SSH bastion access to services
Access namespace services like pods or databases for maintenance
You can add SSH bastion to an environment to allow team members to securely access resources in the environment, for example, to run utilities accessing backend services like database containers or to perform administrative commands like starting and stopping jobs on private containers not connected to the public internet.
We do not recommend using bastion access in critical environments, such as staging or production. SSH access is usually unaudited and has elevated powers that could be used to cause harm to your services and environments. Most customers do not need SSH bastion access for their environments.
It is a mistake to believe that VPNs and SSH bastions make access to your environments more secure. In reality, these connections may expose your environments to additional risk, and you should keep this in mind if you choose to add SSH bastion access to your application or environment.
Navigate to the Application Template settings to create a bastion service that will run an SSH image. This example creates a service for you:
- name: bastion
image: binlab/bastion
command:
- sh
- "-c"
- >-
cp /var/lib/bastion/public-key /var/lib/bastion/authorized_keys &&
chmod 600 /var/lib/bastion/authorized_keys &&
chown bastion:bastion /var/lib/bastion/authorized_keys &&
bastion
ports:
- type: node_port
target_port: '22'
port: '22'
loadbalancer: true
hostname: bastion-${env_id}-${domain}
Let's take a look at these configuration directives:
nameis the name of the service.commandprovides a series of bash commands that will be run to copy the keys from a known location (keys will be uploaded in the next step) and start the bastion service.portsspecifies that the service will listen on port22, which is standard for SSH.hostnamedescribes the hostname that will be generated for the bastion service.
Next we'll use a just-in-time file mount to upload the public keys that will be used to access the bastion.
Create a text file on your computer called
public-key with no file extension. Add the list of public SSH keys to this file, placing each key on a new line. An example file with two keys might look like this:ssh-rsa AAAAB3Nza...abcd== User1
ssh-rsa AAAAB3Nza...uvwxyz User2
Now navigate to App Settings and scroll down to the "Just-in-time File Mounts" section. Upload the
public-key file with the file directory /var/lib/bastion/ and make sure you select the bastion service checkbox. You do not need to select Secret, because this file only contains public keys which are not secrets.Create the file mount with the public keys and save the file
Once you have applied the services to deploy a new environment or update and existing environment, navigate to the environment's details page. You'll find the hostname for the bastion service in the "Hostname URLs" section.
Copy the hostname for the bastion service. You can now use an SSH terminal to connect as the user
bastion as follows:$ ssh [email protected]
The authenticity of host 'bastion-staging-releaseapp.io (XX.YY.ZZZ.WWW)' can't be established.
ECDSA key fingerprint is SHA256:KKTfemSDp1s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bastion-staging-releaseapp.io,XX.YY.ZZZ.WWW' (ECDSA) to the list of known hosts.
Welcome to Bastion!
bastion-c4dc7-cx:~$
You can now execute commands on the bastion to reach hosts beyond the bastion server.
The SSH bastion supports a local configuration you can enable to proxy through the bastion transparently. If you would like to learn more using a proxy jump host, take a look at Tecmint's How to Access a Remote Server Using a Jump Host.
Last modified 29d ago