Posted by Jeremy Hess
August 30, 2022
In our effort to enable our users to manage and secure secrets across any tool and environment, we recently added the ability for Rancher Kubernetes Engine (RKE) clusters to authenticate directly with Akeyless. In this post, we will go through why this is important, how this makes your life easier, and walk you through the basics of Rancher authentication with Akeyless.
What is Rancher?
Rancher is probably the most well-known and widely used Kubernetes management platform. When an organization starts to ramp up its Kubernetes cluster count, things become complex quickly, especially when you are running K8s clusters across several cloud providers and on-prem. That is the problem Rancher was created to solve, and since it is fully open source, it has gained tremendous adoption.
Akeyless now supports and manages secrets for Rancher-created clusters.
Why Rancher Authentication is Important
Before we move forward, let's distinguish the two kinds of Kubernetes cluster that Rancher can manage. When a cluster is already running and you import it into Rancher, nothing changes for Akeyless: the cluster's own API server is still reachable, so the existing native Kubernetes authentication keeps working and no Rancher-specific authentication is needed.
A cluster created by the Rancher Kubernetes Engine (RKE) is different. Rancher sits a layer above Kubernetes, and the cluster's API server is typically reached through Rancher's proxy endpoint rather than directly, so the native method's assumptions do not hold. To avoid fragile workarounds, the Akeyless Gateway therefore talks to Rancher itself, using Rancher's own credentials.
How Does Rancher Authentication Work with Akeyless?
To interact with a Rancher-created cluster, the Akeyless Gateway must first be able to authenticate to Rancher, so that workloads in that cluster can be given an identity in Akeyless. Two prerequisites: the Akeyless Gateway installed in your environment with network access to the Kubernetes cluster (and to the Rancher server it goes through), and Kubernetes 1.21 or above.
For a Rancher-created cluster you create a Rancher API Key, which the Gateway uses to authenticate to Rancher, and supply your cluster's CA certificate so the Gateway can verify the Kubernetes API endpoint it talks to. The only component that ever sees these credentials is the Akeyless Gateway, which runs inside your environment and is therefore a trusted endpoint; they are never sent to the Akeyless service or any other third party. And because this is not a native Kubernetes authentication setup, there is no need to provision a token reviewer service account: the Rancher API Key takes the place of the token reviewer JWT that the native method requires.
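To make the mechanism concrete, here is an added illustration (not Akeyless's code, and not the Gateway's actual implementation) of the two building blocks a verifier in Rancher mode works with: the cluster API reached through Rancher's `/k8s/clusters/<cluster-id>` proxy, authenticated with the Rancher API key in place of a token reviewer JWT, and the Kubernetes TokenReview verdict that identifies the calling workload. The Rancher URL, cluster ID, key values and sample responses are all made up, and nothing is sent over the network.

```python
"""Building blocks behind Rancher-mode Kubernetes auth: the Rancher-proxied
cluster API endpoint plus a TokenReview verdict. Added example, not Akeyless's
implementation; every hostname, ID, key and response below is constructed."""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Iterable, Optional

TOKENREVIEW_PATH = "/apis/authentication.k8s.io/v1/tokenreviews"


@dataclass
class Verdict:
    authenticated: bool
    namespace: Optional[str] = None
    service_account: Optional[str] = None
    error: Optional[str] = None


def rancher_proxied_api_base(rancher_url: str, cluster_id: str) -> str:
    """Rancher exposes each managed cluster's API server under /k8s/clusters/<cluster-id>."""
    return f"{rancher_url.rstrip('/')}/k8s/clusters/{cluster_id}"


def rancher_bearer(access_key: str, secret_key: str) -> str:
    """A Rancher API key is presented as a bearer token of the form '<access key>:<secret key>'."""
    return f"Bearer {access_key}:{secret_key}"


def ca_pinned_context(cluster_ca_pem: str) -> ssl.SSLContext:
    """TLS context that trusts only the supplied CA (the cluster CA from the Akeyless config)."""
    return ssl.create_default_context(cadata=cluster_ca_pem)


def tokenreview_body(workload_jwt: str, audiences: Iterable[str] = ()) -> dict:
    """The TokenReview object that asks the API server to validate a workload's SA token."""
    body = {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": workload_jwt}}
    if audiences:
        body["spec"]["audiences"] = list(audiences)
    return body


def build_tokenreview_request(api_base: str, bearer: str, workload_jwt: str,
                              audiences: Iterable[str] = ()) -> urllib.request.Request:
    """Build (but do not send) the TokenReview POST. In native mode `bearer` would be the
    token reviewer JWT; in Rancher mode it is the Rancher API key from rancher_bearer()."""
    req = urllib.request.Request(api_base + TOKENREVIEW_PATH,
                                 data=json.dumps(tokenreview_body(workload_jwt, audiences)).encode(),
                                 method="POST")
    req.add_header("Authorization", bearer)
    req.add_header("Content-Type", "application/json")
    return req


def parse_tokenreview(response_body: str, expected_audiences: Iterable[str] = ()) -> Verdict:
    """Turn a TokenReview response into an identity, refusing anything ambiguous."""
    status = json.loads(response_body).get("status", {})
    if not status.get("authenticated", False):
        return Verdict(False, error=status.get("error") or "token not authenticated")
    # If we asked for an audience, the reviewer must confirm one; an empty status.audiences
    # means the token was only checked against the API server's own audience.
    if expected_audiences and not set(expected_audiences) & set(status.get("audiences", [])):
        return Verdict(False, error="no matching audience confirmed by the token reviewer")
    username = status.get("user", {}).get("username", "")
    parts = username.split(":")  # service accounts are system:serviceaccount:<ns>:<name>
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return Verdict(False, error=f"not a service account identity: {username!r}")
    return Verdict(True, namespace=parts[2], service_account=parts[3])


# Constructed sample responses, shaped like authentication.k8s.io/v1 TokenReview status.
SAMPLE_OK = json.dumps({"status": {"authenticated": True, "audiences": ["akeyless-gw"],
                                   "user": {"username": "system:serviceaccount:payments:billing-api"}}})
SAMPLE_DENIED = json.dumps({"status": {"authenticated": False, "error": "invalid bearer token"}})
SAMPLE_NO_AUDIENCE = json.dumps({"status": {"authenticated": True,
                                            "user": {"username": "system:serviceaccount:payments:billing-api"}}})

if __name__ == "__main__":
    base = rancher_proxied_api_base("https://rancher.example.internal", "c-m-abcd1234")
    req = build_tokenreview_request(base, rancher_bearer("token-ab12c", "s3cr3t"),
                                    "eyJ.constructed.jwt", audiences=["akeyless-gw"])
    print(req.get_method(), req.full_url)
    print(parse_tokenreview(SAMPLE_OK, expected_audiences=["akeyless-gw"]))
    print(parse_tokenreview(SAMPLE_NO_AUDIENCE, expected_audiences=["akeyless-gw"]))
```

Two details matter in practice. First, the request goes to the Rancher server, so the bearer is the Rancher API key and the TLS trust anchor must be chosen to match the endpoint you actually connect to; `ca_pinned_context` shows how to trust only the CA you configured rather than the system store. Second, if you ask for a specific audience, reject responses that do not echo it back: a token reviewer that ignores `spec.audiences` will happily authenticate a token minted for some other service.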
Ready to Secure Your Rancher K8s Secrets with Akeyless?
The step-by-step instructions to authenticate with Rancher can be found in our docs under Kubernetes Authentication.