Authorization story here is much nicer than in SSH: no SSH-like (e.g. per-pod) design would fly here, because Kubernetes pods are ephemeral. Kubernetes handles authorization natively, through RBAC. All `kubectl exec` requests are funneled through the Kubernetes API server, which enforces RBAC rules. It takes some learning, copy-pasting YAML blobs.

First, a Secret holding what sshd needs on the inbound side: the authorized keys and the host keys (`AAAA...` and "key contents here" are placeholders for your own key material):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ssh-ingress
type: Opaque
stringData:
  authorized_keys: |
    ssh-rsa AAAA... your public key(s) here
  # generated with: ssh-keygen -N '' -t rsa
  ssh_host_rsa_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ... key contents here
    -----END OPENSSH PRIVATE KEY-----
  ssh_host_rsa_key.pub: |
    ssh-rsa AAAA...
  # generated with: ssh-keygen -N '' -t ecdsa
  ssh_host_ecdsa_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ... key contents here
    -----END OPENSSH PRIVATE KEY-----
  ssh_host_ecdsa_key.pub: |
    ecdsa-sha2-nistp256 AAAA...
  # generated with: ssh-keygen -N '' -t ed25519
  ssh_host_ed25519_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ... key contents here
    -----END OPENSSH PRIVATE KEY-----
  ssh_host_ed25519_key.pub: |
    ssh-ed25519 AAAA...
```

Note that for some reason my sshd will not recognize keys without a trailing newline. Therefore I'm using the `somethingkey: |` notation instead of `somethingkey: |-`.

The pod mounts that Secret, plus a second one (`ssh-egress`, built the same way and holding `id_rsa`, `id_rsa.pub` and `known_hosts` for outbound connections), read-only, and copies the files into place when the container starts:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-pod
      image: your-image-URL-here
      lifecycle:
        postStart:
          exec:
            command:
              - bash
              - -c
              - mkdir /root/.ssh && chmod go-rwx /root/.ssh && cp -aL /root/.ssh-egress/* /root/.ssh && cp -aL /root/.ssh-ingress/authorized_keys /root/.ssh && cp -aL /root/.ssh-ingress/ssh_host_*_key* /etc/ssh/
      volumeMounts:
        - name: ssh-ingress
          mountPath: "/root/.ssh-ingress"
          readOnly: true
        - name: ssh-egress
          mountPath: "/root/.ssh-egress"
          readOnly: true
  imagePullSecrets:
    - name: regcred-your-handle-here
  volumes:
    - name: ssh-ingress
      secret:
        secretName: ssh-ingress
        # 0400 -> 256
        defaultMode: 256
        items:
          - key: authorized_keys
            path: authorized_keys
          - key: ssh_host_rsa_key
            path: ssh_host_rsa_key
          - key: ssh_host_rsa_key.pub
            path: ssh_host_rsa_key.pub
          - key: ssh_host_ecdsa_key
            path: ssh_host_ecdsa_key
          - key: ssh_host_ecdsa_key.pub
            path: ssh_host_ecdsa_key.pub
          - key: ssh_host_ed25519_key
            path: ssh_host_ed25519_key
          - key: ssh_host_ed25519_key.pub
            path: ssh_host_ed25519_key.pub
    - name: ssh-egress
      secret:
        secretName: ssh-egress
        # 0400 -> 256
        defaultMode: 256
        items:
          - key: id_rsa
            path: id_rsa
          - key: id_rsa.pub
            path: id_rsa.pub
          - key: known_hosts
            path: known_hosts
```

Apply that pod config and start sshd in the pod:

```
$ kubectl exec my-pod -- /usr/sbin/sshd
```

Port-forward a random local port of your choice to that pod:

```
$ kubectl port-forward my-pod 2222:22
```

Create a useful alias for that pod (so that ssh won't complain about changing keys when you'd connect to localhost instead):

```
$ cat /etc/hosts | grep my-pod
```

Connect to the pod via ssh:

```
$ ssh -p 2222 my-pod
```

You may want to kill sshd once you do not need it any more.

Note a lot of the trouble here is because Kubernetes' way of setting permissions seems to be unworkable - see.