|
All checks were successful
Build k8s-mgmt-pod image / Build & Push (push) Successful in 44s
- Add K8S_RUNTIME_ENV_PROFILE and KUBERNETES_SECRETS_DIR variables in entrypoint.sh - Implement service account kubeconfig installation and environment variable persistence - Update deployment.yaml to include fsGroup and fsGroupChangePolicy in securityContext - Modify container ports and resource limits for better management |
||
|---|---|---|
| .. | ||
| deployment.yaml | ||
| kustomization.yaml | ||
| namespace.yaml | ||
| networkpolicy.yaml | ||
| rbac.yaml | ||
| README.md | ||
| secret.yaml.example | ||
| service.yaml | ||
| serviceaccount.yaml | ||
Kubernetes deployment
These manifests deploy k8s-mgmt-pod as a single-replica bastion deployment inside its own namespace.
Before you apply
- Build and publish the image.
- Replace the placeholder image in
deployment.yamlwith a pinned tag or digest. - Create the real
k8s-mgmt-pod-authSecret instead of applyingsecret.yaml.example.
Create the Secret
Public-key path:
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
--from-literal=ADMIN_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
--from-literal=USER_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
--from-literal=ADMIN_PASSWORD='' \
--from-literal=USER_PASSWORD=''
Password path:
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
--from-literal=ADMIN_SSH_PUBKEY='' \
--from-literal=USER_SSH_PUBKEY='' \
--from-literal=ADMIN_PASSWORD='change-this-admin-password' \
--from-literal=USER_PASSWORD='change-this-user-password'
Mixed key-plus-password path:
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
--from-literal=ADMIN_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
--from-literal=USER_SSH_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample user@example" \
--from-literal=ADMIN_PASSWORD='change-this-admin-password' \
--from-literal=USER_PASSWORD='change-this-user-password'
With that configuration, both admin and user can authenticate with either their SSH key or their password.
Resolution order is per user:
- If a public key is supplied, key-based login is enabled.
- If a password is also supplied, password login is enabled too.
- If only a public key is supplied, password login is locked for that user.
- If neither is supplied, the container generates and logs a random password for that user.
Apply
kubectl apply -k k8s/
If you prefer individual files, apply namespace.yaml, serviceaccount.yaml, rbac.yaml, deployment.yaml, service.yaml, and networkpolicy.yaml after creating the real Secret.
Safe local access
Port-forward the service instead of exposing it externally by default:
kubectl -n k8s-mgmt-pod port-forward svc/k8s-mgmt-pod 2222:2222 3000:3000
Then connect with:
ssh admin@localhost -p 2222
Or open http://localhost:3000/ssh in a browser.
RBAC note
The included Role is the most security-sensitive part of this deployment. It is namespace-scoped and avoids cluster-admin, but it still grants broad read/write access to common namespaced resources so lfk remains usable as a management tool. In particular, access to secrets, pods/exec, and workload mutation verbs may be too broad for your environment and should be reduced wherever possible.
Bastion note
This pod is a privileged operational entry point into the cluster. Treat it like a bastion: restrict who can reach it, monitor access, rotate credentials, and avoid using it as a general-purpose workstation.