This is a container that runs a non-interactive, unprivileged OpenSSH daemon. It is primarily intended for tunneling over SSH to reach a Kubernetes or OpenShift cluster's API server in a context where the API server is not directly accessible. The client can either establish a SOCKS proxy with ssh and send kubectl or oc commands through that proxy by way of the HTTPS_PROXY environment variable, or directly configure the client host's route tables with a tool like sshuttle.
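Both client-side approaches, written out as an added example (this is not a script from the sre-ssh-proxy project). The bastion host name, published port, user, key path, cluster CIDR and control-socket path are assumptions; change them for your environment. The tunnel uses -N because the daemon is non-interactive (there is no shell to request), binds the SOCKS listener to 127.0.0.1 only, and fails loudly if the local port is already taken:

```shell
#!/bin/sh
# Added example, not part of the sre-ssh-proxy project: reach the API server
# through the proxy container with a SOCKS tunnel (ssh -D) and drive kubectl/oc
# through it via HTTPS_PROXY, or alternatively route the cluster CIDR with
# sshuttle. Every value below is an assumption for illustration.
set -eu

PROXY_HOST="${PROXY_HOST:-bastion.example.com}"         # host publishing the container's port
PROXY_PORT="${PROXY_PORT:-2222}"                        # published port (as with "make local")
PROXY_USER="${PROXY_USER:-sre-user}"                    # the single user the container creates
PROXY_KEY="${PROXY_KEY:-${HOME:-/root}/.ssh/id_ed25519}" # private key matching an authorized_keys entry
SOCKS_PORT="${SOCKS_PORT:-1080}"                        # local SOCKS listener
CLUSTER_CIDR="${CLUSTER_CIDR:-10.0.0.0/16}"             # for the sshuttle variant only
CTL_SOCKET="${CTL_SOCKET:-/tmp/sre-proxy.ctl}"          # ssh control socket, used to stop the tunnel

# kubectl and oc read HTTPS_PROXY and accept a socks5:// URL.
socks_proxy_url() {
    printf 'socks5://127.0.0.1:%s\n' "$SOCKS_PORT"
}

# Arguments for the tunnel: -N because the daemon is non-interactive, -D bound
# to 127.0.0.1 so the SOCKS port is not exposed to the local network,
# ExitOnForwardFailure so a busy port is an error rather than a silently
# missing proxy, -M/-S so the session can later be closed by name.
tunnel_ssh_args() {
    printf '%s ' -f -N -M -S "$CTL_SOCKET" \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -D "127.0.0.1:$SOCKS_PORT" -p "$PROXY_PORT" -i "$PROXY_KEY" \
        "$PROXY_USER@$PROXY_HOST"
}

start_tunnel() {
    # word-splitting the printed argument list is intended
    ssh $(tunnel_ssh_args)
}

stop_tunnel() {
    ssh -S "$CTL_SOCKET" -O exit "$PROXY_USER@$PROXY_HOST"
}

# Run one command with the proxy exported only in that command's environment,
# so the rest of the shell session keeps talking to the network directly.
run_via_proxy() {
    HTTPS_PROXY="$(socks_proxy_url)" "$@"
}

# Alternative: let sshuttle rewrite the client's routing so the cluster CIDR is
# reachable without per-command proxy variables (no -D tunnel needed).
start_sshuttle() {
    sshuttle -r "$PROXY_USER@$PROXY_HOST:$PROXY_PORT" --ssh-cmd "ssh -i $PROXY_KEY" "$CLUSTER_CIDR"
}

case "${1:-}" in
    up)    start_tunnel ;;
    down)  stop_tunnel ;;
    run)   shift; run_via_proxy "$@" ;;   # e.g. ./proxy.sh run oc get nodes
    route) start_sshuttle ;;
esac
```

Typical use is `./proxy.sh up`, then `./proxy.sh run oc whoami` to confirm the API server answers through the tunnel, and `./proxy.sh down` when finished.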
To build a local image: make

To push the image to a remote repository: make push

Use environment variables to override the default registry, repository and image name:

- IMAGE_REGISTRY (default is "quay.io")
- IMAGE_REPOSITORY (default is "openshift-sre")
- IMAGE_NAME (default is "sre-ssh-proxy")

To run the image locally: make local

This runs the OpenSSH daemon in a container, publishes its listening port to host port 2222, and mounts both a temporary RSA host key and your own ~/.ssh/authorized_keys file.
The container's entry point is /opt/start-sshd.sh and the OpenSSH daemon listens on port 2222 [1]. The startup script generates a single user named sre-user [1]. The container requires at least one private host key file to be mounted, as well as a mounted directory for authorized keys files. These locations are communicated to the container through environment variables:
SSH_HOST_*_KEY: Environment variable names of this form (e.g. SSH_HOST_RSA_KEY) must point to the location of a private host key file within the container. The startup script looks for these environment variables and adds a HostKey directive for each one found to the OpenSSH daemon's configuration file (e.g. HostKey $SSH_HOST_RSA_KEY). The OpenSSH daemon requires at least one valid host key to start.
AUTHORIZED_KEYS_DIR: This variable must point to the directory within the container where authorized keys files are mounted. The startup script verifies that this is a valid directory path before launching the OpenSSH daemon.
Note that multiple authorized keys files are allowed, even in subdirectories of AUTHORIZED_KEYS_DIR. The OpenSSH daemon uses the AuthorizedKeysCommand directive instead of AuthorizedKeysFile. The command, running as sre-user, recursively searches for and prints to standard output the contents of all regular files under AUTHORIZED_KEYS_DIR (with duplicate keys removed). All files under AUTHORIZED_KEYS_DIR must adhere to the authorized_keys file format; since every regular file under the directory is read, do not mount anything else there. sshd only runs an AuthorizedKeysCommand that is given as an absolute path, owned by root and not writable by group or others.
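The startup logic described above (host-key discovery from SSH_HOST_*_KEY, the AUTHORIZED_KEYS_DIR check, and an AuthorizedKeysCommand that merges and de-duplicates every regular file under that directory), as an added example. This is not the project's /opt/start-sshd.sh; the sshd_config layout, the helper path /opt/authorized-keys.sh, and the port and user defaults are assumptions. Keys are de-duplicated on key type plus blob, so the same key listed twice with different comments or options still appears once:

```shell
#!/bin/sh
# Added example, not the project's /opt/start-sshd.sh. Functions mirror the
# three startup steps the README describes; paths, port and user are assumed.
set -eu

SSHD_PORT="${SSHD_PORT:-2222}"                           # assumed default
SSHD_USER="${SSHD_USER:-sre-user}"                       # assumed default
KEYS_HELPER="${KEYS_HELPER:-/opt/authorized-keys.sh}"    # assumed path of this script in the image

# Print one "HostKey <path>" directive per SSH_HOST_*_KEY variable that points
# at a readable regular file; report the rest on stderr and skip them.
host_key_directives() {
    env | sed -n 's/^\(SSH_HOST_[A-Z0-9]*_KEY\)=\(.*\)$/\1 \2/p' |
    while read -r name path; do
        if [ -f "$path" ] && [ -r "$path" ]; then
            printf 'HostKey %s\n' "$path"
        else
            printf 'warning: %s=%s is not a readable regular file, ignored\n' "$name" "$path" >&2
        fi
    done
}

# sshd will not start without a host key, so fail early with a clear message.
require_host_key() {
    if [ -z "$(host_key_directives)" ]; then
        echo 'error: no usable SSH_HOST_*_KEY private key was mounted' >&2
        return 1
    fi
}

check_authorized_keys_dir() {
    if [ -z "${AUTHORIZED_KEYS_DIR:-}" ] || [ ! -d "$AUTHORIZED_KEYS_DIR" ]; then
        echo 'error: AUTHORIZED_KEYS_DIR must name a mounted directory' >&2
        return 1
    fi
}

# The AuthorizedKeysCommand body: walk AUTHORIZED_KEYS_DIR recursively, read
# every regular file ("awk 1" re-terminates a last line that lacks a newline so
# files cannot run together), drop blank and comment lines, and print each key
# once, keyed on "<type> <blob>" so options and comments do not defeat the
# de-duplication.
authorized_keys_command() {
    find "$AUTHORIZED_KEYS_DIR" -type f -exec awk 1 {} + | awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            key = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { key = $i " " $(i + 1); break }
            if (key == "" || seen[key]++) next
            print
        }'
}

# Assemble a minimal sshd_config (assumed layout, not the project's). sshd only
# runs an AuthorizedKeysCommand that is an absolute path, owned by root and not
# writable by group or others; %u passes the user name, which is unused here.
write_sshd_config() {
    out="$1"
    {
        printf 'Port %s\n' "$SSHD_PORT"
        host_key_directives
        printf 'PasswordAuthentication no\n'
        printf 'AuthorizedKeysFile none\n'
        printf 'AuthorizedKeysCommand %s authorized-keys %%u\n' "$KEYS_HELPER"
        printf 'AuthorizedKeysCommandUser %s\n' "$SSHD_USER"
    } > "$out"
}

# "start" performs the startup checks and writes the config; "authorized-keys"
# is the entry point sshd invokes on every public-key authentication attempt.
case "${1:-}" in
    start)
        require_host_key
        check_authorized_keys_dir
        write_sshd_config "${2:-/etc/ssh/sshd_config}"
        ;;
    authorized-keys)
        check_authorized_keys_dir
        authorized_keys_command
        ;;
esac
```

To see what sshd would receive for a given mount, export AUTHORIZED_KEYS_DIR and run the script with the `authorized-keys` argument; an empty result means no file under the directory contained a parseable key line.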
[1] TODO: Consider making the port number and user name configurable through additional environment variables.