SSH Tunnel to Kubernetes Network, access internal component (say PostgreSQL)

Prashant Vats
3 min read · Mar 25, 2024

Kubernetes is the most widely used orchestration platform. It provides a port-forwarding feature that lets you connect to an application running in the cluster by forwarding a specific port, which helps greatly during development.

This article showcases a quick win for accessing an internal application (say, a PostgreSQL database) running inside the cluster, something that is usually catered for by a VPN and network setup into your virtual private network. We make the following assumptions:

  1. You are connected to the Kubernetes API server via the kubectl CLI.
  2. The database application is not exposed to the internet.

We will use the Kubernetes port-forward feature to reach an SSHD server running as a pod, with the local user's public key added to its ~/.ssh/authorized_keys:

kubectl run sshd --image circleci/sshd:0.1 --port 22
kubectl exec -it sshd -- mkdir -p /root/.ssh
kubectl cp --no-preserve=true ~/.ssh/id_rsa.pub sshd:/root/.ssh/authorized_keys
kubectl port-forward sshd 2222:22
# verify
ssh -o StrictHostKeyChecking=no -p 2222 root@127.0.0.1

Note: It is highly recommended to use a passphrase for your SSH key; a study shows around 90% of SSH keys have no passphrase. The passphrase protects your private key from being used by someone who does not know it.

~/.ssh/id_rsa.pub is the public half of your default SSH key pair. You can create a new key pair for this specific use (recommended) by running the following command:

# ssh-keygen -t rsa -b 4096 -C "you@example.com" -f /tmp/k8s_internal

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/k8s_internal
Your public key has been saved in /tmp/k8s_internal.pub
The key fingerprint is:
SHA256:S5RXbFfjFAX/6IerGSGw6jCANieqvdBg+LEHHye0JqE you@example.com
The key's randomart image is:
+---[RSA 4096]----+
| .. .*=|
| . .o +..|
| . . + .. . ..|
|.o o . . + ..|
|E==.= . S . . . .|
|+++O + o . . o . |
|o + = . . . o .|
|.o . + o o |
|. o. . o.. |
+----[SHA256]-----+

Let’s break down each command:

kubectl run sshd --image circleci/sshd:0.1 --port 22

  • This command creates a new pod named sshd using the Docker image circleci/sshd:0.1. The image contains an SSH server.
  • It exposes port 22 on the pod, which is the default SSH port.

kubectl exec -it sshd -- mkdir -p /root/.ssh

  • This command creates a .ssh directory in the /root directory of the sshd pod.
  • The -it flag attaches an interactive terminal to the command.

kubectl cp --no-preserve=true ~/.ssh/id_rsa.pub sshd:/root/.ssh/authorized_keys

  • This command copies your public SSH key (id_rsa.pub) from the ~/.ssh directory on your local machine to the /root/.ssh/authorized_keys file inside the sshd pod.
  • The --no-preserve=true flag ensures that any existing file with the same name is overwritten without prompting.

kubectl port-forward sshd 2222:22

  • This command sets up port forwarding from your local machine’s port 2222 to port 22 on the sshd pod.
  • This allows SSH traffic to be directed to the pod through your local machine.

Verification

ssh -o StrictHostKeyChecking=no -p 2222 root@127.0.0.1

  • This command establishes an SSH connection to the sshd pod.
  • -o StrictHostKeyChecking=no disables host key checking so you are not prompted to confirm the server's key when connecting to a new SSH server; the pod's host key is then not verified against your known_hosts file.
  • -p 2222 specifies the port to connect to, which is the port forwarded to the sshd pod.
  • root@127.0.0.1 specifies the user (root) and the address (127.0.0.1) to connect to. This is your local machine; the port forward relays the connection to the pod.

Typical Usage

Connect to the internal PostgreSQL database via pgAdmin 4 (an open source management tool for PostgreSQL).

While adding a new server in pgAdmin you can configure an SSH tunnel like this; the password for the SSH tunnel can be left blank, since the key is used instead.
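The same tunnel from the command line, as an added example that is not part of the original article: it chains the article's port-forward with an SSH local forward through the sshd pod to an in-cluster PostgreSQL Service, and pins the pod's host key instead of using StrictHostKeyChecking=no. The Service name postgres.db.svc.cluster.local, the key file ~/.ssh/k8s_internal and the host-key path /etc/ssh/ssh_host_*_key.pub inside the pod are assumptions, not values from the article.

```shell
# Added example; not from the original article. Assumed names (not from the article):
# Service postgres.db.svc.cluster.local, key ~/.ssh/k8s_internal, and the pod's host
# keys under /etc/ssh/ssh_host_*_key.pub. Override any of them via the environment.
set -eu

SSHD_POD="${SSHD_POD:-sshd}"
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-2222}"
KEY_FILE="${KEY_FILE:-${HOME:-/root}/.ssh/k8s_internal}"
KNOWN_HOSTS="${KNOWN_HOSTS:-${HOME:-/root}/.ssh/k8s_sshd_known_hosts}"
PG_SVC="${PG_SVC:-postgres.db.svc.cluster.local}"
PG_PORT="${PG_PORT:-5432}"
LOCAL_PG_PORT="${LOCAL_PG_PORT:-15432}"

# Pin the pod's SSH host key. It is read through kubectl exec (authenticated by the
# API server's TLS), not over the forwarded socket, so the later ssh session fails
# closed if anything on the forwarded path presents a different key.
pin_host_key() {
  kubectl exec "$SSHD_POD" -- sh -c 'cat /etc/ssh/ssh_host_*_key.pub' \
    | awk -v p="$LOCAL_SSH_PORT" '{ print "[127.0.0.1]:" p " " $1 " " $2 }' > "$KNOWN_HOSTS"
}

# The ssh invocation: -N opens no shell; -L binds 127.0.0.1:LOCAL_PG_PORT locally and
# the pod resolves PG_SVC through cluster DNS, so the database is never exposed outside.
tunnel_cmd() {
  printf 'ssh -i %s -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -N -L 127.0.0.1:%s:%s:%s -p %s root@127.0.0.1' \
    "$KEY_FILE" "$KNOWN_HOSTS" "$LOCAL_PG_PORT" "$PG_SVC" "$PG_PORT" "$LOCAL_SSH_PORT"
}

# Full flow, executed only when invoked as: sh tunnel.sh run   (needs kubectl, ssh, psql)
if [ "${1:-}" = "run" ]; then
  kubectl port-forward "$SSHD_POD" "$LOCAL_SSH_PORT:22" &
  PF_PID=$!
  sleep 2
  pin_host_key
  eval "$(tunnel_cmd)" &
  TUN_PID=$!
  trap 'kill "$TUN_PID" "$PF_PID" 2>/dev/null' EXIT
  sleep 2
  # Constructed credentials for illustration; the database sees a connection from the pod.
  psql "host=127.0.0.1 port=$LOCAL_PG_PORT user=app dbname=app" -c 'select 1'
fi
```

In pgAdmin the same values go on the SSH Tunnel tab (tunnel host 127.0.0.1, port 2222, username root, identity file), while the Connection tab then names the Service and port 5432 as seen from the pod.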
