kubernetes

kubernetes plugin for sshpiperd

The kubernetes plugin for sshpiperd provides native kubernetes CRD integretion and allow you manage sshpiper by kubectl get pipes and kubectl apply -f pipe.yaml

this plugin is inpsired by the first version kubernetes plugin for v0 sshpier by pockost

Usage

Start plugin with flag --all-namespaces or environment variable SSHPIPERD_KUBERNETES_ALL_NAMESPACES=true for cluster-wide usage, or it will listen to the namespace where it is in by default.

Start plugin with flag --kubeconfig or environment variable SSHPIPERD_KUBERNETES_KUBECONFIG=/path/to/kubeconfig to specify the kubeconfig file.

Helm

helm repo add sshpiper https://tg123.github.io/sshpiper-chart/

helm install my-sshpiper sshpiper/sshpiper --version 0.1.1

Manually

Apply CRD definition

kubectl apply -f https://raw.githubusercontent.com/tg123/sshpiper/master/plugin/kubernetes/crd.yaml

most parameters are the same as in yaml

A full sample can be found here

Create Service

# sshpiper service
---
apiVersion: v1
kind: Service
metadata:
  name: sshpiper
spec:
  selector:
    app: sshpiper
  ports:
    - protocol: TCP
      port: 2222
---
apiVersion: v1
data:
  server_key: |
    <replace with you server key>
kind: Secret
metadata:
  name: sshpiper-server-key
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sshpiper-deployment
  labels:
    app: sshpiper
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sshpiper
  template:
    metadata:
      labels:
        app: sshpiper
    spec:
      serviceAccountName: sshpiper-account
      containers:
      - name: sshpiper
        image: farmer1992/sshpiperd:latest
        ports:
        - containerPort: 2222
        env:
        - name: PLUGIN
          value: "kubernetes"
        - name: SSHPIPERD_SERVER_KEY
          value: "/serverkey/ssh_host_ed25519_key"
        - name: SSHPIPERD_LOG_LEVEL
          value: "trace"
        volumeMounts:
        - name: sshpiper-server-key
          mountPath: "/serverkey/"
          readOnly: true          
      volumes:
      - name: sshpiper-server-key
        secret:
          secretName: sshpiper-server-key
          items:
          - key: server_key
            path: ssh_host_ed25519_key
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sshpiper-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: ["sshpiper.com"]
  resources: ["pipes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-sshpiper
subjects:
- kind: ServiceAccount
  name: sshpiper-account
roleRef:
  kind: Role
  name: sshpiper-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sshpiper-account

Create Pipes

Create Password Pipe

apiVersion: sshpiper.com/v1beta1
kind: Pipe
metadata:
  name: pipe-password
spec:
  from:
  - username: "password_simple"
  to:
    host: host-password:2222
    username: "user"
    ignore_hostkey: true

ssh password_simple@piper_ip will pipe to user@host-password

Create Public Key Pipe

ssh piper_ip -i <key in authorized_keys_data> will pipe to user@host-publickey and login with secret host-publickey-key

apiVersion: v1
data:
  ssh-privatekey: |
    <base64 encoded private key>
kind: Secret
metadata:
  name: host-publickey-key
type: kubernetes.io/ssh-auth
---
apiVersion: sshpiper.com/v1beta1
kind: Pipe
metadata:
  name: pipe-publickey
spec:
  from:
  - username: ".*" # catch all    
    username_regex_match: true
    authorized_keys_data: "base64_authorized_keys_data"
  to:
    host: host-publickey:2222
    username: "user"
    private_key_secret:
      name: host-publickey-key
    ignore_hostkey: true