Kubectl ssh tunnel
4/5/2023

In my previous blog I've detailed the tests we did regarding SSO in Kubernetes using Azure AD. I've described all the steps of our research on this topic in order to give our readers a real idea of how implementing a new solution happens. It is not a straightforward process and you have to explore several leads, do a lot of research and perform many tests in order to reach a satisfying solution that can be used on a production network.

Summary of our first working scenario

Below is a summary of the working scenario that used HTTP as URL in Kubelogin, as covered in my previous blog. Let's quickly summarize it in order to understand why this solution is OK for testing but wasn't satisfying enough as a production one.

On the Office Computer we had to connect to host1 using an SSH Tunnel in order to be able to use a Web Browser from this computer to reach the URL configured in Kubelogin (steps 1,2,3). From this URL we are redirected to Azure in order to authenticate and, if successful, the Redirect URI parameter is compared to what is used as URL in Kubelogin. If both match then Azure generates a token that is sent to the apiserver (steps 4,5,6,7,8). This token will be active for a period of time and finally RBAC rules are applied in order to control the actions this user can do on this cluster (step 9).

This scenario was not satisfying for the following reasons. By using HTTP we had no other option in Azure to set a different Redirect URI than localhost. As host1 has no Graphical User Interface (GUI) we had to connect to it using an SSH Tunnel, which is not great for our users as you have to keep this tunnel open while opening the Web Browser during the authentication process. This looks more like a testing solution than a production one, so we kept pushing for a better solution.

A Production Solution

As in Azure we can set any Redirect URI as long as it is HTTPS, the ideal solution would be to use HTTPS in Kubelogin as well, so we could set any URL that could be useful in our cluster environment. In my previous blog we thought only HTTP was available for Kubelogin and we didn't find any clear information regarding HTTPS. An old GitHub issue on this topic even showed it was not supported. Kudos to Arnaud Berbier (our DevOps Delivery Manager with years of experience as Senior Consultant and Platform Solution Architect at dbi-services) for figuring out the last missing bit of information required in Kubelogin for activating HTTPS, which is then indeed supported! He is the boss for a reason and it will cost me a bottle of rhum, but that is very well deserved!

In our case we wanted to use the Fully Qualified Domain Name (FQDN) of host1 as URL and Redirect URI, as this address is reachable from our Office Computer without the need of using an SSH Tunnel to host1. So this address will need to use HTTPS, and 2 steps are required to achieve this: first generate the SSL certificates on host1, and secondly configure Kubelogin to use those newly generated certificates.

You can create certificates on host1 by using OpenSSL for example, which will generate 2 files: host1.pem and host1.key. host1.pem is the public key and host1.key is the private key. You can now copy them in a folder that is secured and change the mode of both files to 400. Only the Kubernetes user on this host should be able to read those files.

We recommend using the Visual Studio Code Remote - SSH extension to connect to a remote machine running Docker engine. You can use the Remote - SSH and Dev Containers extensions together. You may review the steps in the Dev Containers documentation. It is also possible to connect to the remote Docker engine directly using SSH tunneling, which you can read more about below.

Use ssh-keygen or similar to get and configure a public/private key pair for SSH authentication. Password authentication is not supported by Docker and not possible with a DOCKER_HOST-based configuration. If a key pair has already been set up, it can be used.

Configure ssh-agent on the local system with the private key file produced above.

Windows (OpenSSH): The latest version(s) of Windows 10 include OpenSSH by default. There is a Windows service, ssh-agent, that is disabled by default and needs to be re-enabled and set to automatic start. From an admin PowerShell prompt, run Set-Service ssh-agent -StartupType "Automatic" and Start-Service ssh-agent.

Windows (Pageant): You can use Pageant instead of OpenSSH, in which case it is necessary to set the environment variable SSH_AUTH_SOCK=pageant. Making that a user or system environment variable will be easiest.

Ubuntu was tested; you might have different results on other distributions.

MacOS: ssh-agent is present by default, but ssh-add does not persist across logins.