You can SSH to a workload cluster node as the vmware-system-user using a password.

You can connect to a cluster node as the vmware-system-user user with a password. The password is stored as a secret named CLUSTER-NAME-ssh-password. The password is base64 encoded in .data.ssh-passwordkey. You can provide the password over an SSH session. See Get TKG Cluster Secrets Using Kubectl.


To route SSH connections to the appropriate workload network, deploy a Linux jump host VM in the vSphere environment where Workload Management is enabled. See Create a Linux Jump Host VM.
Note: Deploying a jump host VM is a hard requirement if you are using vDS networking and you want to connect to cluster nodes using SSH. You can also use this approach with NSX networking if you prefer to use a password instead of a private key to connect over SSH.


  1. Get the IP address of the jump host VM, the user name, and the password.
  2. Connect to the Supervisor.
  3. Switch context to the vSphere Namespace where the target TKG cluster is provisioned.
    kubectl config use-context VSPHERE-NAMESPACE
  4. Get the IP address of the target cluster node.
    List the nodes.
    kubectl get virtualmachines
    Describe the nodes to get the IP address of the target node.
    kubectl describe virtualmachines
  5. View the TKG-CLUSTER-NAME-ssh-password secret.
    kubectl get secrets
  6. Get the ssh-passwordkey for the target cluster.
    kubectl get secrets TKG-CLUSTER-NAME-ssh-password -o yaml
    The ssh-passwordkey is returned, for example.
    apiVersion: v1
      ssh-passwordkey: RU1pQllLTC9TRjVFV0RBcCtmd1zwOTROeURYSWNGeXNReXJhaXRBUllYaz0=
  7. Decode the ssh-passwordkey.
    The secret is Base64 encoded. To decode it: on Linux use base64 --decode (or base64 -d); on MacOS, use base64 --Decode (or base64 -D); on Windows, use an online tool.
    echo <ssh-passwordkey> | base64 --decode
  8. SSH to the target cluster node as the vmware-system-user.
    ssh vmware-system-user@TKG-CLUSTER-NODE-IP-ADDRESS
  9. Log in using the password you decoded.