Chart options (option name and value type; notes are limited to what this page states):

| Option | Type | Notes |
|---|---|---|
| hostname | string | Fully qualified domain name of the Rancher server |
| ingress.tls.source | string | |
| letsEncrypt.email | string | |
| letsEncrypt.environment | string | |
| privateCA | bool | |
| additionalTrustedCAs | bool | |
| addLocal | string | only effective on the initial install |
| antiAffinity | string | |
| auditLog.destination | string | sidecar or hostPath |
| auditLog.hostPath | string | applies only when auditLog.destination is hostPath |
| auditLog.level | int | 0 is off |
| auditLog.maxAge | int | applies only when auditLog.destination is hostPath |
| auditLog.maxBackups | int | applies only when auditLog.destination is hostPath |
| auditLog.maxSize | int | applies only when auditLog.destination is hostPath |
| busyboxImage | string | |
| debug | bool | |
| extraEnv | list | available as of v2.2.0 |
| imagePullSecrets | list | |
| ingress.extraAnnotations | map | |
| ingress.configurationSnippet | string | available as of v2.0.15, v2.1.10 and v2.2.4; can be used for proxy configuration |
| proxy | string | |
| noProxy | string | |
| resources | map | |
| rancherImage | string | |
| rancherImageTag | string | |
| tls | string | ingress or external |
| systemDefaultRegistry | string | |
| useBundledSystemChart | bool | default false |
Enabling the API Audit Log

Set auditLog.level to a non-zero value (0, the default, is off):

--set auditLog.level=1

By default, enabling audit logging adds a sidecar container (rancher-audit-log) to the Rancher pod that streams the log to stdout. You can collect this log as you would any container log. When the sidecar is the audit log destination, the hostPath, maxAge, maxBackups, and maxSize options do not apply; use your OS or Docker daemon's log rotation features to control disk space use. To ship the log, enable the Logging service under Rancher Tools for the Rancher server cluster or its System Project.

Set auditLog.destination to hostPath to write the log to a volume shared with the host instead of streaming it to a sidecar container. With the hostPath destination, adjust the other auditLog parameters (maxAge, maxBackups, maxSize) to control rotation.
Available as of v2.2.0

You can set extra environment variables for Rancher server using extraEnv. This list uses the same name and value keys as the env entries of a container manifest; each entry needs its own index (extraEnv[0], extraEnv[1], and so on). Remember to quote the values.

To change the TLS configuration, set the CATTLE_TLS_MIN_VERSION and CATTLE_TLS_CIPHERS environment variables. For example, to accept TLS 1.0 as the minimum TLS version:

--set 'extraEnv[0].name=CATTLE_TLS_MIN_VERSION' --set 'extraEnv[0].value=1.0'

TLS 1.0 and 1.1 are deprecated (RFC 8996); lower the minimum below 1.2 only for clients that cannot do better, and raise it again once those clients are gone. See TLS settings for more information and options.
By default, Rancher server detects and imports the local cluster it is running on. Users with access to the local cluster effectively have "root" access to every cluster managed by Rancher server.

If this is a concern in your environment, set addLocal to "false" on your initial install.

Note: This option is only effective on the initial Rancher install. See Issue 16522 for more information.

--set addLocal="false"
To customize the ingress, or to use a different ingress controller with Rancher server, you can set your own Ingress annotations. Dots in the annotation key must be escaped for --set, as in this example of setting a custom certificate issuer:

--set ingress.extraAnnotations.'certmanager\.k8s\.io/cluster-issuer'=ca-key-pair

Available as of v2.0.15, v2.1.10 and v2.2.4

Example of setting a static proxy header with ingress.configurationSnippet. The value is parsed as a template, so chart values can be referenced:

--set ingress.configurationSnippet='more_set_input_headers X-Forwarded-Host {{ .Values.hostname }};'
Rancher requires internet access for some functionality (Helm charts). Use proxy to set your proxy server. The proxy URL, including any credentials in it, is stored in the Helm release values, so restrict who can read them.

Add your IP exceptions to the noProxy list. Make sure you add the Service cluster IP range (default: 10.43.0.1/16) and the controlplane nodes of any worker cluster. Rancher supports CIDR notation in this list. Commas inside a --set value must be escaped as \, so that helm does not split the value:

--set proxy="http://<username>:<password>@<proxy_url>:<proxy_port>/" --set noProxy="127.0.0.0/8\,10.0.0.0/8\,172.16.0.0/12\,192.168.0.0/16"
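The three option groups above (auditLog, extraEnv with the TLS variables, and proxy/noProxy) share the same pitfalls: list entries need explicit indexes, commas inside one --set value need escaping, and rotation settings are silently ignored for the sidecar destination. The POSIX sh helpers below are an added example, not code from the Rancher docs or chart; they build the --set arguments and refuse values a practitioner would not want to ship (a TLS floor below 1.2, a noProxy list without the Service CIDR). The function names, PROXY_URL, the rancher-latest repo name in the comment and the 10.43.0.0/16 service CIDR are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Rancher docs or chart: POSIX sh helpers that
# build `helm upgrade --set ...` arguments for the audit log, extraEnv/TLS and
# proxy options, refusing values a practitioner would not want to ship.
# Function names, PROXY_URL and the 10.43.0.0/16 service CIDR are assumptions.

SERVICE_CIDR=${SERVICE_CIDR:-10.43.0.0/16}   # assumed RKE default; set to your cluster's range

# auditLog: level must be 0-3 (0 is off). Rotation settings only apply to the
# hostPath destination, so passing them with the sidecar is reported as an
# error here instead of being silently ignored.
audit_log_flags() {
  al_level=$1; al_dest=$2; al_age=${3:-}; al_backups=${4:-}; al_size=${5:-}
  case "$al_level" in
    0|1|2|3) ;;
    *) echo "auditLog.level must be 0-3, got '$al_level'" >&2; return 1 ;;
  esac
  al_out="--set auditLog.level=$al_level --set auditLog.destination=$al_dest"
  case "$al_dest" in
    sidecar)
      if [ -n "$al_age$al_backups$al_size" ]; then
        echo "maxAge/maxBackups/maxSize do not apply to the sidecar destination" >&2
        return 1
      fi ;;
    hostPath)
      [ -n "$al_age" ]     && al_out="$al_out --set auditLog.maxAge=$al_age"
      [ -n "$al_backups" ] && al_out="$al_out --set auditLog.maxBackups=$al_backups"
      [ -n "$al_size" ]    && al_out="$al_out --set auditLog.maxSize=$al_size" ;;
    *) echo "auditLog.destination must be sidecar or hostPath" >&2; return 1 ;;
  esac
  printf '%s\n' "$al_out"
}

# extraEnv is a list, so each NAME=VALUE pair gets its own index. A
# CATTLE_TLS_MIN_VERSION below 1.2 is refused unless ALLOW_LEGACY_TLS=1 is set,
# since TLS 1.0 and 1.1 are deprecated (RFC 8996); 1.3 is assumed to be
# accepted by your Rancher version. Values are single-quoted as the docs
# require (values containing a single quote are not handled here).
extra_env_flags() {
  ee_i=0; ee_out=""
  for ee_kv in "$@"; do
    ee_name=${ee_kv%%=*}; ee_value=${ee_kv#*=}
    if [ "$ee_name" = CATTLE_TLS_MIN_VERSION ] && [ "${ALLOW_LEGACY_TLS:-0}" != 1 ]; then
      case "$ee_value" in
        1.2|1.3) ;;
        *) echo "refusing CATTLE_TLS_MIN_VERSION=$ee_value (below 1.2)" >&2; return 1 ;;
      esac
    fi
    ee_out="$ee_out${ee_out:+ }--set 'extraEnv[$ee_i].name=$ee_name' --set 'extraEnv[$ee_i].value=$ee_value'"
    ee_i=$((ee_i + 1))
  done
  printf '%s\n' "$ee_out"
}

# noProxy is one comma-separated string; inside --set a literal comma must be
# escaped as "\," or helm splits the value. The Service cluster IP range is
# required because Rancher reaches the Kubernetes API through the kubernetes
# Service ClusterIP, which must not be sent through the proxy.
no_proxy_value() {
  np_value=""; np_has_svc=0
  for np_entry in "$@"; do
    [ "$np_entry" = "$SERVICE_CIDR" ] && np_has_svc=1
    if [ -z "$np_value" ]; then np_value=$np_entry; else np_value="$np_value\\,$np_entry"; fi
  done
  if [ "$np_has_svc" != 1 ]; then
    echo "noProxy is missing the Service cluster IP range $SERVICE_CIDR" >&2
    return 1
  fi
  printf '%s\n' "$np_value"
}

# Assemble everything. Review the output, then (assuming the usual repo name)
#   eval "helm upgrade rancher rancher-latest/rancher --namespace cattle-system $(rancher_helm_args)"
# Keep the proxy URL (credentials included) out of shell history.
rancher_helm_args() {
  rh_audit=$(audit_log_flags 1 hostPath 7 5 100) || return 1
  rh_env=$(extra_env_flags CATTLE_TLS_MIN_VERSION=1.2) || return 1
  rh_noproxy=$(no_proxy_value "$SERVICE_CIDR" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) || return 1
  printf '%s %s --set proxy="%s" --set noProxy="%s"\n' \
    "$rh_audit" "$rh_env" "${PROXY_URL:-http://proxy.example.internal:3128/}" "$rh_noproxy"
}

if [ "${1:-}" = demo ]; then rancher_helm_args; fi
```

Run `sh helm-args.sh demo` to print the assembled arguments. Because the extraEnv values are single-quoted in the output, the string must be passed through eval (or pasted into a shell) rather than word-split; the escaped commas survive the double quotes around the noProxy value unchanged.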
If you have private registries, catalogs, or a proxy that intercepts certificates, you may need to add additional trusted CAs to Rancher.

--set additionalTrustedCAs=true

Once the Rancher deployment is created, copy your CA certs in PEM format into a file named ca-additional.pem and use kubectl to create the tls-ca-additional secret in the cattle-system namespace. The key inside the secret must be ca-additional.pem, which is what --from-file uses when the file has that name:

kubectl -n cattle-system create secret generic tls-ca-additional --from-file=ca-additional.pem
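The secret only helps if ca-additional.pem is a well-formed PEM bundle and the key name inside the secret is exactly ca-additional.pem. The script below is an added example, not Rancher's own tooling: it concatenates several CA files into the bundle, checks that each has balanced BEGIN/END markers (a truncated paste is the usual failure), and prints the kubectl command with the key name spelled out so the bundle can live anywhere on disk. The function names and the certificate bodies in the demo are constructed for this example and are not real certificates.

```shell
#!/bin/sh
# Added example (not from the Rancher docs): build ca-additional.pem from one
# or more CA files, check the result is a PEM certificate bundle, and emit the
# kubectl command. Function names are this example's own.

# Print the number of certificate blocks in a PEM file. Returns 1 when there
# are none or the BEGIN/END markers do not pair up. This is a syntactic check
# only; `openssl x509 -noout -in FILE` validates the actual encoding.
pem_cert_count() {
  [ -r "$1" ] || return 1
  pc_begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  pc_ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  printf '%s\n' "$pc_begins"
  [ "$pc_begins" -gt 0 ] && [ "$pc_begins" -eq "$pc_ends" ]
}

# Concatenate CA files into the bundle named by $1, rejecting any file that
# fails pem_cert_count. Prints the total number of certificates bundled.
build_ca_bundle() {
  bb_out=$1; shift
  bb_total=0
  : > "$bb_out"
  for bb_file in "$@"; do
    bb_n=$(pem_cert_count "$bb_file") || { echo "$bb_file: not a PEM certificate bundle" >&2; return 1; }
    cat "$bb_file" >> "$bb_out"
    # A file without a final newline would glue its END line to the next BEGIN.
    [ -n "$(tail -c 1 "$bb_file")" ] && printf '\n' >> "$bb_out"
    bb_total=$((bb_total + bb_n))
  done
  printf '%s\n' "$bb_total"
}

# Rancher reads the secret key named ca-additional.pem, so the key is given
# explicitly rather than derived from the file name.
ca_secret_command() {
  printf 'kubectl -n cattle-system create secret generic tls-ca-additional --from-file=ca-additional.pem=%s\n' "$1"
}

# Demo with constructed (not real) certificate bodies; run as `sh thisfile.sh demo`.
demo() {
  d_dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0EtMQ==' '-----END CERTIFICATE-----' > "$d_dir/registry-ca.pem"
  # second file deliberately lacks a trailing newline
  printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0EtMg==' '-----END CERTIFICATE-----' > "$d_dir/proxy-ca.pem"
  d_n=$(build_ca_bundle "$d_dir/ca-additional.pem" "$d_dir/registry-ca.pem" "$d_dir/proxy-ca.pem")
  echo "bundled $d_n certificates into $d_dir/ca-additional.pem"
  ca_secret_command "$d_dir/ca-additional.pem"
}
if [ "${1:-}" = demo ]; then demo; fi
```

If the secret already exists, delete it first or the create command fails; after replacing it, restart the Rancher pods so the new bundle is mounted.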
For details on installing Rancher with a private registry, see:
We recommend configuring your load balancer as a Layer 4 balancer, forwarding plain 80/tcp and 443/tcp to the Rancher Management cluster nodes. The Ingress Controller on the cluster will redirect HTTP traffic on port 80 to HTTPS on port 443.

You may instead terminate SSL/TLS on a Layer 7 load balancer external to the Rancher cluster. Use the --set tls=external option and point your load balancer at HTTP port 80 on all of the Rancher cluster nodes. This exposes the Rancher interface over plain HTTP on port 80, so any client that can reach the cluster nodes directly talks to Rancher unencrypted. If you choose this, restrict direct access at the network level to just your load balancer.

--set tls=external

Note: If you are using a private CA signed certificate, add --set privateCA=true and see Adding TLS Secrets - Using a Private CA Signed Certificate to add the CA cert for Rancher.

--set privateCA=true
Your load balancer must support long-lived WebSocket connections and must insert the proxy headers Host, X-Forwarded-Proto, X-Forwarded-Port, and X-Forwarded-For so Rancher can route links correctly.
1800 seconds
30 seconds
Rancher will respond 200 to health checks on the /healthz endpoint.
This NGINX configuration is tested on NGINX 1.14.

Note: This NGINX configuration is only an example and may not suit your environment. For complete documentation, see NGINX Load Balancing - HTTP Load Balancing.

Replace IP_NODE_1, IP_NODE_2 and IP_NODE_3 with the IP addresses of your Rancher cluster nodes, FQDN with the Rancher hostname, and /certs/fullchain.pem and /certs/privkey.pem with the paths to your certificate chain and private key.

    worker_processes 4;
    worker_rlimit_nofile 40000;

    events {
        worker_connections 8192;
    }

    http {
        upstream rancher {
            server IP_NODE_1:80;
            server IP_NODE_2:80;
            server IP_NODE_3:80;
        }

        # Pass WebSocket upgrades through; close the connection when no upgrade is requested.
        map $http_upgrade $connection_upgrade {
            default Upgrade;
            ''      close;
        }

        server {
            listen 443 ssl http2;
            server_name FQDN;
            ssl_certificate /certs/fullchain.pem;
            ssl_certificate_key /certs/privkey.pem;

            location / {
                # Headers Rancher needs to build correct links behind the proxy.
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port $server_port;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://rancher;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                # This allows the execute shell window to remain open for up to 15 minutes.
                # Without this parameter, the default is 1 minute and the window closes automatically.
                proxy_read_timeout 900s;
                proxy_buffering off;
            }
        }

        server {
            listen 80;
            server_name FQDN;
            return 301 https://$server_name$request_uri;
        }
    }