You can SSH to a workload cluster node as the vmware-system-user using a password.
You can connect to a cluster node as the vmware-system-user user with a password. The password is stored as a secret named CLUSTER-NAME-ssh-password. The password is base64 encoded in .data.ssh-passwordkey. You can provide the password over an SSH session. See Get TKG Cluster Secrets Using Kubectl.
Prerequisites
To route SSH connections to the appropriate workload network, deploy a Linux jump host VM in the vSphere environment where Workload Management is enabled. See Create a Linux Jump Host VM.
Note: Deploying a jump host VM is a hard requirement if you are using vDS networking and you want to connect to cluster nodes using SSH. You can also use this approach with NSX networking if you prefer to use a password instead of a private key to connect over SSH.
Procedure
- Get the IP address of the jump host VM, the user name, and the password.
- Connect to the Supervisor.
- Switch context to the vSphere Namespace where the target TKG cluster is provisioned.
kubectl config use-context VSPHERE-NAMESPACE
- Get the IP address of the target cluster node.
List the nodes.
kubectl get virtualmachines
Describe the nodes to get the IP address of the target node.
kubectl describe virtualmachines
- View the TKG-CLUSTER-NAME-ssh-password secret.
- Get the ssh-passwordkey for the target cluster.
kubectl get secrets TKG-CLUSTER-NAME-ssh-password -o yaml
The ssh-passwordkey is returned, for example:
apiVersion: v1
data:
  ssh-passwordkey: RU1pQllLTC9TRjVFV0RBcCtmd1zwOTROeURYSWNGeXNReXJhaXRBUllYaz0=
- Decode the ssh-passwordkey.
The secret is Base64 encoded. To decode it: on Linux, use base64 --decode (or base64 -d); on macOS, use base64 --decode (or base64 -D); on Windows, use an online tool.
echo <ssh-passwordkey> | base64 --decode
- SSH to the target cluster node as the vmware-system-user.
ssh vmware-system-user@TKG-CLUSTER-NODE-IP-ADDRESS
- Log in using the password you decoded.
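The steps that get and decode the ssh-passwordkey can be combined into one pipeline, so the encoded value is never typed on a command line or pasted into a third-party tool. This is an added example, not VMware's code: the function names and the sample secret are constructed, and node_password assumes kubectl is already logged in to the Supervisor with the context switched to the cluster's vSphere Namespace.

```shell
#!/bin/sh
# Added example, not VMware's code; function names are hypothetical.

# Decode base64 from stdin, probing for the flag this platform's base64 accepts.
b64decode() {
  for flag in --decode -d -D; do
    if printf 'QQ==' | base64 "$flag" >/dev/null 2>&1; then
      base64 "$flag"
      return
    fi
  done
  echo "no working base64 decode flag found" >&2
  return 1
}

# Read "kubectl get secrets ... -o yaml" output on stdin and print the password.
decode_ssh_passwordkey() {
  encoded=$(awk '$1 == "ssh-passwordkey:" { print $2; exit }')
  if [ -z "$encoded" ]; then
    echo "ssh-passwordkey not found in secret" >&2
    return 1
  fi
  # Refuse anything outside the base64 alphabet instead of decoding garbage.
  case $encoded in
    *[!A-Za-z0-9+/=]*) echo "ssh-passwordkey is not valid base64" >&2; return 1 ;;
  esac
  printf '%s' "$encoded" | b64decode
}

# Fetch the secret for a cluster name, using the same command as the procedure.
node_password() {
  kubectl get secrets "$1-ssh-password" -o yaml | decode_ssh_passwordkey
}

# Constructed sample secret; the value is base64 of "demo-pass".
sample_secret() {
  printf 'apiVersion: v1\ndata:\n  ssh-passwordkey: ZGVtby1wYXNz\nkind: Secret\n'
}

# With a cluster name, query the Supervisor; with none, decode the sample.
if [ "$#" -ge 1 ]; then
  node_password "$1"
else
  sample_secret | decode_ssh_passwordkey
  echo
fi
```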