SSH into Kubernetes pod without public IP access
In this guide we’ll demonstrate how to SSH into a Kubernetes pod without any external tools or services bridging between the pod and the web. All that’s required is a locally installed kubectl which is configured to communicate with the cluster.
Generate SSH keys
The first thing we’ll need to do is generate a private-public SSH key-pair. For this we run ssh-keygen and follow the instructions. For the rest of this guide I’ll assume that the key files are ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, and that they are not passphrase protected.
Install and configure openssh-server on the pod
The next thing we’ll need to do is install and configure openssh-server on the target pod. To do this we’ll run a bash terminal within the pod:
kubectl exec -it $pod -c $container -- bash
Then we’ll install openssh-server:
apt update && apt upgrade -y && apt install -y openssh-server
Once that’s installed, we’ll want to set the SSH connection port to something which kubectl port-forward will later be able to access and control. Let’s say port 2300. To configure that, we’ll need to find the commented-out Port 22 line within the default /etc/ssh/sshd_config file, and replace it with the chosen port number, in our case 2300. A convenient shortcut is to run the following sed command, which accepts the line with or without a space after the #:
sed -i -E 's/^#[[:space:]]*Port 22[[:space:]]*$/Port 2300/' /etc/ssh/sshd_config
We’ll also need to ensure that /root/.ssh actually exists on the pod. To do this, run:
mkdir -p /root/.ssh
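A more defensive version of the port edit above, as an added example that is not part of the original guide: it replaces the Port line whether it is commented out or not, binds sshd to the pod's loopback address so that only the kubectl port-forward session can reach it, and turns off password logins. The function names, the ListenAddress and PasswordAuthentication settings and the sample config are additions made here; the loopback binding assumes that port-forward traffic arrives on the pod's localhost.

```sh
#!/bin/sh
# Added example, not from the original guide.
set -eu

# configure_sshd FILE PORT
# Rewrite FILE so sshd listens only on 127.0.0.1:PORT and accepts keys only.
# The body runs in a subshell so its variables stay local.
configure_sshd() (
    file=$1 port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; exit 1 ;;
    esac
    tmp=$(mktemp)
    {
        # For single-valued keywords sshd keeps the first value it reads, so
        # the managed settings go at the top. Port precedes ListenAddress.
        printf 'Port %s\nListenAddress 127.0.0.1\nPasswordAuthentication no\n' "$port"
        # Drop older copies of these keywords, active or commented out
        # ("#Port 22" and "# Port 22" both match).
        grep -Eiv '^[[:space:]]*#?[[:space:]]*(Port|ListenAddress|PasswordAuthentication)[[:space:]]' "$file" || true
    } > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place: keeps owner and mode
    rm -f "$tmp"
)

# active_value FILE KEYWORD: print every uncommented value of KEYWORD.
active_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }' "$1"
}

# Constructed sample resembling a stock sshd_config.
sample_config() {
    printf '%s\n' '#Port 22' '#ListenAddress 0.0.0.0' \
        'PasswordAuthentication yes' 'UsePAM yes'
}

demo=$(mktemp)
sample_config > "$demo"
configure_sshd "$demo" 2300
cat "$demo"
rm -f "$demo"
```

Inside the pod, call configure_sshd /etc/ssh/sshd_config 2300 before starting the SSH server.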
Configure openssh-server on the pod to accept our local SSH key
Type exit to end the remote bash session. Now we need to configure the pod’s openssh-server to accept the SSH key-pair we created earlier. To do this, we’ll first use kubectl cp to copy the ~/.ssh/id_rsa.pub file to the pod, and then add it to the list of authorized keys:
First copy the public key file:
kubectl cp ~/.ssh/id_rsa.pub $pod:/root/.ssh/id_rsa.pub -c $container
Then add it to ~/.ssh/authorized_keys on the pod:
kubectl exec -it $pod -c $container -- bash -c "cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys"
Finally… we can start the SSH server on the pod:
kubectl exec -it $pod -c $container -- bash -c "service ssh start"
The final piece — port forwarding
Use port forwarding to access the SSH connection port on the pod from the local machine by running
kubectl port-forward $pod 2300:2300
Now you can just run
ssh <container-user>@localhost -p 2300
And you’re in.