Create an SSH jumpserver inside a k8s cluster
The task
I need to access RDS instances inside a private VPC.
Limitations
- no ports should be exposed to the world.
The basic concepts
AWS SSM could be an option, but I don't want an extra instance to manage (and pay for) just for this. If the solution lives inside a Kubernetes cluster it becomes cloud agnostic and can be reused on any provider (I currently have the same need on Google Cloud).
The solution
# A dedicated namespace so the jumpserver can be scoped (RBAC, NetworkPolicy)
# independently of the workloads it reaches.
resource "kubernetes_namespace" "jumpserver" {
  metadata {
    name = "jumpserver"
  }
}

# A single-replica StatefulSet gives the pod a stable name (jumpserver-0).
# No Service or Ingress is created: nothing in this config is reachable
# from outside the cluster network.
resource "kubernetes_stateful_set" "jumpserver" {
  metadata {
    name      = "jumpserver"
    namespace = "jumpserver"
  }
  spec {
    replicas = 1
    selector {
      match_labels = {
        app = "jumpserver"
      }
    }
    template {
      metadata {
        labels = {
          app = "jumpserver"
        }
      }
      spec {
        # authorized_keys from the ConfigMap is projected into the pod as /keys/keys
        volume {
          name = "jumpserver-authorized-keys"
          config_map {
            name = "jumpserver-configs"
            items {
              key  = "authorized_keys"
              path = "keys"
            }
          }
        }
        container {
          name = "jumpserver"
          # Pin a version tag or digest in production instead of :latest, so the
          # image you reviewed is the one that actually runs.
          image = "linuxserver/openssh-server:latest"
          env {
            name  = "USER_NAME"
            value = "jumper"
          }
          env {
            name  = "PUBLIC_KEY_FILE"
            value = "/keys/keys"
          }
          # The stock image disables TCP forwarding; this mod enables it so that
          # ssh -L can reach RDS through the pod. It also means any key holder can
          # reach anything the pod's network allows, so restrict egress with a
          # NetworkPolicy if the cluster needs that.
          env {
            name  = "DOCKER_MODS"
            value = "linuxserver/mods:openssh-server-ssh-tunnel"
          }
          volume_mount {
            name       = "jumpserver-authorized-keys"
            mount_path = "/keys"
          }
        }
      }
    }
    # StatefulSet requires service_name; no matching Service is created here,
    # on purpose, so no port is ever published.
    service_name = "jumpserver"
  }
  depends_on = [
    kubernetes_namespace.jumpserver,
    kubernetes_config_map.jumpserver_configs
  ]
}

# One public key per line; replace the sample key with your own.
resource "kubernetes_config_map" "jumpserver_configs" {
  metadata {
    name      = "jumpserver-configs"
    namespace = "jumpserver"
  }
  data = {
    "authorized_keys" = <<-EOT
      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQYXVrW9iS643IroLKcNUjHsJYhD/ERfiZSugryhPA1 tc@everywhere
    EOT
  }
  depends_on = [
    kubernetes_namespace.jumpserver,
  ]
}
Done!
Relax and grab a coffee…
Photo credit: PHOTOGRAPHY Toporowski on VisualHunt