Skip to content

Instantly share code, notes, and snippets.

@djjudas21

djjudas21/README.md

Created June 23, 2021 10:18
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save djjudas21/35a4030ba7dac68e2b6221925fd00ce1 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save djjudas21/35a4030ba7dac68e2b6221925fd00ce1 to your computer and use it in GitHub Desktop.
Download ZIP
Basic example of a minimal ssh bastion deployment
Raw
README.md

ssh

Simple ssh server deployment with persistent root user home directory and persistent ssh host keys

Currently no password auth

kubectl apply -f config.yaml -f deployment.yaml -f pvc.yaml -f service.yaml
Raw
config.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ssh-config
data:
sshd_config: |-
# $OpenBSD: ssh_config,v 1.34 2019/02/04 02:39:42 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected]
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
Raw
deployment.yaml
---
kind: "Deployment"
apiVersion: "apps/v1"
metadata:
name: sshd
namespace: sshd
spec:
replicas: 1
selector:
matchLabels:
app: sshd
template:
metadata:
labels:
app: sshd
spec:
containers:
- name: sshd
image: danielguerra/alpine-sshd:latest
tty: true
ports:
- containerPort: 22
volumeMounts:
- mountPath: /root
name: home
- mountPath: /etc/ssh
name: hostkeys
- mountPath: /etc/ssh/sshd_config
name: ssh-config
subPath: sshd_config
resources:
requests:
cpu: "10m"
memory: "128Mi"
volumes:
- name: home
persistentVolumeClaim:
claimName: home
- name: hostkeys
persistentVolumeClaim:
claimName: hostkeys
- name: ssh-config
configMap:
name: ssh-config
Raw
pvc.yaml
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: hostkeys
namespace: sshd
spec:
storageClassName: freenas-nfs-csi
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Mi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: home
namespace: sshd
spec:
storageClassName: freenas-nfs-csi
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
Raw
service.yaml
---
apiVersion: v1
kind: Service
metadata:
name: ssh
namespace: sshd
spec:
externalTrafficPolicy: Local
loadBalancerIP: 192.168.0.68
ports:
- name: ssh
port: 22
protocol: TCP
targetPort: 22
selector:
app: sshd
type: LoadBalancer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment