You can SSH to a TKG cluster node as the vmware-system-user using a private key.
You can connect through SSH to any TKG cluster node as the vmware-system-user user. The secret that contains the SSH private key is named CLUSTER-NAME-ssh. See Get TKG Cluster Secrets Using Kubectl.
To connect to a TKG cluster node over SSH using a private key, you create a jump box vSphere Pod on Supervisor.
Procedure
- Connect to Supervisor.
- Create an environment variable named NAMESPACE whose value is the name of the vSphere Namespace where the target TKG cluster is provisioned.
export NAMESPACE=VSPHERE-NAMESPACE
- Switch context to the vSphere Namespace where the TKG cluster is provisioned.
kubectl config use-context $NAMESPACE
- View the TKG-CLUSTER-NAME-ssh secret object.
- Create a Docker Hub registry credential secret.
- Create a vSphere Pod using the following jumpbox.yaml. Replace the namespace value YOUR-NAMESPACE with the vSphere Namespace where the target cluster is provisioned. Replace YOUR-CLUSTER-NAME in the secretName value YOUR-CLUSTER-NAME-ssh with the name of the target cluster (the -ssh suffix stays).
apiVersion: v1
kind: Pod
metadata:
  name: jumpbox
  namespace: YOUR-NAMESPACE #REPLACE
spec:
  containers:
  - image: "photon:3.0"
    name: jumpbox
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "yum install -y openssh-server; mkdir /root/.ssh; cp /root/ssh/ssh-privatekey /root/.ssh/id_rsa; chmod 600 /root/.ssh/id_rsa; while true; do sleep 30; done;" ]
    volumeMounts:
    - mountPath: "/root/ssh"
      name: ssh-key
      readOnly: true
    resources:
      requests:
        memory: 2Gi
  volumes:
  - name: ssh-key
    secret:
      secretName: YOUR-CLUSTER-NAME-ssh #REPLACE
  imagePullSecrets:
  - name: regcred
- Deploy the pod by applying the jumpbox.yaml spec.
kubectl apply -f jumpbox.yaml
- Verify that the pod is running.
NAME      READY   STATUS    RESTARTS   AGE
jumpbox   1/1     Running   0          3h9m
Note: You should also see the jumpbox pod in vCenter in the vSphere Namespace.
- Create an environment variable with the IP address of the target cluster node by running the following set of commands.
  - Get the name of the target virtual machine.
    kubectl get virtualmachines
  - Create the environment variable VMNAME whose value is the name of the target node.
    export VMNAME=NAME-OF-THE-VIRTUAL-MACHINE
  - Create the environment variable VMIP whose value is the IP address of the target node VM.
    export VMIP=$(kubectl -n $NAMESPACE get virtualmachine/$VMNAME -o jsonpath='{.status.vmIp}')
- SSH to the cluster node using the jump box pod by running the following command.
kubectl exec -it jumpbox /usr/bin/ssh vmware-system-user@$VMIP
Important: It takes approximately 60 seconds to create the container and install the software. If you receive the error error executing command in container: container_linux.go:370: starting container process caused: exec: "/usr/bin/ssh": stat /usr/bin/ssh: no such file or directory, try the command again in a few seconds.
- Confirm the authenticity of the host by entering yes.
The authenticity of host '10.249.0.999 (10.249.0.999)' can't be established.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.249.0.999' (ECDSA) to the list of known hosts.
Welcome to Photon 3.0
- Confirm that you are logged into the target node as the vmware-system-user.
For example, the following output indicates that you are logged into a control plane node as the system user.
vmware-system-user@tkg-cluster-1-control-plane-66tbr [ ~ ]$
- Perform the desired operations on the node.
Attention: You might need to use sudo or sudo su to perform certain operations on the node, such as restarting kubelet.
- When done, type exit to log out of the SSH session on the vSphere Pod.
- To delete the pod, run the command kubectl delete pod jumpbox.
Caution: For security, consider deleting the jumpbox pod after you have done your work. If needed you can recreate it at a later time.
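The jumpbox.yaml in the procedure above has two #REPLACE placeholders that are easy to miss when editing by hand; a pod applied with a leftover placeholder mounts no usable secret or fails to schedule. The following is an added example, not part of the VMware documentation: it renders the same manifest from the NAMESPACE and cluster-name values the procedure already uses, and checks the result for leftover placeholders and for the expected CLUSTER-NAME-ssh secret reference before it is written to disk and applied. The function names and the sample values demo-ns and tkg-cluster-1 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the VMware docs): render jumpbox.yaml from variables
# and lint it before `kubectl apply`. Function names are illustrative.

# Print the jumpbox manifest for the given vSphere Namespace ($1) and
# TKG cluster name ($2). The secret name follows the page's CLUSTER-NAME-ssh rule.
render_jumpbox_manifest() {
  ns="$1"
  cluster="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: jumpbox
  namespace: ${ns}
spec:
  containers:
  - image: "photon:3.0"
    name: jumpbox
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "yum install -y openssh-server; mkdir /root/.ssh; cp /root/ssh/ssh-privatekey /root/.ssh/id_rsa; chmod 600 /root/.ssh/id_rsa; while true; do sleep 30; done;" ]
    volumeMounts:
    - mountPath: "/root/ssh"
      name: ssh-key
      readOnly: true
    resources:
      requests:
        memory: 2Gi
  volumes:
  - name: ssh-key
    secret:
      secretName: ${cluster}-ssh
  imagePullSecrets:
  - name: regcred
EOF
}

# Return 0 when the manifest text ($1) contains no leftover placeholder and
# references the secret for cluster $2; return 1 otherwise.
validate_jumpbox_manifest() {
  manifest="$1"
  cluster="$2"
  case "$manifest" in
    *REPLACE*|*YOUR-NAMESPACE*|*YOUR-CLUSTER-NAME*) return 1 ;;
  esac
  printf '%s\n' "$manifest" | grep -q "secretName: ${cluster}-ssh" || return 1
  return 0
}

# Render, validate, and write jumpbox.yaml for the namespace and cluster
# given as arguments; exits non-zero instead of writing a bad manifest.
write_jumpbox_manifest() {
  manifest=$(render_jumpbox_manifest "$1" "$2")
  validate_jumpbox_manifest "$manifest" "$2" || {
    echo "jumpbox manifest failed validation" >&2
    return 1
  }
  printf '%s\n' "$manifest" > jumpbox.yaml
}

# Usage (assumed sample values): write_jumpbox_manifest demo-ns tkg-cluster-1
# followed by the page's own step: kubectl apply -f jumpbox.yaml
```

Because the secret name is derived from the cluster name, the script cannot mount a secret belonging to a different cluster by accident, and the validation step rejects the unedited template shipped on the page.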