As a data engineer I often have to do stuff with kubernetes.
Sometimes I’m lucky and get a client that uses some cloud hosted solution, but often they’ll have some mega kubernetes cluster running on something that is only accessible via some bastion host via a vpn connection.
Which is secure and good of course, but also gives me a lot of headaches to access the cluster from my local machine.
The hard part of ssh is 99% of the time remembering how to do it again, since I don’t create tunnels / proxies on a daily basis.
So this article is more for me than anyone in particular, but maybe it helps someone, which will increase the effectiveness :-)
The setup
[ Developer ] → [ Bastion ] → [ Open Shift Cluster ]
The Developer (me) on their macbook wants to connect to the Open Shift Cluster, using fancy oc commands and such. Unfortunately there is this bastion in the way.
First we'll define access to this bastion in some ssh config (~/.ssh/config):
Host client-bastion
    Hostname vpn-restricted.internal.domain.com
    User linux_user_on_bastion
    IdentityFile ~/.ssh/id_rsa
Problem
Normally you can create an ssh config entry that jumps via that bastion to the specified server like so (with some more config):
Host client-openshift
    Hostname api-access.for.openshift.cluster.com
    ProxyJump client-bastion:22
But the oc command doesn't look at ssh config when connecting to the API, unfortunately.
Tunnel
So we need to set up a tunnel to the openshift api. The downside is that this tunnel is always on and hard to manage using standard ssh.
A cool trick is to add a ControlPath to the bastion entry, making tunnels easier to manage:
Host client-bastion
    Hostname vpn-restricted.internal.domain.com
    User linux_user_on_bastion
    IdentityFile ~/.ssh/id_rsa
    ControlPath ~/.ssh/control/client-bastion.ctl
(make sure the directory exists, and keep it owner-only with chmod 700: anyone who can reach that control socket gets to reuse your authenticated session :-)
Now we can create a tunnel:
ssh -fNTML 6443:api-access.for.openshift.cluster.com:6443 client-bastion
-f  Run in the background before command execution.
-N  Don't execute any commands.
-T  Disable pseudo-tty allocation.
-M  Put the control socket in master mode.
-L  Do the port forwarding (listening on local port 6443).
Manage
Now we can actually manage this connection more easily:
ssh -TO check client-bastion
to check the tunnel status, and
ssh -TO exit client-bastion
to close the tunnel.
Make life even easier by creating some aliases in your .bashrc / .zshrc:
alias ocproxy-up='ssh -fNTML 6443:api-access.for.openshift.cluster.com:6443 client-bastion'
alias ocproxy-status='ssh -TO check client-bastion'
alias ocproxy-down='ssh -TO exit client-bastion'
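The same three aliases as shell functions you can source from .bashrc / .zshrc, added here as an example and not the post's own code: it also creates the control directory owner-only before the first tunnel and waits for the forwarded port to actually accept connections before you reach for oc. The function and variable names are my own, it assumes the client-bastion Host entry with ControlPath from above, and it uses nc for the port check.

```shell
#!/bin/sh
# ocproxy helpers (added example). Overridable via environment; names are hypothetical.
SSH_CONTROL_DIR="${SSH_CONTROL_DIR:-$HOME/.ssh/control}"
OC_API_HOST="${OC_API_HOST:-api-access.for.openshift.cluster.com}"
BASTION="${BASTION:-client-bastion}"
LOCAL_PORT="${LOCAL_PORT:-6443}"

# The master socket carries an already-authenticated ssh session, so anyone who
# can reach it can reuse it: create the directory with owner-only permissions.
ocproxy_control_dir() {
    mkdir -p "$SSH_CONTROL_DIR" && chmod 0700 "$SSH_CONTROL_DIR"
}

# Socket path, matching the ControlPath line in the ssh config from the post.
ocproxy_socket() {
    printf '%s/%s.ctl\n' "$SSH_CONTROL_DIR" "$BASTION"
}

ocproxy_up() {
    ocproxy_control_dir || return 1
    # -f background, -N no remote command, -T no tty, -M master socket, -L forward
    ssh -fNTM -L "${LOCAL_PORT}:${OC_API_HOST}:6443" "$BASTION" || return 1
    # ssh -f returns before the listener is necessarily usable; poll it (max ~20s)
    i=0
    until nc -z 127.0.0.1 "$LOCAL_PORT" 2>/dev/null; do
        i=$((i + 1))
        if [ "$i" -ge 20 ]; then
            echo "tunnel on port $LOCAL_PORT did not come up" >&2
            return 1
        fi
        sleep 1
    done
}

# Ask the master (via the control socket) whether the tunnel is alive.
ocproxy_status() {
    ssh -TO check "$BASTION"
}

# Tell the master to tear down the tunnel and remove its socket.
ocproxy_down() {
    ssh -TO exit "$BASTION"
}
```

Source the file and call ocproxy_up, ocproxy_status and ocproxy_down in place of the aliases.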
Finally
Now you can just
ocproxy-up
then log in to openshift (don't add the --server flag, oc connects to your localhost:6443 now):
oc login --token=sha256~....
and do some open shift commands.
Don't forget to close the tunnel:
ocproxy-down