Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Connecting to a node over SSH

Written by
Updated at November 21, 2024

To connect to a Managed Service for Kubernetes cluster node over SSH:

  • Add the public key to the metadata when creating a Managed Service for Kubernetes node group.

    Note

    SSH connection using a login and password is disabled by default on Linux images that are used on Managed Service for Kubernetes nodes.

  • Configure security groups for the Managed Service for Kubernetes cluster.

    Warning

    Security group settings may prevent connection to the Managed Service for Kubernetes cluster.

For more information, see Connecting to a VM via SSH.

Individual nodes in node groups are Yandex Compute Cloud virtual machines with automatically generated names. To configure nodes, follow the instructions below or other node group management guides.

Alert

Do not change node VM settings, including names, network interfaces, and SSH keys, using the Compute Cloud interfaces or SSH connections to the VM.

This can disrupt the operation of individual nodes, groups of nodes, and the whole Managed Service for Kubernetes cluster.

Create SSH key pairs

Prepare the keys for use with your Managed Service for Kubernetes cluster node. To do this:

  1. Open the terminal.

  2. Use the ssh-keygen command to create a new key:

    ssh-keygen -t ed25519

    After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is id_ed25519. Keys are created in the ~/.ssh directory.

    The public part of the key will be saved to a file named <key name>.pub.

  1. Run cmd.exe or powershell.exe.

  2. Use the ssh-keygen command to create a new key. Run this command:

    ssh-keygen -t ed25519

    After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is id_ed25519. Keys are created in the C:\Users\<username>\.ssh\ directory.

    The public part of the key will be saved to a file named <key name>.pub.

Create keys using the PuTTY app:

  1. Download and install PuTTY.

  2. Make sure the directory where you installed PuTTY is included in PATH:

    1. Right-click My computer. Click Properties.
    2. In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
    3. Under System variables, find PATH and click Edit.
    4. In the Variable value field, append the path to the directory where you installed PuTTY.

  3. Launch the PuTTYgen app.

  4. Select Ed25519 as the pair type to generate. Click Generate and move the cursor in the field above it until key creation is complete.

    ssh_generate_key

  5. In Key passphrase, enter a strong password. Enter it again in the field below.

  6. Click Save private key and save the private key. Do not share its key phrase with anyone.

  7. Save the key in a text file in a single line. To do this, copy the public key from the text field to a text file named id_ed25519.pub.

Convert the public key to the metadata format

The credentials for connecting to the Managed Service for Kubernetes cluster nodes over SSH are the username and public key. These credentials are provided using metadata in a specific format.

The previously created public key has the following format:

<key_type> <public_key_body> <optional_comment>

Example:

ssh-ed25519 AAAAB3NzaC***********lP1ww ed25519-key-20190412

Create a file with credentials for connecting over SSH in the following format:

<username>:<key_type> <public_key_body> <username>

Example:

testuser:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser

This format is suitable for creating and updating a Managed Service for Kubernetes node group using the CLI, Terraform, and API interfaces, and for updating a node group using the management console. When creating a node group, separate Login and SSH key fields are used in the management console.

You can provide credentials for multiple users in one file.

Example:

testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1
testuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2

Create a node group and add the public key

  1. In the management console, go to the folder page and select Managed Service for Kubernetes.
  2. Select the Managed Service for Kubernetes cluster.
  3. In the left-hand panel, select Nodes manager.
  4. Click Create a node group.
  5. Set the node group parameters.
  6. Under Access, specify the information required to access the Managed Service for Kubernetes node:
    • Enter the username into the Login field.
    • In the SSH key field, paste the contents of the public key file.
  7. Click Create.

Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value pairs.

Warning

The user-data VM metadata key is not supported for user data transmission. Use the ssh-keys key to provide parameters for SSH connections.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To create a Managed Service for Kubernetes node group and provide user credentials for connecting over SSH, run the following command:

yc managed-kubernetes node-group create \
  --name <node_group_name> \
  --cluster-name <cluster_name> \
  --fixed-size <node_number_in_group> \
  --network-interface security-group-ids=[<list_of_security_groups>],subnets=<subnet_name>,ipv4-address=nat \
  --metadata-from-file ssh-keys=<credentials_file_path>

Where --metadata-from-file is the parameter to transfer metadata to the node group as key=value pairs. In ssh-keys, specify the path to the file with credentials for connecting over SSH.

Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value pairs.

Warning

The user-data VM metadata key is not supported for user data transmission. Use the ssh-keys key to provide parameters for SSH connections.

  1. Create a Terraform configuration file describing the Managed Service for Kubernetes node group by following the steps described in Creating a node group.

  2. In the node group description, set the ssh-keys metadata key value for the instance_template.metadata parameter:

    resource "yandex_kubernetes_node_group" "<node_group_name>" {
  cluster_id = yandex_kubernetes_cluster.<cluster_name>.id
  ...
  instance_template {
    metadata = {
      "ssh-keys" = file("<credentials_file_path>")
      ...
    }
    ...
  }
  ...
}

  3. Make sure the configuration files are correct.

    1. Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.

    2. Run the command:

      terraform validate

      If there are errors in the configuration files, Terraform will point to them.

  4. Confirm updating the resources.

    1. Run the command to view planned changes:

      terraform plan

      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

    2. If you are happy with the planned changes, apply them:

      1. Run the command:

        terraform apply

      2. Confirm the update of resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value pairs.

Warning

The user-data VM metadata key is not supported for user data transmission. Use the ssh-keys key to provide parameters for SSH connections.

To provide multiple credentials for connecting over SSH, convert the contents of the credentials file to a single line by separating the credentials from each other with a sequence of special CRLF characters (\r\n). You cannot use multiline messages in an API request with a JSON body.

Example of converted credentials:

testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1\r\ntestuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2

Use the create REST API method for the NodeGroup resource or the NodeGroupService/Create gRPC API call.

Credentials for connecting over SSH are provided in the nodeTemplate.metadata parameter in ssh-keys.

For more information about creating a Managed Service for Kubernetes node group and parameters to provide, see Creating a node group.

Update node group keys

To change the credentials for connecting over SSH to a Managed Service for Kubernetes node group, update its metadata.

Warning

The credentials for connecting over SSH will be completely overwritten. You will not be able to connect to the Managed Service for Kubernetes cluster nodes using the previous credentials.

Warning

After you change the metadata using the management console, the node group status will temporarily change to Reconciling: all the group's nodes will be recreated for the changes to take effect.

  1. In the management console, go to the folder page and select Managed Service for Kubernetes.
  2. Select the Managed Service for Kubernetes cluster.
  3. In the left-hand panel, select Nodes manager.
  4. On the Node group tab, select the node group in which you want to update the credentials.
  5. In the top panel, click Edit.
  6. Open Metadata.
  7. Replace the current value of ssh-keys with the contents of the credentials file.
  8. Click Save.

  1. View the description of the CLI command for adding and updating the Managed Service for Kubernetes node group metadata:

    yc managed-kubernetes node-group add-metadata --help

  2. Run this command:

    yc managed-kubernetes node-group add-metadata \
  --name <node_group_name> \
  --metadata-from-file ssh-keys=<credentials_file_path>

    You can request the name of a node group with a list of node groups in the folder.

  1. Open the Terraform configuration file describing the Managed Service for Kubernetes node group.

    For more information about creating this file, see Creating a node group.

  2. In the node group description, change the value of the ssh-keys metadata key for the instance_template.metadata parameter:

    resource "yandex_kubernetes_node_group" "<node_group_name>" {
  cluster_id = yandex_kubernetes_cluster.<cluster_name>.id
  ...
  instance_template {
    metadata = {
      "ssh-keys" = file("<credentials_file_path>")
      ...
    }
    ...
  }
  ...
}

  3. Make sure the configuration files are correct.

    1. Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.

    2. Run the command:

      terraform validate

      If there are errors in the configuration files, Terraform will point to them.

  4. Confirm updating the resources.

    1. Run the command to view planned changes:

      terraform plan

      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

    2. If you are happy with the planned changes, apply them:

      1. Run the command:

        terraform apply

      2. Confirm the update of resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

  1. To provide multiple credentials for connecting over SSH, convert the contents of the credentials file to a single line by separating the credentials from each other with a sequence of special CRLF characters (\r\n). You cannot use multiline messages in an API request with a JSON body.

    Example of converted credentials:

    testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1\r\ntestuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2

  2. Get all the existing metadata for the node group using the get REST API method for the NodeGroup resource, and provide the node group ID in the nodeGroupId request parameter.

    You can request the name of a node group with a list of node groups in the folder.

    The metadata will be listed as key=value pairs in the nodeTemplate.metadata field of the response.

  3. Use the update REST API method for the NodeGroup resource and include the following in the request:

    • Node group ID in the nodeGroupId parameter.

    • updateMask parameter set to nodeTemplate.metadata.

      Warning

      The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    • nodeTemplate.metadata listing all existing node group metadata as key=value pairs without modification.

      For ssh-keys, replace the current value with the created line with credentials.

      Example of listing metadata in a parameter

      • Existing metadata keys in a node group:

        "nodeTemplate": {
    "metadata": {
        "ssh-keys": "<existing_credentials_in_single_line>",
        "<existing_key_1>": "<existing_value_1>",
        "<existing_key_2>": "<existing_value_2>"
    },
    ...
}

      • Metadata keys to provide in an API request:

        "nodeTemplate": {
    "metadata": {
        "ssh-keys": "<new_credentials_in_single_line>",
        "<existing_key_1>": "<existing_value_1>",
        "<existing_key_2>": "<existing_value_2>"
    }
}

      Alert

      Any metadata not listed in the nodeTemplate.metadata parameter will be deleted.

      Then the node group status will temporarily change to Reconciling: all the nodes in the group will be recreated for the changes to apply.

Get the public IP address of the node

To connect to a Managed Service for Kubernetes cluster node, specify the public IP address of a Managed Service for Kubernetes node. You can find it using one of the following methods.

  1. Open the Compute Cloud section in the folder where you created your Managed Service for Kubernetes cluster.
  2. In the left-hand panel, select Instance groups.
  3. Click the instance group with the name that matches the Managed Service for Kubernetes node group ID.
  4. In the window that opens, go to the List of VMs tab.
  5. Click the VM that you want to find the public address for.
  6. The public IP address is shown in the Network section in Public IPv4 address.

  1. Find out the ID of the instance group that corresponds to the Managed Service for Kubernetes node group.

    The ID is shown in the INSTANCE GROUP ID column.

    yc managed-kubernetes node-group list

    Result:

    +----------------------+----------------------+----------------+----------------------+---------------------+---------+------+
|          ID          |      CLUSTER ID      |      NAME      |  INSTANCE GROUP ID   |     CREATED AT      | STATUS  | SIZE |
+----------------------+----------------------+----------------+----------------------+---------------------+---------+------+
| cat684ojo3ir******** | cata9ertn6tc******** | test-nodegroup | cl17i6943n92******** | 2019-04-12 12:38:35 | RUNNING |    2 |
+----------------------+----------------------+----------------+----------------------+---------------------+---------+------+

  2. View the list of Managed Service for Kubernetes nodes that belong to this group.

    The public IP address of the Managed Service for Kubernetes node is shown in the IP column after ~.

    yc compute instance-group list-instances cl17i6943n92********

    Result:

    +----------------------+---------------------------+--------------------------+---------------+----------------+
|     INSTANCE ID      |           NAME            |            IP            |    STATUS     | STATUS MESSAGE |
+----------------------+---------------------------+--------------------------+---------------+----------------+
| ef31h24k03pg******** | cl17i6943n92********-itif | 10.0.0.27~84.201.145.251 | RUNNING [53m] |                |
| ef37ddhg9i7j******** | cl17i6943n92********-ovah | 10.0.0.22~84.201.149.184 | RUNNING [53m] |                |
+----------------------+---------------------------+--------------------------+---------------+----------------+

  1. Install kubectl and configure it to work with the created cluster.

  2. Run this command:

    kubectl get nodes -o wide

    Result:

    NAME                       STATUS  ROLES   AGE  VERSION  INTERNAL-IP  EXTERNAL-IP     OS-IMAGE            KERNEL-VERSION     CONTAINER-RUNTIME
cl17i6943n92********-itif  Ready   <none>  31m  v1.13.3  10.0.0.27    84.201.145.251  Ubuntu 18.04.1 LTS  4.15.0-29-generic  docker://18.6.2
cl17i6943n92********-ovah  Ready   <none>  31m  v1.13.3  10.0.0.22    84.201.149.184  Ubuntu 18.04.1 LTS  4.15.0-29-generic  docker://18.6.2

    The public IP address is listed in the EXTERNAL-IP column.

Connect to the node

You can connect to a Managed Service for Kubernetes node over SSH once it is started (with the RUNNING status). To do this, use ssh in Linux or macOS, or PuTTY in Windows.

In the terminal, run the following command, specifying the username and public IP address of the node:

ssh <username>@<node_public_IP_address>

If you provided SSH connection credentials when you created the node group using the management console, use the username you specified in the Login field.

If you provided SSH connection credentials when you created the node group using the CLI, Terraform, API, or updated the credentials, use the username that you specified in the SSH connection credentials file.

If this is your first time connecting to a Managed Service for Kubernetes node, you may get an unknown host warning:

The authenticity of host '130.193.40.101 (130.193.40.101)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

Type yes in the terminal and press Enter.

In Windows, a connection is established using the PuTTY application.

  1. Run the Pageant application.
    1. Right-click the pageant icon in the task bar.
    2. In the context menu, select Add key.
    3. Select a PuTTY-generated private key in .ppk format. If a password is set for the key, enter it.
  2. Run PuTTY.

    1. In the Host Name (or IP address) field, enter the public IP address of the VM you want to connect to. Set the port to 22 and connection type to SSH.

      ssh_add_ip

    2. In the tree on the left, select Connection - SSH - Auth.

    3. Set the Allow agent forwarding option.

    4. In the Private key file for authentication field, select the file with the private key.

      ssh_choose_private_key

    5. Go back to the Sessions menu. In the Saved sessions field, enter any session name and click Save. The session settings are saved under the specified name. You can use this session profile to connect using Pageant.

      ssh_save_session

    6. Click Open. If connecting to the Managed Service for Kubernetes node for the first time, you may get an unknown host warning:

      ssh_unknown_host_warning

      Click Yes. A terminal window will open prompting you to enter the username of the user on whose behalf the connection is being established.

      Enter the username:

      Click Enter. If all the settings are correct, the connection with the server will be established.

      ssh_login

If you saved the session profile in PuTTY, you can use Pageant to establish a connection in the future:

  1. Right-click the pageant icon in the task bar.
  2. Select the Saved sessions menu item.
  3. In the saved sessions list, select the session you need.
Previous
All guides
Next
Connecting to a node via OS Login