Grant access to a private network

In some cases, your cluster sits in a private network. Although this is a very good practice, it means additional steps needs to be taken in order to allow our products to connect to your cluster.

Before following this guide, make sure that there is a way to reach your private network from a machine that is publicly exposed. This machine is commonly called a bastion host and it controls all access to your private network.

We will walk you through the creation of a specific user on the bastion host that will be used by our products to reach your cluster.

📝 Prerequisites

Following content assumes that your bastion is a Linux machine and ssh-keygen binary is installed on it.

Next commands needs to be executed on your bastion with superuser privileges. Make sure you have the permissions to perform such commands or use sudo command if it’s available.

👤 Create a new user

This command will create a new kubolabs system user.

useradd --system --create-home kubolabs

useradd --disabled-password --system kubolabs

🔐 Generate SSH keys

This command will generate a SSH key pair that will be used by our products to authenticate on your bastion.

ssh-keygen -t rsa -b 4096 -C "kubolabs" -N "" -q -f kubolabs-key

If the command is successful, two files would have been generated in the current directory:

kubolabs-key: private key file
kubolabs-key.pub: public key file

Make sure to store kubolabs-key file somewhere safe and do not share it publicly nor without encryption.

🛂 Authorize SSH key to authenticate

This command will add the SSH public key that we just created to the list of kubolabs’s authorized SSH keys.

mkdir /home/kubolabs/.ssh/
cat kubolabs-key.pub | tee -a /home/kubolabs/.ssh/authorized_keys
chown -R kubolabs:kubolabs /home/kubolabs/.ssh
chmod 0700 /home/kubolabs/.ssh
chmod 0644 /home/kubolabs/.ssh/authorized_keys

Anyone in possession of the private key will be allowed to connect on your bastion as kubolabs user.

✅ Check public key authentication is enabled

This command will make sure that the public key authentication is enabled.

grep -E '^PubkeyAuthentication' /etc/ssh/sshd_config

If public key authentication is enabled, command output will be the following:

PubkeyAuthentication yes

If the output is either:

#PubkeyAuthentication yes

Or:

PubkeyAuthentication no

You must enable it:

sed -i=backup 's/#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config

If something went wrong with this command, a backup of the original file is available at /etc/ssh/sshd_config.backup.

👮 Allow access from our products

This step is only required if your bastion is filtering the allowed incoming IPs. If you are not sure, ask your administrator.

Add the following IP to the list of authorized networks: 34.141.253.143.

PreviousGenerate Kubernetes credentials NextFAQ

Last updated 2 years ago