Manage SSH for secure access to Azure Kubernetes Service (AKS) nodes
This article describes how to configure the SSH keys (preview) on your AKS clusters or node pools, during initial deployment or at a later time.
AKS supports the following configuration options to manage SSH keys on cluster nodes:
- Create a cluster with SSH keys
- Update the SSH keys on an existing AKS cluster
- Disable and enable the SSH service
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Before you begin
- You need
aks-preview
version 0.5.116 or later to use Update. - You need
aks-preview
version 1.0.0b6 or later to use Disable. - The Create and Update SSH feature supports Linux, Windows, and Azure Linux node pools on existing clusters.
- The Disable SSH feature isn't supported in this preview release on node pools running the Windows Server operating system.
Install the aks-preview
Azure CLI extension
Install the aks-preview extension using the
az extension add
command.az extension add --name aks-preview
Update to the latest version of the extension using the
az extension update
command.az extension update --name aks-preview
Register the DisableSSHPreview
feature flag
To use the Disable SSH feature, perform the following steps to register and enable it in your subscription.
Register the
DisableSSHPreview
feature flag using theaz feature register
command.az feature register --namespace "Microsoft.ContainerService" --name "DisableSSHPreview"
It takes a few minutes for the status to show Registered.
Verify the registration status using the
az feature show
command.az feature show --namespace "Microsoft.ContainerService" --name "DisableSSHPreview"
When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the
az provider register
command.az provider register --namespace Microsoft.ContainerService
Create an AKS cluster with SSH keys
Use the az aks create command to deploy an AKS cluster with an SSH public key. You can either specify the key or a key file using the --ssh-key-value
argument.
SSH parameter | Description | Default value |
---|---|---|
--generate-ssh-key |
If you don't have your own SSH keys, specify --generate-ssh-key . The Azure CLI automatically generates a set of SSH keys and saves them in the default directory ~/.ssh/ . |
|
--ssh-key-value | Public key path or key contents to install on node VMs for SSH access. For example, ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm . |
~/.ssh/id_rsa.pub |
--no-ssh-key |
If you don't require SSH keys, specify this argument. However, AKS automatically generates a set of SSH keys because the Azure Virtual Machine resource dependency doesn't support an empty SSH keys file. As a result, the keys aren't returned and can't be used to SSH into the node VMs. The private key is discarded and not saved. |
Note
If no parameters are specified, the Azure CLI defaults to referencing the SSH keys stored in the ~/.ssh/id_rsa.pub
file. If the keys aren't found, the command returns the message An RSA key file or key value must be supplied to SSH Key Value
.
The following are examples of this command:
To create a cluster and use the default generated SSH keys:
az aks create --name myAKSCluster --resource-group MyResourceGroup --generate-ssh-key
To specify an SSH public key file, include the
--ssh-key-value
argument:az aks create --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value ~/.ssh/id_rsa.pub
Update SSH public key on an existing AKS cluster
Use the az aks update
command to update the SSH public key (preview) on your cluster. This operation updates the key on all node pools. You can either specify a key or a key file using the --ssh-key-value
argument.
Note
Updating the SSH keys is supported on Azure virtual machine scale sets with AKS clusters.
The following are examples of this command:
To specify a new SSH public key value, include the
--ssh-key-value
argument:az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value 'ssh-rsa AAAAB3Nza-xxx'
To specify an SSH public key file, specify it with the
--ssh-key-value
argument:az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value ~/.ssh/id_rsa.pub
Important
After you update the SSH key, AKS doesn't automatically update your node pool. At any time, you can choose to perform a nodepool update operation. The update SSH keys operation takes effect after a node image update is complete.
Disable SSH overview
To improve security and support your corporate security requirements or strategy, AKS supports disabling SSH (preview) both on the cluster and at the node pool level. Disable SSH introduces a simplified approach compared to the only supported solution, which requires configuring network security group rules on the AKS subnet/node network interface card (NIC). Disable SSH only supports Virtual Machine Scale Sets node pools.
When you disable SSH at cluster creation time, it takes effect after the cluster is created. However, when you disable SSH on an existing cluster or node pool, AKS doesn't automatically disable SSH. At any time, you can choose to perform a nodepool upgrade operation. The disable/enable SSH keys operation takes effect after the node image update is complete.
Note
When you disable SSH at the cluster level, it applies to all existing node pools. Any node pools created after this operation will have SSH enabled by default, and you'll need to run these commands again in order to disable it.
SSH parameter | Description |
---|---|
disabled |
The SSH service is disabled. |
localuser |
The SSH service is enabled and users with SSH keys can securely access the node. |
Note
kubectl debug node continues to work after you disable SSH because it doesn't depend on the SSH service.
Disable SSH on a new cluster deployment
By default, the SSH service on AKS cluster nodes is open to all users and pods running on the cluster. You can prevent direct SSH access from any network to cluster nodes to help limit the attack vector if a container in a pod becomes compromised.
Use the az aks create
command to create a new cluster, and include the --ssh-access disabled
argument to disable SSH (preview) on all the node pools during cluster creation.
Important
After you disable the SSH service, you can't SSH into the cluster to perform administrative tasks or to troubleshoot.
Note
On a newly created cluster, disable ssh will only configure the 1st system nodepool. All other nodepools need to be configured at the nodepool level.
az aks create --resource-group myResourceGroup --name myManagedCluster --ssh-access disabled
After a few minutes, the command completes and returns JSON-formatted information about the cluster. The following example resembles the output and the results related to disabling SSH:
"securityProfile": {
"sshAccess": "Disabled"
},
Disable SSH for a new node pool
Use the az aks nodepool add
command to add a node pool, and include the --ssh-access disabled
argument to disable SSH during node pool creation.
az aks nodepool add --cluster-name myManagedCluster --name mynodepool --resource-group myResourceGroup --ssh-access disabled
After a few minutes, the command completes and returns JSON-formatted information about the cluster indicating mynodepool was successfully created. The following example resembles the output and the results related to disabling SSH:
"securityProfile": {
"sshAccess": "Disabled"
},
Disable SSH for an existing node pool
Use the [az aks nodepool update][az-aks-nodepool-update] command with the
--ssh-access disabled` argument to disable SSH (preview) on an existing node pool.
az aks nodepool update --cluster-name myManagedCluster --name mynodepool --resource-group myResourceGroup --ssh-access disabled
After a few minutes, the command completes and returns JSON-formatted information about the cluster indicating mynodepool was successfully created. The following example resembles the output and the results related to disabling SSH:
"securityProfile": {
"sshAccess": "Disabled"
},
For the change to take effect, you need to reimage the node pool by using the az aks nodepool upgrade
command.
az aks nodepool upgrade --cluster-name myManagedCluster --name mynodepool --resource-group myResourceGroup --node-image-only
Important
To disable SSH on an existing cluster, you need to disable SSH for each node pool on this cluster.
Re-enable SSH on an existing cluster
Use the az aks update
command to update an existing cluster, and include the --ssh-access localuser
argument to re-enable SSH (preview) on all the node pools in the cluster.
az aks update --resource-group myResourceGroup --name myManagedCluster --ssh-access localuser
The following message is returned while the process is performed:
Only after all the nodes are reimaged, does the disable/enable SSH Access operation take effect."
After re-enabling SSH, the nodes won't be reimaged automatically. At any time, you can choose to perform a reimage operation.
Important
During this operation, all Virtual Machine Scale Set instances are upgraded and reimaged to use the new SSH public key.
Re-enable SSH for a specific node pool
Use the az aks update
command to update a specific node pool, and include the --ssh-access localuser
argument to re-enable SSH (preview) on that node pool in the cluster. In the following example, nodepool1 is the target node pool.
az aks nodepool update --cluster-name myManagedCluster --name nodepool1 --resource-group myResourceGroup --ssh-access localuser
The following message is returned when the process is performed:
Only after all the nodes are reimaged, does the disable/enable SSH Access operation take effect.
Important
During this operation, all Virtual Machine Scale Set instances are upgraded and reimaged to use the new SSH public key.
SSH service status
Perform the following steps to use node-shell onto one node and inspect SSH service status using systemctl
.
Get standard bash shell by running the command
kubectl node-shell <node>
command.kubectl node-shell aks-nodepool1-20785627-vmss000001
Run the
systemctl
command to check the status of the SSH service.systemctl status ssh
If SSH is disabled, the following sample output shows the results:
ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: enabled)
Active: inactive (dead) since Wed 2024-01-03 15:36:57 UTC; 20min ago
If SSH is enabled, the following sample output shows the results:
ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2024-01-03 15:40:20 UTC; 19min ago
Next steps
To help troubleshoot any issues with SSH connectivity to your clusters nodes, you can view the kubelet logs or view the Kubernetes master node logs.
Azure Kubernetes Service