As a data engineer I often have to do stuff with Kubernetes.
Sometimes I’m lucky and get a client that uses some cloud hosted solution, but often they’ll have some mega Kubernetes cluster running on something that is only accessible via some bastion host via a VPN connection.
Which is secure and good of course, but also gives me a lot of headaches to access the cluster from my local machine.
The hard part of ssh is 99% of the time remembering how to do it again, since I don’t create tunnels / proxies on a daily basis.
So this article is more for me than anyone in particular, but maybe it helps someone, which will increase the effectiveness :-)
[ Developer ] → [ Bastion ] → [ OpenShift Cluster ]
The Developer (me) on their MacBook wants to connect to the OpenShift cluster, using fancy oc commands and such. Unfortunately there is this bastion in the way.
First we’ll define access to this bastion in some ssh config
Normally you can create ssh config that jumps via that bastion to the specified server like so (with some more config)
Unfortunately, the oc command doesn’t look at the ssh config when connecting to the API.
So we need to set up a tunnel to the OpenShift API. The downside is that this tunnel is always on and hard to manage using standard ssh.
A cool trick is to add a ControlPath to the bastion, making tunnels easier to manage (make sure the directory exists :-)
Now we can create a tunnel
ssh -fNTML 6443:api-access.for.openshift.cluster.com:6443 client-bastion
-f  Run in the background before command execution.
-N  Don’t execute any commands.
-T  Disable pseudo-tty allocation.
-M  Put control socket in master mode.
-L  Do the port forwarding (listening).
Now we can actually manage this connection more easily:
ssh -TO check client-bastion   # check the tunnel status
ssh -TO exit client-bastion    # close the tunnel
Make life even easier by creating some aliases in your
alias ocproxy-up='ssh -fNTML 6443:api-access.for.openshift.cluster.com:6443 client-bastion'
alias ocproxy-status='ssh -TO check client-bastion'
alias ocproxy-down='ssh -TO exit client-bastion'
Now you can just
Log in to OpenShift (don’t add the --server, oc connects to your localhost:6443 now)
oc login --token=sha256~....
and do some OpenShift commands
Don’t forget to close the tunnel
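The three aliases above, rewritten as one shell function (an added example, not code from the original article). It assumes a control socket under ~/.ssh/ocproxy, a directory name made up here, and passes it with -S so that the directory is created owner-only, the forward listens on 127.0.0.1 only, and ssh exits if the port cannot be forwarded.

```shell
# client-bastion, the API host and port 6443 are the article's values;
# OCPROXY_DIR and the variable names are assumptions of this example.
OCPROXY_BASTION=${OCPROXY_BASTION:-client-bastion}
OCPROXY_API=${OCPROXY_API:-api-access.for.openshift.cluster.com}
OCPROXY_PORT=${OCPROXY_PORT:-6443}
OCPROXY_DIR=${OCPROXY_DIR:-$HOME/.ssh/ocproxy}

# Create the socket directory so only the current user can reach the socket:
# anyone who can open it can reuse the authenticated bastion session.
ocproxy_prepare_dir() {
    if [ -L "$OCPROXY_DIR" ]; then
        echo "ocproxy: $OCPROXY_DIR is a symlink, refusing" >&2; return 1
    fi
    (umask 077 && mkdir -p "$OCPROXY_DIR") || return 1
    if [ ! -O "$OCPROXY_DIR" ]; then
        echo "ocproxy: $OCPROXY_DIR is not owned by you" >&2; return 1
    fi
    chmod 700 "$OCPROXY_DIR"
}

ocproxy() {
    sock="$OCPROXY_DIR/$OCPROXY_BASTION.sock"
    case "$1" in
    up)
        ocproxy_prepare_dir || return 1
        # Already running? Then do nothing instead of failing on a busy port.
        ssh -S "$sock" -O check "$OCPROXY_BASTION" 2>/dev/null && return 0
        # Bind to loopback only and fail loudly if the forward cannot be set up.
        ssh -fNTM -S "$sock" -o ExitOnForwardFailure=yes \
            -L "127.0.0.1:$OCPROXY_PORT:$OCPROXY_API:$OCPROXY_PORT" "$OCPROXY_BASTION"
        ;;
    status) ssh -S "$sock" -O check "$OCPROXY_BASTION" ;;
    down)   ssh -S "$sock" -O exit "$OCPROXY_BASTION" ;;
    *)      echo "usage: ocproxy up|status|down" >&2; return 2 ;;
    esac
}
```

Source it from your shell startup file and run `ocproxy up`, `ocproxy status` and `ocproxy down` in place of the aliases.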