# An ssh-bastion pod to make access to OpenShift clusters easy

- Make sure that `oc` is configured to talk to the cluster.
- Optionally configure the namespace where the bastion will run:

  ```
  export SSH_BASTION_NAMESPACE=openshift-ssh-bastion
  ```

  By default `openshift-ssh-bastion` is used.
- Run:

  ```
  curl https://raw.githubusercontent.com/eparis/ssh-bastion/master/deploy/deploy.sh | bash
  ```

  This will create a new pod running an sshd server. The sshd server is exposed via a Kubernetes service backed by a LoadBalancer (the kind of load balancer depends on your cloud platform). The service hostname provides access to the sshd server (see below for how to get the hostname).

  The sshd server is configured to allow login as user `core` using the same private key that was used to create the cluster.
- SSH as the `core` user to/through the bastion.
  - Use the `-A` option (ForwardAgent) for your key to be automatically forwarded to the nodes from the bastion pod.
  - You can use a helper script to ssh directly to a node by the node's name (from `oc get node`). This script uses SSH agent forwarding so you can hop directly from the bastion to the cluster nodes.

  If you need to use a non-default SSH key, you can:
  - Export the `SSH_KEY_PATH` environment variable to change its location. For example: `export SSH_KEY_PATH=~/.ssh/my_kustom_cey.pem`
  - Run something like `ssh-agent` and add your key to that utility.
  - Directly add or update the SSH keys in your OCP deployment; see Update SSH Keys.
  - Use the
- The bastion address can be found by running:

  ```
  oc get service --all-namespaces -l run=ssh-bastion -o go-template='{{ with (index (index .items 0).status.loadBalancer.ingress 0) }}{{ or .hostname .ip }}{{end}}'
  ```