Fabfiles and Kubernetes: Automating SSH with Kubernetes Nodes

• By Brandon Philips

While Kubernetes is ushering in a world where SSH is less necessary on a daily basis for deploying and managing applications, there are still instances when SSH is necessary for gathering statistics, debugging issues, and repairing configuration issues. So, while years from now there may not be a need to SSH and run one-off debugging sessions, the tools below are useful for quickly SSH'ing into machines in your Kubernetes cluster.

Kubernetes has a database of nodes in the cluster which can be queried with kubectl get nodes. This is a powerful database for automation and integration with existing tools. One powerful tool is the Fabric SSH utility, which is driven by a file known as a fabfile.py.

Getting Started

Install the Fabric SSH utility and test it:

    $ fab --version
    Fabric 1.13.1

Git clone this repo and move into the directory:

    git clone https://github.com/coreos/fabric-kubernetes-nodes
    cd fabric-kubernetes-nodes

Fabric will use the fabfile.py from the root of this directory. So now Kubernetes Nodes and labels are integrated directly into Fabric! Here is an example session using this integration:

    $ kubectl label node ip-10-0-0-50.us-west-2.compute.internal my-special-label=true
    $ fab -u core -R my-special-label=true -- date
    [10.0.0.50] Executing task '<remainder>'
    [10.0.0.50] run: date
    [10.0.0.50] out: Thu Feb 16 06:54:37 UTC 2017
    [10.0.0.50] out:

Bastion or Gateway Hosts

Many configurations of Kubernetes, like CoreOS Tectonic, do not enable direct SSH access to machines in the cluster, and instead users must first access gateway or bastion hosts. If the Kubernetes cluster has this configuration, add the --gateway flag to the command and change the address type to InternalIP.

    $ export FAB_KUBE_NODE_ADDRESS_TYPE=InternalIP
    $ fab --gateway=W.X.Y.Z -u core -R failure-domain.beta.kubernetes.io/zone=us-west-2a -- date
    [10.0.3.24] Executing task '<remainder>'
    [10.0.3.24] run: date
    [10.0.3.24] out: Mon May 1 02:50:13 UTC 2017
    [10.0.3.24] out:
    [10.0.60.15] Executing task '<remainder>'
    [10.0.60.15] run: date
    [10.0.60.15] out: Mon May 1 02:50:16 UTC 2017
    [10.0.60.15] out:
    Done.
    Disconnect

By default the fabfile will use the ExternalIP of nodes. However, it can be configured to use any IP address type that a Node has available. The example above uses the common InternalIP field. To change this to a custom SpecialIP, export the environment variable FAB_KUBE_NODE_ADDRESS_TYPE=SpecialIP.
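The mapping described above, from node labels and address types to the host lists that -R selects, can be sketched as follows. This is an added example, not the code from the fabric-kubernetes-nodes repository: the function names, the sample node data and the 203.0.113.50 address are constructed, and skipping nodes that lack the requested address type is an assumption of this sketch.

```python
import json
import os

# Constructed sample of `kubectl get nodes -o json` output (only the fields used).
SAMPLE_NODES = json.loads("""
{"items": [
  {"metadata": {"name": "ip-10-0-0-50.us-west-2.compute.internal",
                "labels": {"my-special-label": "true",
                           "failure-domain.beta.kubernetes.io/zone": "us-west-2a"}},
   "status": {"addresses": [{"type": "InternalIP", "address": "10.0.0.50"},
                            {"type": "ExternalIP", "address": "203.0.113.50"}]}},
  {"metadata": {"name": "ip-10-0-3-24.us-west-2.compute.internal",
                "labels": {"failure-domain.beta.kubernetes.io/zone": "us-west-2a"}},
   "status": {"addresses": [{"type": "InternalIP", "address": "10.0.3.24"}]}}
]}
""")


def node_address(node, address_type):
    """Return the node's address of the requested type, or None if absent."""
    for addr in node.get("status", {}).get("addresses", []):
        if addr.get("type") == address_type:
            return addr.get("address")
    return None


def build_roledefs(node_list, address_type=None):
    """Map each 'label=value' pair to the sorted addresses of nodes carrying it."""
    address_type = address_type or os.environ.get(
        "FAB_KUBE_NODE_ADDRESS_TYPE", "ExternalIP")
    roledefs, skipped = {}, []
    for node in node_list.get("items", []):
        meta = node.get("metadata", {})
        host = node_address(node, address_type)
        if host is None:
            # Assumption of this sketch: report the node instead of silently
            # falling back to a different address type.
            skipped.append(meta.get("name"))
            continue
        for key, value in meta.get("labels", {}).items():
            roledefs.setdefault("%s=%s" % (key, value), []).append(host)
    return {role: sorted(hosts) for role, hosts in roledefs.items()}, skipped


if __name__ == "__main__":
    roles, skipped = build_roledefs(SAMPLE_NODES, "InternalIP")
    print(roles["failure-domain.beta.kubernetes.io/zone=us-west-2a"], skipped)
```

Because the host list is derived from labels, anyone who can label nodes decides which machines a role-targeted command reaches, so it is worth reviewing the resolved hosts before running a command against a role.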

To find out more about the Fabric integration with Kubernetes, check out the GitHub repository.

If you have any questions about Fabric or any other aspect of Kubernetes and other CoreOS open source projects, ask the team directly at CoreOS Fest! The Kubernetes and distributed systems conference takes place May 31 and June 1 in San Francisco - join us for two days of talks from the community on the latest developments in the open source container ecosystem. Register today.