SSH is a UNIX-based protocol used to access remote machines or virtual machines (VMs).

By definition, a Pod is similar to a VM in that it allows its containers to behave as if they were running on an isolated VM. If you are inside the cluster, the easiest way is to use the kubectl exec command.

But is it possible to connect to a K8s Pod via SSH from outside the cluster?

How to reliably access a K8s Pod?

By definition, a Pod is ephemeral, and a Service is a stable abstraction over a group of Pods. Therefore, a K8s Pod can be accessed reliably through a Service.

What is the appropriate service type to access pods from outside the Kubernetes cluster?

ClusterIP, NodePort and LoadBalancer are the three possible Service types.

However, a ClusterIP Service can never be reached from outside the cluster, so it is not an option.

A NodePort Service provides a cluster-wide port that can be reached through the cluster nodes. But since nodes are also short-lived in nature, NodePort is not a stable way to access a Pod.

The LoadBalancer Service is the only Service type suitable for accessing a Pod from outside the Kubernetes cluster, because it provides an external IP address that can be bound to a public load balancer, such as Google's HTTPS load balancer.

The following is a fragment of a LoadBalancer Service that opens the SSH port for communication.

# Fragment: apiVersion, kind and metadata.name are omitted
metadata:
  namespace: default
  labels:
    app: my-example
spec:
  type: LoadBalancer
  ports:
  # If there are multiple ports, each entry needs a name (and a protocol where needed)
  - port: 8080
    targetPort: 8080
    name: http
  - port: 22
    targetPort: 22
    name: ssh
    protocol: TCP
  selector:
    app: my-example

How to enable a Pod as an SSH server?

In order to connect to the Pod via SSH, the Pod must run an SSH server. This can be provided by installing OpenSSH Server as part of the Docker image used by the Pod.

The following commands should be included in the Dockerfile associated with the container bound to the Pod.
Because they are part of the image, openssh-server is installed and SSH is configured with the default user every time the Pod is recreated, so the Pod stays functional even though it is short-lived.

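# Install the OpenSSH server
apt-get update
apt-get -y install openssh-server
# Create the login user and set its password (passwd prompts interactively)
useradd testuser
passwd testuser
# (Re)start the SSH daemon
service ssh restart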

How do we connect to a K8s Pod via SSH from outside the Kubernetes cluster?

Since the Pod can be reached through a Service, and a LoadBalancer Service is exposed through a public load balancer, users can connect to the K8s Pod via SSH from outside the Kubernetes cluster by executing the following classic ssh command, where {ip} is the external IP address of the Service.

ssh testuser@{ip}

Alternative method — SSH keys instead of user credentials

If you need to use an SSH key as the authentication mechanism, you can mount the client's public SSH key into the Pod as a Secret.

This makes the client's public key available as an authorized key in the Pod, and the client can then connect by authenticating against that authorized key with its private key.
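
As an added illustration of the key-based approach above (not part of the original article), the manifest below stores the client's public key in a Secret and mounts it as testuser's authorized_keys file. The Secret name, Deployment name, image reference and key value are placeholders, and it assumes testuser's home directory is /home/testuser and that the image starts sshd.

```yaml
# Added example: names, image and key value are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: ssh-authorized-keys          # hypothetical name
  namespace: default
type: Opaque
stringData:
  # Only the client's PUBLIC key goes here; the private key stays on the client.
  authorized_keys: |
    ssh-ed25519 <client-public-key-base64> client@example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-example                   # hypothetical name
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-example
  template:
    metadata:
      labels:
        app: my-example              # matches the selector of the Service fragment
    spec:
      containers:
      - name: sshd
        # Placeholder image: assumed to contain openssh-server and testuser
        image: registry.example/my-example:latest
        ports:
        - containerPort: 22
        volumeMounts:
        - name: authorized-keys
          mountPath: /home/testuser/.ssh/authorized_keys
          subPath: authorized_keys   # mount the single file, not a whole directory
          readOnly: true
      volumes:
      - name: authorized-keys
        secret:
          secretName: ssh-authorized-keys
          # sshd reads this file as testuser, so it must be readable by that user
          defaultMode: 0444
```

A file mounted with subPath is not refreshed when the Secret changes, so replacing the key requires restarting the Pod.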
