Ansible access via bastion host

tbeitter · February 18, 2019, 1:40pm

Hello,

I set up k8s with Kubespray, Terraform and Openstack. It works in general, but…

…for deployments with a bastion host the documentation tells:

“if you chose to create a bastion host, this script will create contrib/terraform/openstack/k8s-cluster.yml with an ssh command for Ansible to be able to access your machines tunneling through the bastion’s IP address.”

This file does not exist. There is another one with a (I guess) similar content at ./terraform/group_vars/no-floating.yml. This file got the ansible_ssh_common_args line containing my bastion host IP.

But it seems that this file is not used anywhere in the playbook as my hosts behind the bastion are not reachable for Ansible. I can use a workaround and go on by configuring the ssh tunnel setup in my global .ssh/config, but this feels dirty and seems not to be the way it’s designed.

Did I miss a info, misunderstand the documentation or was this process altered and the documentation was not updated?

Thanks,
Til

llarsson · February 19, 2019, 7:08am

The documentation is bad there. You need to copy it into your inventory/${CLUSTER}/group_vars, and then it will be picked up correctly.

cp inventory/sample/group_vars/no-floating.yml inventory/$CLUSTER/group_vars/

It is terribly annoying that it is hardcoded to modifying sample, rather than just assuming that ${var.cluster_name} will be a reasonable guess. Not only is it confusing for the reason you state, it is also confusing from a version control point of view.

llarsson · February 19, 2019, 7:10am

Also worth noting that you might not even need a Bastion host, as any host with a floating IP will do for the “bastion” feature. So unless you intend to lock down security groups in some different way, you can just use e.g. your (first?) master node as the way into the cluster.

tbeitter · February 19, 2019, 1:27pm

That worked, thank you! I will open a PR for the documentation. This should be fixed until it’s generated based on the cluster_name var.

tbeitter · February 19, 2019, 1:43pm

Yes, we want to separate admin and workload planes. That’s why we deploy the bastion for ssh&ansible and the k8s-master FIPs are used to access the services only.

Topic		Replies	Views
How to SSH into GKE node on a private cluster General Discussions	3	2844	December 31, 2020
Looking for a good setup guide Kubernetes + Helm + Ingress General Discussions	2	448	October 13, 2023
How configure Kubernetes Cluster Bare-Metal to access on local websites General Discussions	2	702	January 6, 2022
Pod to pod fqdn communication (instead of ip) General Discussions coredns	2	2485	September 15, 2021
Unable to run a Python up on an External IP using LoadBalancer type on Azure k8s cluster General Discussions	0	440	November 10, 2020

Ansible access via bastion host

Related Topics