Comment on page
Grant access to a private network
In some cases, your cluster sits in a private network. Although this is a very good practice, it means additional steps needs to be taken in order to allow our products to connect to your cluster.
Before following this guide, make sure that there is a way to reach your private network from a machine that is publicly exposed. This machine is commonly called a bastion host and it controls all access to your private network.
We will walk you through the creation of a specific user on the bastion host that will be used by our products to reach your cluster.
Following content assumes that your bastion is a Linux machine and
ssh-keygenbinary is installed on it.
Next commands needs to be executed on your bastion with superuser privileges. Make sure you have the permissions to perform such commands or use
sudocommand if it’s available.
This command will create a new
useradd --system --create-home kubolabs
useradd --disabled-password --system kubolabs
This command will generate a SSH key pair that will be used by our products to authenticate on your bastion.
ssh-keygen -t rsa -b 4096 -C "kubolabs" -N "" -q -f kubolabs-key
If the command is successful, two files would have been generated in the current directory:
kubolabs-key: private key file
kubolabs-key.pub: public key file
Make sure to store
kubolabs-keyfile somewhere safe and do not share it publicly nor without encryption.
This command will add the SSH public key that we just created to the list of
kubolabs’s authorized SSH keys.
cat kubolabs-key.pub | tee -a /home/kubolabs/.ssh/authorized_keys
chown -R kubolabs:kubolabs /home/kubolabs/.ssh
chmod 0700 /home/kubolabs/.ssh
chmod 0644 /home/kubolabs/.ssh/authorized_keys
Anyone in possession of the private key will be allowed to connect on your bastion as
This command will make sure that the public key authentication is enabled.
grep -E '^PubkeyAuthentication' /etc/ssh/sshd_config
If public key authentication is enabled, command output will be the following:
If the output is either:
You must enable it:
sed -i=backup 's/#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
If something went wrong with this command, a backup of the original file is available at
This step is only required if your bastion is filtering the allowed incoming IPs. If you are not sure, ask your administrator.
Add the following IP to the list of authorized networks: 126.96.36.199.