Doron

Reputation: 3256

How do I use kubectl via an ssh tunnel to access my internal ELB over my kubernetes API?

I want to create a kubernetes cluster using KOPS that uses a private topology completely (all master/worker nodes are on private subnets, the API ELB is internal).

Once the cluster is created, how do I configure kubectl to use an SSH tunnel via my bastion server?

Upvotes: 13

Views: 27639

Answers (3)

Eduardo Pinheiro

Reputation: 3779

Currently you can use a SOCKS5 proxy.

On your client machine, create a SOCKS proxy:

This establishes an SSH connection to the specified server and creates a dynamic port-forwarding tunnel. You can use any available local port.

# on your client machine
ssh -D 8002 -q -N [email protected]

# on another terminal on your client machine run
HTTPS_PROXY=socks5://localhost:8002 kubectl get pods

# ----- or ------
export HTTPS_PROXY=socks5://localhost:8002
kubectl get pods

You can also add it to your ~/.kube/config

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LRMEMMW2 # shortened for readability
    server: https://<API_KUBE_CLUSTER_IP_ADDRESS>:443  # the Kubernetes API server: the cluster API address and port
    proxy-url: socks5://localhost:8002   # the SSH SOCKS5 proxy started with ssh -D above

Check the initial link for more information...

Upvotes: 9

ZedTuX

Reputation: 3027

I found a way to make kubectl run through an SSH tunnel. It's not ideal, but until I find something better, I'm posting it now.

First create the tunnel:

ssh -f [email protected] -L 6443:localhost:6443 -N

Then copy the ~/.kube/config file on your local machine and change the cluster server so that it points to 127.0.0.1 instead of the server URL or IP address.

As the certificates are made for the server where the master node has been created, you'll get the following error:

Unable to connect to the server: x509: certificate is valid for 10.96.0.1, 10.0.0.1, not 127.0.0.1

You have to pass the --insecure-skip-tls-verify=true flag:

kubectl --insecure-skip-tls-verify=true version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-06T01:44:30Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:09:21Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

I hope this helps, and I hope to find a better way to avoid this --insecure-skip-tls-verify=true flag.


Update

Since my comment, I found that the Teleport project from Gravitational, which was initially an SSH tool for authenticating without passwords (you log in once with an OTP, and a time-limited certificate for your user is issued and used to authenticate to the allowed servers), is also Kubernetes compatible.

Basically you have to:

  1. deploy their binary and configure it (quite easy).
  2. login using tsh login --proxy https://yourserveripaddress:3080
  3. use kubectl to access your cluster.

The magic thing here is that Teleport will update your ~/.kube/config file in order to access your cluster.

It really works well and you should consider giving it a try.

In the case you're using Chef, I have made a cookbook for Teleport.

Upvotes: 10
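Added example, not part of either answer above: a small POSIX shell script that generates the two tunnelled kubeconfigs the answers describe, so the edits are not done by hand. It covers Eduardo's SOCKS approach (adding proxy-url; TLS verification keeps working there because kubectl still dials the original API hostname, just through the proxy) and ZedTuX's ssh -L approach, where it replaces --insecure-skip-tls-verify with the kubeconfig cluster field tls-server-name (the flag form is kubectl --tls-server-name), so the certificate is verified against a name it is actually valid for instead of not at all. The sample kubeconfig, the hostname api.internal.example.com, the cluster name and the ports are constructed placeholders; the script assumes a kubectl recent enough to honour proxy-url and tls-server-name, plus awk and, for the optional inspection helper, openssl.

```sh
#!/bin/sh
# Added example (not from the original answers): rewrite a kubeconfig so kubectl
# goes through an SSH tunnel without --insecure-skip-tls-verify.
# Assumptions: POSIX sh + awk; a kubectl/client-go new enough to honour the
# `proxy-url` and `tls-server-name` cluster fields; all hostnames, names and
# ports below are placeholders, not values from the original post.
set -eu

# Constructed sample kubeconfig standing in for ~/.kube/config.
SAMPLE_KUBECONFIG=$(mktemp)
cat >"$SAMPLE_KUBECONFIG" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: private-cluster
  cluster:
    certificate-authority-data: LRMEMMW2   # shortened, constructed
    server: https://api.internal.example.com:443
contexts:
- name: private-cluster
  context:
    cluster: private-cluster
    user: admin
current-context: private-cluster
users:
- name: admin
  user:
    token: REDACTED
EOF

# Variant 1: SOCKS tunnel (ssh -D PORT user@bastion). kubectl still dials the
# original API hostname, only via the proxy, so the server certificate is
# verified against that hostname as usual: just add proxy-url under cluster.
kubeconfig_socks() {
  in=$1; port=$2
  awk -v port="$port" '
    /^[[:space:]]*server:/ {
      match($0, /^[[:space:]]*/); indent = substr($0, 1, RLENGTH)
      print
      print indent "proxy-url: socks5://localhost:" port
      next
    }
    { print }
  ' "$in"
}

# Variant 2: local port forward (ssh -L PORT:<api-host>:443 user@bastion).
# kubectl now dials 127.0.0.1, which is not in the certificate's SANs, hence
# the x509 error in the answer. Instead of disabling verification, pin the
# name the certificate *is* valid for (one of the names or IPs the x509 error
# lists, or the original API hostname if the cert carries it).
kubeconfig_local_forward() {
  in=$1; port=$2; name=$3
  awk -v port="$port" -v name="$name" '
    /^[[:space:]]*server:/ {
      match($0, /^[[:space:]]*/); indent = substr($0, 1, RLENGTH)
      print indent "server: https://127.0.0.1:" port
      print indent "tls-server-name: " name
      next
    }
    { print }
  ' "$in"
}

# Guard: refuse to use a kubeconfig that has certificate verification off.
require_tls_verify() {
  if grep -q 'insecure-skip-tls-verify: *true' "$1"; then
    echo "refusing: $1 disables TLS verification" >&2
    return 1
  fi
}

# Inspection helper (needs a live tunnel and openssl; not run here): shows
# the SANs of the certificate served through the tunnel, to pick a name for
# tls-server-name.
api_cert_sans() {
  port=$1
  openssl s_client -connect "127.0.0.1:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
}

kubeconfig_socks "$SAMPLE_KUBECONFIG" 8002 >"$SAMPLE_KUBECONFIG.socks"
kubeconfig_local_forward "$SAMPLE_KUBECONFIG" 6443 api.internal.example.com >"$SAMPLE_KUBECONFIG.fwd"
require_tls_verify "$SAMPLE_KUBECONFIG.fwd"
# With a live tunnel:  KUBECONFIG="$SAMPLE_KUBECONFIG.fwd" kubectl version
```

For the original poster's kops layout the forward would be ssh -L 6443:<internal API ELB hostname>:443 user@bastion, and the API hostname already in the kubeconfig is the natural tls-server-name, provided the kops-issued certificate is valid for it; api_cert_sans shows which names and IPs the certificate actually carries. An IP SAN works too: the x509 error in the answer names 10.0.0.1 as valid, and Go's hostname verification (which kubectl uses) matches IP SANs when tls-server-name is an IP, so pinning that address is an alternative to the hostname.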

Jakub Bujny

Reputation: 4628

You can just use a VPN over SSH, which will be transparent to your kubectl. Example tool: https://github.com/sshuttle/sshuttle, which creates a VPN tunnel using SSH and iptables.

The requirement is to have at least Python 2.3 on the bastion host.

Upvotes: 7
