Ansible access via bastion host


I set up k8s with Kubespray, Terraform and Openstack. It works in general, but…

…for deployments with a bastion host the documentation says:

“if you chose to create a bastion host, this script will create contrib/terraform/openstack/k8s-cluster.yml with an ssh command for Ansible to be able to access your machines tunneling through the bastion’s IP address.”

This file does not exist. There is another one with (I guess) similar content at ./terraform/group_vars/no-floating.yml. This file has the ansible_ssh_common_args line containing my bastion host IP.

But it seems that this file is not used anywhere in the playbook, as my hosts behind the bastion are not reachable for Ansible. I can use a workaround and go on by configuring the ssh tunnel setup in my global .ssh/config, but this feels dirty and does not seem to be the way it’s designed.

Did I miss some info, misunderstand the documentation, or was this process altered and the documentation not updated?


The documentation is bad there. You need to copy it into your inventory/${CLUSTER}/group_vars, and then it will be picked up correctly.

cp inventory/sample/group_vars/no-floating.yml inventory/$CLUSTER/group_vars/

It is terribly annoying that it is hardcoded to modifying sample, rather than just assuming that ${var.cluster_name} will be a reasonable guess. Not only is it confusing for the reason you state, it is also confusing from a version control point of view.


Also worth noting that you might not even need a Bastion host, as any host with a floating IP will do for the “bastion” feature. So unless you intend to lock down security groups in some different way, you can just use e.g. your (first?) master node as the way into the cluster.

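The reason the copy step works is that Ansible only loads group_vars that sit next to the inventory it is actually run against, so a no-floating.yml left under inventory/sample/ is never read when you deploy inventory/$CLUSTER. The script below is an added example, not Kubespray's own code: it generates the ansible_ssh_common_args ProxyCommand for a bastion and installs it into the right group_vars directory. It assumes the generic ProxyCommand form (ssh -W %h:%p through the bastion); Kubespray's sample file may carry extra Jinja for the private key, so compare with your copy. It also assumes you have already put the bastion's host key into a known_hosts file, because it keeps StrictHostKeyChecking=yes rather than disabling it, which is the usual weak shortcut in sample inventories.

```shell
#!/bin/sh
# Added example (not Kubespray's code): place the bastion ProxyCommand where
# Ansible will actually pick it up: inventory/<cluster>/group_vars/, not inventory/sample/.
set -eu

# Build the ansible_ssh_common_args value for a bastion given as user@address.
# Known-hosts path is an assumption; pass your own as the second argument.
# -W %h:%p makes the bastion forward stdio to the real target, so no shell,
# no agent forwarding and no key material are needed on the bastion itself.
bastion_ssh_args() {
  bastion="$1"
  known_hosts="${2:-$HOME/.ssh/known_hosts}"
  printf -- "-o ProxyCommand='ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -W %%h:%%p -q %s'" \
    "$known_hosts" "$bastion"
}

# Write group_vars/no-floating.yml under the given inventory directory and
# print its path. Ansible loads group_vars relative to the inventory source.
install_bastion_vars() {
  inventory_dir="$1"
  bastion="$2"
  known_hosts="${3:-$HOME/.ssh/known_hosts}"
  gv="$inventory_dir/group_vars"
  mkdir -p "$gv"
  printf 'ansible_ssh_common_args: "%s"\n' "$(bastion_ssh_args "$bastion" "$known_hosts")" \
    > "$gv/no-floating.yml"
  printf '%s\n' "$gv/no-floating.yml"
}

# Sanity check before running the playbook: returns 0 only if the inventory
# directory carries a group_vars/no-floating.yml that sets ansible_ssh_common_args.
check_inventory_layout() {
  inventory_dir="$1"
  f="$inventory_dir/group_vars/no-floating.yml"
  [ -f "$f" ] || return 1
  grep -q '^ansible_ssh_common_args:' "$f"
}

# Usage: ./bastion-vars.sh inventory/$CLUSTER ubuntu@203.0.113.10 [known_hosts]
if [ "$#" -ge 2 ]; then
  install_bastion_vars "$@"
  check_inventory_layout "$1" && echo "ok: bastion vars in place for $1"
fi
```

Run check_inventory_layout against inventory/$CLUSTER before ansible-playbook; if it fails while inventory/sample passes, you have hit exactly the mismatch described in this thread.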

That worked, thank you! I will open a PR for the documentation. This should be fixed until it’s generated based on the cluster_name var.


Yes, we want to separate admin and workload planes. That’s why we deploy the bastion for ssh & Ansible, and the k8s-master FIPs are used to access the services only.