SSH with Kubernetes: Making Permissions Follow Dynamic Workloads.

In the previous article of this series about managing Kubernetes, we explained how SSH clients can be authenticated using SSH certificates as opposed to simple public keys or passwords.

Introduction

In this post, we’ll take the next step and use SSH certificates to implement a simple and effective role-based access control, where SSH users are granted access NOT to specific servers, but to specific data or workloads. This style of access control is more compatible with the dynamic nature of datacenter-level work scheduling.

This blog post will teach you:

  • How to configure Kubernetes users to SSH into servers using Kubernetes labels instead of hostnames or IP addresses.
  • How to restrict SSH permissions based on Kubernetes labels and user identities.

Like this:

ssh [email protected]=db-master

Where db-master is a Kubernetes label dynamically applied to whichever machine is currently running the master PostgreSQL instance.

Why SSH into Clusters?

If you believe that you don’t need to ever “SSH into a box”, perhaps this article isn’t for you. The promise of simply throwing (scheduling) your code onto an intelligent “mainframe” and having it run by itself is appealing, but the need to SSH into a machine is still a common requirement, even if just for automation tooling.

Sample Use Case

Suppose you are in charge of a small ops team which is tasked with the job of managing a Kubernetes application called “Cookbook”. This application consists of two types of Kubernetes pods:

  • Worker: these handle HTTP requests from the clients and provide CRUD access to the database of recipes. They are stateless, numerous, cheap and can be easily moved around.
  • Database: these pods are responsible for actually storing the recipes, managing backups, restores, etc. Let’s say PostgreSQL is used for it.

Your ops team is composed of only two people: Elliot and Darlene. Both are capable of administering the workers but only Darlene knows how to manage the PostgreSQL database.

Both Darlene and Elliot can assume the role of worker-admin but only Darlene can assume the role of dba. Given his lack of knowledge, perhaps you don’t even want to let Elliot access servers where “Database” pods are running.

This requires connecting SSH access permissions with Kubernetes. We are using Teleport Enterprise, the commercial version of our open source SSH server, for this tutorial.

Let’s see how this can be done.
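As an added illustration (not code from the original post and not Teleport’s own implementation), the following Python models the access decision described above: users hold roles, roles select nodes by label rather than by hostname, and labels move with the workload. The user names, OS logins and label values are constructed for the Cookbook scenario.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

@dataclass
class Role:
    name: str
    logins: FrozenSet[str]       # OS accounts this role may log in as
    node_labels: Dict[str, str]  # every key must match the node; "*" matches any value

@dataclass
class Node:
    hostname: str
    labels: Dict[str, str]       # e.g. applied by Kubernetes when a pod is scheduled here

# Constructed sample data for the Cookbook scenario (hypothetical logins and label values).
ROLES = {
    "worker-admin": Role("worker-admin", frozenset({"deploy"}), {"role": "worker"}),
    "dba": Role("dba", frozenset({"postgres", "root"}), {"role": "db-master"}),
}
USERS = {"elliot": {"worker-admin"}, "darlene": {"worker-admin", "dba"}}

def role_covers(role: Role, node: Node) -> bool:
    """A role covers a node when every label in its selector is present with the same value."""
    return all(v == "*" or node.labels.get(k) == v for k, v in role.node_labels.items())

def allowed(user: str, login: str, node: Node) -> bool:
    """Policy decision: some role of the user must both cover the node and permit the login."""
    return any(login in ROLES[r].logins and role_covers(ROLES[r], node)
               for r in USERS.get(user, ()))

def resolve_target(target: str, nodes: List[Node]) -> List[str]:
    """Expand a 'key=value' target (the user@role=db-master form) into matching hostnames."""
    key, _, value = target.partition("=")
    return sorted(n.hostname for n in nodes if n.labels.get(key) == value)

def failover_demo() -> dict:
    """Show that access follows the label when the database master moves to another host."""
    a, b = Node("node-a", {"role": "db-master"}), Node("node-b", {"role": "worker"})
    nodes = [a, b]
    before = {"target": resolve_target("role=db-master", nodes),
              "darlene": allowed("darlene", "postgres", a),
              "elliot": allowed("elliot", "postgres", a)}
    a.labels["role"], b.labels["role"] = "worker", "db-master"  # master rescheduled to node-b
    after = {"target": resolve_target("role=db-master", nodes),
             "darlene": allowed("darlene", "postgres", b),
             "elliot": allowed("elliot", "postgres", b)}
    return {"before": before, "after": after}   # no role or user edits were needed
```

Note that the decision is taken per connection against the node’s current labels, so the roles never mention a hostname and nothing has to be rewritten when Kubernetes reschedules the pod.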
