Last active February 4, 2023 12:56
Expose KubeAPI with Nginx


You can expose the Kubernetes API server (KubeAPI) through an NGINX reverse proxy on a Kubespray-built cluster.

Make sure our FQDN is recorded in the SAN of the KubeAPI certificate

  • To check, dump the SAN information with `openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text`
  • If the SAN is not yet recorded in the cert, on Kubespray we can declare it by editing `nano inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml` and adding the FQDN in the `supplementary_addresses_in_ssl_keys` section.

Create Nginx Block

  • Assume the KubeAPI domain will resolve in

```nginx
server {
    # "ssl on;" is deprecated (removed in NGINX 1.25+); enable TLS on the listen directive instead
    listen 6443 ssl;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    location / {
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   Host             $host;
        # NGINX authenticates itself to the kube-apiserver with this client certificate
        proxy_ssl_certificate /etc/letsencrypt/live/;
        proxy_ssl_certificate_key /etc/letsencrypt/live/;
        # placeholder: the upstream kube-apiserver address is not given in the original snippet
        proxy_pass https://KUBEAPI_UPSTREAM_IP:6443;
    }
}
```

  • `proxy_ssl_certificate`: we can take it from /etc/kubernetes/pki/apiserver-kubelet-client.crt
  • `proxy_ssl_certificate_key`: we can take it from /etc/kubernetes/pki/apiserver-kubelet-client.key
  • `ssl_certificate`: we can take it from /etc/kubernetes/pki/apiserver.crt
  • `ssl_certificate_key`: we can take it from /etc/kubernetes/pki/apiserver.key


  • If we use L7 like this, `proxy_ssl_certificate` makes NGINX present its own client certificate to the API server, so every request is authenticated as that certificate's identity and RBAC based on the caller's client certificate will not work with this technique.
  • Recommendation: expose with L4 on NGINX (upstream technique)

```nginx
      server {
        listen       6443;
```
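A complete L4 (TCP passthrough) version of that recommendation, added here as an example and not part of the original gist; the upstream address is a placeholder you replace with your control-plane node(s):

```nginx
# Added example: TCP passthrough for the Kubernetes API using the NGINX stream module.
# This block lives at the top level of nginx.conf (outside http {}), or in a file
# included from there; NGINX must be built with the stream module.
stream {
    upstream kube_apiserver {
        # Placeholder: replace with the kube-apiserver / control-plane node address(es).
        server KUBEAPI_UPSTREAM_IP:6443;
    }

    server {
        listen 6443;
        proxy_pass kube_apiserver;
        # TLS is not terminated here: the kube-apiserver terminates it, so the
        # caller's own client certificate reaches the API server and
        # certificate-based RBAC keeps working. Because the client validates the
        # apiserver certificate directly, the FQDN must be in its SAN (see above).
    }
}
```

Validate with `nginx -t` before reloading; if the stream module is missing, NGINX reports an unknown `stream` directive.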

