Kops: Add support for multiple ssh keys
It would be a great addition to be able to create more than one public key that works on the nodes brought up by kops. The current setup is to have a secret with the admin ssh key, it would be great to be able to add new sshpublickey secrets with a different name as and have kops add them to the authorized_keys during node installation.
eg: Create a new keykops create secret --name <clustername> sshpublickey <username>, and add it by using the EC2 userdata scripts, while keeping the admin key as the "official" key in the AWS console.
bcorijn
All 34 comments
@bcorijn This is great feature indeed.
edbergavera
on 12 Apr 2017
I am currently exploring kubernetes and have set up a deployment on azure container service.
One thing i am trying to figure out is how to add another SSH public key so a colleague can administer it as well as me (it automatically added mine during setup).
Can i assume from this issue that it is not possible to do this yet?
GuyHarwood
on 28 Apr 2017
Any workaround for this?
bhack
on 8 Aug 2017
bhack, there is no workaround for this as of this time. This is because the
way AWS works that it is tied to 1 ssh key. The only solution is to rotate
the keys using kops secret command. This will replace the old instances
with newer ones with the new ssh key.
On Tue, Aug 8, 2017 at 8:54 AM, bhack notifications@github.com wrote:
Any workaround for this?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/kubernetes/kops/issues/2348#issuecomment-320819835,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABhWefNvtzwtoVyW973H2cAn-4QTrEqkks5sV7HcgaJpZM4M7GLx
.
--
Eduardo D. Bergavera, Jr.
Linux Admin
Email: [email protected]
OpenID: https://launchpad.net/~edbergavera
Github: https://github.com/edbergavera
edbergavera
on 8 Aug 2017
Why? Is it not simply adding the ssh key to the authorized key file on the node?
bhack
on 8 Aug 2017
That will work but you have to manually do this everytime you add a new
node or if rolling update replaces existing nodes with new ones.
On Tue, 8 Aug 2017 at 9:46 AM bhack notifications@github.com wrote:
Why? Is it not simply adding the ssh key to the authorized key file on the
node?—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/kubernetes/kops/issues/2348#issuecomment-320826668,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABhWeY-UkP4ZPsI8Lk-cuGkMmnw8ef39ks5sV73ggaJpZM4M7GLx
.>
Eduardo D. Bergavera, Jr.
Linux Admin
Email: [email protected]
OpenID: https://launchpad.net/~edbergavera
Github: https://github.com/edbergavera
edbergavera
on 8 Aug 2017
Can an hook overwrite the authorized key file?
bhack
on 8 Aug 2017
I haven't taken a look at this but looks promising though.
On Tue, Aug 8, 2017 at 12:17 PM, bhack notifications@github.com wrote:
Can an hook overwrite the authorized key file?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/kubernetes/kops/issues/2348#issuecomment-320845695,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABhWeXptDcwWOSTngz46qIAcMpQM1eCHks5sV-FngaJpZM4M7GLx
.
--
Eduardo D. Bergavera, Jr.
Linux Admin
Email: [email protected]
OpenID: https://launchpad.net/~edbergavera
Github: https://github.com/edbergavera
edbergavera
on 8 Aug 2017
Yes but another obstacle is behind the corner https://github.com/kubernetes/kops/issues/2690
bhack
on 8 Aug 2017
@bhack a (dirty) workaround that might work for you:
Since kops spawns Kubernetes clusters, you could use a DaemonSet to update you /home/defaultuser/.authorized_keys... since DaemonSets run on all nodes, it automates the process of putting you Team members' public SSH keys on your Kubernetes nodes.
I understand it might not be convenient to have this DaemonSet running all the time, but if you don't mind getting really hacky, you can also run your script as an initContainer for another DaemonSet you're already deploying (node-problem-detector for instance). This way, it won't stay up until its job is done...
elafarge
on 28 Aug 2017
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Prevent issues from auto-closing with an /lifecycle frozen comment.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale
fejta-bot
on 3 Jan 2018
Still interested in this.
/remove-lifecycle stale
kenden
on 4 Jan 2018
another way to hack this (not tested though) is to have a user-data to pull the right set of keys from somewhere online like S3 bucket.
This is not ideal but it might help
fredleger
on 23 Mar 2018
Following https://github.com/kubernetes/kops/blob/master/docs/security.md#ssh-access , public keys are already available on S3 through the folder pki/ssh/public/<username>/<hash_of_pub>. The contents of the file is the public key.
It could be an easy enhancement to build a cloud-init script, launch configuration or something that could pull the key from there. Of course it would still not be live-reload of keys if you add a new one, etc, but at least it's better than nothing.
guilhermeblanco
on 25 Apr 2018
What about a file which simply holds multiple public keys. I tried to deploy this right now, but it only uses the first line (first key). Can you simply allow to use a file that holds multiple public keys?
cytopia
on 8 May 2018
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 6 Aug 2018
it's a cool feature to have
/remove-lifecycle stale
voron
on 24 Aug 2018
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 18 Jan 2019
/remove-lifecycle stale
This is being worked on in #5978 🙏
tsuna
on 18 Jan 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 18 Apr 2019
/remove-lifecycle stale
legal90
on 18 Apr 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 17 Jul 2019
/remove-lifecycle stale
legal90
on 18 Jul 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 16 Oct 2019
/remove-lifecycle stale
legal90
on 16 Oct 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 14 Jan 2020
/remove-lifecycle stale
cytopia
on 14 Jan 2020
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 13 Apr 2020
Related/alternative: #8830
yurrriq
on 13 Apr 2020
/remove-lifecycle stale
yurrriq
on 13 Apr 2020
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 12 Jul 2020
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
fejta-bot
on 11 Aug 2020
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
fejta-bot
on 10 Sep 2020
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with/reopen.
Mark the issue as fresh with/remove-lifecycle rotten.Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
k8s-ci-robot
on 10 Sep 2020
Related issues
thejsj
·
4Comments
owenmorgan
·
3Comments
yetanotherchris
·
3Comments
argusua
·
5Comments
RXminuS
·
5Comments
Most helpful comment
Still interested in this.
/remove-lifecycle stale