k8s-mgmt-pod/k8s/README.md
Michael Trip 5584dc1f29
All checks were successful
Build k8s-mgmt-pod image / Build & Push (push) Successful in 1m35s
Update SSH port from 22 to 2222 in Dockerfile, entrypoint, and Kubernetes configurations
2026-06-23 15:48:15 +02:00

82 lines
No EOL
2.9 KiB
Markdown

# Kubernetes deployment
These manifests deploy `k8s-mgmt-pod` as a single-replica bastion deployment inside its own namespace.
## Before you apply
1. Build and publish the image.
2. Replace the placeholder image in `deployment.yaml` with a pinned tag or digest.
3. Create the real `k8s-mgmt-pod-auth` Secret instead of applying `secret.yaml.example`.
## Create the Secret
Public-key path:
```bash
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
--from-literal=ADMIN_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
--from-literal=USER_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
--from-literal=ADMIN_PASSWORD='' \
--from-literal=USER_PASSWORD=''
```
Password path:
```bash
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
--from-literal=ADMIN_SSH_PUBKEY='' \
--from-literal=USER_SSH_PUBKEY='' \
--from-literal=ADMIN_PASSWORD='change-this-admin-password' \
--from-literal=USER_PASSWORD='change-this-user-password'
```
Mixed key-plus-password path:
```bash
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
--from-literal=ADMIN_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
--from-literal=USER_SSH_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample user@example" \
--from-literal=ADMIN_PASSWORD='change-this-admin-password' \
--from-literal=USER_PASSWORD='change-this-user-password'
```
With that configuration, both `admin` and `user` can authenticate with either their SSH key or their password.
Resolution order is per user:
1. If a public key is supplied, key-based login is enabled.
2. If a password is also supplied, password login is enabled too.
3. If only a public key is supplied, password login is locked for that user.
4. If neither is supplied, the container generates and logs a random password for that user.
## Apply
```bash
kubectl apply -k k8s/
```
If you prefer individual files, apply `namespace.yaml`, `serviceaccount.yaml`, `rbac.yaml`, `deployment.yaml`, `service.yaml`, and `networkpolicy.yaml` after creating the real Secret.
## Safe local access
Port-forward the service instead of exposing it externally by default:
```bash
kubectl -n k8s-mgmt-pod port-forward svc/k8s-mgmt-pod 2222:2222 3000:3000
```
Then connect with:
```bash
ssh admin@localhost -p 2222
```
Or open `http://localhost:3000/ssh` in a browser.
## RBAC note
The included Role is the most security-sensitive part of this deployment. It is namespace-scoped and avoids `cluster-admin`, but it still grants broad read/write access to common namespaced resources so `lfk` remains usable as a management tool. In particular, access to `secrets`, `pods/exec`, and workload mutation verbs may be too broad for your environment and should be reduced wherever possible.
## Bastion note
This pod is a privileged operational entry point into the cluster. Treat it like a bastion: restrict who can reach it, monitor access, rotate credentials, and avoid using it as a general-purpose workstation.