0

I work as part of a small team, and we would like to use our own ssh keys to administer the kubernetes cluster.

I use --generate-ssh-keys which picks up on my id_rsa.pub in ~/.ssh, and I then use az acs kubernetes get-credentials --resource-group $group --name $k8s_name to get my updated kubectl config file.

My colleague can do most things with this, but can't kubectl exec as it requires ssh access to the minions/agents.

With my key, I can get into the master, but then can't seem to get to the agents to deploy the additional authorized_key.

Is there a way to do this? Even if it requires some manual work?

Chris

2 Answers

1

You can access the agents through the master by using the primary ssh key you entered when you created the cluster (in case you already deleted that key in the master, you'll need to add it again).

Try following this guide: How to login into DC-OS slave through Master

Community
  • This works, which sorted out my issue, though I don't feel this is the "answer" if that makes sense. It's messy, manual and complex – Chris May 17 '17 at 13:30
  • I understand and I agree with you. If you would like to have a clean solution, maybe you should consider Ansible. In this case the only problem will be the learning curve, but it will be worth it. Here are some links: http://docs.ansible.com/ansible/authorized_key_module.html and https://github.com/erjosito/ansible-azure-lab – Christian Melendez May 17 '17 at 14:00
1

The way we did it was by having your colleague update the k8s user account's authorized_keys on the master using:

az vm user update -u azureuser --ssh-key-value "$(< ~/.ssh/id_rsa.pub)" -n <<master vm name>> -g <<k8s acs resource group>>

They should then be able to run kubectl commands.

I haven't run into any kubectl commands needing to do this on the agents yet, but you could script this up by getting the vm names and running through each. Something like the following will give you the list of vm names (so long as your ACS cluster is the only thing in the resource group):

az vm list -g ONEKAY --query "[*].osProfile.computerName"

You should be able to run through this list using the first command to add the public key.

I'm not sure this is the 'prescribed' way to do this, but it would work.

tellisnz
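
The loop the second answer describes, written out as an added example (not code from either answer or from Azure): it lists the VMs in the resource group and runs `az vm user update` against each, after checking that the file really holds a single public key. The function names and the `AZ` / `ADMIN_USER` variables are made up for this sketch, and it queries `name` rather than `osProfile.computerName` on the assumption that `-n` wants the VM resource name.

```sh
#!/bin/sh
# Added example (not from the answers): add one colleague's public key to
# every VM in the cluster's resource group.
# Usage: sh add-key.sh <resource-group> <path-to-public-key>
AZ="${AZ:-az}"                          # hypothetical override for dry runs
ADMIN_USER="${ADMIN_USER:-azureuser}"   # admin user named in the answer

# Accept only a file holding exactly one OpenSSH public key line, so a
# private key or a multi-key file is never pushed to the nodes by mistake.
valid_pubkey() {
  [ -r "$1" ] || return 1
  [ "$(grep -c '' "$1")" -eq 1 ] || return 1
  grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# VM resource names, one per line. Assumes the ACS cluster is the only
# thing in the resource group, as the answer notes.
list_vms() {
  "$AZ" vm list -g "$1" --query "[*].name" -o tsv
}

# Returns 2 for a rejected key file, otherwise the number of VMs that failed.
add_key_to_group() {
  group=$1; key_file=$2; failed=0
  if ! valid_pubkey "$key_file"; then
    echo "refusing: $key_file is not a single public key" >&2
    return 2
  fi
  key=$(cat "$key_file")
  # Azure VM names contain no whitespace, so word splitting is safe here.
  for vm in $(list_vms "$group"); do
    if "$AZ" vm user update -u "$ADMIN_USER" --ssh-key-value "$key" \
         -n "$vm" -g "$group" >/dev/null; then
      echo "ok   $vm"
    else
      echo "FAIL $vm" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

if [ "$#" -eq 2 ]; then add_key_to_group "$1" "$2"; fi
```

A non-zero exit status means at least one VM was not updated; the `FAIL` lines on stderr name them, so the run can be repeated for those machines only.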