GitHub Repo
一个反向代理目标服务器的 proxy,客户端想请求某个 ssh 服务器,直接请求的是 sshpiper 服务,再经由 sshpiper 服务转发到对应的 ssh 服务器,相当于一个中间人。
一开始并不理解这种组件的用处,但实际用了之后感觉还是蛮有意思的。
设想有这样一种场景,你有多个 ssh 服务器,你可能要不停切换 ssh 服务器,这过程中有可能使用不同的 ssh 秘钥来连接。而且如果是想从公司外网连进来,ssh 服务器的端口要对外网开放,会有很大的安全隐患。
ssh 可以通过密码、秘钥两种方式鉴权连接,密码方式相对简单,我也主要是使用秘钥模式连接的,这里主要介绍秘钥连接。
完成整个连接过程,需要有两套秘钥(即两套公钥私钥),我们这里分别称为 PublicKey_X,PrivateKey_X,PublicKey_Y,PrivateKey_Y,其中:
PublicKey_X
PrivateKey_X
PublicKey_Y
PrivateKey_Y,其中:
PrivateKey_Y
.ssh/authorized_keys
客户端持 PrivateKey_X ssh 请求 sshpiper,sshpiper 使用 PublicKey_X 进行校验,校验之后 sshpiper 持 PrivateKey_Y 请求服务器,服务器持 PublicKey_Y 进行校验。
此处提及的 ssh 密钥,公钥均为 ssh-rsa XXXXXX 形式,私钥均为 pem 形式,即类似:-----BEGIN PRIVATE KEY----- 开头,-----END PRIVATE KEY----- 结尾
ssh-rsa XXXXXX
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
目标:运行一个可以通过 sshpiper 访问的 pod。
在 kubernetes Pod 中使用 sshpiper,先按照此处文档在集群中安装和部署 sshpiper 服务:
https://github.com/tg123/sshpiper/tree/master/plugin/kubernetes
我使用了手动安装,共两步:
启动 sshpiper 服务时,使用如下 yaml 配置:
# sshpiper service---apiVersion: v1kind: Servicemetadata: name: sshpiperspec: selector: app: sshpiper ports: - protocol: TCP port: 2222 targetPort: 2222 nodePort: 30022 type: NodePort---apiVersion: v1data: server_key: | # 此配置暂时没发现用处,直接使用官方提供的样例中的值即可 LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNCWUhWV01lNzVDZ3Rzdm5rOWlTekJFU3hSdjdMb3U3K0tVbndmb3VnNzcxZ0FBQUpEQnArS0d3YWZpCmhnQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDQllIVldNZTc1Q2d0c3ZuazlpU3pCRVN4UnY3TG91NytLVW53Zm91Zzc3MWcKQUFBRUJKSDU3eTFaRTUxbVo2a2VsWUR0eDQ1ajBhZGdsUk5CY0pZOE94YTY4TEJWZ2RWWXg3dmtLQzJ5K2VUMkpMTUVSTApGRy9zdWk3djRwU2ZCK2k2RHZ2V0FBQUFEV0p2YkdsaGJrQjFZblZ1ZEhVPQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0Kkind: Secretmetadata: name: sshpiper-server-keytype: Opaque---apiVersion: apps/v1kind: Deploymentmetadata: name: sshpiper-deployment labels: app: sshpiperspec: replicas: 1 selector: matchLabels: app: sshpiper template: metadata: labels: app: sshpiper spec: serviceAccountName: sshpiper-account containers: - name: sshpiper imagePullPolicy: IfNotPresent image: farmer1992/sshpiperd:latest ports: - containerPort: 2222 env: - name: PLUGIN value: "kubernetes" - name: SSHPIPERD_SERVER_KEY value: "/serverkey/ssh_host_ed25519_key" - name: SSHPIPERD_LOG_LEVEL value: "trace" volumeMounts: - name: sshpiper-server-key mountPath: "/serverkey/" readOnly: true volumes: - name: sshpiper-server-key secret: secretName: sshpiper-server-key items: - key: server_key path: ssh_host_ed25519_key---apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata: name: sshpiper-readerrules:- apiGroups: [""] resources: ["secrets"] verbs: ["get"]- apiGroups: ["sshpiper.com"] resources: ["pipes"] verbs: ["get", "list", "watch"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata: name: read-sshpipersubjects:- kind: ServiceAccount name: sshpiper-accountroleRef: kind: Role name: sshpiper-reader apiGroup: rbac.authorization.k8s.io---apiVersion: v1kind: ServiceAccountmetadata: name: sshpiper-account
# sshpiper service
---
apiVersion: v1
kind: Service
metadata:
name: sshpiper
spec:
selector:
app: sshpiper
ports:
- protocol: TCP
port: 2222
targetPort: 2222
nodePort: 30022
type: NodePort
data:
server_key: | # 此配置暂时没发现用处,直接使用官方提供的样例中的值即可
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNCWUhWV01lNzVDZ3Rzdm5rOWlTekJFU3hSdjdMb3U3K0tVbndmb3VnNzcxZ0FBQUpEQnArS0d3YWZpCmhnQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDQllIVldNZTc1Q2d0c3ZuazlpU3pCRVN4UnY3TG91NytLVW53Zm91Zzc3MWcKQUFBRUJKSDU3eTFaRTUxbVo2a2VsWUR0eDQ1ajBhZGdsUk5CY0pZOE94YTY4TEJWZ2RWWXg3dmtLQzJ5K2VUMkpMTUVSTApGRy9zdWk3djRwU2ZCK2k2RHZ2V0FBQUFEV0p2YkdsaGJrQjFZblZ1ZEhVPQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
name: sshpiper-server-key
type: Opaque
apiVersion: apps/v1
kind: Deployment
name: sshpiper-deployment
labels:
replicas: 1
matchLabels:
template:
serviceAccountName: sshpiper-account
containers:
- name: sshpiper
imagePullPolicy: IfNotPresent
image: farmer1992/sshpiperd:latest
- containerPort: 2222
env:
- name: PLUGIN
value: "kubernetes"
- name: SSHPIPERD_SERVER_KEY
value: "/serverkey/ssh_host_ed25519_key"
- name: SSHPIPERD_LOG_LEVEL
value: "trace"
volumeMounts:
- name: sshpiper-server-key
mountPath: "/serverkey/"
readOnly: true
volumes:
secret:
secretName: sshpiper-server-key
items:
- key: server_key
path: ssh_host_ed25519_key
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
name: sshpiper-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: ["sshpiper.com"]
resources: ["pipes"]
verbs: ["get", "list", "watch"]
kind: RoleBinding
name: read-sshpiper
subjects:
- kind: ServiceAccount
name: sshpiper-account
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ServiceAccount
sshpiper-server-key
sample.yaml
启动成功后如下图:
由于需要访问 ssh 服务,所有业务 Pod 的基础镜像需要运行 ssh 服务并暴露 ssh 接口。还需要将 PublicKey_Y 写入目标容器的 .ssh/authorized_keys 文件中。
这里我用官方使用的 lscr.io/linuxserver/openssh-server:latest 镜像,它提供了 PUBLIC_KEY 环境变量,在启动时自动将其中配置的 public_key 写入 .ssh/authorized_keys 文件中。
lscr.io/linuxserver/openssh-server:latest
PUBLIC_KEY
除此之外,亦可以通过设置 ConfigMap,将 public_key 挂载进容器的路径下。
apiVersion: apps/v1kind: Deploymentmetadata: name: host-publickeyspec: replicas: 3 selector: matchLabels: app: host-publickey template: metadata: labels: app: host-publickey spec: containers: - name: host-publickey image: lscr.io/linuxserver/openssh-server:latest imagePullPolicy: IfNotPresent ports: - containerPort: 2222 env: - name: USER_NAME value: "user" - name: PUBLIC_KEY value: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDgMF4AKRaRf3V2+6T7rluYW37t5TwuQDcdT966jKhKNHBkLHuT/YhBuWkpHuGR3Wh3S3zGAZ73vZ8zJHXsOPmBakkxPa9lqSHMj7Y0mN/0XvpcIHIdphzKUiEIP65N6OG2ZtYaZYti8wDNs1rW+V2Vx5IlOcT8IiNQ5FNvOozS9w=="---apiVersion: v1kind: Servicemetadata: name: host-publickeyspec: selector: app: host-publickey ports: - protocol: TCP port: 2222
name: host-publickey
replicas: 3
app: host-publickey
- name: host-publickey
image: lscr.io/linuxserver/openssh-server:latest
- name: USER_NAME
value: "user"
- name: PUBLIC_KEY
value: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDgMF4AKRaRf3V2+6T7rluYW37t5TwuQDcdT966jKhKNHBkLHuT/YhBuWkpHuGR3Wh3S3zGAZ73vZ8zJHXsOPmBakkxPa9lqSHMj7Y0mN/0XvpcIHIdphzKUiEIP65N6OG2ZtYaZYti8wDNs1rW+V2Vx5IlOcT8IiNQ5FNvOozS9w=="
USER_NAME
pipe 就是第一步安装中安装的 CRD。它负责定义 from 和 to 的相关信息,以及保存前面提到的 PublicKey_X 和 PrivateKey_Y
apiVersion: v1data: ssh-privatekey: | LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlDWGdJQkFBS0JnUURnTUY0QUtSYVJmM1YyKzZUN3JsdVlXMzd0NVR3dVFEY2RUOTY2aktoS05IQmtMSHVUCi9ZaEJ1V2twSHVHUjNXaDNTM3pHQVo3M3ZaOHpKSFhzT1BtQmFra3hQYTlscVNITWo3WTBtTi8wWHZwY0lISWQKcGh6S1VpRUlQNjVONk9HMlp0WWFaWXRpOHdETnMxclcrVjJWeDVJbE9jVDhJaU5RNUZOdk9velM5d0lEQVFBQgpBb0dCQU5ZcG5rS3MvYUEwa0hQL1pOWUE5QU1SdEtseHlSR3R5bmkzNmQ5dnF2eG9KODJxS010dzhROUlIY3RvCmNyZXpPSzV0Y0Y1L0FldE1PNTdSZjgwUGlGaHNvenowWnJkU2dzNXNZa2N4aS9CQTNBa05UNXh4aVo0STQxOEoKRStVemZnVDFOT0Y5bnNzbWoxQWVnNlJ1d3RYbVJkWElRUm1wcEtVVjBNcENERGJoQWtFQStiTk0wQzhxaHFpeQpyVWg0VFpSUWhGc0FyRTMzL1NoVzNobU5pdUd0Qjc3QnVXSFBWVDlnaDFpV0Mwby9CV0FSZUlSR05WbUdhZGtTClUxZCswdk8wdVFKQkFPWFlUT1dLZEd6MWZKVGJNWDdnNUVsRmV0NVpEV3hwZFEzWWpiUEQzRDg2cDNaN1JrVHMKQ1RQdDd1VjVzZXpZZWJKK1B5SnI5WVEzOXBybm02S0xUUzhDUUhVZEpYL1hQMmpkSXNDblp0VnNKTCtQTnllWgpnaUNZbFBXaW9vSnJDbzdCWjNjZGF2TWV3SlY2ZFJWaWcyQndDSUd2K0lYNU1WUGYzZnA4NVJ6bjlQRUNRUURiClhvU1dHSDFpZVRLOGlEQkhYckhEMVJLZUlQU1U0bG9jS3ZHai8yMjQwMng5d3M2Z2ZYK1RGcWFLVW9vaytiKzkKUW8xVGR5TFBYUEo3aWs2YTVzVjFBa0VBN1FPc1lPZ0FXeFZzbCttdFBva3VkS3FUa2lYaDNVNFp5Si8zWDZ5YgpwVjVkQWtLQlRMdjVwMFdEQlcyVDB5UmpaMGNDME01ckkyMHI2ejdnWktCeFJnPT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0=kind: Secretmetadata: name: host-publickey-keytype: kubernetes.io/ssh-auth---apiVersion: sshpiper.com/v1beta1kind: Pipemetadata: name: pipe-publickey annotations: privatekey_field_name: ssh-privatekey # this is optional, default is ssh-privatekeyspec: from: - username: "test" authorized_keys_data: "c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERThzZnBiOXkweVNRMTRsaWpQNnc5QWg2UEF6SC9hdGdXVDB5c3NZL29aSGJONDlwUHk4OWt1NC9ndmUwWEZOcE5HMGN2aThOQ3J5aDdNNDBZWnN1KzlXY1BpR2RXRnVuVG4xMGhWWmVQaGhTQk5WUVByMU16dy9MNHpTb3U2amozdWh4aHI1a3pNdi9pbWY1WFFHT2U5WEVKaTBoK29lbVlPUkxybUNvKzhWUFkvb29SL2tIY3J5L3ZuVVdoek1GYzNXMC9Pck80Q2ZvUlBnc1VabGREVnZmU0toUnlQQllISkJhaHUza0xLWC9VRk9ZRnRzd2lZTWtMWHpwY0JjSmJnUDE0RHFaNGIxZEhmZHp5MGZCYThyTVJFWEI5NHErNlhnV1cvRDlKbUQzaURQd2pRengySVRTZXRCSUlhYjlvYWkzRWd0TTdDQk13ZE5tdk5mQXQgNzYwNzUyNTgwQHFxLmNvbQo=" to: host: 10-244-3-30.default.pod.cluster.local:2222 username: "user" private_key_secret: name: host-publickey-key ignore_hostkey: true
ssh-privatekey: |
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlDWGdJQkFBS0JnUURnTUY0QUtSYVJmM1YyKzZUN3JsdVlXMzd0NVR3dVFEY2RUOTY2aktoS05IQmtMSHVUCi9ZaEJ1V2twSHVHUjNXaDNTM3pHQVo3M3ZaOHpKSFhzT1BtQmFra3hQYTlscVNITWo3WTBtTi8wWHZwY0lISWQKcGh6S1VpRUlQNjVONk9HMlp0WWFaWXRpOHdETnMxclcrVjJWeDVJbE9jVDhJaU5RNUZOdk9velM5d0lEQVFBQgpBb0dCQU5ZcG5rS3MvYUEwa0hQL1pOWUE5QU1SdEtseHlSR3R5bmkzNmQ5dnF2eG9KODJxS010dzhROUlIY3RvCmNyZXpPSzV0Y0Y1L0FldE1PNTdSZjgwUGlGaHNvenowWnJkU2dzNXNZa2N4aS9CQTNBa05UNXh4aVo0STQxOEoKRStVemZnVDFOT0Y5bnNzbWoxQWVnNlJ1d3RYbVJkWElRUm1wcEtVVjBNcENERGJoQWtFQStiTk0wQzhxaHFpeQpyVWg0VFpSUWhGc0FyRTMzL1NoVzNobU5pdUd0Qjc3QnVXSFBWVDlnaDFpV0Mwby9CV0FSZUlSR05WbUdhZGtTClUxZCswdk8wdVFKQkFPWFlUT1dLZEd6MWZKVGJNWDdnNUVsRmV0NVpEV3hwZFEzWWpiUEQzRDg2cDNaN1JrVHMKQ1RQdDd1VjVzZXpZZWJKK1B5SnI5WVEzOXBybm02S0xUUzhDUUhVZEpYL1hQMmpkSXNDblp0VnNKTCtQTnllWgpnaUNZbFBXaW9vSnJDbzdCWjNjZGF2TWV3SlY2ZFJWaWcyQndDSUd2K0lYNU1WUGYzZnA4NVJ6bjlQRUNRUURiClhvU1dHSDFpZVRLOGlEQkhYckhEMVJLZUlQU1U0bG9jS3ZHai8yMjQwMng5d3M2Z2ZYK1RGcWFLVW9vaytiKzkKUW8xVGR5TFBYUEo3aWs2YTVzVjFBa0VBN1FPc1lPZ0FXeFZzbCttdFBva3VkS3FUa2lYaDNVNFp5Si8zWDZ5YgpwVjVkQWtLQlRMdjVwMFdEQlcyVDB5UmpaMGNDME01ckkyMHI2ejdnWktCeFJnPT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0=
name: host-publickey-key
type: kubernetes.io/ssh-auth
apiVersion: sshpiper.com/v1beta1
kind: Pipe
name: pipe-publickey
annotations:
privatekey_field_name: ssh-privatekey # this is optional, default is ssh-privatekey
from:
- username: "test"
authorized_keys_data: "c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERThzZnBiOXkweVNRMTRsaWpQNnc5QWg2UEF6SC9hdGdXVDB5c3NZL29aSGJONDlwUHk4OWt1NC9ndmUwWEZOcE5HMGN2aThOQ3J5aDdNNDBZWnN1KzlXY1BpR2RXRnVuVG4xMGhWWmVQaGhTQk5WUVByMU16dy9MNHpTb3U2amozdWh4aHI1a3pNdi9pbWY1WFFHT2U5WEVKaTBoK29lbVlPUkxybUNvKzhWUFkvb29SL2tIY3J5L3ZuVVdoek1GYzNXMC9Pck80Q2ZvUlBnc1VabGREVnZmU0toUnlQQllISkJhaHUza0xLWC9VRk9ZRnRzd2lZTWtMWHpwY0JjSmJnUDE0RHFaNGIxZEhmZHp5MGZCYThyTVJFWEI5NHErNlhnV1cvRDlKbUQzaURQd2pRengySVRTZXRCSUlhYjlvYWkzRWd0TTdDQk13ZE5tdk5mQXQgNzYwNzUyNTgwQHFxLmNvbQo="
to:
host: 10-244-3-30.default.pod.cluster.local:2222
username: "user"
private_key_secret:
ignore_hostkey: true
Piper 中所填写的 privateKey,
ssh username@sshpiper-ip -p 30022 -i private_key.pem
Pipe.spec.from.username_regex_match: true
private_key.pem
注意: 如果 Pipe.spec.to.host 填写的是 Service 路由,那么每次 ssh 时,进入的 Pod 可能时 Service 管理下的任何一个 Pod。 此处所填公钥私钥,均为其 base64 编码形式。
注意:
Pipe.spec.to.host
上面我使用 pod-ip-addres.namespace.pod.cluster-domain.example 方式作为 to.host 。创建 pipe 之后,通过命令 ssh test@sshpiperIP -p 30022 -i ~/.ssh/id_rsa
pod-ip-addres.namespace.pod.cluster-domain.example
to.host
ssh test@sshpiperIP -p 30022 -i ~/.ssh/id_rsa
authorized_keys
原文链接:https://www.cnblogs.com/ccwd/p/17558393.html
本站QQ群:前端 618073944 | Java 606181507 | Python 626812652 | C/C++ 612253063 | 微信 634508462 | 苹果 692586424 | C#/.net 182808419 | PHP 305140648 | 运维 608723728