Adding SSH Bastion Access to Services

How to access namespace services, like pods or databases for maintenance

Adding an SSH bastion allows users to securely access resources inside your environment. Common use-cases include running utilities to access backend services, like database containers or instances, or to perform administrative commands like starting and stopping jobs on private containers not connected to the public internet.

We do not recommend using bastion access in environments that are critical: for example, in staging or production environments. SSH access is usually unaudited and has elevated powers to do potentially harmful things to your services and environments, so we do not recommend this for most customers.

Some people erroneously believe having VPNs and SSH bastions makes access "more secure" but it may in fact create more openings for bad things to happen. Everything is a tradeoff and you should be aware of what those tradeoffs are for your application and environment. You have been warned.

Create Bastion Service

First, navigate to the Application Template settings to create a bastion service that will run an SSH image. This example creates a service for you:

- name: bastion
image: binlab/bastion
- sh
- "-c"
- >-
cp /var/lib/bastion/public-key /var/lib/bastion/authorized_keys &&
chmod 600 /var/lib/bastion/authorized_keys &&
chown bastion:bastion /var/lib/bastion/authorized_keys &&
- type: node_port
target_port: '22'
port: '22'
loadbalancer: true
hostname: bastion-${env_id}-${domain}

These configuration directives are explained in other sections, but roughly the sections are:

  • name is the name of the service

  • image refers to a public Binlabs ssh container

  • command says to run a bash series of commands to copy the keys and start the bastion service itself. We copy the keys from a known location which will be uploaded in the next step

  • ports describes the service listening on 22, which is standard for SSH

  • hostname describes the hostname that will be generated for the bastion service

Create and Upload Public Keys to Gain Access

The next step is to use a Just in Time File Mount that allows you to upload the public keys that will be used for the bastion. Create a text file on your computer with a list of public SSH keys, one per line and call it public-key with no file extension. An example file with two keys might look like the following:

ssh-rsa AAAAB3Nza...abcd== User1
ssh-rsa AAAAB3Nza...uvwxyz User2

Navigate to the Application Settings area and scroll down to the Just in Time File Mounts. Upload the public-key file with a file directory of /var/lib/bastion/ and make sure you select the bastion service checkbox. You do not need to select "Secret" because this file only contains public keys which are not secrets.

Create the file mount with the public keys and save the file

Connect to the Bastion

After you have completed the steps above and applied the services to deploy a new environment (or update an existing environment), you will need to copy the hostname present in the environment for the bastion service. You can find it in the Hostname URLs section shown below.

Grab the hostname for the bastion service and you can now use an SSH terminal to connect as the user bastion as shown below:

The authenticity of host ' (XX.YY.ZZZ.WWW)' can't be established.
ECDSA key fingerprint is SHA256:KKTfemSDp1s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ',XX.YY.ZZZ.WWW' (ECDSA) to the list of known hosts.
Welcome to Bastion!

You can now execute commands on the bastion to reach hosts beyond the bastion server.

(Optional) Use the Bastion as a Jump Host

The SSH bastion supports a local configuration you can enable to "proxy" through the bastion transparently. This configuration is advanced, so I will leave you with a link to an article that describes how to use it. Tecmint's Proxy Jump Host documentation.