Jump boxes or bastion hosts are a common networking strategy: a single, secure entry point exposed to the public internet through which a private network is accessed. This single point of entry lets security teams closely monitor and control network access to the private network. Often the bastion host exposes a well-known remote access service, like RDP or SSH, which teams can reasonably assume has been widely vetted and is trustworthy.

In this post, I explain how to host an OpenSSH server in a Kubernetes cluster to perform administrative tasks. SSH servers have long been used to provide remote access to Linux servers, and it's relatively easy to host an SSH server as a Kubernetes pod.

The YAML file shown below creates a service account with a role and role-binding granting access to common resources in the current namespace. It then deploys an instance of the linuxserver/openssh-server image, inheriting the permissions of the service account, and exposes it via a load balancer service:

```yaml
apiVersion: v1
# (manifest truncated: only its first line and the container image line survive in this copy of the post)
          image: lscr.io/linuxserver/openssh-server:latest
```

Note that, for convenience, this SSH server allows password access and sudo access, and the example YAML file embeds an insecure example password. A more robust solution is to use key files for authentication; refer to the Docker Hub documentation for the image for examples showing how to configure them.

Save the YAML above to a file called ssh.yaml and apply it with the command:

```shell
kubectl apply -f ssh.yaml
```

You can then find the IP address or hostname of the load balancer service with the command:

```shell
kubectl get service my-ssh-svc
```

On my local Kubernetes cluster, this command returned:

```
NAME   TYPE   CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
```

You can then SSH into the external IP address with the command:

```shell
ssh -p 2222
```

You then have an interactive session inside the pod on the Kubernetes cluster. To do anything useful with the cluster, you need to download kubectl and configure it to access the cluster from within the pod. Download and install kubectl with the commands:

```shell
curl -LO "$(curl -L -s )/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
```

By default, pods have a number of files mounted under /var/run/secrets/kubernetes.io/serviceaccount that let the pod interact with the host cluster. To configure kubectl to use these files, save the following file to ~/.kube/config:

```yaml
apiVersion: v1
# ...
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# ...
    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
```

You can now run kubectl from your SSH session and interact with the parent cluster, providing a convenient and secure environment for cluster administration.

Building a custom OpenSSH Docker image

Downloading kubectl and copying the configuration file is easy enough, but the ephemeral nature of Kubernetes pods means the container will eventually be deleted and recreated, forcing you to download and configure kubectl again. A better solution is baking kubectl and its configuration file into a custom Docker image. This ensures the files are available in the container when it's first started.

Save the following to a file called Dockerfile, with the kubeconfig from the previous section saved beside it in a file called kubeconfig:

```dockerfile
FROM lscr.io/linuxserver/openssh-server:latest

# Download kubectl and install it with root ownership and 0755 permissions
RUN curl -LO "$(curl -L -s )/bin/linux/amd64/kubectl" && \
    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# The kubeconfig from the previous section, baked into the image
COPY kubeconfig /opt/kubeconfig

# Init script run by the image's s6 supervisor on every container start; it
# must be executable. The with-contenv shebang follows the image's own init scripts.
RUN printf '#!/usr/bin/with-contenv bash\nmkdir -p /config/.kube\ncp /opt/kubeconfig /config/.kube/config\n' \
      > /etc/cont-init.d/100-kubeconfig && \
    chmod +x /etc/cont-init.d/100-kubeconfig
```

You then build the custom Docker image with the following command, where yourdockerregistry is replaced with the name of a Docker registry you have the ability to push images to:

```shell
docker build . -t yourdockerregistry/openssh-server:latest
```

Replace the image property in the Kubernetes YAML file with:

```yaml
image: yourdockerregistry/openssh-server:latest
```

After the new SSH server pods are created using your custom image, kubectl and its configuration file are ready to use without first downloading them.

Conclusion

A bastion host running OpenSSH on your Kubernetes cluster provides you with a single, secure entry point for administration and debugging tasks. By customizing the Docker image to include common tools like kubectl, DevOps teams can rely on the bastion host having any required tools for common administration tasks.
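As an added example (not code from the original post): a POSIX shell script meant to run inside the SSH pod that generates the kubeconfig described above from the service account files a pod receives by default, refusing to write it if any of those files is missing, and then lists what that service account is allowed to do, since every SSH user on the pod inherits exactly those permissions. The function names, the cluster/context/user names and the in-cluster API address https://kubernetes.default.svc are my choices, not the post's.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a kubeconfig that
# points kubectl at the service account files a pod receives by default, then
# shows what that account can do. Function and config names are my choices.

# make_kubeconfig <service-account-dir> <output-path>
# Refuses to write a config whose CA, token or namespace file is missing.
make_kubeconfig() {
  sa_dir="$1"
  out="$2"
  for f in ca.crt token namespace; do
    [ -r "$sa_dir/$f" ] || { echo "missing $sa_dir/$f" >&2; return 1; }
  done
  ns="$(cat "$sa_dir/namespace")"
  # kubernetes.default.svc is the in-cluster DNS name of the API server.
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: in-cluster
  cluster:
    certificate-authority: $sa_dir/ca.crt
    server: https://kubernetes.default.svc
contexts:
- name: in-cluster
  context:
    cluster: in-cluster
    user: service-account
    namespace: $ns
current-context: in-cluster
users:
- name: service-account
  user:
    tokenFile: $sa_dir/token
EOF
  # The config names the token file, so keep it readable by the owner only.
  chmod 0600 "$out"
}

# audit_permissions <kubeconfig>
# Lists every verb/resource the service account holds in its namespace, which
# is what an SSH user on this pod inherits. Skips quietly when kubectl is absent.
audit_permissions() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not installed" >&2; return 0; }
  KUBECONFIG="$1" kubectl auth can-i --list
}
```

Run `make_kubeconfig /var/run/secrets/kubernetes.io/serviceaccount ~/.kube/config` followed by `audit_permissions ~/.kube/config` from the SSH session; anything listed beyond what the bastion needs is a reason to tighten the role bound to the service account.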