Using SSH to connect to a cluster node

This page describes how to open a Secure Shell (SSH) session on a GKE On-Prem cluster node.

Overview

To SSH into a user or admin cluster node, you download an SSH key from the cluster's control plane. Then, you use the key to get a shell into a cluster node.

After you download the SSH key, consider saving the SSH key in a secrets/credential management system (such as HashiCorp Vault). If you want to SSH into a cluster node in the future, and the API server is down, you will need the saved SSH key.

Getting the IP addresses of your cluster nodes

User cluster

Get the IP addresses of your user cluster nodes:

kubectl --kubeconfig [USER_CLUSTER_KUBECONFIG] get nodes --output wide

where [USER_CLUSTER_KUBECONFIG] is the path of your user cluster's kubeconfig file.

Admin cluster

Get the IP addresses of your admin cluster nodes:

kubectl --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] get nodes --output wide

where [ADMIN_CLUSTER_KUBECONFIG] is the path of your admin cluster's kubeconfig file.

In the command output, note the INTERNAL-IP field. The values in this field are the node IP addresses.

Using SSH to connect to a user cluster node

  1. Get the SSH key for a user cluster:

    kubectl --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] get secrets -n [USER_CLUSTER_NAME] ssh-keys -o yaml \
    | grep ssh.key: | awk '{ print $NF }' | base64 -d > \
    ~/.ssh/[USER_CLUSTER_NAME].key && chmod 600 ~/.ssh/[USER_CLUSTER_NAME].key
    

    where:

    • [ADMIN_CLUSTER_KUBECONFIG] is the path of your admin cluster's kubeconfig file.

    • [USER_CLUSTER_NAME] is the name of your user cluster.

    The preceding command performs the following steps:

    • From the admin cluster, get the ssh.key field of a Secret named ssh-keys in the [USER_CLUSTER_NAME] namespace.

    • Base64 decode the key.

    • Store the decoded key in the file ~/.ssh/[USER_CLUSTER_NAME].key.

    • Set appropriate access permissions for the key file.

  2. Use the key to SSH into a user cluster node:

    ssh -i ~/.ssh/[USER_CLUSTER_NAME].key ubuntu@[NODE_IP]
    

    where [NODE_IP] is the internal IP address of a node in your user cluster, which you gathered previously.

Using SSH to connect to an admin cluster node

  1. Get the SSH key for the admin cluster:

    kubectl --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] get secrets -n kube-system sshkeys -o yaml \
    | grep vsphere_tmp: | awk '{ print $NF }' | base64 -d > \
    ~/.ssh/admin-cluster.key && chmod 600 ~/.ssh/admin-cluster.key
    

    where [ADMIN_CLUSTER_KUBECONFIG] is the path of the admin cluster's kubeconfig file.

    The preceding command performs the following steps:

    • From the admin cluster, get the vsphere_tmp field of a Secret named sshkeys in the kube-system namespace.

    • Base64 decode the vsphere_tmp field, which is the key.

    • Store the decoded key in the file ~/.ssh/admin-cluster.key.

    • Set appropriate access permissions for the key file.

  2. Use the key to SSH into an admin cluster node:

    ssh -i ~/.ssh/admin-cluster.key ubuntu@[NODE_IP]
    

    where [NODE_IP] is the internal IP address of a node in the admin cluster, which you gathered previously.
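
Both key-download commands above (user cluster and admin cluster) redirect into the key file before running chmod, so the file briefly carries the shell's default permissions, and it is created or truncated even when the Secret lookup returns nothing. The following is an added example, not part of the original page: a hypothetical helper, save_ssh_key, that writes to a temporary file created with mode 0600 and replaces the destination only when the decoded data begins with a private key header (the header check is an assumption about the key format).

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original page).
# save_ssh_key FIELD DEST
#   Reads a Secret manifest (kubectl ... -o yaml) on stdin, decodes FIELD and
#   installs it at DEST with mode 0600. DEST is only replaced on success.
save_ssh_key() {
    field=$1
    dest=$2
    # mktemp creates the file with mode 0600, so the key material is never
    # readable by other users, not even between the write and a later chmod.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # Compare the YAML key exactly ("ssh.key:" or "vsphere_tmp:") and take
    # the last column of the first matching line, as the page's awk does.
    # Assumption: a usable key starts with a "-----BEGIN ... PRIVATE KEY-----" line.
    if awk -v f="${field}:" '$1 == f && !seen { print $NF; seen = 1 }' \
        | base64 -d > "$tmp" 2>/dev/null \
        && head -n 1 "$tmp" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'
    then
        mv -f "$tmp" "$dest"    # rename keeps the 0600 mode
    else
        rm -f "$tmp"
        echo "save_ssh_key: no private key in field '${field}'; ${dest} unchanged" >&2
        return 1
    fi
}

# Usage with the commands from this page:
#   kubectl --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] get secrets -n [USER_CLUSTER_NAME] ssh-keys -o yaml \
#     | save_ssh_key ssh.key ~/.ssh/[USER_CLUSTER_NAME].key
#   kubectl --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] get secrets -n kube-system sshkeys -o yaml \
#     | save_ssh_key vsphere_tmp ~/.ssh/admin-cluster.key
```

A non-zero exit status means the existing key file, if any, was left as it was.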