-
Notifications
You must be signed in to change notification settings - Fork 18
/
kubectl-ssh-jump
executable file
·394 lines (356 loc) · 10.8 KB
/
kubectl-ssh-jump
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
#!/usr/bin/env bash
# vim: sw=2:
#
# A kubectl plugin to ssh into Kubernetes nodes using a SSH jump host Pod
#
[[ -n $DEBUG ]] && set -x -e
PLUGIN_DIR="${HOME}/.kube/kubectlssh"
PLUGIN_SSH_OPTIONS_FILE="${PLUGIN_DIR}/options"
MAX_POD_CREATION_TIME=10 # unit: second
SSH_AGENT_ENV_FILE="${PLUGIN_DIR}/sshagent-env"
SSH_AGENT_PID_FILE="${PLUGIN_DIR}/sshagent-pid"
help(){
echo "Usage: "
echo " kubectl ssh-jump <dest_node> [options]"
echo ""
options
}
options(){
cat <<"EOF"
Options:
<dest_node> Destination node name or IP address
dest_node must start from the following letters:
ASCII letters 'a' through 'z' or 'A' through 'Z',
the digits '0' through '9', or hyphen ('-').
NOTE: Setting dest_node as 'jumphost' allows to
ssh into SSH jump Pod as 'root' user
-u, --user <sshuser> SSH User name
-i, --identity <identity_file> Identity key file, or PEM(Privacy Enhanced Mail)
-p, --pubkey <pub_key_file> Public key file
-P, --port <port> SSH port for target node SSH server
Defaults to 22
-a, --args <args> Args to exec in ssh session
-n, --namespace <ns> Namespace for jump pod
--context <context> Kubernetes context
--pod-template <file> Path to custom sshjump pod definition
-l, --labels <key>=<val>[,...] Find a pre-existing sshjump pod using labels
--skip-agent Skip automatically starting SSH agent and adding
SSH Identity key into the agent before SSH login
(=> You need to manage SSH agent by yourself)
--cleanup-agent Clearning up SSH agent at the end
The agent is NOT cleaned up in case that
--skip-agent option is given
--cleanup-jump Clearning up sshjump pod at the end
Defaults to skip cleaning up sshjump pod
-v, --verbose Run ssh in verbose mode (=ssh -vvv)
-h, --help Show this message
Example:
Scenario1 - You have private & public SSH key on your side
$ kubectl ssh-jump -u myuser -i ~/.ssh/id_rsa -p ~/.ssh/id_rsa.pub hostname
Scenario2 - You have .pem file but you don't have public key on your side
$ kubectl ssh-jump -u ec2-user -i ~/.ssh/mykey.pem hostname
EOF
}
read_options(){
if [[ -f "${PLUGIN_SSH_OPTIONS_FILE}" ]]; then
source ${PLUGIN_SSH_OPTIONS_FILE}
fi
}
write_options(){
local sshuser="$1"
local identity="$2"
local pubkey="$3"
local port="$4"
cat << EOF > ${PLUGIN_SSH_OPTIONS_FILE}
sshuser=${sshuser}
identity=${identity}
pubkey=${pubkey}
port=${port}
EOF
}
get_node_list(){
echo "List of destination node..."
kubectl "${k_args[@]}" get no -o custom-columns=Hostname:.metadata.name,Internal-IP:'{.status.addresses[?(@.type=="InternalIP")].address}'
echo ""
}
get_openssh_verion_number() {
ssh -V 2>&1 | awk -F'[_,]' '{print $2+0}'
}
cleanup_sshjump_pod(){
echo "Clearning up SSH Jump host (Pod)..."
kubectl "${k_args[@]}" delete pod sshjump
}
check_and_start_agent(){
local identity="$1"
is_alive="no"
if [ -f ${SSH_AGENT_PID_FILE} ]; then
SSH_AGENT_PID=$(cat ${SSH_AGENT_PID_FILE})
source ${SSH_AGENT_ENV_FILE}
if [ ${SSH_AGENT_PID} -gt 0 ] && ps -p ${SSH_AGENT_PID} > /dev/null
then
echo "ssh-agent is already running"
is_alive="yes"
fi
fi
if [ "${is_alive}" = "no" ]; then
ssh-agent > ${SSH_AGENT_ENV_FILE}
agent_pid=$(cat ${SSH_AGENT_ENV_FILE} | grep 'echo Agent pid' |sed 's/echo Agent pid //; s/;//')
echo "Started ssh-agent: pid=${agent_pid}"
echo ${agent_pid} > ${SSH_AGENT_PID_FILE}
source ${SSH_AGENT_ENV_FILE}
ssh-add ${identity}
fi
}
cleanup_agent(){
echo "Killing ssh-agent..."
ssh-agent -k
if [ -f ${SSH_AGENT_PID_FILE} ]; then
rm ${SSH_AGENT_PID_FILE}
fi
if [ -f ${SSH_AGENT_ENV_FILE} ]; then
rm ${SSH_AGENT_ENV_FILE}
fi
}
create_jump_pod(){
local pod_template
if [[ -n "${jump_pod_template:-}" && -e "${jump_pod_template}" ]]; then
pod_template=$(<"${jump_pod_template}")
fi
if [[ -z "${pod_template}" ]]; then
pod_template=$(cat <<EOF
apiVersion: v1
kind: Pod
metadata:
name: sshjump
labels:
env: test
spec:
containers:
- name: sshjump
image: corbinu/ssh-server
ports:
- containerPort: 22
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
EOF
)
fi
echo "Creating SSH jump host (Pod)..."
echo "${pod_template}" | kubectl "${k_args[@]}" apply -f -
}
run_ssh_node(){
local destnode="$1"
local sshuser="$2"
local identity="$3"
local pubkey="$4"
local port="$5"
local sshargs="$6"
local pod_labels="$7"
local pod_name
if [[ -n "${pod_labels}" ]]; then
pods=($(kubectl "${k_args[@]}" get pods -l "${pod_labels}" -o custom-columns=:metadata.name --no-headers 2>/dev/null))
if [[ "${#pods[@]}" -eq 0 ]]; then
echo "Error: failed to find pods with labels ${pod_labels}" >&2
exit 1
fi
pod_name="${pods[0]}"
echo "Using SSH jump pod ${pod_name}..."
else
pod_name=sshjump
# Install an SSH Server if not yet installed
if ! kubectl "${k_args[@]}" get pod "${pod_name}" &>/dev/null; then
create_jump_pod
# Wait until sshjump gets ready
c=1
while [[ ${c} -le ${MAX_POD_CREATION_TIME} ]];
do
pod_status=$(kubectl "${k_args[@]}" get pod "${pod_name}" -o jsonpath='{.status.phase}')
if [[ "${pod_status}" == "Running" ]]; then
break
fi
(( c++ ))
sleep 1
done
fi
fi
local identity_sshjump=${identity}
local pubkey_sshjump=${pubkey}
if [ ! -f "${pubkey_sshjump}" ]; then
# Generate temp private/public key to ssh to the sshjump if the pubkey isn't given
identity_sshjump=${PLUGIN_DIR}/id_rsa_sshjump
pubkey_sshjump=${PLUGIN_DIR}/id_rsa_sshjump.pub
if [ ! -f "${pubkey_sshjump}" ]; then
echo "Generating nopass SSH pri/pub key to ssh to the sshjump ..."
ssh-keygen -t rsa -f ${identity_sshjump} -N '' > /dev/null
fi
fi
# Setup portforward
kubectl "${k_args[@]}" port-forward "${pod_name}" 2222:22 2>/dev/null &
pid_port_forward=$!
# Wait a bit for the port forwarding to get ready for connection handling for 2222
sleep 2
# Inject public SSH key to sshjump
cat ${pubkey_sshjump} | \
kubectl "${k_args[@]}" exec -i "${pod_name}" -- /bin/bash -c "cat > /root/.ssh/authorized_keys"
# Add default ssh option
sshargs="${sshargs} -o StrictHostKeyChecking=no"
# Add RSA workaround options if the local OpenSSH version >= 8.5
sshversion=$(get_openssh_verion_number)
if [ $(echo "${sshversion} >= 8.5" | bc) -eq 1 ]; then
sshargs="${sshargs} -o HostkeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa"
fi
if [ "${destnode}" = "sshjump" ]; then
ssh ${sshuser}@127.0.0.1 -p 2222 -i ${identity_sshjump} ${sshargs}
else
# Using the SSH Server as a jumphost (via port-forward proxy), ssh into the desired Node
ssh -i ${identity} -p ${port} ${sshuser}@${destnode} \
-o "ProxyCommand ssh [email protected] -p 2222 -i ${identity_sshjump} ${sshargs} \"nc %h %p\"" ${sshargs}
fi
# Stop port-forward
kill -3 ${pid_port_forward} 2>/dev/null
}
plugin_main() {
skip_agent=no
cleanup_jump=no
cleanup_agent=no
pod_labels=
sshargs=""
k_args=()
while [ $# -gt 0 ] ; do
nSkip=1
case $1 in
"-h" | "--help")
help
exit 0
;;
"-v" | "--verbose" )
sshargs="${sshargs} -vvv"
;;
"--cleanup-jump")
cleanup_jump=yes
;;
"--cleanup-agent")
cleanup_agent=yes
;;
"--skip-agent")
skip_agent=yes
;;
"-u" | "--user" )
c_sshuser=$2
nSkip=2
;;
"-i" | "--identity" )
c_identity=$2
nSkip=2
;;
"-p" | "--pubkey" )
c_pubkey=$2
nSkip=2
;;
"-P" | "--port")
c_port=$2
nSkip=2
;;
"-a" | "--args" )
sshargs="${sshargs} $2"
nSkip=2
;;
"-n" | "--namespace" | "--context")
k_args+=("$1" "$2")
nSkip=2
;;
"--pod-template")
jump_pod_template="$2"
nSkip=2
;;
"-l" | "--labels")
pod_labels="$2"
nSkip=2
;;
[0-9a-zA-Z-]*)
destnode=$1
;;
*)
help >&2
exit 1
;;
esac
shift $nSkip
done
if [[ "$(type kubectl &>/dev/null; echo $?)" -eq 1 ]]; then
echo "Error: missing kubectl command" >&2
echo "Please install kubectl (https://kubernetes.io/docs/tasks/tools/install-kubectl/)" >&2
exit 1
fi
if [ ! -n "${destnode}" ]; then
help >&2
echo ""
get_node_list
exit 1
fi
if [ "${destnode}" = "sshjump" ]; then
echo "Setting destination name as 'jumphost' allows to ssh into SSH jump Pod as 'root' user"
c_sshuser=root
fi
if [ ! -d ${PLUGIN_DIR} ]; then
mkdir -p ${PLUGIN_DIR}
fi
read_options
if [ ! -n "${c_sshuser}" ]; then
if [ ! -n "${sshuser}" ]; then
c_sshuser="${USER}" # default: Current executing user
fi
echo "using: sshuser=${sshuser}"
c_sshuser="${sshuser}"
fi
if [ ! -f "${c_identity}" ]; then
if [ ! -f "${identity}" ]; then
echo "Error: identity file is required" >&2
help >&2
exit 1
fi
echo "using: identity=${identity}"
c_identity="${identity}"
fi
if [ ! -f "${c_pubkey}" ]; then
# From v0.4.0 pubkey file is optional to support PEM scenario
# where you don't have public key on your side
#if [ ! -n "${pubkey}" ]; then
# help >&2
# exit 1
#fi
if [ -f "${pubkey}" ]; then
echo "using: pubkey=${pubkey}"
c_pubkey="${pubkey}"
fi
fi
if [ ! -n "${c_port}" ]; then
if [ ! -n "${port}" ]; then
port="22" # default: 22
fi
echo "using: port=${port}"
c_port="${port}"
fi
if [ "${sshargs}" != "" ]; then
echo "using: args=${sshargs}"
fi
if [ "${jump_pod_template}" != "" ]; then
echo "using: pod-template=${jump_pod_template}"
fi
# Caching current ssh options
write_options "${c_sshuser}" "${c_identity}" "${c_pubkey}" "${c_port}"
if [ "${skip_agent}" = "no" ]; then
check_and_start_agent ${c_identity}
fi
# SSH Logging into desitnation node via Jump host
run_ssh_node "${destnode}" "${c_sshuser}" "${c_identity}" "${c_pubkey}" "${c_port}" "${sshargs}" "${pod_labels}"
# Cleaning up resources if needed
if [[ "${cleanup_jump}" == "yes" && -z "${pod_labels}" ]]; then
cleanup_sshjump_pod
fi
if [[ "${skip_agent}" = "no" && "${cleanup_agent}" = "yes" ]]; then
cleanup_agent
fi
}
plugin_main "$@"