kubernetes plugin for sshpiperd

The kubernetes plugin for sshpiperd provides native kubernetes CRD integration and lets you manage sshpiper with kubectl get pipes and kubectl apply -f pipe.yaml.

This plugin is inspired by the first-version kubernetes plugin for sshpiper v0 by pockost.

Usage

Start the plugin with the flag --all-namespaces or the environment variable SSHPIPERD_KUBERNETES_ALL_NAMESPACES=true for cluster-wide usage; otherwise it only watches the namespace it runs in.

Start the plugin with the flag --kubeconfig or the environment variable SSHPIPERD_KUBERNETES_KUBECONFIG=/path/to/kubeconfig to specify the kubeconfig file.

Helm

helm repo add sshpiper https://tg123.github.io/sshpiper-chart/

helm install my-sshpiper sshpiper/sshpiper --version 0.1.1

Manually

Apply CRD definition

kubectl apply -f https://raw.githubusercontent.com/tg123/sshpiper/master/plugin/kubernetes/crd.yaml

Most parameters are the same as in the yaml plugin.

A full sample can be found here

Pipe annotations can enable kubectl exec bridge mode (for pods without sshd):

  • sshpiper.com/kubectl_exec_cmd: "true" (or kubectl_exec_cmd) enables kubectl-exec upstream mode.
  • In kubectl-exec mode, spec.to.host is interpreted as pod, pod/container, or namespace/pod/container.
  • sshpiper.com/kubectl_sshd_cmd (or kubectl_sshd_cmd) overrides the default command (/bin/sh).
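As an added illustration (not the plugin's own code), the Go snippet below interprets the three documented spec.to.host forms and the two annotations, and renders the equivalent kubectl exec invocation so an operator can see what the pods/exec permission will be used for. It assumes that a host with no namespace segment resolves in the Pipe's own namespace and that an omitted container means the pod's default container; neither is stated on this page.

```go
package main

import (
	"fmt"
	"strings"
)
// ExecTarget is spec.to.host as interpreted in kubectl-exec mode (empty Container: pod default, assumed).
type ExecTarget struct{ Namespace, Pod, Container string }
// annotation reads a Pipe annotation by its sshpiper.com/ key, falling back to the short key.
func annotation(ann map[string]string, key string) string {
	if v, ok := ann["sshpiper.com/"+key]; ok {
		return v
	}
	return ann[key]
}
// IsKubectlExecMode reports whether the annotations enable kubectl-exec upstream mode.
func IsKubectlExecMode(ann map[string]string) bool { return annotation(ann, "kubectl_exec_cmd") == "true" }
// ParseExecHost accepts exactly pod, pod/container or namespace/pod/container; defaultNS is assumed otherwise.
func ParseExecHost(host, defaultNS string) (ExecTarget, error) {
	parts := strings.Split(strings.TrimSpace(host), "/")
	for _, p := range parts {
		if p == "" {
			return ExecTarget{}, fmt.Errorf("kubectl-exec host %q has an empty segment", host)
		}
	}
	switch len(parts) {
	case 1:
		return ExecTarget{defaultNS, parts[0], ""}, nil
	case 2:
		return ExecTarget{defaultNS, parts[0], parts[1]}, nil
	case 3:
		return ExecTarget{parts[0], parts[1], parts[2]}, nil
	}
	return ExecTarget{}, fmt.Errorf("kubectl-exec host %q: want pod, pod/container or namespace/pod/container", host)
}
// ExecArgs renders the kubectl exec argument list a Pipe resolves to (pod, container and command).
func ExecArgs(ann map[string]string, host, pipeNS string) ([]string, error) {
	t, err := ParseExecHost(host, pipeNS)
	if err != nil {
		return nil, err
	}
	args := []string{"kubectl", "exec", "-n", t.Namespace, t.Pod}
	if t.Container != "" {
		args = append(args, "-c", t.Container)
	}
	if cmd := annotation(ann, "kubectl_sshd_cmd"); cmd != "" {
		return append(args, "--", cmd), nil
	}
	return append(args, "--", "/bin/sh"), nil // documented default command
}
```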

Note: When using kubectl-exec mode, the service account used by sshpiperd must have RBAC permissions to get pods and create pod exec sessions, otherwise kubectl exec will fail at runtime. For example:

rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]

Create Service

# sshpiper service
---
apiVersion: v1
kind: Service
metadata:
  name: sshpiper
spec:
  selector:
    app: sshpiper
  ports:
    - protocol: TCP
      port: 2222
---
apiVersion: v1
data:
  server_key: |
    <replace with your server key>
kind: Secret
metadata:
  name: sshpiper-server-key
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sshpiper-deployment
  labels:
    app: sshpiper
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sshpiper
  template:
    metadata:
      labels:
        app: sshpiper
    spec:
      serviceAccountName: sshpiper-account
      containers:
      - name: sshpiper
        image: farmer1992/sshpiperd:latest
        ports:
        - containerPort: 2222
        env:
        - name: PLUGIN
          value: "kubernetes"
        - name: SSHPIPERD_SERVER_KEY
          value: "/serverkey/ssh_host_ed25519_key"
        - name: SSHPIPERD_LOG_LEVEL
          value: "trace"
        volumeMounts:
        - name: sshpiper-server-key
          mountPath: "/serverkey/"
          readOnly: true
      volumes:
      - name: sshpiper-server-key
        secret:
          secretName: sshpiper-server-key
          items:
          - key: server_key
            path: ssh_host_ed25519_key
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sshpiper-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
- apiGroups: ["sshpiper.com"]
  resources: ["pipes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-sshpiper
subjects:
- kind: ServiceAccount
  name: sshpiper-account
roleRef:
  kind: Role
  name: sshpiper-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sshpiper-account

Note: kubectl-exec mode requires RBAC access to pods (get) and pods/exec (create) for the service account used by sshpiperd.

Create Pipes

Create Password Pipe

apiVersion: sshpiper.com/v1beta1
kind: Pipe
metadata:
  name: pipe-password
spec:
  from:
  - username: "password_simple"
  to:
    host: host-password:2222
    username: "user"
    ignore_hostkey: true

ssh password_simple@piper_ip will pipe to user@host-password

Create Public Key Pipe

ssh piper_ip -i <key in authorized_keys_data> will pipe to user@host-publickey and login with secret host-publickey-key

apiVersion: v1
data:
  ssh-privatekey: |
    <base64 encoded private key>
kind: Secret
metadata:
  name: host-publickey-key
type: kubernetes.io/ssh-auth
---
apiVersion: sshpiper.com/v1beta1
kind: Pipe
metadata:
  name: pipe-publickey
spec:
  from:
  - username: ".*" # catch all
    username_regex_match: true
    authorized_keys_data: "base64_authorized_keys_data"
  to:
    host: host-publickey:2222
    username: "user"
    private_key_secret:
      name: host-publickey-key
    ignore_hostkey: true