The API server certificate of a Container Service for Kubernetes (ACK) cluster contains the Subject Alternative Name (SAN) field. By default, this field includes the cluster's domain name, IP address, and the elastic IP address (EIP) and private IP address of the Server Load Balancer (SLB) instance associated with the API server. If you need proxy-based or cross-domain access to the API server, add custom SANs to the certificate when you create a cluster or after the cluster exists.
Prerequisites
Before you begin, ensure that you have:
- An ACK managed cluster, ACK dedicated cluster, or ACK Serverless cluster. For more information, see Create an ACK dedicated cluster, Create an ACK managed cluster, or Create an ACK Serverless cluster.
Default SANs
The API server certificate SAN field contains the following values by default:
| Type | Value |
|---|---|
| Domain name | The cluster's local domain name |
| IP address | The cluster's IP address |
| EIP | The elastic IP address of the SLB instance associated with the API server |
| Private IP address | The private IP address of the SLB instance associated with the API server |
SAN is an extension to the X.509 standard that lets you associate additional values — IP addresses, domain names, URIs, or email addresses — with an SSL certificate by adding them to the subjectAltName field.
Supported operations by cluster type
The operations available to you depend on your cluster type:
| Cluster type | Set SANs at create time | Update SANs on existing cluster |
|---|---|---|
| ACK managed cluster | Supported | Supported |
| ACK dedicated cluster | Supported | Not supported |
| ACK Serverless cluster | Not supported | Supported |
Customize SANs when creating a cluster
The following procedure uses an ACK managed cluster as an example. The steps apply to other supported cluster types.
On the Create Cluster page, click Show Advanced Options. In the Custom Certificate SANs field, enter the SANs to add to the API server certificate. You can enter IP addresses, domain names, or URIs that comply with the conventions. Separate multiple values with commas (,).
The following figure shows two domain names and an IP address entered in the Custom Certificate SANs field.
For complete cluster creation steps, see Create an ACK managed cluster.
Update SANs on an existing cluster
Updating the custom SANs of the API server certificate may cause the API server to restart. Perform this operation during off-peak hours to minimize disruption to workloads that depend on the API server.
- Log on to the ACK console. In the left-side navigation pane, click Clusters.
- On the Clusters page, find the cluster and click its name. In the left-side pane, click Cluster Information.
- On the cluster details page, click the Basic Information tab. In the Network section, click Edit to the right of Custom Certificate SANs.
- In the Update Custom SAN dialog box, configure the Custom Certificate SANs parameter and click OK.
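After the update, you can confirm that the certificate the API server presents carries the SANs you entered and review what else it is valid for. The following is an added example, not part of the ACK documentation or tooling; the function names, the `ca_file` parameter (the cluster CA saved as a PEM file), and the sample certificate data are assumptions made for illustration.

```python
import ipaddress
import socket
import ssl

def _norm(value):
    """Canonical form for comparison: IPs via ipaddress, names lower-cased."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value if "://" in value else value.lower()

def compare_sans(peercert, custom_sans):
    """peercert: dict from ssl.SSLSocket.getpeercert().
    custom_sans: the comma-separated string entered in Custom Certificate SANs.
    Returns (missing, other): requested SANs absent from the certificate, and
    certificate SANs that were not requested (defaults or stale entries)."""
    requested = {_norm(v) for v in custom_sans.split(",") if v.strip()}
    present = {_norm(v) for _type, v in peercert.get("subjectAltName", ())}
    return sorted(requested - present), sorted(present - requested)

def fetch_peercert(host, port, ca_file):
    """Fetch the API server certificate, verified against the cluster CA.
    Hostname checking is off because the SAN list itself is under inspection."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()

# Constructed sample in the shape getpeercert() returns; not from a real cluster.
SAMPLE_PEERCERT = {"subjectAltName": (
    ("DNS", "kubernetes.default.svc"),
    ("DNS", "API.proxy.example.com"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "2001:DB8:0:0:0:0:0:1"),
)}

if __name__ == "__main__":
    # Against a live cluster: peercert = fetch_peercert(host, port, "ca.pem")
    missing, other = compare_sans(
        SAMPLE_PEERCERT, "api.proxy.example.com, 2001:db8::1, ops.example.com")
    print("requested but not in certificate:", missing)
    print("in certificate but not requested:", other)
```

An empty `missing` list means every requested SAN is in the served certificate. Review the `other` list as well, because each entry is a name or address for which clients will accept this certificate.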
What's next
Use API server audit logs to record and trace operations performed by users on the cluster. For more information, see Work with cluster auditing.