This repository has been archived by the owner on Jul 21, 2022. It is now read-only.

openshift/sre-ssh-proxy-container
sre-ssh-proxy-container

This is a container that runs a non-interactive, unprivileged OpenSSH daemon; primarily intended for tunneling over SSH to reach a Kubernetes or OpenShift cluster's API server in a context where the API server is not directly accessible.

The client can either establish a SOCKS proxy with ssh and use the proxy to forward kubectl or oc commands by way of an HTTPS_PROXY environment variable, or directly configure the client host's route tables with a tool like sshuttle.

Development

To build a local image: make

To push the image to a remote repository: make push

Use environment variables to override the default repository and image name:

  • IMAGE_REGISTRY (default is "quay.io")
  • IMAGE_REPOSITORY (default is "openshift-sre")
  • IMAGE_NAME (default is "sre-ssh-proxy")

To run the image locally: make local

This runs the OpenSSH daemon in a container, publishes its listening port to host port 2222, and mounts both a temporary RSA host key and your own ~/.ssh/authorized_keys file.

Usage

The container's entry point is /opt/start-sshd.sh and the OpenSSH daemon listens on port 2222 [1]. The startup script generates a single user named sre-user [1]. The container requires at least one private host key file to be mounted, as well as a mounted directory for authorized keys files. These locations are communicated to the container through environment variables:

SSH_HOST_*_KEY

Environment variable names of the form SSH_HOST_*_KEY (e.g. SSH_HOST_RSA_KEY) must point to the location of a private host key file within the container. The startup script looks for these environment variables and adds a HostKey directive for each found variable to the OpenSSH daemon's configuration file (e.g. HostKey $SSH_HOST_RSA_KEY). The OpenSSH daemon requires at least one valid host key to start.

AUTHORIZED_KEYS_DIR

This variable must point to the directory within the container where authorized keys files are mounted. The startup script verifies that this is a valid directory path before launching the OpenSSH daemon.

Note that multiple authorized keys files are allowed, even in subdirectories of AUTHORIZED_KEYS_DIR. The OpenSSH daemon uses the AuthorizedKeysCommand directive instead of AuthorizedKeysFile. The command, running as sre-user, recursively searches for and prints to standard output all regular files under AUTHORIZED_KEYS_DIR (with duplicate keys removed).

All files under AUTHORIZED_KEYS_DIR must adhere to the authorized_keys file format.

[1] TODO: Consider making the port number and user name configurable through additional environment variables.
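The startup checks and the AuthorizedKeysCommand behaviour described under Usage, written out as an added POSIX sh example (this is not the project's own start-sshd.sh); the helper path /opt/print-authorized-keys.sh and the sample key files are assumptions.

```shell
#!/bin/sh
# Added example, not the project's start-sshd.sh: models the startup checks
# the README describes. File and helper names below are assumptions.

# Print "HostKey <path>" for every SSH_HOST_*_KEY variable that names a
# readable file; warn about variables whose file is missing. Returns 1 when
# no usable host key was found, because sshd cannot start without one.
host_key_directives() {
    count=0
    for name in $(env | sed -n 's/^\(SSH_HOST_[A-Z0-9]*_KEY\)=.*/\1/p'); do
        eval "path=\$$name"
        if [ -r "$path" ]; then
            echo "HostKey $path"
            count=$((count + 1))
        else
            echo "warning: $name=$path is not a readable file" >&2
        fi
    done
    [ "$count" -gt 0 ]
}

# Refuse to start unless AUTHORIZED_KEYS_DIR is set and is a directory.
check_authorized_keys_dir() {
    [ -n "$AUTHORIZED_KEYS_DIR" ] && [ -d "$AUTHORIZED_KEYS_DIR" ]
}

# What the AuthorizedKeysCommand does for this layout: concatenate every
# regular file under AUTHORIZED_KEYS_DIR (subdirectories included), drop
# blank and comment lines, and print each distinct key line exactly once.
print_authorized_keys() {
    find "$AUTHORIZED_KEYS_DIR" -type f -exec cat {} + \
        | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
        | sort -u
}

# Minimal sshd_config assembled from the pieces above, written to stdout.
# Port and user are the README's documented values; the command path is
# an assumed name for a script wrapping print_authorized_keys.
render_sshd_config() {
    host_key_directives || return 1
    check_authorized_keys_dir || { echo "AUTHORIZED_KEYS_DIR is not a directory" >&2; return 1; }
    cat <<'EOF'
Port 2222
AllowUsers sre-user
PasswordAuthentication no
AuthorizedKeysCommand /opt/print-authorized-keys.sh
AuthorizedKeysCommandUser sre-user
EOF
}
```

Note that sshd only accepts an AuthorizedKeysCommand that is owned by root and not writable by group or others, so the wrapper script must be installed with those permissions.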