How to enable debug level logging for the kube-auth-api DaemonSet in Rancher provisioned Kubernetes clusters

Task

The kube-auth-api DaemonSet is deployed to controlplane nodes, in Rancher provisioned Kubernetes clusters, to provide user authentication functionality for the authorized cluster endpoint. When troubleshooting an issue with authorized cluster endpoint authentication, it may be helpful to analyze the kube-auth-api logs at debug level, and this article details how to enable debug logging.

Pre-requisites

• A Rancher instance
• A Rancher provisioned Kubernetes cluster, either a custom cluster or on nodes in an infrastructure provider using a Node Driver

Resolution

1. Navigate to the workloads view of the System project, within the Rancher UI, for the relevant Rancher provisioned cluster.

2. Locate the kube-api-auth DaemonSet, within the cattle-system namespace, click the three dots at the right side of the UI and select Edit Config, per the following screenshot:

   

3. Select the kube-api-auth container in the main tab.

4. Under the General section, scroll down until the Command section

5. In the Command section, enter /usr/bin/kube-api-auth, and --debug serve in the Arguments field, per the following screenshot, and click Save:

   

6. The kube-api-auth pod(s) will restart with the new debug logging configuration. Viewing the kube-api-auth logs you should now observe log messages with level=debug.

Further reading

• Rancher documentation on the kube-api-auth authentication webhook
• Rancher Server Architecture documentation