You can SSH to a TKG cluster node as the vmware-system-user using a private key.

You can connect through SSH to any TKG cluster node as the vmware-system-user user. The secret that contains the SSH private key is named CLUSTER-NAME-ssh. See Get TKG Cluster Secrets Using Kubectl.

To connect to a TKG cluster node over SSH using a private key, you create a jump box vSphere Pod on Supervisor.


In this task you provision a vSphere Pod as a jump host for SSH connectivity. vSphere Pods require NSX networking for Supervisor. If you are using vDS networking for Supervisor,see SSH to TKG Service Cluster Nodes as the System User Using a Password.


  1. Connect to Supervisor.
  2. Create an environment variable named NAMESPACE whose value is the name of the vSphere Namespace where the target TKG cluster is provisioned.
  3. Switch context to the vSphere Namespace where the Tanzu Kubernetes cluster is provisioned.
    kubectl config use-context $NAMESPACE
  4. View the TKG-CLUSTER-NAME-ssh secret object.
    kubectl get secrets
  5. Create a Docker Hub registry credential secret.
    By default the image used to create the vSphere Pod (PhotonOS) is pulled from Docker Hub. You may need a credential secret to successfully pull the image. See Create Private Registry Credential Secret.
  6. Create a vSphere Pod using the following jumpbox.yaml.
    Replace the namespace value YOUR-NAMESPACE with the vSphere Namespace where the target cluster is provisioned. Replace the secretName value YOUR-CLUSTER-NAME-ssh with name of the target cluster.
    apiVersion: v1
    kind: Pod
      name: jumpbox
      namespace: YOUR-NAMESPACE     #REPLACE
      - image: "photon:3.0"
        name: jumpbox
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "yum install -y openssh-server; mkdir /root/.ssh; cp /root/ssh/ssh-privatekey /root/.ssh/id_rsa; chmod 600 /root/.ssh/id_rsa; while true; do sleep 30; done;" ]
          - mountPath: "/root/ssh"
            name: ssh-key
            readOnly: true
            memory: 2Gi
        - name: ssh-key
            secretName: YOUR-CLUSTER-NAME-ssh     #REPLACE 
        - name: regcred
  7. Deploy the pod by applying the jumpbox.yaml spec.
    kubectl apply -f jumpbox.yaml
    pod/jumpbox created
  8. Verify that the pod is running.
    kubectl get pods
    jumpbox   1/1     Running   0          3h9m
    Note: You should also see the jumpbox pod in vCenter in the vSphere Namespace.
  9. Create an environment variable with the IP address of the target cluster node by running the following set of commands.
    1. Get the name of the target virtual machine.
      kubectl get virtualmachines
    2. Create the environment variable VMNAME whose value is the name of the target node.
    3. Create the environment variable VMIP whose value is the IP address of the target node VM.
      export VMIP=$(kubectl -n $NAMESPACE get virtualmachine/$VMNAME -o jsonpath='{.status.vmIp}')
  10. SSH to the cluster node using the jump box pod by running the following command.
    kubectl exec -it jumpbox  /usr/bin/ssh vmware-system-user@$VMIP
    Important: It takes approximately 60 seconds to create the container and install the software. If you receive an "error executing command in container: container_linux.go:370: starting container process caused: exec: "/usr/bin/ssh": stat /usr/bin/ssh: no such file or directory," try the command again in a few seconds.
  11. Confirm the authenticity of the host by entering yes.
    The authenticity of host ' (' can't be established.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '' (ECDSA) to the list of known hosts.
    Welcome to Photon 3.0
  12. Confirm that you are logged into the target node as the vmware-system-user.
    For example, the following output indicates that you are logged into a control plane node as the system user.
    vmware-system-user@tkg-cluster-1-control-plane-66tbr [ ~ ]$
  13. Perform the desired operations on the node.
    Attention: You might need to use sudo or sudo su to perform certain operations on the node, such as restarting kubelet.
  14. When done, type exit to log out of the SSH session on the vSphere Pod.
  15. To delete the pod, run the command kubectl delete pod jumpbox.
    Caution: For security, consider deleting the jumpbox pod after you have done your work. If needed you can recreate it at a later time.