Provide default SSH access to machines #416
Conversation
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: akutz
Why is this needed? Accessing a machine via SSH would be an anti-pattern in most cases?
Hi @moshloop, I disagree that this is anti-pattern. The CAPA provider uses AWS's native ability to inject SSH keys into machines to do the same. This is to enhance CAPV to support a default key pair for remote access. In another location you asked how this differs from
In other words,
Hi @frapposelli / @ncdc, I'd love your opinions on this. Thanks!
Unless I am mistaken, CAPA specifies the SSH key name for AWS to inject; however, that key refers to a public key only, and the private key needs to be saved externally to AWS.
Hi @moshloop, that's correct, but the point is that it guarantees there's always SSH access if desired. This change doesn't inject a private key. It just generates a key pair to ensure there's always SSH access, even if someone neglected to add something to
I'm torn on this one. SSH access may be nice, and if you forget to set the authorized keys, this is a nice fallback. On the other hand, we want to be moving away from storing secret data in resources other than How would you feel about generating a I'm also curious about @detiber's take since he predates me on the project.
Hi @ncdc, I totally agree. I even brought this up in another conversation. The issue that I raised there is that
Again, I'd love to do this. I wouldn't even use a ref, just a well-known name (much like the kubeconfig secret). The issue is how that gets injected pre-pivot as well as how it is transferred as part of the pivot.
Looks good to me, a nit below.
This patch introduces a new field to the ClusterProviderSpec: "SSHKeyPair". This field will automatically be populated with a public and private key that may be used to access machines deployed to the cluster.
@randomvariable do you have any comments on this from a CIS perspective?
The CIS benchmark for Kubernetes doesn't have anything to say on SSH access, as it's not related to Kubernetes itself. FWIW, if we haven't already for CAPA, we were definitely going to make SSH access optional in case people wanted to use other things like SSH certificates, LDAP or AWS SSM Session Manager.
Should the generation of the key pair (if not provided) be delegated to
@akutz: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@akutz: PR needs rebase.
/close
@akutz: Closed this PR.
Which issue(s) this PR fixes: Fixes #413
Special notes for your reviewer:
Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
Release note:
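To make the review discussion concrete, here is an added example (not code from this PR or from the CAPV project) of what "generate a key pair and keep it in a well-known Secret rather than in the ClusterProviderSpec" looks like in Go, using only the standard library. It produces the public half in OpenSSH authorized_keys format and the private half as PKCS#8 PEM; the function name and the two Secret data keys (`ssh-publickey`, `ssh-privatekey`) are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
)

// sshString encodes bytes as an SSH wire-format "string" (RFC 4251):
// a big-endian uint32 length followed by the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// AuthorizedKeyLine renders an Ed25519 public key as the one-line
// authorized_keys entry ("ssh-ed25519 <base64 blob>") that a node's
// bootstrap can append to ~/.ssh/authorized_keys.
func AuthorizedKeyLine(pub ed25519.PublicKey) string {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob)
}

// GenerateSSHKeyPairSecret creates a fresh Ed25519 key pair and returns the
// data map for a Secret: public half in authorized_keys form, private half
// as PKCS#8 PEM. Only the public line ever needs to reach the machine spec;
// the private key lives solely in the Secret. The two data keys are assumed
// names for this example, not taken from the project.
func GenerateSSHKeyPairSecret() (map[string][]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	return map[string][]byte{
		"ssh-publickey":  []byte(AuthorizedKeyLine(pub) + "\n"),
		"ssh-privatekey": pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}),
	}, nil
}
```

The controller would write this map into a Secret with a well-known name in the cluster's namespace and reference only the public line from the machine bootstrap data.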