Connecting to a node over SSH
To connect to a Managed Service for Kubernetes cluster node over SSH:
-
Add the public key to the metadata when creating a Managed Service for Kubernetes node group.
Note
SSH connection using a login and password is disabled by default on Linux images that are used on Managed Service for Kubernetes nodes.
-
Configure security groups for the Managed Service for Kubernetes cluster.
Warning
Security group settings may prevent connection to the Managed Service for Kubernetes cluster.
For more information, see Connecting to a VM via SSH.
Individual nodes in node groups are Yandex Compute Cloud virtual machines with automatically generated names. To configure nodes, follow the instructions below or other node group management guides.
Alert
Do not change node VM settings, including names, network interfaces, and SSH keys, using the Compute Cloud interfaces or SSH connections to the VM.
This can disrupt the operation of individual nodes, groups of nodes, and the whole Managed Service for Kubernetes cluster.
Create SSH key pairs
Prepare the keys for use with your Managed Service for Kubernetes cluster node. To do this:
-
Open the terminal.
-
Use the
ssh-keygen
command to create a new key:ssh-keygen -t ed25519
After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is
id_ed25519
. Keys are created in the~/.ssh
directory.The public part of the key will be saved to a file named
<key name>.pub
.
-
Run
cmd.exe
orpowershell.exe
. -
Use the
ssh-keygen
command to create a new key. Run this command:ssh-keygen -t ed25519
After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is
id_ed25519
. Keys are created in theC:\Users\<username>\.ssh\
directory.The public part of the key will be saved to a file named
<key name>.pub
.
Create keys using the PuTTY app:
-
Download
and install PuTTY. -
Make sure the directory where you installed PuTTY is included in
PATH
:- Right-click My computer. Click Properties.
- In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
- Under System variables, find
PATH
and click Edit. - In the Variable value field, append the path to the directory where you installed PuTTY.
-
Launch the PuTTYgen app.
-
Select Ed25519 as the pair type to generate. Click Generate and move the cursor in the field above it until key creation is complete.
-
In Key passphrase, enter a strong password. Enter it again in the field below.
-
Click Save private key and save the private key. Do not share its key phrase with anyone.
-
Save the key in a text file in a single line. To do this, copy the public key from the text field to a text file named
id_ed25519.pub
.
Convert the public key to the metadata format
The credentials for connecting to the Managed Service for Kubernetes cluster nodes over SSH are the username and public key. These credentials are provided using metadata in a specific format.
The previously created public key has the following format:
<key_type> <public_key_body> <optional_comment>
Example:
ssh-ed25519 AAAAB3NzaC***********lP1ww ed25519-key-20190412
Create a file with credentials for connecting over SSH in the following format:
<username>:<key_type> <public_key_body> <username>
Example:
testuser:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser
This format is suitable for creating and updating a Managed Service for Kubernetes node group using the CLI, Terraform, and API interfaces, and for updating a node group using the management console. When creating a node group, separate Login and SSH key fields are used in the management console.
You can provide credentials for multiple users in one file.
Example:
testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1 testuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2
Create a node group and add the public key
- In the management console
, go to the folder page and select Managed Service for Kubernetes. - Select the Managed Service for Kubernetes cluster.
- In the left-hand panel, select Nodes manager.
- Click Create a node group.
- Set the node group parameters.
- Under Access, specify the information required to access the Managed Service for Kubernetes node:
- Enter the username into the Login field.
- In the SSH key field, paste the contents of the public key file.
- Click Create.
Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value
pairs.
Warning
The user-data
VM metadata key is not supported for user data transmission. Use the ssh-keys
key to provide parameters for SSH connections.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To create a Managed Service for Kubernetes node group and provide user credentials for connecting over SSH, run the following command:
yc managed-kubernetes node-group create \
--name <node_group_name> \
--cluster-name <cluster_name> \
--fixed-size <node_number_in_group> \
--network-interface security-group-ids=[<list_of_security_groups>],subnets=<subnet_name>,ipv4-address=nat \
--metadata-from-file ssh-keys=<credentials_file_path>
Where --metadata-from-file
is the parameter to transfer metadata to the node group as key=value
pairs. In ssh-keys
, specify the path to the file with credentials for connecting over SSH.
Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value
pairs.
Warning
The user-data
VM metadata key is not supported for user data transmission. Use the ssh-keys
key to provide parameters for SSH connections.
-
Create a Terraform configuration file describing the Managed Service for Kubernetes node group by following the steps described in Creating a node group.
-
In the node group description, set the
ssh-keys
metadata key value for theinstance_template.metadata
parameter:resource "yandex_kubernetes_node_group" "<node_group_name>" { cluster_id = yandex_kubernetes_cluster.<cluster_name>.id ... instance_template { metadata = { "ssh-keys" = file("<credentials_file_path>") ... } ... } ... }
-
Make sure the configuration files are correct.
-
Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
-
Run the command:
terraform validate
If there are errors in the configuration files, Terraform will point to them.
-
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
-
For more information, see the Terraform provider documentation
Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value
pairs.
Warning
The user-data
VM metadata key is not supported for user data transmission. Use the ssh-keys
key to provide parameters for SSH connections.
To provide multiple credentials for connecting over SSH, convert the contents of the credentials file to a single line by separating the credentials from each other with a sequence of special CRLF characters (\r\n
). You cannot use multiline messages in an API request with a JSON body.
Example of converted credentials:
testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1\r\ntestuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2
Use the create REST API method for the NodeGroup resource or the NodeGroupService/Create gRPC API call.
Credentials for connecting over SSH are provided in the nodeTemplate.metadata
parameter in ssh-keys
.
For more information about creating a Managed Service for Kubernetes node group and parameters to provide, see Creating a node group.
Update node group keys
To change the credentials for connecting over SSH to a Managed Service for Kubernetes node group, update its metadata.
Warning
The credentials for connecting over SSH will be completely overwritten. You will not be able to connect to the Managed Service for Kubernetes cluster nodes using the previous credentials.
Warning
After you change the metadata using the management consoleReconciling
: all the group's nodes will be recreated for the changes to take effect.
- In the management console
, go to the folder page and select Managed Service for Kubernetes. - Select the Managed Service for Kubernetes cluster.
- In the left-hand panel, select Nodes manager.
- On the Node group tab, select the node group in which you want to update the credentials.
- In the top panel, click
Edit. - Open Metadata.
- Replace the current value of
ssh-keys
with the contents of the credentials file. - Click Save.
-
View the description of the CLI command for adding and updating the Managed Service for Kubernetes node group metadata:
yc managed-kubernetes node-group add-metadata --help
-
Run this command:
yc managed-kubernetes node-group add-metadata \ --name <node_group_name> \ --metadata-from-file ssh-keys=<credentials_file_path>
You can request the name of a node group with a list of node groups in the folder.
-
Open the Terraform configuration file describing the Managed Service for Kubernetes node group.
For more information about creating this file, see Creating a node group.
-
In the node group description, change the value of the
ssh-keys
metadata key for theinstance_template.metadata
parameter:resource "yandex_kubernetes_node_group" "<node_group_name>" { cluster_id = yandex_kubernetes_cluster.<cluster_name>.id ... instance_template { metadata = { "ssh-keys" = file("<credentials_file_path>") ... } ... } ... }
-
Make sure the configuration files are correct.
-
Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
-
Run the command:
terraform validate
If there are errors in the configuration files, Terraform will point to them.
-
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
-
For more information, see the Terraform provider documentation
-
To provide multiple credentials for connecting over SSH, convert the contents of the credentials file to a single line by separating the credentials from each other with a sequence of special CRLF characters (
\r\n
). You cannot use multiline messages in an API request with a JSON body.Example of converted credentials:
testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1\r\ntestuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2
-
Get all the existing metadata for the node group using the get REST API method for the NodeGroup resource, and provide the node group ID in the
nodeGroupId
request parameter.You can request the name of a node group with a list of node groups in the folder.
The metadata will be listed as
key=value
pairs in thenodeTemplate.metadata
field of the response. -
Use the update REST API method for the NodeGroup resource and include the following in the request:
-
Node group ID in the
nodeGroupId
parameter. -
updateMask
parameter set tonodeTemplate.metadata
.Warning
The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the
updateMask
parameter as a single comma-separated string. -
nodeTemplate.metadata
listing all existing node group metadata askey=value
pairs without modification.For
ssh-keys
, replace the current value with the created line with credentials.Example of listing metadata in a parameter
-
Existing metadata keys in a node group:
"nodeTemplate": { "metadata": { "ssh-keys": "<existing_credentials_in_single_line>", "<existing_key_1>": "<existing_value_1>", "<existing_key_2>": "<existing_value_2>" }, ... }
-
Metadata keys to provide in an API request:
"nodeTemplate": { "metadata": { "ssh-keys": "<new_credentials_in_single_line>", "<existing_key_1>": "<existing_value_1>", "<existing_key_2>": "<existing_value_2>" } }
Alert
Any metadata not listed in the
nodeTemplate.metadata
parameter will be deleted.Then the node group status will temporarily change to Reconciling: all the nodes in the group will be recreated for the changes to apply.
-
-
Get the public IP address of the node
To connect to a Managed Service for Kubernetes cluster node, specify the public IP address of a Managed Service for Kubernetes node. You can find it using one of the following methods.
- Open the Compute Cloud section in the folder where you created your Managed Service for Kubernetes cluster.
- In the left-hand panel, select
Instance groups. - Click the instance group with the name that matches the Managed Service for Kubernetes node group ID.
- In the window that opens, go to the List of VMs tab.
- Click the VM that you want to find the public address for.
- The public IP address is shown in the Network section in Public IPv4 address.
-
Find out the ID of the instance group that corresponds to the Managed Service for Kubernetes node group.
The ID is shown in the
INSTANCE GROUP ID
column.yc managed-kubernetes node-group list
Result:
+----------------------+----------------------+----------------+----------------------+---------------------+---------+------+ | ID | CLUSTER ID | NAME | INSTANCE GROUP ID | CREATED AT | STATUS | SIZE | +----------------------+----------------------+----------------+----------------------+---------------------+---------+------+ | cat684ojo3ir******** | cata9ertn6tc******** | test-nodegroup | cl17i6943n92******** | 2019-04-12 12:38:35 | RUNNING | 2 | +----------------------+----------------------+----------------+----------------------+---------------------+---------+------+
-
View the list of Managed Service for Kubernetes nodes that belong to this group.
The public IP address of the Managed Service for Kubernetes node is shown in the
IP
column after~
.yc compute instance-group list-instances cl17i6943n92********
Result:
+----------------------+---------------------------+--------------------------+---------------+----------------+ | INSTANCE ID | NAME | IP | STATUS | STATUS MESSAGE | +----------------------+---------------------------+--------------------------+---------------+----------------+ | ef31h24k03pg******** | cl17i6943n92********-itif | 10.0.0.27~84.201.145.251 | RUNNING [53m] | | | ef37ddhg9i7j******** | cl17i6943n92********-ovah | 10.0.0.22~84.201.149.184 | RUNNING [53m] | | +----------------------+---------------------------+--------------------------+---------------+----------------+
-
Install kubectl
and configure it to work with the created cluster. -
Run this command:
kubectl get nodes -o wide
Result:
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME cl17i6943n92********-itif Ready <none> 31m v1.13.3 10.0.0.27 84.201.145.251 Ubuntu 18.04.1 LTS 4.15.0-29-generic docker://18.6.2 cl17i6943n92********-ovah Ready <none> 31m v1.13.3 10.0.0.22 84.201.149.184 Ubuntu 18.04.1 LTS 4.15.0-29-generic docker://18.6.2
The public IP address is listed in the
EXTERNAL-IP
column.
Connect to the node
You can connect to a Managed Service for Kubernetes node over SSH once it is started (with the RUNNING
status). To do this, use ssh
in Linux or macOS, or PuTTY
In the terminal, run the following command, specifying the username and public IP address of the node:
ssh <username>@<node_public_IP_address>
If you provided SSH connection credentials when you created the node group using the management console, use the username you specified in the Login field.
If you provided SSH connection credentials when you created the node group using the CLI, Terraform, API, or updated the credentials, use the username that you specified in the SSH connection credentials file.
If this is your first time connecting to a Managed Service for Kubernetes node, you may get an unknown host warning:
The authenticity of host '130.193.40.101 (130.193.40.101)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?
Type yes
in the terminal and press Enter.
In Windows, a connection is established using the PuTTY application.
- Run the Pageant application.
- Right-click the pageant icon in the task bar.
- In the context menu, select Add key.
- Select a PuTTY-generated private key in
.ppk
format. If a password is set for the key, enter it.
- Run PuTTY.
-
In the Host Name (or IP address) field, enter the public IP address of the VM you want to connect to. Set the port to
22
and connection type to SSH. -
In the tree on the left, select Connection - SSH - Auth.
-
Set the Allow agent forwarding option.
-
In the Private key file for authentication field, select the file with the private key.
-
Go back to the Sessions menu. In the Saved sessions field, enter any session name and click Save. The session settings are saved under the specified name. You can use this session profile to connect using Pageant.
-
Click Open. If connecting to the Managed Service for Kubernetes node for the first time, you may get an unknown host warning:
Click Yes. A terminal window will open prompting you to enter the username of the user on whose behalf the connection is being established.
Enter the username:
- If you provided SSH connection credentials when you created the node group using the management console, enter the username you specified in the Login field.
- If you provided SSH connection credentials when you created the node group using the CLI, Terraform, API, or updated the credentials, enter the username that you specified in the SSH connection credentials file.
Click Enter. If all the settings are correct, the connection with the server will be established.
-
If you saved the session profile in PuTTY, you can use Pageant to establish a connection in the future:
- Right-click the pageant icon in the task bar.
- Select the Saved sessions menu item.
- In the saved sessions list, select the session you need.