tls-san workers

[frit0-rb]

Good afternoon,

I´m creating a DNS to locate the controllers, I see I need to add that dns to tls-san config in config.yaml in controllers, but I want to know if it necessary to add tls-san to workers too?

My kube-proxy pods don´t work well with out it.

Thanks

[brandond]

I´m creating a DNS to locate the controllers

I don't understand what you're trying to do. What specifically are you creating records for in DNS?

I want to know if it necessary to add tls-san to workers too

No, you cannot set tls-san on agents. The tls-san value only controls what is in the supervisor/apiserver certificate that is served on ports 9345 and 6443 on servers. The kubelet and kube-proxy serving certs are only valid for the node's hostname and IPs.

Are you perhaps trying to configure the TLS SANs used by ingress-nginx? I can't think of what you'd be doing with kube-proxy.

[frit0-rb]

Sorry @brandond let me explain

In the config file, in the case of the server parameter I putted a DNS record to point all controllers, like this:

{
  "node-label": [
    "cattle.io/os=linux",
    "rke.cattle.io/machine=5dbe810a-f09a-4939-94d0-8639b95b43ac"
  ],
  "private-registry": "/etc/rancher/rke2/registries.yaml",
  "protect-kernel-defaults": false,
  "server": "https://k8sc.example.lan:9345",
  "token": "4kb7v7gq6hf44wq445klwmc2krwxq66jcgkchlvdcgmtfwwqn2gtkg",
  "kubelet-arg": [
    "image-gc-high-threshold=75",
    "image-gc-low-threshold=60"
  ]
}

when I use a DNS without adding in tls-san that record, didn´t work. Thats main point. But I see like you telling me is not necessary to put in the worker right?

When I had told you to put that parameter in worker is because one of my workers didn´t create the kube-proxy pod from pod-manifest without that parameter.

I hope you can understand me

[brandond]

The servers should all have k8sc.example.lan in their tls-san value. That is not a valid option on agents; even if you do set it, it will just be ignored.