You can SSH to a Tanzu Kubernetes cluster node as the vmware-system-user using a private key.

You can connect through SSH to any Tanzu Kubernetes cluster node as the vmware-system-user user. The secret that contains the SSH private key is named CLUSTER-NAME-ssh. For more information, see Tanzu Kubernetes Cluster Secrets.

To connect to a Tanzu Kubernetes cluster node over SSH, you create a jump box vSphere Pod on the Supervisor Cluster.
Note: These instructions assume that you are using a Linux host.
Note: This task requires the use of NSX-T Data Center for the Workload Management environment. If you are using vDS networking, see SSH to Tanzu Kubernetes Cluster Nodes as the System User Using a Password.

Procedure

  1. Connect to the Supervisor Cluster.
  2. Create an environment variable named NAMESPACE whose value is the name of the Supervisor Namespace.
    export NAMESPACE=YOUR-SUPERVISOR-NAMESPACE
  3. Switch context to the Supervisor Namespace where the Tanzu Kubernetes cluster is provisioned.
    kubectl config use-context $NAMESPACE
  4. Run the following kubectl command to view the YOUR-CLUSTER-NAME-ssh secret object.
    kubectl get secrets
  5. Create a jump box pod using the following jumpbox.yaml pod spec. Replace the values for namespace and secretName with values that match your environment.
    apiVersion: v1
    kind: Pod
    metadata:
      name: jumpbox
      namespace: YOUR-NAMESPACE                     #REPLACE YOUR-NAMESPACE
    spec:
      containers:
      - image: "photon:3.0"
        name: jumpbox
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "yum install -y openssh-server; mkdir /root/.ssh; cp /root/ssh/ssh-privatekey /root/.ssh/id_rsa; chmod 600 /root/.ssh/id_rsa; while true; do sleep 30; done;" ]
        volumeMounts:
          - mountPath: "/root/ssh"
            name: ssh-key
            readOnly: true
      volumes:
        - name: ssh-key
          secret:
            secretName: YOUR-CLUSTER-NAME-ssh         #REPLACE YOUR-CLUSTER-NAME
    
  6. Provision the jump box pod by applying the jumpbox.yaml spec.
    kubectl apply -f jumpbox.yaml
  7. Verify that the pod is created by running the kubectl get pods command.
    NAME      READY   STATUS    RESTARTS   AGE
    jumpbox   1/1     Running   0          3h9m
    
  8. Create an environment variable with the IP address of the target cluster node by running the following set of commands.
    1. Get the name of the target virtual machine.
      kubectl get virtualmachines
    2. Create an environment variable named VMNAME whose value is the name of the target node.
      export VMNAME=NAME-OF-THE-VIRTUAL-MACHINE
    3. Create an environment variable named VMIP whose value is the IP address of the target node VM.
      export VMIP=$(kubectl -n $NAMESPACE get virtualmachine/$VMNAME -o jsonpath='{.status.vmIp}')
  9. SSH to the cluster node using the jump box pod by running the following command.
    kubectl exec -it jumpbox -- /usr/bin/ssh vmware-system-user@$VMIP
  10. Confirm the authenticity of the host by entering yes.
    The authenticity of host '10.249.0.999 (10.249.0.999)' can't be established.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.249.0.999' (ECDSA) to the list of known hosts.
    Welcome to Photon 3.0
     
  11. Confirm that you are logged into the target node as the vmware-system-user.
    For example, the following output indicates that you are logged into a control plane node as the system user.
    vmware-system-user@tkgs-cluster-1-control-plane-66tbr [ ~ ]$
    
  12. Perform the desired operations on the node. Note that you may need to use sudo or sudo su to perform certain operations, such as restarting kubelet.
  13. When done, type exit to log out of the SSH session on the node.
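The procedure above, scripted end to end as an added example (not from the VMware documentation): it renders the jumpbox.yaml spec with the two placeholders filled in, checks that the CLUSTER-NAME-ssh secret exists before applying anything, waits for the pod to be Ready, resolves the node IP, and opens the SSH session. The secret pre-check, the kubectl wait step, the script name and the argument order are assumptions.

```shell
#!/bin/sh
# Added example: automates steps 3-9 of the jump box procedure.
# Assumes kubectl is already logged in to the Supervisor Cluster.
set -eu

# Render the jumpbox.yaml pod spec from the page with the namespace and
# secretName placeholders replaced. Pure text, so it can be checked offline.
render_jumpbox_manifest() {
  ns="$1"; cluster="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: jumpbox
  namespace: ${ns}
spec:
  containers:
  - image: "photon:3.0"
    name: jumpbox
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "yum install -y openssh-server; mkdir /root/.ssh; cp /root/ssh/ssh-privatekey /root/.ssh/id_rsa; chmod 600 /root/.ssh/id_rsa; while true; do sleep 30; done;" ]
    volumeMounts:
      - mountPath: "/root/ssh"
        name: ssh-key
        readOnly: true
  volumes:
    - name: ssh-key
      secret:
        secretName: ${cluster}-ssh
EOF
}

# Switch context, verify the key secret, apply the pod, wait, resolve the
# node IP from the VirtualMachine object, then exec ssh inside the jump box.
ssh_via_jumpbox() {
  ns="$1"; cluster="$2"; vmname="$3"
  kubectl config use-context "$ns"
  # Fail early if the SSH private key secret is not in this namespace (assumed check).
  kubectl -n "$ns" get secret "${cluster}-ssh" >/dev/null
  render_jumpbox_manifest "$ns" "$cluster" | kubectl apply -f -
  kubectl -n "$ns" wait --for=condition=Ready pod/jumpbox --timeout=300s
  vmip=$(kubectl -n "$ns" get "virtualmachine/$vmname" -o jsonpath='{.status.vmIp}')
  [ -n "$vmip" ] || { echo "no IP reported yet for $vmname" >&2; return 1; }
  kubectl -n "$ns" exec -it jumpbox -- /usr/bin/ssh "vmware-system-user@$vmip"
}

# Usage (assumed script name): ./jumpbox-ssh.sh SUPERVISOR-NAMESPACE CLUSTER-NAME VM-NAME
if [ "$#" -eq 3 ]; then ssh_via_jumpbox "$@"; fi
```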