End-to-End Kubernetes with Rancher, RKE2, K3s, Fleet, Longhorn, and NeuVector

The full journey from nothing to production

Autoscaling RKE2 Clusters with Rancher

Installing and Configuring the Rancher Autoscaler

Every autoscaler has a set of configuration options that must be set carefully; otherwise, autoscaling might not work as expected, and a misconfigured autoscaler can be difficult to troubleshoot. In this section, we will go through the instructions to install and configure the Rancher Autoscaler for RKE2 clusters.

ℹ️ The cluster-autoscaler can be run inside the RKE2 cluster, on the Rancher server cluster, or on a completely separate machine. In our case, we are going to run it inside the RKE2 cluster.

Handling Self-Signed Certificates

If your Rancher Manager uses a self-signed SSL certificate, the cluster autoscaler will fail to connect with a TLS verification error. The Rancher cloud provider in the autoscaler does not support the Insecure or insecureSkipTLSVerify configuration options that other cloud providers have.

The solution is to build a custom autoscaler Docker image that includes your Rancher Manager's CA certificate in the system trust store. Since the base autoscaler image is distroless (no shell), we use a multi-stage build to:

  1. Extract the CA certificate from your Rancher Manager
  2. Use a Debian image to update the CA certificates bundle
  3. Copy the updated bundle into the final autoscaler image

This approach ensures the autoscaler trusts your self-signed certificate without modifying the autoscaler code or disabling TLS verification.

ℹ️ If your Rancher Manager uses a valid SSL certificate from a trusted CA (like Let's Encrypt), you can skip the custom image build and use the official registry.k8s.io/autoscaling/cluster-autoscaler:v1.32.0 image directly.

💡 Production Recommendation: For production environments, consider using cert-manager with Let's Encrypt to provision valid SSL certificates for your Rancher Manager. This eliminates the need for custom images and follows security best practices. See the cert-manager documentation for installation instructions.

Installation Steps

Follow the steps below:

  • Using Rancher UI, create a new API Key. This can be done by clicking on your avatar on the top right corner, then API & Keys and Accounts and API keys.
  • Name it rancher-autoscaler-apikey or choose any other name.
  • Use the scope No Scope for this API key.
  • Copy and save the bearer token generated safely.

  • SSH into the control plane node of the RKE2 cluster from Rancher UI. Go to the Cluster page, click on the do-cluster, find the controlplane node and the 3 dots on the right side, then click on SSH Shell.

  • Run the following commands to set up the autoscaler. Replace WORKSPACE_PUBLIC_IP with the IP address of your workspace server, API_TOKEN with your Rancher API bearer token, and adjust CLUSTER_NAME if different.

⚠️ Important: If your Rancher Manager uses a self-signed SSL certificate, you need to build a custom autoscaler image with the CA certificate included. The base autoscaler image uses a distroless container that doesn't trust self-signed certificates by default.

# This is the IP of the workspace server
export WORKSPACE_PUBLIC_IP=[CHANGE_ME]

# This is the Bearer token generated from the API key
# It should look like: token-xxxxx:yyyyyyy...
export API_TOKEN="[CHANGE_ME]"

# Change me if the cluster name is different
export CLUSTER_NAME="do-cluster"

# Your Docker Hub username (or private registry)
export DOCKER_USERNAME="[CHANGE_ME]"

# Symlink kubectl
ln -sf /var/lib/rancher/rke2/bin/kubectl \
    /usr/local/bin/kubectl

# Add the kubeconfig to the bashrc
echo "export KUBECONFIG=/etc/rancher/rke2/rke2.yaml" \
    >> ~/.bashrc && source ~/.bashrc

# Extract the SSL certificate from the Rancher Manager
echo -n | \
  openssl s_client -connect rancher.$WORKSPACE_PUBLIC_IP.sslip.io:443 \
  -servername rancher.$WORKSPACE_PUBLIC_IP.sslip.io | \
  openssl x509 > rancher-manager.crt

# Build a custom autoscaler image with the CA certificate
# The base image is distroless, so we use a multi-stage build
cat > Dockerfile <<'EOF'
# Stage 1: Use Debian to update CA certificates
FROM debian:bookworm-slim AS cert-builder

# Copy the custom CA certificate
COPY rancher-manager.crt /usr/local/share/ca-certificates/

# Update CA certificates (this creates /etc/ssl/certs/ca-certificates.crt)
RUN apt-get update && \
    apt-get install -y ca-certificates && \
    update-ca-certificates && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Stage 2: Use the original autoscaler image
FROM registry.k8s.io/autoscaling/cluster-autoscaler:v1.32.0

# Copy the updated CA bundle from the cert-builder stage
COPY --from=cert-builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
EOF

# Install Docker if not already installed
if ! command -v docker &> /dev/null; then
    curl -fsSL https://get.docker.com | sh
fi

# Build and push the custom image
docker build -t $DOCKER_USERNAME/cluster-autoscaler:v1.32.0-custom .
docker push $DOCKER_USERNAME/cluster-autoscaler:v1.32.0-custom

# Clean up the Dockerfile and certificate
rm Dockerfile rancher-manager.crt

# Create a secret with the API token
# IMPORTANT: The token must be the full bearer token from the API key
# NOT the access key. It should look like: token-xxxxx:yyyyyyy...
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cluster-autoscaler-cloud-config
  namespace: kube-system
type: Opaque
stringData:
  cloud-config: |
    url: https://rancher.$WORKSPACE_PUBLIC_IP.sslip.io
    token: $API_TOKEN
    clusterName: $CLUSTER_NAME
    clusterNamespace: fleet-default
EOF
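
The `openssl s_client` step above saves whatever certificate the endpoint presents, so the custom image ends up trusting it unconditionally. As an added example (not part of the original course material), this check compares the saved file against a SHA-256 fingerprint obtained out of band before `docker build` runs; `EXPECTED_FP` and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pin the Rancher certificate before baking it into the image.
# EXPECTED_FP is an assumption: a SHA-256 fingerprint read from the Rancher
# server itself (or handed over by its administrator), not from the network.

# Normalise a fingerprint: drop colons and whitespace, lowercase the hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
# Fails if the file is empty or not a certificate (e.g. s_client could not connect).
cert_fp() {
  local out
  out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
  normalize_fp "${out#*=}"
}

# Return 0 only if the file parses as a certificate, has not expired,
# and matches the pinned fingerprint.
#   2 = malformed pin, 3 = not a certificate, 4 = expired, 1 = mismatch
verify_pinned_cert() {
  local file=$1 expected actual
  expected=$(normalize_fp "$2")
  [ "${#expected}" -eq 64 ] || { echo "pin is not a SHA-256 fingerprint" >&2; return 2; }
  actual=$(cert_fp "$file") || { echo "$file is not a PEM certificate" >&2; return 3; }
  openssl x509 -in "$file" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 4; }
  [ "$actual" = "$expected" ] \
    || { echo "fingerprint mismatch: got $actual" >&2; return 1; }
}

# Placement in the procedure above, between the extraction and `docker build`:
#   verify_pinned_cert rancher-manager.crt "$EXPECTED_FP" || exit 1
```
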

  • Let's install the Rancher Autoscaler using Rancher UI in the RKE2 cluster. We will use version 9.45.0 of the autoscaler chart.

Use the following command to install the Cluster Autoscaler using the Helm CLI:

# Make sure you're still on the control plane node
# and have the environment variables set

# Install Helm if not already installed
if ! command -v helm &> /dev/null; then
    HELM_VERSION="v3.16.4"
    HELM_TAR="helm-${HELM_VERSION}-linux-amd64.tar.gz"
    HELM_URL="https://get.helm.sh/${HELM_TAR}"

    # Download and extract the Helm binary
    curl -LO $HELM_URL
    tar -zxvf $HELM_TAR
    mv linux-amd64/helm /usr/local/bin/

    # Clean up the downloaded files
    rm -rf linux-amd64 $HELM_TAR
fi

# Add the Helm repository
helm repo add autoscaler https://kubernetes.github.io/autoscaler
helm repo update

# Install the cluster-autoscaler chart with your custom image
helm upgrade --install rancher-autoscaler autoscaler/cluster-autoscaler \
  --version 9.45.0 \
  --namespace kube-system \
  --set autoDiscovery.clusterName=do-cluster \
  --set cloudProvider=rancher \
  --set cloudConfigPath=/config/cloud-config \
  --set image.repository=$DOCKER_USERNAME/cluster-autoscaler \
  --set image.tag=v1.32.0-custom \
  --set extraVolumeMounts[0].name=cloud-config \
  --set extraVolumeMounts[0].mountPath=/config \
  --set extraVolumeMounts[0].readOnly=true \
  --set extraVolumes[0].name=cloud-config \
  --set extraVolumes[0].secret.secretName=cluster-autoscaler-cloud-config

If you want to do the same thing using the UI, follow these steps:

Go to the Cluster page, click on the do-cluster, then click on Apps, Repository, and use the following:
- Name: cluster-autoscaler
- Target: URL to an index generated by Helm
- URL: https://kubernetes.github.io/autoscaler/
- Go to Apps > Charts and search for cluster-autoscaler. Give the release a name, for example, rancher-autoscaler. Launch the installation in the kube-system namespace.

  • Update the following values to configure the autoscaler before installing it. Important: Use your custom Docker image that includes the CA certificate.
[...]

image:
  repository: your-dockerhub-username/cluster-autoscaler
  tag: v1.32.0-custom

[...]

autoDiscovery:
  # Use the RKE2 cluster name
  # this is the target cluster name
  # it's the same cluster where the autoscaler is installed
  clusterName: do-cluster

[...]

cloudConfigPath: /config/cloud-config
# This can be aws, azure, gcp, etc.
# But we are using the rancher cloud provider
cloudProvider: rancher

[...]

extraVolumeMounts
