How to SSH into a Kubernetes Worker Node
Kubernetes is a very popular and widely deployed container management and orchestration platform, preferred by DevOps engineers worldwide.
Usually Kubernetes clusters and their worker nodes are not exposed to the public Internet, but the apps running in them are. Admins also typically set up a Bastion Host to SSH securely into their public/private cloud resources.
In this article, I’ll discuss how to configure the SocketXP lightweight VPN solution for remote SSH access to the worker nodes of your private Kubernetes cluster, whether it runs on-prem, in a private cloud, in a public cloud (AWS, MS Azure, GCP, Digital Ocean etc.) or across multiple clouds, without setting up a Bastion Host.
Note: If you have any questions regarding the solution, please feel free to reach out to us at: firstname.lastname@example.org
You are expected to have access to a working Kubernetes cluster with at least one worker node in it.
Overall Strategy — In a nutshell
We’ll install the SocketXP agent on your worker nodes. The agent establishes a secure TLS VPN connection to the SocketXP Cloud Gateway. You can then remote SSH into your Kubernetes worker nodes from the SocketXP Cloud Gateway Portal using your browser. No SSH client is required to SSH into your worker nodes.
Excited? Let’s get started!
Step 1: Download and Install
Download and install the SocketXP agent on your Kubernetes Worker Node.
Step 2: Get your Authentication Token
Sign up at https://portal.socketxp.com and get your authentication token.
Use the following command to authenticate your node with the SocketXP Cloud Gateway using the auth token.
Step 3: Create SocketXP TLS VPN Tunnel for Remote SSH Access
Use the following command to create a secure and private TLS tunnel VPN connection to the SocketXP Cloud Gateway.
$ socketxp connect tcp://127.0.0.1:22 --iot-device-name "kube-worker-node-001"
TCP tunnel [test-user-gmail-com-34445] created.
Access the tunnel using SocketXP agent in IoT Slave Mode
Here TCP port 22 is the port on which the worker node’s own SSH server (sshd) listens on the loopback address; the SocketXP agent forwards connections arriving over the tunnel to it. The “--iot-device-name” option assigns a unique identifier to the Kubernetes worker node within your organization. It can be any string value, but it must be unique for each of your worker nodes, because it is also the name you use to select the tunnel from the portal or from a slave-mode agent.
SocketXP does not create any public TCP tunnel endpoints that can be connected to by anyone on the internet using an SSH client. SocketXP TCP tunnel endpoints are not exposed to the internet and can be accessed only using the SocketXP agent (using the auth token of the user) or through the XTERM terminal in the SocketXP Portal page.
SocketXP also has the option to setup and use your private/public keys to remote SSH into your worker nodes.
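The three steps above, put together as a node-side enrollment script. This is an added example, not SocketXP’s own script: it assumes the agent is already installed as `socketxp` on the node, that the auth token is supplied in the `SOCKETXP_AUTH_TOKEN` environment variable, and that `socketxp login <token>` is the authentication subcommand (check the SocketXP docs for your agent version). It derives the device name from the node’s hostname so that every worker node registers under a distinct name, and it refuses to start the tunnel if nothing is listening on the sshd port, which would otherwise produce a tunnel that connects to nothing.

```shell
#!/usr/bin/env sh
# Added example (not SocketXP's own code): enroll a Kubernetes worker node
# with the SocketXP agent so its sshd is reachable through a private tunnel.
# Assumptions: `socketxp` is on PATH, `socketxp login <token>` authenticates
# the node, and SOCKETXP_AUTH_TOKEN holds the token from portal.socketxp.com.
set -eu

SSHD_PORT=22   # the node's own sshd; the agent only ever dials 127.0.0.1

# Turn a node name into a tunnel/device name that is unique per node and
# contains only lower-case letters, digits, dots and dashes. The kubelet's
# node name is the hostname by default; override with NODE_NAME if yours
# differs (e.g. cloud-provider node names).
device_name_for_node() {
  printf 'kube-worker-%s' "$(printf '%s' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -E 's/[^a-z0-9.-]+/-/g; s/-+$//')"
}

# True when something is listening on the sshd port (ss output shows the
# local address as 0.0.0.0:22, [::]:22 or 127.0.0.1:22).
sshd_listening() {
  ss -ltn 2>/dev/null | grep -Eq ":${SSHD_PORT}[[:space:]]"
}

enroll_node() {
  : "${SOCKETXP_AUTH_TOKEN:?set SOCKETXP_AUTH_TOKEN (from https://portal.socketxp.com)}"
  name=$(device_name_for_node "${NODE_NAME:-$(hostname)}")
  if ! sshd_listening; then
    echo "refusing to enroll: nothing listens on port $SSHD_PORT" >&2
    exit 1
  fi
  # The token is a bearer credential for your whole SocketXP account: pass it
  # from the environment, never bake it into a script checked into git.
  socketxp login "$SOCKETXP_AUTH_TOKEN"
  echo "registering tunnel as $name" >&2
  exec socketxp connect "tcp://127.0.0.1:$SSHD_PORT" --iot-device-name "$name"
}

case "${1:-}" in
  enroll) enroll_node ;;
  name)   device_name_for_node "${2:-$(hostname)}"; echo ;;
  *)      ;;   # sourced, or run without a subcommand: only define functions
esac
```

Run it as `SOCKETXP_AUTH_TOKEN=... ./enroll.sh enroll` on each worker node (typically from a systemd unit so the tunnel survives reboots); `./enroll.sh name` prints the device name a node would register under, which is handy for checking that two nodes will not collide before you enroll them.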
You could now remote SSH into your Kubernetes worker node by clicking the terminal icon as shown in the screenshot below.
Next, you’ll be prompted to provide your SSH login and password.
Once your credentials are authenticated with your SSH server you’ll be logged into your device’s shell prompt.
The screen capture below shows the “htop” shell command output from an SSH session created using the XTERM window in the SocketXP Portal page.
Configuring SocketXP agent to run in slave mode
This is an alternate method for SSHing into your private worker node from a remote location using the SocketXP Remote SSH Access solution.
If you don’t want to access your worker node from the browser (SocketXP Portal) and would rather use an SSH client (such as PuTTY) installed on your laptop or desktop, follow the instructions below.
First download and install the regular SocketXP agent software on your accessing device (such as a laptop running Windows or Mac OS). Next, configure the agent to run in slave mode using the command option “--iot-slave” as shown in the example below. Also, specify the name of the private TCP tunnel you want to connect to, using the
$ socketxp connect tcp://localhost:3000 --iot-slave --iot-device-name "kube-worker-node-001"
Listening for TCP connections at:
Local URL -> tcp://localhost:3000
Accessing the IoT device from your laptop
Why is this important?
The SocketXP IoT Agent, when run in Slave Mode, acts like a local proxy server. It proxies all connections to a user-specified local port (3000 in the example above) on your laptop/PC to the SocketXP Cloud Gateway over a secure SSL/TLS tunnel. The SocketXP Agent also authenticates itself with the SocketXP Cloud Gateway using your auth token, so only legitimate, authenticated users are permitted to reach your private worker nodes. Note that this gateway-level authentication is in addition to, not a replacement for, the SSH server’s own authentication on the node: the SSH session is still end-to-end between your client and the node’s sshd.
Now you can SSH access your Kubernetes Worker Node using the above SocketXP local endpoint, as shown below.
$ ssh -i ~/.ssh/test-user-private.key test-user@localhost -p 3000
You can also use the PuTTY SSH client to remote SSH into your device using the same parameters shown above. Similarly, you can use PuTTY’s PSFTP or FileZilla to perform SFTP actions such as file upload and file download to your private Kubernetes Worker Nodes.
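One practical snag with the ssh command above: every node you reach through a slave-mode agent looks to ssh like `localhost:<port>`, so all of them would share a single `known_hosts` entry, and a changed host key (or a different node behind the same local port) would either trigger spurious warnings or, worse, be silently accepted after you clear the entry. The wrapper below is an added example, not SocketXP’s own tooling; it assumes the slave-mode agent from the previous command is listening on `tcp://localhost:3000` for the device `kube-worker-node-001`, and it pins the host key per device name with `HostKeyAlias` and restricts the client to the one intended key with `IdentitiesOnly`.

```shell
#!/usr/bin/env sh
# Added example (not SocketXP's own code): ssh/sftp to a worker node through
# the local endpoint opened by `socketxp connect --iot-slave`.
# Assumes the slave agent listens on localhost:3000 for kube-worker-node-001.
set -eu

LOCAL_PORT=3000
DEVICE="kube-worker-node-001"
SSH_USER="test-user"
KEY="${HOME:-/root}/.ssh/test-user-private.key"

# Build the ssh argument list for one device behind one local port.
#  - HostKeyAlias stores the node's host key under the device name, so each
#    node gets its own known_hosts entry instead of all sharing "[localhost]:3000".
#  - StrictHostKeyChecking=accept-new records the key on first contact and
#    refuses to connect if it changes later (OpenSSH 7.6+).
#  - IdentitiesOnly stops the client offering every key in your agent.
ssh_args_for() {
  device="$1"; port="$2"; user="$3"; key="$4"
  printf '%s' "-p $port -i $key -o IdentitiesOnly=yes -o HostKeyAlias=$device -o StrictHostKeyChecking=accept-new $user@localhost"
}

# True if known_hosts already holds a key for this device alias; on the very
# first connection compare the fingerprint ssh prints with the one you read
# from the node itself (e.g. from the portal's XTERM session).
known_host_pinned() {
  ssh-keygen -F "$1" >/dev/null 2>&1
}

run_ssh() {
  if ! known_host_pinned "$DEVICE"; then
    echo "first connection to $DEVICE: verify the host key fingerprint out of band" >&2
  fi
  # word splitting of the argument string is intended here
  # shellcheck disable=SC2046
  exec ssh $(ssh_args_for "$DEVICE" "$LOCAL_PORT" "$SSH_USER" "$KEY")
}

run_sftp() {
  exec sftp -P "$LOCAL_PORT" -i "$KEY" -o IdentitiesOnly=yes \
    -o HostKeyAlias="$DEVICE" -o StrictHostKeyChecking=accept-new \
    "$SSH_USER@localhost"
}

case "${1:-}" in
  ssh)  run_ssh ;;
  sftp) run_sftp ;;
  *)    ;;   # sourced, or run without a subcommand: only define functions
esac
```

On the node you can print the fingerprint to compare against with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`; doing that once through the portal terminal, before the first client connection, is what makes the `accept-new` pin meaningful.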
Please feel free to write to us at: email@example.com
This article was originally published at: https://www.socketxp.com/iot