Architecture
Caascad's Rancher architecture consists of a Rancher Server located in your administrative zone and agents that run on your clusters.
Rancher Server: Includes all the software components used to manage the entire Rancher deployment.
Rancher Agents (Cluster Agents): initiate the connection to the Rancher Server, so the server never needs inbound network access to a managed cluster. The resulting tunnel lets the Rancher Server reach each managed cluster's Kubernetes API; statistics, cluster health and user access are all proxied through this connection.
Available roles
Caascad provides you with global roles (caascad-rancher-viewer and caascad-rancher-admin) as well as cluster-scoped roles (caascad-rancher-viewer-<zone> and caascad-rancher-admin-<zone>).
These roles are defined in Keycloak and are mapped by Rancher to native Kubernetes RBAC (see Caascad roles to learn more about available roles).
Security
Communication between the controller (Rancher Server) and the agents uses websockets over TLS.
The Rancher agent is responsible for verifying the server's identity during TLS session establishment. The certificate authorities used for that verification are the ones packaged by Debian (derived from the Mozilla CA certificate store); no private CA is involved. Rancher server certificates are issued periodically (at least once every 3 months) by our provider ZeroSSL, whose certificates chain to the USERTrust RSA Certification Authority root.
The Rancher server is responsible for verifying the Rancher agent's credentials, which are carried in HTTP request headers when the agent initiates a new websocket tunnel. These credentials are stored in a Kubernetes Secret in the cattle-system namespace, created on initial Rancher agent deployment. Anyone able to read Secrets in that namespace can present the agent's credentials to the Rancher server, so access to cattle-system should be restricted accordingly.
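Added example (not Caascad's or Rancher's own code): a self-contained Python model of the handshake described in this section, covering both ends. The agent side builds a TLS context that trusts only the OS certificate store (on Debian, the Mozilla-derived bundle) and sends its credential in a header of the websocket Upgrade request; the server side accepts the tunnel only if the presented token matches a registered agent, compared in constant time, and rejects a missing token, an unknown token and a non-websocket request identically. The Secret layout, the header names X-API-Tunnel-Token and X-API-Tunnel-Params, the /v3/connect path and every sample value are assumptions chosen for illustration, not taken from the page.

```python
import base64
import hmac
import json
import ssl

# Constructed sample (values invented) in the shape of a
# `kubectl -n cattle-system get secret <name> -o json` dump: base64 `data` fields.
# The key names "url" and "token" are an assumption for this example.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "cattle-credentials-example", "namespace": "cattle-system"},
    "type": "Opaque",
    "data": {
        "url": base64.b64encode(b"https://rancher.example.invalid").decode(),
        "token": base64.b64encode(b"example-agent-token-0123456789").decode(),
    },
}


def load_agent_credentials(secret):
    """Decode the base64 `data` fields of a Secret object into str values."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def agent_tls_context():
    """Agent side: verify the server against the OS trust store only
    (Debian: /etc/ssl/certs/ca-certificates.crt). Hostname checking stays on,
    the certificate is required, and nothing older than TLS 1.2 is accepted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_upgrade_request(creds, cluster_params):
    """Agent side: the HTTP/1.1 Upgrade request that opens the websocket
    tunnel. The credential travels in a header, not in the URL, so it does not
    end up in access logs or proxies' URL caches. Path and header names are
    placeholders chosen for this example."""
    params = base64.b64encode(json.dumps(cluster_params).encode()).decode()
    host = creds["url"].split("://", 1)[1]
    return (
        "GET /v3/connect HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: Upgrade\r\n"
        "Upgrade: websocket\r\n"
        f"X-API-Tunnel-Token: {creds['token']}\r\n"
        f"X-API-Tunnel-Params: {params}\r\n"
        "\r\n"
    )


def parse_http_headers(raw_request):
    """Split a raw HTTP/1.1 request head into (request line, {lowercased name: value})."""
    head = raw_request.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def authenticate_tunnel(raw_request, known_tokens):
    """Server side: accept the tunnel only for a websocket Upgrade whose token
    header matches a registered agent. known_tokens maps token -> cluster id.
    Returns {"cluster_id", "params"} on success, None otherwise. The comparison
    is constant-time so response timing does not reveal how many leading bytes
    of a guessed token were correct."""
    request_line, headers = parse_http_headers(raw_request)
    if not request_line.startswith("GET ") or headers.get("upgrade", "").lower() != "websocket":
        return None  # not a tunnel handshake at all
    presented = headers.get("x-api-tunnel-token", "").encode()
    if not presented:
        return None  # missing credential: reject before consulting the registry
    for token, cluster_id in known_tokens.items():
        if hmac.compare_digest(presented, token.encode()):
            params_b64 = headers.get("x-api-tunnel-params", "")
            params = json.loads(base64.b64decode(params_b64)) if params_b64 else {}
            return {"cluster_id": cluster_id, "params": params}
    return None  # unknown token: indistinguishable from a missing one


if __name__ == "__main__":
    creds = load_agent_credentials(SAMPLE_SECRET)
    registry = {creds["token"]: "c-example"}  # what the server knows about its agents
    request = build_upgrade_request(creds, {"cluster": "c-example"})
    print(authenticate_tunnel(request, registry))
    print(authenticate_tunnel(request.replace(creds["token"], "wrong-token"), registry))
```

The registry lookup is a dictionary walk rather than a direct key lookup on purpose: a hash lookup on the presented token would short-circuit on mismatch and reintroduce a timing difference; in a real server the token would instead be stored hashed and looked up by a non-secret identifier sent alongside it.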