@djjudas21
Created June 23, 2021 10:18
Basic example of a minimal ssh bastion deployment

ssh

Simple ssh server deployment with a persistent root user home directory and persistent ssh host keys.

Currently there is no password auth.

kubectl apply -f config.yaml -f deployment.yaml -f pvc.yaml -f service.yaml
---
# config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ssh-config
  namespace: sshd  # must match the Deployment's namespace, otherwise the configMap volume cannot be resolved
data:
  sshd_config: |-
    # $OpenBSD: ssh_config,v 1.34 2019/02/04 02:39:42 dtucker Exp $
    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.
    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.
    # Site-wide defaults for some commonly used options. For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.
    # Host *
    # ForwardAgent no
    # ForwardX11 no
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # GSSAPIAuthentication no
    # GSSAPIDelegateCredentials no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # IdentityFile ~/.ssh/id_ecdsa
    # IdentityFile ~/.ssh/id_ed25519
    # Port 22
    # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    # MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    # EscapeChar ~
    # Tunnel no
    # TunnelDevice any:any
    # PermitLocalCommand no
    # VisualHostKey no
    # ProxyCommand ssh -q -W %h:%p gateway.example.com
    # RekeyLimit 1G 1h
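The ConfigMap payload above is made up entirely of comment lines (as its first line says, it is the header of the OpenSSH client's ssh_config), so the sshd in the pod receives no directives and runs on OpenSSH's compiled-in defaults unless the image sets them elsewhere; PasswordAuthentication defaults to yes, which does not match the README's "no password auth". The audit below is an added example and not part of the gist: it reads an sshd_config the way sshd does (comments skipped, first value of a directive wins, settings before any Match block) and reports directives whose effective value violates a minimal key-only bastion policy. The policy, the defaults table and both sample payloads are assumptions made here.

```python
import re

# OpenSSH's compiled-in defaults for the directives checked here (sshd_config(5)).
SSHD_DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
                 "permitrootlogin": "prohibit-password", "permitemptypasswords": "no"}
# Assumed policy for a key-only bastion (not from the gist): the defaults, minus password auth.
BASTION_POLICY = dict(SSHD_DEFAULTS, passwordauthentication="no")


def parse_sshd_config(text):
    """Read the global section the way sshd does: skip comments and blank lines,
    keys are case-insensitive, the FIRST value of a directive wins, and stop at
    the first Match block because everything after it is conditional."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue  # a keyword without a value is rejected by sshd; skip it here
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit(text):
    """Return one finding per directive whose effective value (explicit or
    default) violates BASTION_POLICY; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in BASTION_POLICY.items():
        actual = cfg.get(key, SSHD_DEFAULTS[key])
        origin = "set" if key in cfg else "default"
        if actual.lower() != wanted:
            findings.append(f"{key}={actual} ({origin}); policy requires {wanted}")
    return findings


# Constructed excerpt of the gist's ConfigMap payload: comment lines only,
# so every directive falls back to its compiled-in default.
GIST_CONFIG = "# $OpenBSD: ssh_config,v 1.34 2019/02/04 02:39:42 dtucker Exp $\n# PasswordAuthentication yes\n# Port 22\n"
# Constructed hardened payload for the same ConfigMap.
HARDENED_CONFIG = ("PermitRootLogin prohibit-password\nPasswordAuthentication no\n"
                   "PubkeyAuthentication yes\nPermitEmptyPasswords no\n")

if __name__ == "__main__":
    print(audit(GIST_CONFIG))      # ['passwordauthentication=yes (default); policy requires no']
    print(audit(HARDENED_CONFIG))  # []
```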
---
# deployment.yaml
kind: "Deployment"
apiVersion: "apps/v1"
metadata:
  name: sshd
  namespace: sshd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sshd
  template:
    metadata:
      labels:
        app: sshd
    spec:
      containers:
        - name: sshd
          image: danielguerra/alpine-sshd:latest
          tty: true
          ports:
            - containerPort: 22
          volumeMounts:
            - mountPath: /root
              name: home
            - mountPath: /etc/ssh
              name: hostkeys
            - mountPath: /etc/ssh/sshd_config
              name: ssh-config
              subPath: sshd_config
          resources:
            requests:
              cpu: "10m"
              memory: "128Mi"
      volumes:
        - name: home
          persistentVolumeClaim:
            claimName: home
        - name: hostkeys
          persistentVolumeClaim:
            claimName: hostkeys
        - name: ssh-config
          configMap:
            name: ssh-config
---
# pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: hostkeys
  namespace: sshd
spec:
  storageClassName: freenas-nfs-csi
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Mi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: home
  namespace: sshd
spec:
  storageClassName: freenas-nfs-csi
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
---
# service.yaml
apiVersion: v1
kind: Service
metadata:
  name: ssh
  namespace: sshd
spec:
  externalTrafficPolicy: Local
  loadBalancerIP: 192.168.0.68
  ports:
    - name: ssh
      port: 22
      protocol: TCP
      targetPort: 22
  selector:
    app: sshd
  type: LoadBalancer