Merge pull request #83751 from zr-msft/aks-refactor-ssh

GitHubber17 · web-flow · commit 8e3480c441e2 · 2019-08-01T13:28:09.000-07:00
[AKS] refactored ssh doc
diff --git a/articles/aks/ssh.md b/articles/aks/ssh.md
@@ -6,149 +6,133 @@ author: mlearned
 
 ms.service: container-service
 ms.topic: article
-ms.date: 05/24/2019
+ms.date: 07/31/2019
 ms.author: mlearned
 
-#Customer intent: As a cluster operator, I want to learn how to use SSH to connect to VMs in an AKS cluster to perform maintenance or troubleshoot a problem.
+#Customer intent: As a cluster operator, I want to learn how to use SSH to connect to virtual machines in an AKS cluster to perform maintenance or troubleshoot a problem.
 ---
 
 # Connect with SSH to Azure Kubernetes Service (AKS) cluster nodes for maintenance or troubleshooting
 
-Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. You can access AKS nodes using SSH, including Windows Server nodes (currently in preview in AKS). You can also [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp]. For security purposes, the AKS nodes are not exposed to the internet.
+Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. You can access AKS nodes using SSH, including Windows Server nodes (currently in preview in AKS). You can also [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp]. For security purposes, the AKS nodes aren't exposed to the internet. To SSH to the AKS nodes, you use the private IP address.
 
 This article shows you how to create an SSH connection with an AKS node using their private IP addresses.
 
 ## Before you begin
 
 This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli] or [using the Azure portal][aks-quickstart-portal].
 
-You also need the Azure CLI version 2.0.64 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+By default, SSH keys are obtained, or generated, then added to nodes when you create an AKS cluster. This article shows you how to specify different SSH keys than the SSH keys used when you created your AKS cluster. The article also shows you how to determine the private IP address of your node and connect to it using SSH. If you don't need to specify a different SSH key, then you may skip the step for adding the SSH public key to the node.
 
-## Add your public SSH key
+This article also assumes you have an SSH key. You can create an SSH key using [macOS or Linux][ssh-nix] or [Windows][ssh-windows]. If you use PuTTY Gen to create the key pair, save the key pair in an OpenSSH format rather than the default PuTTy private key format (.ppk file).
 
-By default, SSH keys are obtained, or generated, then added to nodes when you create an AKS cluster. If you need to specify different SSH keys than those used when you created your AKS cluster, add your public SSH key to the Linux AKS nodes. If needed, you can create an SSH key using [macOS or Linux][ssh-nix] or [Windows][ssh-windows]. If you use PuTTY Gen to create the key pair, save the key pair in an OpenSSH format rather than the default PuTTy private key format (.ppk file).
+You also need the Azure CLI version 2.0.64 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
 
-> [!NOTE]
-> SSH keys can currently only be added to Linux nodes using the Azure CLI. If you use Windows Server nodes, use the SSH keys provided when you created the AKS cluster and skip to the step on [how to get the AKS node address](#get-the-aks-node-address). Or, [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp].
+## Configure virtual machine scale set-based AKS clusters for SSH access
 
-The steps to get the private IP address of the AKS nodes is different based on the type of AKS cluster you run:
+To configure your virtual machine scale set-based for SSH access, find the name of your cluster's virtual machine scale set and add your SSH public key to that scale set.
 
-* For most AKS clusters, follow the steps to [get the IP address for regular AKS clusters](#add-ssh-keys-to-regular-aks-clusters).
-* If you use any preview features in AKS that use virtual machine scale sets, such as multiple node pools or Windows Server container support, [follow the steps for virtual machine scale set-based AKS clusters](#add-ssh-keys-to-virtual-machine-scale-set-based-aks-clusters).
+Use the [az aks show][az-aks-show] command to get the resource group name of your AKS cluster, then the [az vmss list][az-vmss-list] command to get the name of your scale set.
 
-### Add SSH keys to regular AKS clusters
+```azurecli-interactive
+CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
+SCALE_SET_NAME=$(az vmss list --resource-group $CLUSTER_RESOURCE_GROUP --query [0].name -o tsv)
+```
 
-To add your SSH key to a Linux AKS node, complete the following steps:
+The above example assigns the name of the cluster resource group for the *myAKSCluster* in *myResourceGroup* to *CLUSTER_RESOURCE_GROUP*. The example then uses *CLUSTER_RESOURCE_GROUP* to list the scale set name and assign it to *SCALE_SET_NAME*.  
 
-1. Get the resource group name for your AKS cluster resources using [az aks show][az-aks-show]. The cluster name is assigned to the variable named *CLUSTER_RESOURCE_GROUP*. Replace *myResourceGroup* with the name of your Resource Group where you AKS Cluster is located:
+> [!NOTE]
+> SSH keys can currently only be added to Linux nodes using the Azure CLI. If you want to connect to a Windows Server node using SSH, use the SSH keys provided when you created the AKS cluster and skip the next set of commands for adding your SSH public key. You will still need the IP address of the node you wish to troubleshoot, which is shown in the final command of this section. Alternatively, you can [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp] instead of using SSH.
 
-    ```azurecli-interactive
-    CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
-    ```
+To add your SSH keys to the nodes in a virtual machine scale set, use the [az vmss extension set][az-vmss-extension-set] and [az vmss update-instances][az-vmss-update-instances] commands.
 
-1. List the VMs in the AKS cluster resource group using the [az vm list][az-vm-list] command. These VMs are your AKS nodes:
+```azurecli-interactive
+az vmss extension set  \
+    --resource-group $CLUSTER_RESOURCE_GROUP \
+    --vmss-name $SCALE_SET_NAME \
+    --name VMAccessForLinux \
+    --publisher Microsoft.OSTCExtensions \
+    --version 1.4 \
+    --protected-settings "{\"username\":\"azureuser\", \"ssh_key\":\"$(cat ~/.ssh/id_rsa.pub)\"}"
+
+az vmss update-instances --instance-ids '*' \
+    --resource-group $CLUSTER_RESOURCE_GROUP \
+    --name $SCALE_SET_NAME
+```
 
-    ```azurecli-interactive
-    az vm list --resource-group $CLUSTER_RESOURCE_GROUP -o table
-    ```
+The above example uses the *CLUSTER_RESOURCE_GROUP* and *SCALE_SET_NAME* variables from the previous commands. The above example also uses *~/.ssh/id_rsa.pub* as the location for your SSH public key.
 
-    The following example output shows the AKS nodes:
+> [!NOTE]
+> By default, the username for the AKS nodes is *azureuser*.
 
-    ```
-    Name                      ResourceGroup                                  Location
-    ------------------------  ---------------------------------------------  ----------
-    aks-nodepool1-79590246-0  MC_myResourceGroupAKS_myAKSClusterRBAC_eastus  eastus
-    ```
+After you add your SSH public key to the scale set, you can SSH into a node virtual machine in that scale set using its IP address. View the private IP addresses of the AKS cluster nodes using the [kubectl get command][kubectl-get].
 
-1. To add your SSH keys to the node, use the [az vm user update][az-vm-user-update] command. Provide the resource group name and then one of the AKS nodes obtained in the previous step. By default, the username for the AKS nodes is *azureuser*. Provide the location of your own SSH public key location, such as *~/.ssh/id_rsa.pub*, or paste the contents of your SSH public key:
+```console
+kubectl get nodes -o wide
+```
 
-    ```azurecli-interactive
-    az vm user update \
-      --resource-group $CLUSTER_RESOURCE_GROUP \
-      --name aks-nodepool1-79590246-0 \
-      --username azureuser \
-      --ssh-key-value ~/.ssh/id_rsa.pub
-    ```
+The follow example output shows the internal IP addresses of all the nodes in the cluster, including a Windows Server node.
 
-### Add SSH keys to virtual machine scale set-based AKS clusters
+```console
+$ kubectl get nodes -o wide
 
-To add your SSH key to a Linux AKS node that's part of a virtual machine scale set, complete the following steps:
+NAME                                STATUS   ROLES   AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                    KERNEL-VERSION      CONTAINER-RUNTIME
+aks-nodepool1-42485177-vmss000000   Ready    agent   18h   v1.12.7   10.240.0.4    <none>        Ubuntu 16.04.6 LTS          4.15.0-1040-azure   docker://3.0.4
+aksnpwin000000                      Ready    agent   13h   v1.12.7   10.240.0.67   <none>        Windows Server Datacenter   10.0.17763.437
+```
 
-1. Get the resource group name for your AKS cluster resources using [az aks show][az-aks-show]. The cluster name is assigned to the variable named *CLUSTER_RESOURCE_GROUP*. Replace *myResourceGroup* with the name of your Resource Group where you AKS Cluster is located:
+Record the internal IP address of the node you wish to troubleshoot.
 
-    ```azurecli-interactive
-    CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
-    ```
+To access your node using SSH, follow the steps in [Create the SSH connection](#create-the-ssh-connection).
 
-1. Next, get the virtual machine scale set for your AKS cluster using the [az vmss list][az-vmss-list] command. The virtual machine scale set name is assigned to the variable named *SCALE_SET_NAME*:
+## Configure virtual machine availability set-based AKS clusters for SSH access
 
-    ```azurecli-interactive
-    SCALE_SET_NAME=$(az vmss list --resource-group $CLUSTER_RESOURCE_GROUP --query [0].name -o tsv)
-    ```
+To configure your virtual machine availability set-based AKS cluster for SSH access, find the name of your cluster's Linux node, and add your SSH public key to that node.
 
-1. To add your SSH keys to the nodes in a virtual machine scale set, use the [az vmss extension set][az-vmss-extension-set] command. The cluster resource group and virtual machine scale set name are provided from the previous commands. By default, the username for the AKS nodes is *azureuser*. If needed, update the location of your own SSH public key location, such as *~/.ssh/id_rsa.pub*:
+Use the [az aks show][az-aks-show] command to get the resource group name of your AKS cluster, then the [az vm list][az-vm-list] command to list the virtual machine name of your cluster's Linux node.
 
-    ```azurecli-interactive
-    az vmss extension set  \
-        --resource-group $CLUSTER_RESOURCE_GROUP \
-        --vmss-name $SCALE_SET_NAME \
-        --name VMAccessForLinux \
-        --publisher Microsoft.OSTCExtensions \
-        --version 1.4 \
-        --protected-settings "{\"username\":\"azureuser\", \"ssh_key\":\"$(cat ~/.ssh/id_rsa.pub)\"}"
-    ```
+```azurecli-interactive
+CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
+az vm list --resource-group $CLUSTER_RESOURCE_GROUP -o table
+```
 
-1. Apply the SSH key to the nodes using the [az vmss update-instances][az-vmss-update-instances] command:
+The above example assigns the name of the cluster resource group for the *myAKSCluster* in *myResourceGroup* to *CLUSTER_RESOURCE_GROUP*. The example then uses *CLUSTER_RESOURCE_GROUP* to list the virtual machine name. The example output shows the name of the virtual machine: 
 
-    ```azurecli-interactive
-    az vmss update-instances --instance-ids '*' \
-        --resource-group $CLUSTER_RESOURCE_GROUP \
-        --name $SCALE_SET_NAME
-    ```
+```
+Name                      ResourceGroup                                  Location
+------------------------  ---------------------------------------------  ----------
+aks-nodepool1-79590246-0  MC_myResourceGroupAKS_myAKSClusterRBAC_eastus  eastus
+```
 
-## Get the AKS node address
+To add your SSH keys to the node, use the [az vm user update][az-vm-user-update] command.
 
-The AKS nodes are not publicly exposed to the internet. To SSH to the AKS nodes, you use the private IP address. In the next step, you create a helper pod in your AKS cluster that lets you SSH to this private IP address of the node. The steps to get the private IP address of the AKS nodes is different based on the type of AKS cluster you run:
+```azurecli-interactive
+az vm user update \
+    --resource-group $CLUSTER_RESOURCE_GROUP \
+    --name aks-nodepool1-79590246-0 \
+    --username azureuser \
+    --ssh-key-value ~/.ssh/id_rsa.pub
+```
 
-* For most AKS clusters, follow the steps to [get the IP address for regular AKS clusters](#ssh-to-regular-aks-clusters).
-* If you use any preview features in AKS that use virtual machine scale sets, such as multiple node pools or Windows Server container support, [follow the steps for virtual machine scale set-based AKS clusters](#ssh-to-virtual-machine-scale-set-based-aks-clusters).
+The above example uses the *CLUSTER_RESOURCE_GROUP* variable and the node virtual machine name from previous commands. The above example also uses *~/.ssh/id_rsa.pub* as the location for your SSH public key. You could also use the contents of your SSH public key instead of specifying a path.
 
-### SSH to regular AKS clusters
+> [!NOTE]
+> By default, the username for the AKS nodes is *azureuser*.
 
-View the private IP address of an AKS cluster node using the [az vm list-ip-addresses][az-vm-list-ip-addresses] command. Provide your own AKS cluster resource group name obtained in a previous [az-aks-show][az-aks-show] step:
+After you add your SSH public key to the node virtual machine, you can SSH into that virtual machine using its IP address. View the private IP address of an AKS cluster node using the [az vm list-ip-addresses][az-vm-list-ip-addresses] command.
 
 ```azurecli-interactive
 az vm list-ip-addresses --resource-group $CLUSTER_RESOURCE_GROUP -o table
 ```
 
-The following example output shows the private IP addresses of the AKS nodes:
+The above example uses the *CLUSTER_RESOURCE_GROUP* variable set in the previous commands. The following example output shows the private IP addresses of the AKS nodes:
 
 ```
 VirtualMachine            PrivateIPAddresses
 ------------------------  --------------------
 aks-nodepool1-79590246-0  10.240.0.4
 ```
 
-### SSH to virtual machine scale set-based AKS clusters
-
-List the internal IP address of the nodes using the [kubectl get command][kubectl-get]:
-
-```console
-kubectl get nodes -o wide
-```
-
-The follow example output shows the internal IP addresses of all the nodes in the cluster, including a Windows Server node.
-
-```console
-$ kubectl get nodes -o wide
-
-NAME                                STATUS   ROLES   AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                    KERNEL-VERSION      CONTAINER-RUNTIME
-aks-nodepool1-42485177-vmss000000   Ready    agent   18h   v1.12.7   10.240.0.4    <none>        Ubuntu 16.04.6 LTS          4.15.0-1040-azure   docker://3.0.4
-aksnpwin000000                      Ready    agent   13h   v1.12.7   10.240.0.67   <none>        Windows Server Datacenter   10.0.17763.437
-```
-
-Record the internal IP address of the node you wish to troubleshoot. You will use this address in a later step.
-
 ## Create the SSH connection
 
 To create an SSH connection to an AKS node, you run a helper pod in your AKS cluster. This helper pod provides you with SSH access into the cluster and then additional SSH node access. To create and use this helper pod, complete the following steps:
@@ -160,17 +144,17 @@ To create an SSH connection to an AKS node, you run a helper pod in your AKS clu
     ```
 
     > [!TIP]
-    > If you use Windows Server nodes (currently in preview in AKS), add a node selector to the command to schedule the Debian container on a Linux node as follows:
+    > If you use Windows Server nodes (currently in preview in AKS), add a node selector to the command to schedule the Debian container on a Linux node:
     >
     > `kubectl run -it --rm aks-ssh --image=debian --overrides='{"apiVersion":"apps/v1","spec":{"template":{"spec":{"nodeSelector":{"beta.kubernetes.io/os":"linux"}}}}}'`
 
-1. The base Debian image doesn't include SSH components. Once the terminal session is connected to the container, install an SSH client using `apt-get` as follows:
+1. Once the terminal session is connected to the container, install an SSH client using `apt-get`:
 
     ```console
     apt-get update && apt-get install openssh-client -y
     ```
 
-1. In a new terminal window, not connected to your container, list the pods on your AKS cluster using the [kubectl get pods][kubectl-get] command. The pod created in the previous step starts with the name *aks-ssh*, as shown in the following example:
+1. Open a new terminal window, not connected to your container, list the pods on your AKS cluster using the [kubectl get pods][kubectl-get] command. The pod created in the previous step starts with the name *aks-ssh*, as shown in the following example:
 
     ```
     $ kubectl get pods
@@ -179,21 +163,21 @@ To create an SSH connection to an AKS node, you run a helper pod in your AKS clu
     aks-ssh-554b746bcf-kbwvf   1/1       Running   0          1m
     ```
 
-1. In the first step of this article, you added your public SSH key the AKS node. Now, copy your private SSH key into the pod. This private key is used to create the SSH into the AKS nodes.
+1. In an earlier step, you added your public SSH key to the AKS node you wanted to troubleshoot. Now, copy your private SSH key into the helper pod. This private key is used to create the SSH into the AKS node.
 
     Provide your own *aks-ssh* pod name obtained in the previous step. If needed, change *~/.ssh/id_rsa* to location of your private SSH key:
 
     ```console
     kubectl cp ~/.ssh/id_rsa aks-ssh-554b746bcf-kbwvf:/id_rsa
     ```
 
-1. Back in the terminal session to your container, update the permissions on the copied `id_rsa` private SSH key so that it is user read-only:
+1. Return to the terminal session to your container, update the permissions on the copied `id_rsa` private SSH key so that it is user read-only:
 
     ```console
     chmod 0600 id_rsa
     ```
 
-1. Now create an SSH connection to your AKS node. Again, the default username for AKS nodes is *azureuser*. Accept the prompt to continue with the connection as the SSH key is first trusted. You are then provided with the bash prompt of your AKS node:
+1. Create an SSH connection to your AKS node. Again, the default username for AKS nodes is *azureuser*. Accept the prompt to continue with the connection as the SSH key is first trusted. You are then provided with the bash prompt of your AKS node:
 
     ```console
     $ ssh -i id_rsa azureuser@10.240.0.4
