Proxy & Tunneling for OpenShift

Tom Lous
2 min readJan 6, 2022

--

As a data engineer I often have to do stuff with kubernetes.
Sometimes I’m lucky and get a client that uses some cloud hosted solution, but often they’ll have some mega kubernetes cluster running on something that is only accessible via some bastion host via a vpn connection.
Which is secure and good of course, but also gives me a lot of headaches to access the cluster from my local machine.

The hard part of ssh is 99% of the time remembering how to do it again, since I don’t create tunnels / proxies on a daily basis.

So this article is more for me then anyone in particular, but maybe it helps someone, which will increase the effectiveness :-)

The setup

[ Developer ] → [ Bastion ] → [ Open Shift Cluster ]

The Developer (me) on their macbook wants to connect to the Open Shift Cluster. Using fancy oc commands and such. Unfortunately there is this bastion in the way.

First we’ll define access to this bastion in some ssh config

Host client-bastion
Hostname vpn-restricted.internal.domain.com
User linux_user_on_bastion
IdentityFile ~/.ssh/id_rsa

Problem

Normally you can create ssh config that jumps via that bastion to the specified server like so (with some more config)

Host client-openshift
Hostname api-access.for.openshift.cluster.com
ProxyJump client-bastion:22

But the oc command doesn’t look at ssh config when connecting to the API unfortunately.

Tunnel

So we need to setup a tunnel to the openshift api. The downside is that this tunnel is always on and hard so manage using standard ssh.
A cool trick is to add a ControlPath to the bastion, making tunnels easier to manage

Host client-bastion
Hostname vpn-restricted.internal.domain.com
User linux_user_on_bastion
IdentityFile ~/.ssh/id_rsa
ControlPath ~/.ssh/control/client-bastion.ctl

(make sure the directory exists :-)

Now we can create a tunnel

ssh -fNTML 6443:api-access.for.openshift.cluster.com:6443 client-bastion

-fRun in the background before command execution.
-NDon’t execute any commands
-TDisable pseudo-tty allocation.
-MPut control socket in master mode
-LDo the port forwarding (listening)

Manage

Now we can actually manage this connection more easily

ssh -TO check client-bastion to check the tunnel status

and ssh -TO exit client-bastion to close the tunnel

Make life even easier to create some aliases in your .bashrc / .zshrc

alias ocproxy-up='ssh -fNTML 6443:api-access.for.openshift.cluster.coml:6443 client-bastion'
alias ocproxy-status='ssh -TO check client-bastion'
alias ocproxy-down='ssh -TO exit client-bastion'

Finally

Now you can just

ocproxy-up

Login into openshift (don’t add the --server , oc connects to your localhost:6443 now)

oc login --token=sha256~....

and do some open shift commands

Don’t forget to close the tunnel

ocproxy-down

--

--

Tom Lous
Tom Lous

Written by Tom Lous

Freelance Data & ML Engineer | husband + father of 2 | #Spark #Scala #ZIO#BigData #ML #Kafka #Airflow #Kubernetes | Shodan Aikido

No responses yet