In this guide we’ll demonstrate how to SSH into a Kubernetes pod without any external tools or services bridging between the pod and the web. All that’s required is a locally installed kubectl which is configured to communicate with the cluster.
Generate SSH keys
The first thing we’ll need to do is generate a private-public SSH key-pair. For this we run ssh-keygen and follow the instructions. For the rest of this guide I’ll assume that the key files are ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, and that they are not passphrase protected.
Install and configure openssh-server on the pod
The next thing we’ll need to do is install and configure openssh-server on the target pod. To do this we’ll run a bash terminal within the pod:
kubectl exec -it $pod -c $container -- bash
Then we’ll install openssh-server:
apt install -y openssh-server
Once that’s installed, we’ll want to set the SSH connection port to something which kubectl port-forward will later be able to access and control. Let’s say port 2300. To configure that, we’ll need to find the #Port 22 line within the default /etc/ssh/sshd_config file, and replace it with a Port line carrying the chosen port number — in our case 2300. A convenient shortcut is to run the following:
sed -i -e 's/#Port 22/Port 2300/g' /etc/ssh/sshd_config
Configure openssh-server on the pod to accept our local SSH key
Run exit to end the remote bash session. Now we need to configure the pod’s openssh-server to accept the SSH key-pair we created earlier. To do this, we’ll first use kubectl cp to copy the ~/.ssh/id_rsa.pub file to the pod, and then add it to the list of authorized keys:
First copy the public key file:
kubectl cp ~/.ssh/id_rsa.pub $pod:/root/.ssh/id_rsa.pub -c $container
Then add it to ~/.ssh/authorized_keys on the pod:
kubectl exec -it $pod -c $container -- bash -c "cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys"
Finally… we can start the SSH server on the pod:
kubectl exec -it $pod -c $container -- bash -c "service ssh start"
The final piece — port forwarding
Use port forwarding to access the SSH connection port on the pod from the local machine by running
kubectl port-forward $pod 2300:2300
Now you can just run
ssh <pod-user>@localhost -p 2300
And you’re in.
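The sshd_config edit from the configuration step, as an added example that is not part of the original guide: a blind sed exits successfully even when its pattern matches nothing, so this version sets each directive and then checks the value sshd would actually use. The function names (effective, pin, harden_sshd) are hypothetical, the sample file is constructed, and the loopback-only ListenAddress assumes that kubectl port-forward connects to the pod's loopback interface.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide.

# effective FILE KEY: print the first active value of KEY in the global
# section (sshd uses the first value it reads; commented lines are ignored).
effective() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }' "$1"
}

# pin FILE KEY VALUE: make "KEY VALUE" the first active setting, then verify.
# Prepending also places it ahead of any Include line in the file.
pin() {
    local file="$1" key="$2" value="$3" tmp
    [ "$(effective "$file" "$key")" = "$value" ] && return 0   # already set
    tmp=$(mktemp) || return 1
    { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp" &&
        cat "$tmp" > "$file"
    rm -f "$tmp"
    [ "$(effective "$file" "$key")" = "$value" ]
}

# harden_sshd FILE PORT (hypothetical helper name)
harden_sshd() {
    local file="$1" port="$2"
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;; esac
    pin "$file" Port "$port" &&
    # Assumption: kubectl port-forward connects to the pod's loopback
    # interface, so sshd does not need to listen on the pod IP.
    pin "$file" ListenAddress "127.0.0.1:$port" &&
    # The guide authenticates with a key pair, so passwords can be refused.
    pin "$file" PasswordAuthentication no
}

# Constructed sample resembling a stock sshd_config (not taken from a real pod).
demo() {
    local f; f=$(mktemp) || return 1
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#Port 22' \
        '#ListenAddress 0.0.0.0' 'PasswordAuthentication yes' > "$f"
    harden_sshd "$f" 2300 && cat "$f"
    rm -f "$f"
}
demo
```

On the pod, the functions would be applied to /etc/ssh/sshd_config before the service is started; running sshd -t afterwards validates the resulting file.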