initial commit
All checks were successful
Build k8s-mgmt-pod image / Build & Push (push) Successful in 2m21s
All checks were successful
Build k8s-mgmt-pod image / Build & Push (push) Successful in 2m21s
This commit is contained in:
commit
4dbcde381f
20 changed files with 1151 additions and 0 deletions
82
k8s/README.md
Normal file
82
k8s/README.md
Normal file
|
|
@ -0,0 +1,82 @@
|
|||
# Kubernetes deployment
|
||||
|
||||
These manifests deploy `k8s-mgmt-pod` as a single-replica bastion deployment inside its own namespace.
|
||||
|
||||
## Before you apply
|
||||
|
||||
1. Build and publish the image.
|
||||
2. Replace the placeholder image in `deployment.yaml` with a pinned tag or digest.
|
||||
3. Create the real `k8s-mgmt-pod-auth` Secret instead of applying `secret.yaml.example`.
|
||||
|
||||
## Create the Secret
|
||||
|
||||
Public-key path:
|
||||
|
||||
```bash
|
||||
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
|
||||
--from-literal=ADMIN_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
|
||||
--from-literal=USER_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
|
||||
--from-literal=ADMIN_PASSWORD='' \
|
||||
--from-literal=USER_PASSWORD=''
|
||||
```
|
||||
|
||||
Password path:
|
||||
|
||||
```bash
|
||||
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
|
||||
--from-literal=ADMIN_SSH_PUBKEY='' \
|
||||
--from-literal=USER_SSH_PUBKEY='' \
|
||||
--from-literal=ADMIN_PASSWORD='change-this-admin-password' \
|
||||
--from-literal=USER_PASSWORD='change-this-user-password'
|
||||
```
|
||||
|
||||
Mixed key-plus-password path:
|
||||
|
||||
```bash
|
||||
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
|
||||
--from-literal=ADMIN_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
|
||||
--from-literal=USER_SSH_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample user@example" \
|
||||
--from-literal=ADMIN_PASSWORD='change-this-admin-password' \
|
||||
--from-literal=USER_PASSWORD='change-this-user-password'
|
||||
```
|
||||
|
||||
With that configuration, both `admin` and `user` can authenticate with either their SSH key or their password.
|
||||
|
||||
Resolution order is per user:
|
||||
|
||||
1. If a public key is supplied, key-based login is enabled.
|
||||
2. If a password is also supplied, password login is enabled too.
|
||||
3. If only a public key is supplied, password login is locked for that user.
|
||||
4. If neither is supplied, the container generates and logs a random password for that user.
|
||||
|
||||
## Apply
|
||||
|
||||
```bash
|
||||
kubectl apply -k k8s/
|
||||
```
|
||||
|
||||
If you prefer individual files, apply `namespace.yaml`, `serviceaccount.yaml`, `rbac.yaml`, `deployment.yaml`, `service.yaml`, and `networkpolicy.yaml` after creating the real Secret.
|
||||
|
||||
## Safe local access
|
||||
|
||||
Port-forward the service instead of exposing it externally by default:
|
||||
|
||||
```bash
|
||||
kubectl -n k8s-mgmt-pod port-forward svc/k8s-mgmt-pod 2222:22 3000:3000
|
||||
```
|
||||
|
||||
Then connect with:
|
||||
|
||||
```bash
|
||||
ssh admin@localhost -p 2222
|
||||
```
|
||||
|
||||
Or open `http://localhost:3000/ssh` in a browser.
|
||||
|
||||
## RBAC note
|
||||
|
||||
The included Role is the most security-sensitive part of this deployment. It is namespace-scoped and avoids `cluster-admin`, but it still grants broad read/write access to common namespaced resources so `lfk` remains usable as a management tool. In particular, access to `secrets`, `pods/exec`, and workload mutation verbs may be too broad for your environment and should be reduced wherever possible.
|
||||
|
||||
## Bastion note
|
||||
|
||||
This pod is a privileged operational entry point into the cluster. Treat it like a bastion: restrict who can reach it, monitor access, rotate credentials, and avoid using it as a general-purpose workstation.
|
||||
Loading…
Add table
Add a link
Reference in a new issue