The API server certificate of a Container Service for Kubernetes (ACK) cluster contains the Subject Alternative Name (SAN) field. By default, this field includes the cluster's local domain name, the private IP address and public elastic IP address (EIP) of the Server Load Balancer (SLB) instance associated with the API server, and the local service IP. If you access the API server through a proxy or a custom domain not covered by the default SANs, TLS verification fails. To prevent this, add your custom IP addresses, domain names, or URIs to the SAN field.
SAN customization support varies by cluster type:
| Cluster type | At creation time | For existing clusters |
|---|---|---|
| ACK managed cluster | Supported | Supported |
| ACK dedicated cluster | Supported | Not supported |
| ACK Serverless cluster | Not supported | Supported |
Prerequisites
Before you begin, ensure that you have:
An ACK managed cluster, ACK dedicated cluster, or ACK Serverless cluster. See Create an ACK managed cluster, Create an ACK dedicated cluster, or Create an ACK Serverless cluster
SAN overview
SAN is an extension to X.509. It allows you to associate various values with an SSL certificate by adding the values to the subjectAltName field. The values can be IP addresses, domain names, URIs, or email addresses.
Customize cluster API server certificate SANs
Customize SANs when creating a cluster
The following steps use an ACK managed cluster as an example. The procedure applies to other supported cluster types.
On the Create Cluster page, click Show Advanced Options. In the Custom Certificate SANs field, enter the SANs to add to the API server certificate. Separate multiple values with commas (,). Accepted value types: IP addresses, domain names, URIs, or email addresses.
Update SANs for an existing cluster
If you update or modify the custom SANs of the API server certificate for an existing cluster, the API server may restart during this process. We recommend that you perform this operation during off-peak hours.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster and click its name. In the left-side pane, click Cluster Information.
On the cluster details page, click the Basic Information tab. In the Network section, click Edit to the right of Custom Certificate SANs.
In the Update Custom SAN dialog box, configure the Custom Certificate SANs parameter and click OK.
What's next
Use API server audit logs to record and trace operations performed by different users. See Work with cluster auditing.