Add docs for RKE cluster user authentication

Information on configuring RKE authn webhooks, provisioning RKE clusters as authorized cluster endpoints, and using kubeconfig contexts for connecting directly to a cluster. For rancher/docs/issues/1010
2026-05-22 12:55:19 +00:00 · 2019-03-11 16:52:24 -07:00
parent e5bba6fb18
commit b08232511f
4 changed files with 30 additions and 0 deletions
@@ -52,6 +52,8 @@ From this section you can choose:

    >**Note:** If your cloud provider is not listed as an option, you will need to use the [config file option](#config-file) to use that cloud provider. Please reference the [RKE's cloud provider documentation]({{< baseurl >}}/rke/v0.1.x/en/config-options/cloud-providers/) on how to configure these other cloud providers.

+- Whether or not to allow the cluster to act as an _authorized cluster endpoint_. Enabling will allow users to directly access a Kubernetes API server in the cluster without requiring communication through Rancher server. Providing an FQDN and certificate will generate kubeconfig files which use those values for accessing the cluster behind a load balancer, otherwise node IP addresses and kubernetes API certs will be used. See the [kubeconfig documentation]({{< baseurl >}}/rancher/v2.x/en/k8s-in-rancher/kubeconfig/) for more information.
+
 - Whether or not to use a [pod security policy]({{< baseurl >}}/rancher/v2.x/en/admin-settings/pod-security-policies). You must have an existing pod security policy configured before you can use this option.

 ## Config File
@@ -19,3 +19,20 @@ For more information, see [Using kubectl to Access a Cluster]({{< baseurl >}}/ra
 >```
 kubectl --kubeconfig /custom/path/kube.config get pods
 ```
+
+Rancher generates kubeconfig files that by default proxy through Rancher server to connect to the Kubernetes API server on a cluster.
+
+For RKE clusters which are configured as _authorized cluster endpoints_ we will generate extra contexts in the kubeconfig file for connecting directly to a cluster.
+If an FQDN is defined for the cluster then a single extra context will be created, otherwise an extra context which points to the IP address of each node in the control plane will be created.
+Please examine the kubeconfig file for a complete list of available contexts.
+
+>Example of using the FQDN context for an RKE cluster:
+>```
+kubectl --context rke-fqdn api-resources
+```
+>or node context without FQDN defined:
+>```
+kubectl --context rke-node1 api-resources
+```
+
+See [Cluster Options for Provisioning RKE in Rancher]({{< baseurl >}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/) and [RKE Config Options]({{< baseurl >}}/rke/v0.1.x/en/config-options/authentication/) for more information on user authentication in a cluster.
@@ -47,4 +47,6 @@ Alternatively, you can access your clusters by installing kubectl on your workst
        ```
 4. From your workstation, launch kubectl. Use it to interact with your kubernetes cluster.

+     For information on using cluster contexts, see [Kubeconfig Files]({{< baseurl >}}/rancher/v2.x/en//k8s-in-rancher/kubeconfig).
+
     For more information on using kubectl, see [Kubernetes Documentation: Overview of kubectl](https://kubernetes.io/docs/reference/kubectl/overview/).
@@ -12,3 +12,12 @@ authentication:
      - "10.18.160.10"
      - "my-loadbalancer-1234567890.us-west-2.elb.amazonaws.com"
 ```
+
+RKE also supports the webhook authentication strategy. You can enable both x509 and webhook strategies by using a `|` separator in the configuration. Contents of the webhook config file should be provided, see [Kubernetes webhook documentation](https://kubernetes.io/docs/reference/access-authn-authz/webhook/) for information on the file format. Additionally, a cache timeout for webhook authentication responses can be set.
+```yaml
+authentication:
+    strategy: x509|webhook
+    webhook:
+      config_file: "...."
+      cache_timeout: 5s
+```