|
| 1 | +--- |
| 2 | +title: SSH into Azure Kubernetes Service (AKS) cluster nodes |
| 3 | +description: Learn how to create an SSH connection with an Azure Kubernetes Service (AKS) cluster nodes for troubleshooting and maintenance tasks. |
| 4 | +services: container-service |
| 5 | +author: iainfoulds |
| 6 | + |
| 7 | +ms.service: container-service |
| 8 | +ms.topic: article |
| 9 | +ms.date: 08/21/2018 |
| 10 | +ms.author: iainfou |
| 11 | +--- |
| 12 | + |
| 13 | +# SSH to Azure Kubernetes Service (AKS) cluster nodes |
| 14 | + |
| 15 | +Occasionally, you may need to access an Azure Kubernetes Service (AKS) node for maintenance, log collection, or other troubleshooting operations. For security purposes, the AKS nodes are not exposed to the internet. This article shows you how to create an SSH connection with an AKS node. |
| 16 | + |
| 17 | +## Reset the SSH keys |
| 18 | + |
| 19 | +If you did not specify SSH keys when you created your AKS cluster, you first need to reset the SSH keys for the Kubernetes nodes. To reset the SSH keys for your nodes, complete the following steps: |
| 20 | + |
| 21 | +1. Get the resource group name for your AKS cluster resources using [az aks show][az-aks-show]. Provide your own core resource group and AKS cluster name: |
| 22 | + |
| 23 | + ```azurecli |
| 24 | + az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv |
| 25 | + ``` |
| 26 | +
|
| 27 | +1. List the VMs in the AKS cluster resource group using the [az vm list][az-vm-list] command. These VMs are you AKS nodes: |
| 28 | +
|
| 29 | + ```azurecli |
| 30 | + az vm list --resource-group MC_myResourceGroup_myAKSCluster_eastus -o table |
| 31 | + ``` |
| 32 | +
|
| 33 | + The following example output shows the AKS nodes: |
| 34 | +
|
| 35 | + ``` |
| 36 | + Name ResourceGroup Location |
| 37 | + ------------------------ --------------------------------------------- ---------- |
| 38 | + aks-nodepool1-79590246-0 MC_myResourceGroupAKS_myAKSClusterRBAC_eastus eastus |
| 39 | + ``` |
| 40 | +
|
| 41 | +1. To update the SSH keys for your node, use the [az vm user update][az-vm-user-update] command. Provide the resource group name and then one of the AKS nodes obtained in the previous step. By default, the username for the AKS nodes is *azureuser*. Provide the location of your own SSH public key location, such as ~/.ssh/id_rsa.pub*, or paste the contents of your SSH public key: |
| 42 | +
|
| 43 | + ```azurecli |
| 44 | + az vm user update \ |
| 45 | + --resource-group MC_myResourceGroup_myAKSCluster_eastus \ |
| 46 | + --name aks-nodepool1-79590246-0 \ |
| 47 | + --username azureuser \ |
| 48 | + --ssh-key-value ~/.ssh/id_rsa.pub |
| 49 | + ``` |
| 50 | +
|
| 51 | +## Get the AKS node address |
| 52 | +
|
| 53 | +The AKS nodes are not publicly exposed to the internet. To SSH to the AKS nodes, you use their internal, private IP addresses. View the private IP address of an AKS cluster node using the [az vm list-ip-addresses][az-vm-list-ip-addresses] command. Provide your own AKS cluster resource group name obtained in a previous [az-aks-show][az-aks-show] step: |
| 54 | +
|
| 55 | +```azurecli |
| 56 | +az vm list-ip-addresses --resource-group MC_myAKSCluster_myAKSCluster_eastus -o table |
| 57 | +``` |
| 58 | + |
| 59 | +The following example output shows the private IP addresses the AKS nodes: |
| 60 | + |
| 61 | +``` |
| 62 | +VirtualMachine PrivateIPAddresses |
| 63 | +------------------------ -------------------- |
| 64 | +aks-nodepool1-79590246-0 10.240.0.4 |
| 65 | +``` |
| 66 | + |
| 67 | +## Create the SSH connection |
| 68 | + |
| 69 | +To get an SSH connection to an AKS node, you run a helper pod on the node. This helper pod provides you with SSH access into the cluster and then additional SSH node access. To create and use this helper pod, complete the following steps: |
| 70 | + |
| 71 | +1. Run a `debian` container image and attach a terminal session to it. This container is used to create an SSH session with any node in the AKS cluster: |
| 72 | + |
| 73 | + ```console |
| 74 | + kubectl run -it --rm aks-ssh --image=debian |
| 75 | + ``` |
| 76 | + |
| 77 | +1. The base Debian image doesn't include SSH components. Install an SSH client in the container with `apt-get` as follows: |
| 78 | + |
| 79 | + ```console |
| 80 | + apt-get update && apt-get install openssh-client -y |
| 81 | + ``` |
| 82 | + |
| 83 | +1. In a new terminal window, list the pods on your AKS cluster using the [kubectl get pods][kubectl-get] command. The pod created in the previous step starts with the name *aks-ssh*, as shown in the following example: |
| 84 | + |
| 85 | + ``` |
| 86 | + $ kubectl get pods |
| 87 | + |
| 88 | + NAME READY STATUS RESTARTS AGE |
| 89 | + aks-ssh-554b746bcf-kbwvf 1/1 Running 0 1m |
| 90 | + ``` |
| 91 | + |
| 92 | +1. In the first step of this article, you added your public SSH key the AKS node. Now, copy your private SSH key into the pod. This private key is then used to create the SSH into the AKS nodes. Provide your own *aks-ssh* pod name obtained in the previous step. If needed, change *~/.ssh/id_rsa* to location of your private SSH key: |
| 93 | + |
| 94 | + ```console |
| 95 | + kubectl cp ~/.ssh/id_rsa aks-ssh-554b746bcf-kbwvf:/id_rsa |
| 96 | + ``` |
| 97 | + |
| 98 | +1. Back in the terminal session to your help pod, update the permissions on the `id_rsa` private SSH key copied in the previous step so that it is user read-only: |
| 99 | + |
| 100 | + ```console |
| 101 | + chmod 0600 id_rsa |
| 102 | + ``` |
| 103 | + |
| 104 | +1. Now create an SSH connection to your AKS node. Again, the default username for AKS nodes is *azureuser*. Accept the prompt to continue with the connection as the SSH key is first trusted. You are then provided with the bash prompt of your AKS node: |
| 105 | + |
| 106 | + ```console |
| 107 | + |
| 108 | + |
| 109 | + ECDSA key fingerprint is SHA256:A6rnRkfpG21TaZ8XmQCCgdi9G/MYIMc+gFAuY9RUY70. |
| 110 | + Are you sure you want to continue connecting (yes/no)? yes |
| 111 | + Warning: Permanently added '10.240.0.4' (ECDSA) to the list of known hosts. |
| 112 | + |
| 113 | + Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-1018-azure x86_64) |
| 114 | + |
| 115 | + * Documentation: https://help.ubuntu.com |
| 116 | + * Management: https://landscape.canonical.com |
| 117 | + * Support: https://ubuntu.com/advantage |
| 118 | + |
| 119 | + Get cloud support with Ubuntu Advantage Cloud Guest: |
| 120 | + http://www.ubuntu.com/business/services/cloud |
| 121 | + |
| 122 | + [...] |
| 123 | + |
| 124 | + azureuser@aks-nodepool1-79590246-0:~$ |
| 125 | + ``` |
| 126 | + |
| 127 | +## Remove SSH access |
| 128 | + |
| 129 | +When done, `exit` the SSH session and then `exit` the interactive container session. When this container session closes, the pod used for SSH access from the AKS cluster is deleted. |
| 130 | + |
| 131 | +## Next steps |
| 132 | + |
| 133 | +If you need additional troubleshooting data, you can [view the kubelet logs][view-kubelet-logs] or [view the Kubernetes master node logs][view-master-logs]. |
| 134 | + |
| 135 | +<!-- EXTERNAL LINKS --> |
| 136 | +[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get |
| 137 | + |
| 138 | +<!-- INTERNAL LINKS --> |
| 139 | +[az-aks-show]: /cli/azure/aks#az-aks-show |
| 140 | +[az-vm-list]: /cli/azure/vm#az-vm-list |
| 141 | +[az-vm-user-update]: /cli/azure/vm/user#az-vm-user-update |
| 142 | +[az-vm-list-ip-addresses]: cli/azure/vm#az-vm-list-ip-addresses |
| 143 | +[view-kubelet-logs]: kubelet-logs.md |
| 144 | +[view-master-logs]: view-master-logs.md |
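Review bot: The console block of the final "create an SSH connection" step is missing the command itself; it opens with two blank lines and then the `ECDSA key fingerprint` prompt, so nothing in the block shows what produced that prompt. Add the command the preceding steps set up, `ssh -i id_rsa azureuser@10.240.0.4`, so the reader can see which key file, user and private address are used. The example node resource group name also drifts: the commands use `MC_myResourceGroup_myAKSCluster_eastus`, the `az vm list` sample output shows `MC_myResourceGroupAKS_myAKSClusterRBAC_eastus`, and the `az vm list-ip-addresses` command uses `MC_myAKSCluster_myAKSCluster_eastus`; pick one name and use it throughout, since readers copy these values. In the link references, `[az-vm-list-ip-addresses]: cli/azure/vm#az-vm-list-ip-addresses` is missing the leading slash that the other `/cli/azure/...` entries have, so it resolves as a relative link. Wording fixes: "an SSH connection with an Azure Kubernetes Service (AKS) cluster nodes" (drop "an"), "These VMs are you AKS nodes" (your), "~/.ssh/id_rsa.pub*" (stray asterisk), "private IP addresses the AKS nodes" (of the), "added your public SSH key the AKS node" (to the), "create the SSH into the AKS nodes" (SSH connection to), "to location of" (to the location of), "help pod" (helper pod), and "as the SSH key is first trusted" should say that the node's host key is being trusted on first connection, which is what the `Warning: Permanently added` line shows. Finally, the `kubectl cp` step places the reader's personal private key inside a container on the cluster; a sentence recommending a dedicated key pair generated only for this task, and noting that `--rm` deletes the copy when the interactive session ends (the behaviour the "Remove SSH access" section relies on), would make the security model of the procedure explicit.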