See how to retrieve cluster.rkestate from controlplane node here: https://gist.github.com/superseb/e9f2628d1033cb20e54f6ee268683a7a
cluster.rkestatecat cluster.rkestate | jq -r '.currentState.certificatesBundle."kube-admin".config' > kube-admin-kubeconfig.yml
| #!/bin/bash | |
| if [ "$#" -eq 0 ]; then | |
| echo "No FQDN provided as first parameter, generating xip.io based on found external IP" | |
| FOUNDIP=$(docker run --rm --net=host appropriate/curl https://api.ipify.org) | |
| FQDN="minio.${FOUNDIP}.xip.io" | |
| else | |
| FQDN=$1 | |
| fi | |
| echo "Using FQDN: ${FQDN}" |
Various exploration/debug commmands for RKE2
Necessary binaries unpacked from image and symlinked in /usr/local/bin (only when using install.sh script)
-rwxr-xr-x 1 root root 151543800 Jul 22 06:22 rke2
| TMPDIR=$(mktemp -d $MKTEMP_BASEDIR) | |
| # k3s | |
| if $(command -v k3s >/dev/null 2>&1); then | |
| mkdir -p $TMPDIR/k3s/crictl | |
| mkdir -p $TMPDIR/k3s/logs | |
| mkdir -p $TMPDIR/k3s/podlogs | |
| mkdir -p $TMPDIR/k3s/kubectl | |
| k3s check-config > $TMPDIR/k3s/check-config 2>&1 | |
| k3s kubectl get nodes -o json > $TMPDIR/k3s/kubectl/nodes 2>&1 | |
| k3s kubectl version > $TMPDIR/k3s/kubectl/version 2>&1 |
This will describe how to identify clusters that are created by RKE, created by Rancher or managed by Rancher
Clusters created by RKE CLI have:
full-cluster-state in namespace kube-system (cluster-state before RKE v0.2.0)
kubectl -n kube-system get configmap full-cluster-state| { | |
| "K8sVersionServiceOptions": { | |
| "v1.10": { | |
| "etcd": null, | |
| "kubeapi": { | |
| "allow-privileged": "true", | |
| "anonymous-auth": "false", | |
| "bind-address": "0.0.0.0", | |
| "enable-admission-plugins": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction", | |
| "insecure-port": "0", |
This will only cover the part of installing Rancher on a RKE built cluster, see https://rancher.com/docs/rancher/v2.x/en/installation/ha/ how to get there.
Note: make sure kubeconfig is configured correctly
The commands are for Linux, if you are using Mac then you can use md5 instead of md5sum and base64 -D instead of base64 -d.
| #!/usr/bin/env bash | |
| CONTID=$(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') | |
| docker exec $CONTID kubectl get listenconfigs cli-config -o jsonpath={.caCerts} > /tmp/cacerts | |
| curl --cacert /tmp/cacerts https://localhost |
Ability to graph etcd metrics locally to identify issues
scrape_configs:
- job_name: etcd
static_configs:
# Configure CLUSTERID (can be found in UI)
CLUSTERID=c-tc6mc
# Get service account token, endpoint and ca certificate
docker exec $(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.cluster | @base64d' | docker run -i oildex/jq:1.6 jq -r '.rootCACert | @base64d' > ca.crt
docker exec $(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.cluster | @base64d' | docker run -i oildex/jq:1.6 jq -r '.serviceAccountToken' > token
docker exec $(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.clust