Ssh with port 22 into k8s pod as non root user

Asking for help? Comment out what you need so we can get more information to help you!

Cluster information:

Kubernetes version: 1.19
Cloud being used: on-perm
Installation method: i believe kubeadm
Host OS: ubuntu

Hi, I have a business requirement to SSH as a non-root into kubernetes pod and this is already in traditional server setup, just moving the same to k8s.
Have installed metallb. I created my set of private and public keys. Add the public key and sshd_config ( PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no) as configmap and mounted as volumes (/root/.ssh/authorized_keys).
Created a LB type service which bind the pod with metallb ip.
Able to ssh using ssh root@metallbip.

Added the non-root user in /etc/group and /etc/passwd, public key under /home/xyz/.ssh/authorized_keys.If i mount this using configmap, the ownership is root:root.
So I added them in dockerimage itself, updated the ownership to xyz:xyz’s group and permission to 0600, created pod in k8s cluster. But getting “xyz@metallbip: Permission denied (publickey)”.
I think am missing something when I want to ssh as a non root user. Am running the pod and openssh-server as root.

Please let me know if anyone can help with this.

apiVersion: apps/v1
kind: Deployment
metadata:
name: application-deployment
spec:
selector:
matchLabels:
app: application
replicas: 1
template:
metadata:
labels:
app: application
spec:
containers:
- name: application
image: my-private-docker-registry/ssh-test:0.1.3
ports:
- containerPort: 22
volumeMounts:
- name: ssh-volume
subPath: sshd_config
mountPath: /etc/ssh/sshd_config
volumes:
- name: ssh-volume
configMap:
name: ssh-config
imagePullSecrets:
- name: image-pull-secret

apiVersion: v1
kind: Service
metadata:
name: ssh-service
spec:
type: LoadBalancer
ports:

• port: 22
  targetPort: 22
  selector:
  app: application

apiVersion: v1
kind: ConfigMap
metadata:
name: ssh-config
data:
sshd_config: |
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no
AllowUsers xyz
authorized_keys: |
ssh-rsa XXXXXXXXXX

my dockerfile…

FROM ubuntu
RUN apt-get update
RUN apt-get -y install openssh-server
RUN apt-get -y install net-tools
RUN apt-get -y install lsof
RUN apt-get -y install iproute2
COPY ./id_rsa.pub /home/xyz/.ssh/authorized_keys
COPY ./group /etc/group
COPY ./passwd /etc/passwd
RUN mkdir -p /home/xyz/.ssh
RUN chown -R xyz:xyz_g /home/xyz/.ssh
RUN chmod 0700 /home/xyz/.ssh
RUN chmod 0600 /home/xyz/.ssh/authorized_keys
ENTRYPOINT service ssh restart -D
EXPOSE 22

Hi:

You should create the user xyz:xyz_g in the Dockerfile, otherwise, the only user inside the container is root.

Best regards,

Xavi

You can try,

OpenPubkey to SSH Without SSH Keys. Following are the links for more information.

How to Use OpenPubkey to SSH Without SSH Keys | Docker

How to Handle Kubernetes Zero Trust Security | BastionZero