You can SSH to a workload cluster node as the vmware-system-user using a password.

You can connect to a cluster node as the vmware-system-user with a password. The password is stored as a secret named CLUSTER-NAME-ssh-password. For Windows nodes, an SSH private key is stored as a secret instead. The secret value is base64 encoded. You can provide the password over an SSH session. See Get TKG Cluster Secrets Using Kubectl.

Prerequisites

To route SSH connections to the appropriate workload network, deploy a Linux jump host VM in the vSphere environment where Workload Management is enabled. See Create a Linux Jump Host VM.
Note: Deploying a jump host VM is a hard requirement if you are using vDS networking and you want to connect to cluster nodes using SSH. You can also use this approach with NSX networking if you prefer to use a password instead of a private key to connect over SSH.

Procedure

  1. Get the IP address of the jump host VM, the user name, and the password.
  2. Connect to the Supervisor.
  3. Switch context to the vSphere Namespace where the target TKG cluster is provisioned.
    kubectl config use-context VSPHERE-NAMESPACE
  4. Get the IP address of the target cluster node.
    List the nodes.
    kubectl get virtualmachines
    Describe the nodes to get the IP address of the target node.
    kubectl describe virtualmachines
  5. View the secret.
    kubectl get secrets
  6. Get the SSH password or, if you use Windows, SSH private key secret for the target cluster.
    Note: Because Windows node pool nodes do not allow a password-based SSH mechanism, use the private key to SSH into the Windows nodes.
    • Get the SSH password.

      This command applies to Linux nodes.

      kubectl get secrets TKG-CLUSTER-NAME-ssh-password -o yaml
      The SSH password is returned, for example:
      apiVersion: v1
      data:
        ssh-passwordkey: RU1pQllLTC9TRjVFV0RBcCtmd1zwOTROeURYSWNGeXNReXJhaXRBUllYaz0=
      
    • Get the base64 encoded private key.

      This command applies to Windows nodes.

      kubectl get secrets TKG-CLUSTER-NAME-ssh -o jsonpath='{.data.ssh-privatekey}'
  7. Decode the obtained SSH password or private key.
    • Decode the SSH password.
      The secret is base64 encoded. To decode it: on Linux, use base64 --decode (or base64 -d); on macOS, use base64 --decode (or base64 -D); on Windows, use an online tool.
      echo <ssh-passwordkey> | base64 --decode
    • Decode the private key.

      Use the same mechanism as you used for decoding the SSH password. Store the decoded SSH private key output to a file and set the permissions using chmod 400 filename.

  8. SSH to the target cluster node as the vmware-system-user.
    • With the SSH password, use this command.
      ssh vmware-system-user@TKG-CLUSTER-NODE-IP-ADDRESS
    • With the private key, use the following command.
      ssh -i filename vmware-system-user@TKG-CLUSTER-NODE-IP-ADDRESS

      filename is the file where you stored the SSH private key.

  9. Log in using the password you decoded.
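
For steps 6 and 7 on a Linux jump host, the following added example (not part of the original page) decodes the secret value locally from standard input and writes it to a file that is only ever readable by its owner. The function name decode_secret_to_file and the sample value are assumptions constructed for illustration; the kubectl command in the comment is the one shown in step 6.

```shell
# Added example, not from the original page.
# decode_secret_to_file is a hypothetical helper name.
#
# Usage with the command from step 6 (private key secret):
#   kubectl get secrets TKG-CLUSTER-NAME-ssh \
#     -o jsonpath='{.data.ssh-privatekey}' | decode_secret_to_file filename
#   ssh -i filename vmware-system-user@TKG-CLUSTER-NODE-IP-ADDRESS

# Constructed sample value for offline testing; decodes to "password".
SAMPLE_B64='cGFzc3dvcmQ='

decode_secret_to_file() {
  local out="$1" encoded tmp
  [ -n "$out" ] || { echo "usage: decode_secret_to_file FILE" >&2; return 2; }

  # Read the value from stdin so the secret never appears in the
  # process argument list or in shell history. Strip whitespace/newlines.
  encoded="$(tr -d '[:space:]')"
  [ -n "$encoded" ] || { echo "empty secret value" >&2; return 1; }

  # mktemp creates the file with mode 0600, so the decoded secret is
  # never group- or world-readable, even before the chmod below.
  tmp="$(mktemp "${out}.XXXXXX")" || return 1

  # Decode locally. If base64 rejects the input, remove the partial
  # file and fail instead of leaving a truncated key behind.
  if ! printf '%s' "$encoded" | base64 --decode > "$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "value is not valid base64" >&2
    return 1
  fi

  # Same permission the procedure sets with chmod 400, then move the
  # finished file into place under its final name.
  chmod 400 "$tmp" && mv -f "$tmp" "$out"
}
```

Delete the decoded file once the SSH session is no longer needed.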