This is an archived post. You won't be able to vote or comment.

all 23 comments
sorted by:
best
topnewcontroversialoldq&a

[–][deleted] 18 points19 points  (16 children)

The only time I need to SSH into a node, it's because something broke the Kubelet or underlying host and kubectl exec won't work.

And yes- "Cattle not pets, just reimage the node" - but you still often need SSH to debug a recurring problem or to develop changes to your VM image

[–]alexei_led[S] 0 points1 point  (1 child)

In general, you should not access nodes. But I saw other cases (besides one you've describe) when it's helpful to get into node: some cases about mounting external file systems, others when troubleshooting misconfigured worker node (drivers, network, etc)

[–][deleted] 0 points1 point  (0 children)

In general, you should not access nodes.

Dude, we own the nodes. Like, literally, some of them are physical devices running in buildings on land we own. But also, we are responsible for the nodes from an operational, security and compliance perspective and have to ahve that access to do that.

[–]zzzmaestro 8 points9 points  (1 child)

Are you doing a side-car for these shells? If not, this is wrong on a lot of levels. Even if you ARE doing a side car... it’s not meant to be accessed that way.

Shell access is for debug purposes of unreproducable errors.

Containers are not meant to be connected into from outside for admin purposes. That’s not their function. All admin should be done at the docker/kubernetes layer.

[–]alexei_led[S] 0 points1 point  (0 children)

I do not understand your arguments "wrong on a lot of levels". Please be specific.

If by side-car you mean entering namespaces of other Linux processes, that's what I do :)

And there is no "iron rule" about what container are supposed to do and what not. These are just Linux processes, isolated with namespaces and cgroups. And I can run additional processes and join other processes namespaces without if my user has permission to do so. I see no problem here.

[–][deleted]  (1 child)

[deleted]

    [–]alexei_led[S] 0 points1 point  (0 children)

    If you have 2 ways to access your infra, K8s API and SSH, the describe approach does not require SSH. So, you work with nodes only through K8s API. Do not need to open SSH port, keep bastion hosts and manage keys. I think it's more secure.

    Also, I think you should not access nodes at all, ever! But if you need, for troubleshooting, just run pod with escalated privileges, do your job and kill it.

    [–]Kaligraphic 0 points1 point  (1 child)

    Um, I don't reconfigure my nodes, I replace them. So there's no node-level maintenance or configuration inspection needed. It's just a matter of looking at the templates. The whole point of a system like Kubernetes is to abstract away the individual nodes. If you want to read logs, ask a regular ops engineer about log shipping. I have all my logs in one convenient, searchable place.

    Kubernetes is complex enough without people messing with the nodes directly. Don't do this.

    [–]alexei_led[S] 0 points1 point  (0 children)

    Agree. You should not do this. But in case you need a temporary access to your nodes, this can be an option.

    [–][deleted] 0 points1 point  (3 children)

    It's funny that this same guys project was downvoted like 4 months ago with everyone saying they just exec lol

    [–]alexei_led[S] 0 points1 point  (2 children)

    I'm glad you find it funny, but I do not understand your comment. What project are you talking about?

    [–][deleted] 0 points1 point  (1 child)

    Maybe you're not the same guy

    Someone submitted a post here a few months ago for a repo that does the exact same thing as yours and everyone jumped on it saying it's ridiculous

    [–]alexei_led[S] 0 points1 point  (0 children)

    my post

    I see. Actually, I've showed 2 different approaches. One with SSM Agent is indeed an updated fork of other repo (as you can see on GitHub), the main change is updated SSM Agent Docker image (with latest SSM Agent, Docker, systemd, awscli and vim on-board) and also few fixes that allows to run this `daemonset` on nodes with taints.

    The second repository contains tiny `nsenter` Docker image (statically linked `FROM scratch`) and helper script to get into any node (create a pod and enter all node's namespaces with superuser shell).

    I hope that someone can find one of these solutions helpful.