Comment on page

Grant access to a private network

In some cases, your cluster sits in a private network. Although this is a very good practice, it means additional steps needs to be taken in order to allow our products to connect to your cluster.
Before following this guide, make sure that there is a way to reach your private network from a machine that is publicly exposed. This machine is commonly called a bastion host and it controls all access to your private network.
We will walk you through the creation of a specific user on the bastion host that will be used by our products to reach your cluster.


Following content assumes that your bastion is a Linux machine and ssh-keygen binary is installed on it.
Next commands needs to be executed on your bastion with superuser privileges. Make sure you have the permissions to perform such commands or use sudo command if it’s available.

Create a new user

This command will create a new kubolabs system user.
useradd --system --create-home kubolabs
useradd --disabled-password --system kubolabs

Generate SSH keys

This command will generate a SSH key pair that will be used by our products to authenticate on your bastion.
ssh-keygen -t rsa -b 4096 -C "kubolabs" -N "" -q -f kubolabs-key
If the command is successful, two files would have been generated in the current directory:
  • kubolabs-key: private key file
  • public key file
Make sure to store kubolabs-key file somewhere safe and do not share it publicly nor without encryption.

Authorize SSH key to authenticate

This command will add the SSH public key that we just created to the list of kubolabs’s authorized SSH keys.
mkdir /home/kubolabs/.ssh/
cat | tee -a /home/kubolabs/.ssh/authorized_keys
chown -R kubolabs:kubolabs /home/kubolabs/.ssh
chmod 0700 /home/kubolabs/.ssh
chmod 0644 /home/kubolabs/.ssh/authorized_keys
Anyone in possession of the private key will be allowed to connect on your bastion as kubolabs user.

Check public key authentication is enabled

This command will make sure that the public key authentication is enabled.
grep -E '^PubkeyAuthentication' /etc/ssh/sshd_config
If public key authentication is enabled, command output will be the following:
PubkeyAuthentication yes
If the output is either:
#PubkeyAuthentication yes
PubkeyAuthentication no
You must enable it:
sed -i=backup 's/#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config
If something went wrong with this command, a backup of the original file is available at /etc/ssh/sshd_config.backup.

Allow access from our products

This step is only required if your bastion is filtering the allowed incoming IPs. If you are not sure, ask your administrator.
Add the following IP to the list of authorized networks: