02/02/2023, 6:48 PM

why don’t you want to use dns?

broad-petabyte-50341

02/02/2023, 6:50 PM

KUBERNETES_SERVICE_HOST

would allow me to specifly directly where to send traffic from my pod?

creamy-pencil-82913

02/02/2023, 6:51 PM

just run

env

in a pod, look at what you see

broad-petabyte-50341

02/02/2023, 6:51 PM

the problem isn't necessarily DNS, more just getting traffic directly to its destination in as few steps as possible

broad-petabyte-50341

02/02/2023, 6:52 PM

that's the address of kubeDNS right?

broad-petabyte-50341

02/02/2023, 6:52 PM

in KUBERNETES_SERVICE_HOST

creamy-pencil-82913

02/02/2023, 6:52 PM

no, that’s the address of the Kubernetes service

broad-petabyte-50341

02/02/2023, 6:53 PM

mmmm right right

broad-petabyte-50341

02/02/2023, 6:53 PM

5 Views

Open in Slack

Previous Next