All checks were successful
Build k8s-mgmt-pod image / Build & Push (push) Successful in 1m35s
82 lines
No EOL
2.9 KiB
Markdown
82 lines
No EOL
2.9 KiB
Markdown
# Kubernetes deployment
|
|
|
|
These manifests deploy `k8s-mgmt-pod` as a single-replica bastion deployment inside its own namespace.
|
|
|
|
## Before you apply
|
|
|
|
1. Build and publish the image.
|
|
2. Replace the placeholder image in `deployment.yaml` with a pinned tag or digest.
|
|
3. Create the real `k8s-mgmt-pod-auth` Secret instead of applying `secret.yaml.example`.
|
|
|
|
## Create the Secret
|
|
|
|
Public-key path:
|
|
|
|
```bash
|
|
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
|
|
--from-literal=ADMIN_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
|
|
--from-literal=USER_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
|
|
--from-literal=ADMIN_PASSWORD='' \
|
|
--from-literal=USER_PASSWORD=''
|
|
```
|
|
|
|
Password path:
|
|
|
|
```bash
|
|
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
|
|
--from-literal=ADMIN_SSH_PUBKEY='' \
|
|
--from-literal=USER_SSH_PUBKEY='' \
|
|
--from-literal=ADMIN_PASSWORD='change-this-admin-password' \
|
|
--from-literal=USER_PASSWORD='change-this-user-password'
|
|
```
|
|
|
|
Mixed key-plus-password path:
|
|
|
|
```bash
|
|
kubectl -n k8s-mgmt-pod create secret generic k8s-mgmt-pod-auth \
|
|
--from-literal=ADMIN_SSH_PUBKEY="$(cat ~/.ssh/id_ed25519.pub)" \
|
|
--from-literal=USER_SSH_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample user@example" \
|
|
--from-literal=ADMIN_PASSWORD='change-this-admin-password' \
|
|
--from-literal=USER_PASSWORD='change-this-user-password'
|
|
```
|
|
|
|
With that configuration, both `admin` and `user` can authenticate with either their SSH key or their password.
|
|
|
|
Resolution order is per user:
|
|
|
|
1. If a public key is supplied, key-based login is enabled.
|
|
2. If a password is also supplied, password login is enabled too.
|
|
3. If only a public key is supplied, password login is locked for that user.
|
|
4. If neither is supplied, the container generates and logs a random password for that user.
|
|
|
|
## Apply
|
|
|
|
```bash
|
|
kubectl apply -k k8s/
|
|
```
|
|
|
|
If you prefer individual files, apply `namespace.yaml`, `serviceaccount.yaml`, `rbac.yaml`, `deployment.yaml`, `service.yaml`, and `networkpolicy.yaml` after creating the real Secret.
|
|
|
|
## Safe local access
|
|
|
|
Port-forward the service instead of exposing it externally by default:
|
|
|
|
```bash
|
|
kubectl -n k8s-mgmt-pod port-forward svc/k8s-mgmt-pod 2222:2222 3000:3000
|
|
```
|
|
|
|
Then connect with:
|
|
|
|
```bash
|
|
ssh admin@localhost -p 2222
|
|
```
|
|
|
|
Or open `http://localhost:3000/ssh` in a browser.
|
|
|
|
## RBAC note
|
|
|
|
The included Role is the most security-sensitive part of this deployment. It is namespace-scoped and avoids `cluster-admin`, but it still grants broad read/write access to common namespaced resources so `lfk` remains usable as a management tool. In particular, access to `secrets`, `pods/exec`, and workload mutation verbs may be too broad for your environment and should be reduced wherever possible.
|
|
|
|
## Bastion note
|
|
|
|
This pod is a privileged operational entry point into the cluster. Treat it like a bastion: restrict who can reach it, monitor access, rotate credentials, and avoid using it as a general-purpose workstation. |