Updated on 2025-06-13 GMT+08:00

Custom SAN of the API Server Certificate

This parameter specifies the custom Subject Alternative Name (SAN) in the server certificate of the cluster API server. It must comply with the SSL and X.509 standard formats.

A SAN is typically used by the client to verify the server's identity during the TLS handshake. Specifically, the client checks whether the server certificate is issued by a CA that the client trusts and whether a SAN in the certificate matches the IP address or DNS domain name that the client actually accesses.

If the client cannot directly access the private IP address or EIP of the cluster, you can add the IP address or DNS domain name that the client can directly access to the cluster server certificate, so that the client can still use two-way authentication, which improves security. Typical use cases include DNAT access and domain name access.

Value Range

Values must be unique and must comply with the IP address and domain name formats.

Default Value

None

Modifiable

Yes

Scope

CCE standard and CCE Turbo clusters

Suggestions

The typical domain name access scenarios are as follows:

  • Add the corresponding domain name mapping, either by specifying the DNS domain name in the host domain name configuration on the client or by editing /etc/hosts on the client host.
  • Use domain name access on the intranet. DNS allows you to configure mappings between cluster EIPs and custom domain names. After an EIP changes, you can continue to use two-way authentication and the domain name to access the cluster without downloading the kubeconfig.json file again.
  • Add A records on your own DNS servers.
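As an added example (not code from the CCE documentation), the following Python implements the client-side SAN check described above and applies it to the DNAT and domain name scenarios: it tells you whether the endpoint a client dials (the server URL from its kubeconfig, such as a DNAT address or a custom domain) is covered by the certificate's SAN list, so you know which values must be added as a custom SAN. The SAN list and URLs are constructed samples, and the wildcard rule follows RFC 6125 (one leftmost label only).

```python
import ipaddress
from urllib.parse import urlsplit

def parse_san_list(entries):
    """Normalise SAN entries into (kind, value) tuples.
    Accepts 'DNS:name' / 'IP:addr' strings and the tuples that
    ssl.SSLSocket.getpeercert()['subjectAltName'] returns.
    Email and URI SANs play no part in server-name checks and are skipped."""
    out = []
    for entry in entries:
        kind, value = entry if isinstance(entry, tuple) else entry.split(":", 1)
        kind, value = kind.strip().lower(), value.strip()
        if kind in ("ip", "ip address"):
            out.append(("ip", ipaddress.ip_address(value)))
        elif kind == "dns":
            out.append(("dns", value.lower().rstrip(".")))
    return out

def dns_matches(pattern, host):
    """RFC 6125-style name match: exact, or '*' as the whole leftmost label."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    # the wildcard covers exactly one label and is not honoured for names with < 3 labels
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def san_covers(entries, server_url):
    """True if the host the client dials (the kubeconfig server URL) is in the SAN."""
    host = urlsplit(server_url).hostname  # drops scheme, port and IPv6 brackets
    if host is None:
        raise ValueError("no host in %r" % server_url)
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None  # a DNS name: must match a DNS SAN, never an IP SAN
    for kind, value in parse_san_list(entries):
        if target_ip is not None and kind == "ip" and value == target_ip:
            return True
        if target_ip is None and kind == "dns" and dns_matches(value, host.lower().rstrip(".")):
            return True
    return False

def uncovered_endpoints(entries, server_urls):
    """Endpoints that would fail the client's SAN check and so need a custom SAN entry."""
    return [url for url in server_urls if not san_covers(entries, url)]

# Constructed sample SAN list (not from a real cluster): in-cluster names, private IP, EIP, wildcard domain
SAMPLE_SANS = ["DNS:kubernetes", "DNS:kubernetes.default.svc", "IP:10.0.0.5",
               "IP:203.0.113.10", "DNS:*.example.internal"]
```

With `SAMPLE_SANS`, a client dialing `https://203.0.113.10:5443` passes, while a DNAT front address such as `https://198.51.100.7:5443` is reported by `uncovered_endpoints` and must be added as a custom SAN before two-way authentication will succeed.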