Jump boxes or bastion hosts are a common networking strategy: a single, secure entry point exposed to the public internet that provides access to a private network. This single point of entry lets security teams closely monitor and control network access to the private network. Often the bastion host exposes a well-known remote access service, like RDP or SSH, which teams can assume has been widely vetted and is trustworthy.

SSH servers have long been used to provide remote access to Linux servers, and it's relatively easy to host an SSH server as a Kubernetes pod. In this post, I explain how to host an OpenSSH server in a Kubernetes cluster to perform administrative tasks.

The YAML file shown below creates a service account with a role and role binding granting access to common resources in the current namespace. It then deploys an instance of the linuxserver/openssh-server image, which inherits the permissions of the service account, and exposes it via a load balancer service (the manifest begins with apiVersion: v1 and uses the image lscr.io/linuxserver/openssh-server:latest).

Note that, for convenience, this SSH server allows password access, the example YAML file embeds an insecure example password, and sudo access is enabled. A more robust solution is to use key files for authentication; refer to the Docker Hub documentation for examples showing how to use key files for authentication.

Save the YAML above to a file called ssh.yaml and apply it with the command:

kubectl apply -f ssh.yaml

You can then find the IP address or hostname of the load balancer service with the command:

kubectl get service my-ssh-svc

On my local Kubernetes cluster, this command returned:

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

You can then SSH into the external IP address with the command:

ssh -p 2222

You then have an interactive session inside the pod on the Kubernetes cluster. To do anything useful with the cluster, you need to download kubectl and configure it to access the cluster from within the pod. Download and install kubectl with the commands:

curl -LO "$(curl -L -s )/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

By default, pods have a number of files mounted under /var/run/secrets/kubernetes.io/serviceaccount that let the pod interact with the host cluster. To configure kubectl to use these files, save the following file to ~/.nfig:

apiVersion: v1
certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token

You can now run kubectl from your SSH session and interact with the parent cluster, providing a convenient and secure environment for cluster administration.
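The post's own manifest is not reproduced on this page, so here is an added example manifest (written for this page, not the post's YAML) that does what the post describes: a service account, a namespace-scoped role and role binding, a deployment of the linuxserver/openssh-server image running under that service account, and a load balancer service named my-ssh-svc. It goes beyond the post's version in three ways a defender would want: login is by public key read from a Secret rather than an embedded password, sudo is disabled, and the load balancer is restricted to an allow-listed source range. The service name my-ssh-svc and the image come from the post; every other name (my-ssh-sa, my-ssh-role, my-ssh-rolebinding, my-ssh, my-ssh-authorized-key, the admin user name) and the 203.0.113.0/24 CIDR are assumptions for this example.

```yaml
# Added example manifest (not the original post's YAML). Names marked "assumed"
# are placeholders for this example; my-ssh-svc and the image come from the post.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-ssh-sa                  # assumed name
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-ssh-role                # assumed name
rules:
# Read-only on common core resources. Secrets are deliberately left out so a
# compromised bastion cannot read credentials stored in the namespace.
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps", "events"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "watch", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-ssh-rolebinding         # assumed name
subjects:
- kind: ServiceAccount
  name: my-ssh-sa
roleRef:
  kind: Role
  name: my-ssh-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-ssh                     # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-ssh
  template:
    metadata:
      labels:
        app: my-ssh
    spec:
      serviceAccountName: my-ssh-sa   # the pod inherits the role above
      containers:
      - name: openssh-server
        # The post uses :latest; pin a digest in production so the bastion
        # image cannot change underneath you.
        image: lscr.io/linuxserver/openssh-server:latest
        ports:
        - containerPort: 2222
        env:
        - name: PUID
          value: "1000"
        - name: PGID
          value: "1000"
        - name: USER_NAME
          value: "admin"             # assumed login name
        - name: PASSWORD_ACCESS
          value: "false"             # key-only login
        - name: SUDO_ACCESS
          value: "false"             # no root inside the bastion
        - name: PUBLIC_KEY           # authorized key comes from a Secret, not the manifest
          valueFrom:
            secretKeyRef:
              name: my-ssh-authorized-key   # assumed Secret name
              key: publicKey
---
apiVersion: v1
kind: Service
metadata:
  name: my-ssh-svc
spec:
  type: LoadBalancer
  # Placeholder allow-list (TEST-NET-3); replace with the CIDRs your admins connect from.
  # Not every load balancer implementation honours this field; check your provider.
  loadBalancerSourceRanges:
  - 203.0.113.0/24
  selector:
    app: my-ssh
  ports:
  - name: ssh
    port: 2222
    targetPort: 2222
```

Create the Secret before applying the manifest, for example with kubectl create secret generic my-ssh-authorized-key --from-file=publicKey=$HOME/.ssh/id_ed25519.pub (path assumed), then kubectl apply -f ssh.yaml and connect with ssh -p 2222 admin@EXTERNAL-IP once kubectl get service my-ssh-svc shows an address. Because the authorized key lives in a Secret, rotating access is a Secret update and a pod restart rather than a manifest edit.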
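The post's kubectl installation and kubeconfig steps survive here only as fragments, so the following is an added POSIX shell example (not the post's commands) of what you would run inside the SSH pod: download kubectl, verify its published SHA-256 before installing it, and generate a kubeconfig from the service-account files that Kubernetes mounts under /var/run/secrets/kubernetes.io/serviceaccount. It assumes the in-cluster API endpoint https://kubernetes.default.svc and the kubectl release URLs under https://dl.k8s.io; it installs to ~/.local/bin rather than using sudo, since the hardened manifest disables sudo (the post uses sudo install to /usr/local/bin). The kubeconfig references the token with tokenFile instead of copying it, so the credential stays in its mounted, auto-rotated location.

```shell
#!/bin/sh
# Added example (not from the original post). Run inside the SSH pod to install
# kubectl and point it at the parent cluster via the mounted service-account files.
set -eu

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"   # mounted by Kubernetes
API_SERVER="${API_SERVER:-https://kubernetes.default.svc}"           # assumed in-cluster DNS name

# install_kubectl: download the current stable kubectl for linux/amd64 and verify
# its SHA-256 before installing. Assumes the release URLs from the kubectl docs and
# a user-writable ~/.local/bin (sudo is disabled in the hardened manifest).
install_kubectl() {
  ver=$(curl -L -s https://dl.k8s.io/release/stable.txt)
  curl -LO "https://dl.k8s.io/release/${ver}/bin/linux/amd64/kubectl"
  curl -LO "https://dl.k8s.io/release/${ver}/bin/linux/amd64/kubectl.sha256"
  # Fail (set -e) if the downloaded binary does not match the published checksum
  echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c
  mkdir -p "$HOME/.local/bin"
  install -m 0755 kubectl "$HOME/.local/bin/kubectl"
  rm -f kubectl kubectl.sha256
}

# write_kubeconfig SA_DIR OUT_FILE
# Builds a kubeconfig that references ca.crt and token by path (tokenFile) instead
# of copying the token into the file, and scopes the context to the pod's namespace.
# Fails without writing anything if any of the three mounted files is unreadable.
write_kubeconfig() {
  sa_dir="$1"
  out="$2"
  for f in ca.crt token namespace; do
    if [ ! -r "$sa_dir/$f" ]; then
      echo "write_kubeconfig: $sa_dir/$f is missing or unreadable" >&2
      return 1
    fi
  done
  ns=$(cat "$sa_dir/namespace")
  # umask in a subshell so the kubeconfig is created owner-only without
  # changing the caller's umask
  (
    umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: in-cluster
  cluster:
    certificate-authority: $sa_dir/ca.crt
    server: $API_SERVER
users:
- name: pod-service-account
  user:
    tokenFile: $sa_dir/token
contexts:
- name: in-cluster
  context:
    cluster: in-cluster
    user: pod-service-account
    namespace: $ns
current-context: in-cluster
EOF
  )
}

# kubeconfig_namespace FILE: print the namespace the context is scoped to
kubeconfig_namespace() {
  sed -n 's/^ *namespace: //p' "$1"
}

# Usage inside the pod (not executed when this file is sourced):
#   install_kubectl
#   mkdir -p ~/.kube && write_kubeconfig "$SA_DIR" ~/.kube/config
#   ~/.local/bin/kubectl auth can-i --list   # shows what the service account may do
```

After writing the kubeconfig, kubectl auth can-i --list is the quickest check that the pod's service account has exactly the permissions the role grants and nothing more.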