How to restrict SSH access to OpenShift cluster nodes

Solution Verified

Environment

  • Red Hat OpenShift Container Platform 4.11 and older
  • Red Hat OpenShift Container Platform 4.12 and newer

Issue

  • Control which client IP is allowed to connect to a cluster node using SSH
  • All SSH accesses must be allowed only from a bastion host

Resolution

  • Creating a machine config that reconfigures sshd and the firewall in Red Hat CoreOS to allow access only from a declared IP address is not an option: it requires modifying the iptables rules on the node, and that is not supported.
  • As an alternative in Red Hat OpenShift Container Platform 4.12 and newer, use the Ingress Node Firewall for this purpose. Check the documentation for the Ingress Node Firewall Operator in OpenShift Container Platform.
  • Also be aware that anyone with the cluster-admin role can run oc debug node/<nodename> and get access to the node through the OpenShift API, regardless of any SSH restriction.
  • Direct SSH access is only recommended for disaster recovery. When the Kubernetes API is responsive, run privileged pods instead; see the documentation for Accessing hosts.
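As an added example (not part of this solution article and not taken from the Ingress Node Firewall Operator documentation), the following manifests show one way to express the "SSH only from the bastion" requirement with the Ingress Node Firewall on OpenShift 4.12 and newer. The bastion address 10.0.10.5/32, the node interface name eth0 and the worker-only node selector are assumptions for the example; replace them with the values of your own environment. The IngressNodeFirewallConfig must exist before any IngressNodeFirewall rules take effect.

```yaml
# Example manifests for restricting SSH (TCP/22) on cluster nodes to a bastion host.
# Added illustration; assumed values: bastion 10.0.10.5/32, interface eth0, worker nodes.
---
# 1. Enable the operator's daemon set on the nodes that should carry the firewall.
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewallConfig
metadata:
  name: ingressnodefirewallconfig
  namespace: openshift-ingress-node-firewall
spec:
  nodeSelector:
    node-role.kubernetes.io/worker: ""   # assumption: apply to worker nodes only
---
# 2. Rules: allow SSH from the bastion, deny SSH from every other source.
#    Only TCP/22 is touched, so cluster traffic on the interface is left alone.
apiVersion: ingressnodefirewall.openshift.io/v1alpha1
kind: IngressNodeFirewall
metadata:
  name: ssh-from-bastion-only
spec:
  interfaces:
  - eth0                                  # assumption: the node's external interface
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/worker: ""  # must match the nodes selected above
  ingress:
  # Bastion host: explicitly allowed to reach sshd.
  - sourceCIDRs:
    - 10.0.10.5/32                        # assumption: bastion address
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "22"
      action: Allow
  # Everyone else: SSH is denied. Other ports are not matched by these rules
  # and therefore pass through unaffected.
  - sourceCIDRs:
    - 0.0.0.0/0
    rules:
    - order: 10
      protocolConfig:
        protocol: TCP
        tcp:
          ports: "22"
      action: Deny
```

Apply the manifests with oc apply -f and confirm that the rules were programmed on each node by checking the IngressNodeFirewallNodeState objects in the openshift-ingress-node-firewall namespace (oc get ingressnodefirewallnodestates -n openshift-ingress-node-firewall). Test from the bastion and from one other host before relying on the rule. Keep in mind the limits stated above: this only filters traffic arriving on the listed interface, it does nothing against oc debug node/<nodename> by a cluster-admin, and a rule that denies more than TCP/22 on the wrong interface can cut a node off from the cluster, so scope the deny rule to the SSH port only.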

Additional information

  • To restrict SSH logins to specific hosts, users, or groups in Red Hat Enterprise Linux, check the solution article: #3893151.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
