Connecting to a node via OS Login
OS Login lets you open SSH sessions to Yandex Cloud virtual machines with a short-lived certificate issued for your organization user, instead of SSH keys placed on the VM. The same mechanism works for Managed Service for Kubernetes nodes, which is what this page covers.
Individual nodes in node groups are Yandex Compute Cloud virtual machines with automatically generated names. To configure nodes, follow the instructions below or other node group management guides.
Alert
Do not change node VM settings, including names, network interfaces, and SSH keys, using the Compute Cloud interfaces or SSH connections to the VM.
This can disrupt the operation of individual nodes, groups of nodes, and the whole Managed Service for Kubernetes cluster.
Configure your cluster node, then connect to it using one of two methods: the Yandex Cloud CLI (yc compute ssh) or a regular SSH client with an exported OS Login certificate.
Getting started
- If you do not have the Yandex Cloud command line interface yet, install and initialize it.
  The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Enable access via OS Login at the organization level.
- Enable access to nodes from the internet for the node group containing the node you need to connect to.
- Make sure the account you are using to connect to the node has one of these roles assigned:
  compute.osLogin: To access the node without sudo permissions.
  compute.osAdminLogin: To access the node with sudo permissions.
  Root on a node is root over every pod scheduled on it and over the kubelet's credentials, so assign compute.osAdminLogin only to accounts that actually need to run privileged commands on nodes.
Configure the node
Set up your cluster node for connection:
- Make sure to enable external access for the node.
- Activate node access via OS Login by changing the method of connecting to nodes.
Note
After the connection method is changed, the node group status will temporarily change to Reconciling: all the group's nodes will be recreated for the changes to take effect. Treat this as a planned disruption: pods running on those nodes are evicted and rescheduled while the nodes are recreated.
Management console
- Open the Managed Service for Kubernetes section in the folder containing the Managed Service for Kubernetes cluster whose node you need access to.
- Click the name of the Managed Service for Kubernetes cluster.
- Go to the Node group tab.
- Select the required node group.
- Click Edit in the top-right corner.
- Select Access by OS Login.
  Warning
  If access via OS Login is enabled, access via SSH keys will be unavailable.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it (see Getting started above for the --folder-name and --folder-id parameters).
To enable OS Login for all nodes in a node group:
- View the description of the CLI command for adding and updating the Managed Service for Kubernetes node group metadata:
  yc managed-kubernetes node-group add-metadata --help
- Run this command:
  yc managed-kubernetes node-group add-metadata \
    --name <node_group_name> \
    --metadata enable-oslogin=true
  You can get the node group name from the list of node groups in the folder.
Warning
If access via OS Login is enabled, access via SSH keys will be unavailable.
Terraform
- Open the current Terraform configuration file describing the Managed Service for Kubernetes node group.
  For more information about creating this file, see Creating a node group.
- Add the instance_template.metadata parameter to the node group description, or change it if it already exists. In this parameter, specify the enable-oslogin metadata key with the true value:
  resource "yandex_kubernetes_node_group" "<node_group_name>" {
    cluster_id = yandex_kubernetes_cluster.<cluster_name>.id
    ...
    instance_template {
      metadata = {
        "enable-oslogin" = "true"
        ...
      }
      ...
    }
    ...
  }
  Warning
  If access via OS Login is enabled, access via SSH keys will be unavailable.
- Make sure the configuration files are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated. Check that the plan contains only the metadata change on the node group and nothing you did not intend, such as resources being destroyed.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.
API
- Get all the existing metadata for the node group using the get REST API method for the NodeGroup resource, and provide the node group ID in the nodeGroupId request parameter. You can get the node group ID from the list of node groups in the folder.
  The metadata will be listed as key=value pairs in the nodeTemplate.metadata field of the response.
- Use the update API method and include the following in the request:
  - Node group ID in the nodeGroupId parameter.
  - The updateMask parameter set to nodeTemplate.metadata.
    Warning
    This API method resets all parameters of the object being modified that were not explicitly passed in the request to their default values. To avoid this, list the settings you want to change in the updateMask parameter (one line, comma-separated).
  - The nodeTemplate.metadata parameter listing all existing node group metadata as key=value pairs without modification. For the enable-oslogin key, replace the current value with true. If there is no such key, add it.
    Warning
    If access via OS Login is enabled, access via SSH keys will be unavailable.
    Example of listing metadata in a parameter
    - Existing metadata keys in a node group:
      "nodeTemplate": {
        "metadata": {
          "enable-oslogin": "undefined",
          "<existing_key_1>": "<existing_value_1>",
          "<existing_key_2>": "<existing_value_2>"
        },
        ...
      }
    - Metadata keys to provide in an API request:
      "nodeTemplate": {
        "metadata": {
          "enable-oslogin": "true",
          "<existing_key_1>": "<existing_value_1>",
          "<existing_key_2>": "<existing_value_2>"
        }
      }
    Alert
    Any metadata not listed in the nodeTemplate.metadata parameter will be deleted. Compare the metadata you send against the get response key by key before calling update. Then the node group status will temporarily change to Reconciling: all the nodes in the group will be recreated for the changes to apply.
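The read-modify-write described in the API tab, written out in Python as an added example (this is not code from the page or from Yandex Cloud). build_oslogin_update takes the node group JSON returned by the get call, sets enable-oslogin to true while copying every other metadata key unchanged, and produces an update body whose updateMask names only nodeTemplate.metadata, so nothing else on the node group is reset. metadata_preserved is the pre-flight check for the "unlisted metadata is deleted" trap. The sample node group is constructed; the endpoint URL, the PATCH verb and the bearer-token header in send_update are assumptions about the REST API and are not exercised here.

```python
import json
import urllib.request
from typing import Any, Dict

# Constructed sample of a NodeGroup `get` response (only the fields this example reads).
SAMPLE_NODE_GROUP: Dict[str, Any] = {
    "id": "<node_group_ID>",
    "nodeTemplate": {
        "platformId": "standard-v3",
        "metadata": {
            "enable-oslogin": "undefined",
            "ssh-keys": "user1:ssh-ed25519 AAAAC3... user1",
            "user-data": "#cloud-config\nusers: []\n",
        },
    },
}


def build_oslogin_update(node_group: Dict[str, Any]) -> Dict[str, Any]:
    """Build the body for the NodeGroup `update` call that turns OS Login on.

    Every existing key in nodeTemplate.metadata is copied unchanged, because the
    API deletes any metadata key missing from the request; only enable-oslogin is
    set (or added) with the value "true". updateMask names the single field being
    changed so the rest of the node group keeps its current values.
    """
    existing = node_group.get("nodeTemplate", {}).get("metadata") or {}
    metadata = dict(existing)  # copy; never mutate the response we read
    metadata["enable-oslogin"] = "true"
    return {
        "updateMask": "nodeTemplate.metadata",
        "nodeTemplate": {"metadata": metadata},
    }


def metadata_preserved(node_group: Dict[str, Any], body: Dict[str, Any]) -> bool:
    """Pre-flight check: the request must carry every key the node group had before,
    with the same value for everything except enable-oslogin, which must be "true"."""
    before = node_group.get("nodeTemplate", {}).get("metadata") or {}
    after = body["nodeTemplate"]["metadata"]
    for key, value in before.items():
        if key != "enable-oslogin" and after.get(key) != value:
            return False
    return after.get("enable-oslogin") == "true"


def send_update(node_group_id: str, body: Dict[str, Any], iam_token: str) -> bytes:
    """Send the update. Assumed endpoint and verb (not verified here):
    PATCH https://mks.api.cloud.yandex.net/managed-kubernetes/v1/nodeGroups/{id}."""
    req = urllib.request.Request(
        f"https://mks.api.cloud.yandex.net/managed-kubernetes/v1/nodeGroups/{node_group_id}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {iam_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    body = build_oslogin_update(SAMPLE_NODE_GROUP)
    assert metadata_preserved(SAMPLE_NODE_GROUP, body)
    print(json.dumps(body, indent=2))
```

Run it with a real get response piped in instead of SAMPLE_NODE_GROUP and only call send_update once metadata_preserved returns True; the update is irreversible in the sense that a key dropped here is gone from every recreated node.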
Connect to the node using the CLI
- View the description of the CLI command for connection to the node:
  yc compute ssh --help
- To find out the name of the node you need, get a list of cluster nodes:
  yc managed-kubernetes node-group list-nodes --name <node_group_name>
  Result example:
  +----------------------+-----------------+---------------------------+-------------+--------+
  | CLOUD INSTANCE       | KUBERNETES NODE | RESOURCES                 | DISK        | STATUS |
  +----------------------+-----------------+---------------------------+-------------+--------+
  | fhmmh23ugigb******** | <node_name>     | 4 100% core(s), 8.0 GB of | 64.0 GB ssd | READY  |
  | RUNNING_ACTUAL       |                 | memory                    |             |        |
  +----------------------+-----------------+---------------------------+-------------+--------+
  The node name is in the KUBERNETES NODE column.
- Connect to the node:
  yc compute ssh --name <node_name>
Connect to the node using SSH
- Export the OS Login certificate.
  Note
  The certificate is valid for one hour. After this time has elapsed, you will need to export a new certificate to connect to the node.
- Find out the public address of the node:
  - Get the ID of the Compute Cloud instance group that backs the node group:
    yc managed-kubernetes node-group list
    Result:
    +------------------------------+----------------------+-----------+----------------------+---------------------+---------+------+
    | ID                           | CLUSTER ID           | NAME      | INSTANCE GROUP ID    | CREATED AT          | STATUS  | SIZE |
    +------------------------------+----------------------+-----------+----------------------+---------------------+---------+------+
    | <node_group_ID>              | cato4gqs0ave******** | ng-name   | cl17a1c3mbau******** | 2024-02-08 04:25:06 | RUNNING | 1    |
    +------------------------------+----------------------+-----------+----------------------+---------------------+---------+------+
    You will find the parameter you need in the INSTANCE GROUP ID column. The ID column holds the node group's own ID; yc compute instance-group commands address the Compute Cloud instance group behind the node group, not the node group itself.
  - View the list of Managed Service for Kubernetes nodes that belong to this group:
    yc compute instance-group list-instances <instance_group_ID>
    Result:
    +----------------------+---------------------------+----------------+-------------+----------------------+----------------+
    | INSTANCE ID          | NAME                      | EXTERNAL IP    | INTERNAL IP | STATUS               | STATUS MESSAGE |
    +----------------------+---------------------------+----------------+-------------+----------------------+----------------+
    | fhm8nq5p7t0r******** | cl12kvrgj493rhrkimmb-**** | 84.201.156.211 | 10.128.0.36 | RUNNING_ACTUAL [25m] |                |
    +----------------------+---------------------------+----------------+-------------+----------------------+----------------+
    The public IP address of the Managed Service for Kubernetes node is listed in the EXTERNAL IP column. An empty EXTERNAL IP means the node group does not have access from the internet enabled (see Getting started).
- Connect to the VM:
  ssh -i <certificate_file_path> <username>@<node_public_IP_address>
  Where:
  <certificate_file_path>: Path to the previously saved Identity file of the certificate. For example: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername.
  <username>: Organization user's name. It is specified at the end of the exported OS Login certificate's name. In the example above, it is orgusername.
  <node_public_IP_address>: Public IP address of the node obtained earlier.
  If this is your first time connecting to the node, you will get an unknown host warning:
  The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
  ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
  Are you sure you want to continue connecting (yes/no)?
  Type yes in the terminal and press Enter. This records the node's host key in your known_hosts file. A later warning that the host key for the same address has changed is a different situation: do not accept it by reflex unless you know the node was recreated (for example, after the node group went through Reconciling).
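The SSH procedure above as an added example in Python (not code from the page or from Yandex Cloud): it parses the yc compute instance-group list-instances table to find the node's EXTERNAL IP, derives the user name from the identity file name yc-cloud-id-<org_id>-<username>, refuses to proceed if the certificate is past its one-hour lifetime or the node has no public address, and assembles the ssh command line. The table text is constructed to match the sample above. Two things are assumptions of this example rather than facts from the page: that the identity file's mtime is the export time (the authoritative validity window is inside the certificate itself), and the table layout, which is taken from the sample output and may differ in other CLI versions.

```python
import os
import time
from typing import Dict, List, Optional

# The page states that an exported OS Login certificate is valid for one hour.
CERT_LIFETIME_SECONDS = 60 * 60

# Constructed sample shaped like the `yc compute instance-group list-instances` output above.
SAMPLE_LIST_INSTANCES = """\
+----------------------+---------------------------+----------------+-------------+----------------------+----------------+
| INSTANCE ID          | NAME                      | EXTERNAL IP    | INTERNAL IP | STATUS               | STATUS MESSAGE |
+----------------------+---------------------------+----------------+-------------+----------------------+----------------+
| fhm8nq5p7t0r******** | cl12kvrgj493rhrkimmb-**** | 84.201.156.211 | 10.128.0.36 | RUNNING_ACTUAL [25m] |                |
+----------------------+---------------------------+----------------+-------------+----------------------+----------------+
"""


def parse_yc_table(text: str) -> List[Dict[str, str]]:
    """Turn a yc ASCII table into one dict per data row, keyed by the header cells."""
    rows = [line.strip() for line in text.splitlines() if line.lstrip().startswith("|")]
    cells = [[c.strip() for c in row.strip("|").split("|")] for row in rows]
    header, body = cells[0], cells[1:]
    return [dict(zip(header, row)) for row in body]


def external_ip_for(list_instances_output: str, name_or_id: str) -> Optional[str]:
    """Return the EXTERNAL IP of the instance whose NAME or INSTANCE ID matches, or None
    if the node is not listed or has no public address (internet access not enabled)."""
    for row in parse_yc_table(list_instances_output):
        if name_or_id in (row.get("NAME"), row.get("INSTANCE ID")):
            return row.get("EXTERNAL IP") or None
    return None


def username_from_certificate(cert_path: str) -> str:
    """The identity file is named yc-cloud-id-<org_id>-<username>; the user name is
    everything after the organization ID (it may itself contain hyphens)."""
    base = os.path.basename(cert_path)
    prefix = "yc-cloud-id-"
    if not base.startswith(prefix):
        raise ValueError(f"not an OS Login identity file name: {base}")
    _org_id, sep, username = base[len(prefix):].partition("-")
    if not sep or not username:
        raise ValueError(f"no user name at the end of: {base}")
    return username


def certificate_is_fresh(exported_at: float, now: Optional[float] = None) -> bool:
    """True while the certificate is inside its one-hour lifetime (Unix timestamps)."""
    now = time.time() if now is None else now
    return 0 <= now - exported_at < CERT_LIFETIME_SECONDS


def file_export_time(cert_path: str) -> float:
    """Assumption: the identity file's mtime is the time of the yc export. For the
    authoritative window, read it from the certificate itself (ssh-keygen -L)."""
    return os.stat(cert_path).st_mtime


def build_ssh_command(cert_path: str, list_instances_output: str, node: str,
                      exported_at: Optional[float] = None,
                      now: Optional[float] = None) -> List[str]:
    """Assemble `ssh -i <identity_file> <username>@<ip>` for the node, refusing an
    expired certificate or a node without a public address."""
    exported_at = file_export_time(cert_path) if exported_at is None else exported_at
    if not certificate_is_fresh(exported_at, now):
        raise RuntimeError("OS Login certificate is older than one hour; export a new one")
    ip = external_ip_for(list_instances_output, node)
    if ip is None:
        raise RuntimeError(f"node {node} has no EXTERNAL IP; enable internet access for the node group")
    return ["ssh", "-i", cert_path, f"{username_from_certificate(cert_path)}@{ip}"]


if __name__ == "__main__":
    cert = "/home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername"
    print(" ".join(build_ssh_command(cert, SAMPLE_LIST_INSTANCES,
                                     "fhm8nq5p7t0r********", exported_at=time.time())))
```

In practice you would feed build_ssh_command the live output of yc compute instance-group list-instances and the real identity file path, and pass the resulting list to subprocess.run; keeping the argument list rather than a shell string avoids quoting surprises if a node name or path ever contains unusual characters.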