Reaching the K8s in-cluster network from a local Linux/macOS environment through an sshd pod (using sshuttle)
References: Improve development efficiency: connect the network between K8s and your local machine (blog: 陪她去流浪)
sshuttle: build a simple SSH-based VPN (blog: 早起搬砖 morning.work)
Generate a public/private key pair on each side
Run this both on the server where the K8s cluster lives (a non-root user is recommended) and on the local development machine (Linux/macOS):
$ ssh-keygen
The generated key files are in ~/.ssh/.
Deploy an sshd service and expose it through a NodePort so the local client can reach it
The sshd image used in this example installs Python every time the container starts, which takes a long time. To save time, build your own image with Python already installed and push it to your own registry, so you do not wait for the Python install on every debugging round.
vi Dockerfile
FROM docker.io/panubo/sshd:latest
# switch to a domestic mirror first so the apk steps below are fast
# https://blog.csdn.net/qq_42533216/article/details/108225616
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
RUN apk upgrade
# Python is needed on the server side for sshuttle
RUN apk add python2
# reinstall curl after the upgrade (as in the original recipe)
RUN apk del curl
RUN apk add curl
# same entrypoint and command as the base image:
# https://github.com/panubo/docker-sshd/blob/main/Dockerfile
ENTRYPOINT ["/entry.sh"]
CMD ["/usr/sbin/sshd", "-D", "-e", "-f", "/etc/ssh/sshd_config"]
Build the image yourself (<your-registry> is a placeholder for your own registry path)
docker build -t my-sshd:latest .
docker tag my-sshd:latest <your-registry>/my-sshd:latest
docker push <your-registry>/my-sshd:latest
Prepare the sshd Deployment
Once you have the image, change the line
image: panubo/sshd
in the YAML below to the image path in your own registry, and delete the line apk add python2 from the container's startup script (the image already contains Python).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sshd
  labels:
    app.kubernetes.io/name: sshd
    app.kubernetes.io/instance: sshd
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: sshd
      app.kubernetes.io/instance: sshd
  template:
    metadata:
      labels:
        app.kubernetes.io/name: sshd
        app.kubernetes.io/instance: sshd
    spec:
      hostname: pipeline
      containers:
        - name: sshd
          image: panubo/sshd
          imagePullPolicy: Always
          env:
            - name: SSH_ENABLE_ROOT
              value: "true"
          command:
            - /bin/sh
            - -c
          args:
            - |
              set -euo pipefail
              /entry.sh
              # host key pair of the pod: the pair generated on the K8s server.
              # The type prefix (ssh-rsa, ecdsa-sha2-nistp256, ...) must match the key you actually generated.
              echo 'ssh-rsa xxx<public key generated on the K8s server>xxx= yourname@yourmachine' > /etc/ssh/keys/ssh_host_ecdsa_key.pub
              echo '-----BEGIN OPENSSH PRIVATE KEY-----
              b4BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
              xxx<private key generated on the K8s server>xxx
              sAAAAhANr5qpUS1qt0Thpli78qrLD61kUki9V2+ss3KlTPmsW/AAAAEXJvb3RAZTY5NzVl
              MjgyODE0AQIDBAUG
              -----END OPENSSH PRIVATE KEY-----
              ' > /etc/ssh/keys/ssh_host_ecdsa_key
              # whitelist: the public key generated on the local development machine
              echo 'xxx<public key of the local development machine>xxx= yourname@yourmachine' >> /root/.ssh/authorized_keys
              # enable forwarding in sshd_config
              sed -i 's/GatewayPorts no/GatewayPorts yes/' /etc/ssh/sshd_config
              sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config
              # remove this line if your own image already contains Python
              apk add python2
              /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config
---
apiVersion: v1
kind: Service
metadata:
  name: sshd
  labels:
    app.kubernetes.io/name: sshd
    app.kubernetes.io/instance: sshd
spec:
  type: NodePort
  ports:
    - name: sshd
      nodePort: 32222
      port: 22
      targetPort: 22
      protocol: TCP
  selector:
    app.kubernetes.io/name: sshd
    app.kubernetes.io/instance: sshd
Deploy it. A dedicated namespace such as sshd-system is recommended, so other users cannot tamper with it.
kubectl create ns sshd-system
kubectl apply -f sshd.yaml -n sshd-system
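A way to keep the key material out of the Deployment manifest, as an added example (it is not code from the original post or from panubo/sshd): render a Kubernetes Secret from the three key files that the startup script above writes by hand. The Secret name sshd-keys, the data key names and the sample file contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build a Kubernetes Secret from the
# key files on disk, so the private host key and the authorized_keys whitelist
# are not pasted into the Deployment YAML (where they end up in git history and
# in `kubectl get deploy -o yaml` for anyone who can read the namespace).
# Secret name (sshd-keys) and data key names are this example's own choices.

# base64 a file onto one line; portable, because macOS base64 has no -w0
b64_file() { base64 < "$1" | tr -d '\n'; }

# render_sshd_secret HOST_KEY HOST_KEY_PUB AUTHORIZED_KEYS -> manifest on stdout
render_sshd_secret() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: sshd-keys\ntype: Opaque\ndata:\n'
    printf '  ssh_host_ecdsa_key: %s\n' "$(b64_file "$1")"
    printf '  ssh_host_ecdsa_key.pub: %s\n' "$(b64_file "$2")"
    printf '  authorized_keys: %s\n' "$(b64_file "$3")"
}

# secret_field MANIFEST_FILE KEY -> the base64 value stored under data.KEY
secret_field() {
    awk -v k="$2:" '$1 == k { print $2 }' "$1"
}

# Constructed sample key files (placeholders, not real key material)
DEMO=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-KEY' \
    '-----END OPENSSH PRIVATE KEY-----' > "$DEMO/ssh_host_ecdsa_key"
printf '%s\n' 'ecdsa-sha2-nistp256 AAAAPLACEHOLDER= k8s@server' > "$DEMO/ssh_host_ecdsa_key.pub"
printf '%s\n' 'ssh-ed25519 AAAAPLACEHOLDER= dev@laptop' > "$DEMO/authorized_keys"

render_sshd_secret "$DEMO/ssh_host_ecdsa_key" "$DEMO/ssh_host_ecdsa_key.pub" \
    "$DEMO/authorized_keys" > "$DEMO/sshd-keys.yaml"
cat "$DEMO/sshd-keys.yaml"
# Real use: render from the real files, then
#   kubectl apply -n sshd-system -f sshd-keys.yaml
```

Apply the rendered file with kubectl apply -n sshd-system -f sshd-keys.yaml (kubectl create secret generic sshd-keys --from-file=... builds the same object in one command). Then give the Deployment a volume of type secret with secretName: sshd-keys and mount the three items with subPath at /etc/ssh/keys/ssh_host_ecdsa_key, /etc/ssh/keys/ssh_host_ecdsa_key.pub and /root/.ssh/authorized_keys, the paths the startup script writes to. The three echo lines in the script are then no longer needed (a Secret-backed mount is read-only, so the >> append would fail anyway), the keys survive pod restarts, and the private key no longer appears in the Deployment object.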
Add a shortcut entry to ~/.ssh/config on the local development machine
Host sshd
    # one of the nodes of the K8s cluster
    HostName youripxxx
    # the NodePort of the sshd Service
    Port 32222
    # the startup script writes the whitelist to /root/.ssh/authorized_keys and sets SSH_ENABLE_ROOT, so log in as root
    User root
    # the private key generated on the local development machine
    IdentityFile ~/.ssh/sshd_id_ed25519
ssh into the sshd service inside K8s:
$ ssh sshd
Welcome to Alpine!
The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org/>.
You can setup the system with the command: setup-alpine
You may change this message by editing /etc/motd.
ssh:~#
Install sshuttle on the development machine
git clone https://github.com/sshuttle/sshuttle.git
cd sshuttle
python3 setup.py install
Start sshuttle
$ sshuttle -r sshd 0.0.0.0/0 --disable-ipv6
Connected to server.
In another window, list the Services
$ kubectl get svc -A
Find the ClusterIP of each Service you need and map it in the hosts file of the local development machine, for example:
[root@master02 ~]# cat /etc/hosts
10.124.112.188 harbor-portal.harbor
If the sshd pod you just deployed is not in the same namespace as the Service you want to reach, append the namespace to the name (in the example above, harbor is the namespace).
Access a Service from the local development machine
$ curl harbor-portal.harbor
This returns the HTML of the service behind port 80.
Do not use ping to test a Service: it will never answer. The sshd pod shares a subnet with the other pods and can ping them, but a Service ClusterIP is not on the pod subnet (it is a virtual address handled by kube-proxy, not a host), and sshuttle does not carry ICMP, so a ping from the local machine never reaches the cluster at all.
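The hosts mapping above is built by hand from the kubectl output; as an added example (not code from the original post), the function below turns the default table output of kubectl get svc -A into hosts lines of the form "<cluster-ip> <name>.<namespace>", skipping headless Services that have no ClusterIP. The sample table is constructed for the example and is not from a real cluster.

```shell
#!/bin/sh
# Added example, not from the original post: turn `kubectl get svc -A` output
# into /etc/hosts lines "<cluster-ip> <name>.<namespace>", i.e. the mapping the
# post adds to the local hosts file by hand. Headless Services (CLUSTER-IP
# "None") have no stable address and are skipped.

svc_to_hosts() {
    # Expects the default table output of `kubectl get svc -A` on stdin.
    # Columns: NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
    awk 'NR > 1 && $4 != "None" && $4 != "<none>" { printf "%s %s.%s\n", $4, $2, $1 }'
}

# Constructed sample output shaped like `kubectl get svc -A` (not a real cluster)
SAMPLE_SVC='NAMESPACE     NAME             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
default       kubernetes       ClusterIP   10.96.0.1        <none>        443/TCP          30d
harbor        harbor-portal    ClusterIP   10.124.112.188   <none>        80/TCP           12d
harbor        harbor-headless  ClusterIP   None             <none>        5432/TCP         12d
sshd-system   sshd             NodePort    10.97.3.14       <none>        22:32222/TCP     1d'

# Real use: review the lines, then append them to the hosts file
#   kubectl get svc -A | svc_to_hosts | sudo tee -a /etc/hosts
printf '%s\n' "$SAMPLE_SVC" | svc_to_hosts
```

The CLUSTER-IP column also shows which ranges the cluster actually uses, so you can hand those to sshuttle instead of 0.0.0.0/0 and avoid routing all of your traffic through the pod. If you prefer not to maintain a hosts file, sshuttle's --dns option forwards name lookups to the resolver inside the pod (the cluster DNS); the local machine has none of the pod's search domains, so use the full name, for example harbor-portal.harbor.svc.cluster.local.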
Reference: Access Services Running on Clusters | Kubernetes
Access services, nodes, or pods using the Proxy Verb
Only works for HTTP/HTTPS.
Some clusters may allow you to ssh to a node in the cluster (in this example we ssh into a pod instead). From there you may be able to access cluster services. This is a non-standard method, and will work on some clusters but not others. Browsers and other tools may or may not be installed. Cluster DNS may not work (in this example you maintain the local hosts file yourself).
Adding other machines to the whitelist
Copy the whitelist out of the pod
kubectl cp -n sshd-system sshd-5fffbbc7dd-bhv9g:/root/.ssh/authorized_keys authorized_keys
vi authorized_keys
Add the new public key to the whitelist
Copy the whitelist back into the container
kubectl cp -n sshd-system authorized_keys sshd-5fffbbc7dd-bhv9g:/root/.ssh/authorized_keys
Note that this file only lives in the container's writable layer: when the pod restarts, the startup script rebuilds authorized_keys with just the key embedded in the Deployment, and keys added this way are gone.
Then run on the local machine
ssh sshd
Welcome to Alpine!
The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org/>.
You can setup the system with the command: setup-alpine
You may change this message by editing /etc/motd.
pipeline:~#
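The whitelist edit above is done in vi; as an added example (not code from the original post), the function below appends a public key to the copied-out authorized_keys file only if the line is a well-formed OpenSSH public key and the key is not already present, so the file stays reviewable before it is copied back with kubectl cp. The sample key lines are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: safely append a public key to the
# authorized_keys whitelist that is copied out of the pod, rejecting malformed
# lines and duplicates (compared on key type + blob, ignoring the comment).

# is_pubkey LINE -> 0 if LINE looks like "<type> <base64 blob> [comment]"
is_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# add_authorized_key FILE KEYLINE -> 0 added, 1 rejected as malformed, 2 already present
add_authorized_key() {
    file=$1 key=$2
    is_pubkey "$key" || return 1
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    [ -f "$file" ] && awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$file" && return 2
    printf '%s\n' "$key" >> "$file"
}

# Constructed sample key lines (placeholders, not real key material)
KEY1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample0000000000000000000000000000000000 dev@laptop'
KEY2='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleOnly dev@desktop'
BAD='ssh-ed25519 AAAA_broken dev@laptop'

WL=$(mktemp)
for k in "$KEY1" "$KEY2" "$KEY1" "$BAD"; do
    rc=0; add_authorized_key "$WL" "$k" || rc=$?
    echo "rc=$rc  $k"
done
echo '--- resulting whitelist ---'
cat "$WL"
rm -f "$WL"
# Real use: add_authorized_key authorized_keys "$(cat new_key.pub)" and then
#   kubectl cp -n sshd-system authorized_keys <sshd pod>:/root/.ssh/authorized_keys
```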
Other references
Fixing "Could not find a version that satisfies the requirement <package name> (from versions: )" - CSDN blog