Skip to content

andsens/k8sss

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
.github/workflows
.github/workflows
 
 
bin
bin
 
 
deploy
deploy
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
bootstrap.Dockerfile
bootstrap.Dockerfile
 
 
upkg.json
upkg.json
 
 

Repository files navigation

k8sss

Get access to your Kubernetes cluster using your SSH key (or YubiKey, TPM chip, Google login, anything supported by Smallstep really).

Note that the key itself is not used for accessing the cluster, instead k8sss generates a key on disk and obtains a short-lived kube-api client certificate (30 min.) that is reissued every 15 min.
To authenticate with your cluster directly via an HSM see step-kmsproxy-plugin.

Installation

The Kubernetes manifest can be deployed by fetching the repo and running kubectl apply -k deploy/.
The deployment mounts the kube-api client CA certificate as a hostPath from /var/lib/rancher/k3s/server/tls/client-ca.crt, so k3s is assumed, see Customizing access for changing how you authenticate.

The k8sss tool can be installed through μpkg. Check the latest release for a copy & paste string with the proper shasum.

# DON'T COPY THIS, SEE THE LATEST RELEASE
$ upkg add -g 'https://github.com/andsens/k8sss/releases/download/v0.0.0/k8sss.tar.gz' f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2
upkg: Added 'https://github.com/andsens/k8sss/releases/download/v0.0.0/k8sss.tar.gz'
$ k8sss --help
k8sss - Issue Kubernetes client certificates via smallstep
Usage:
...

Client setup

Run k8sss setup <kube-api>:6443 and you're done.

$ k8sss setup nas:6443
k8sss: No trust has been established with this Kubernetes cluster yet.
The root certificate fingerprint is f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2
Do you want to establish that trust now? [y/N]y
k8sss: Downloading Kubernetes API Client CA certificate
k8sss: Setting up ~/.kube/config.yaml
Cluster "nas" set.
User "system:admin@nas" set.
Context "nas" modified.

$ kubectl --context nas -n kube-system get pod
NAME                       READY   STATUS    RESTARTS   AGE
coredns-77dbf85789-g7qkm   2/2     Running   0          2d15h

Run k8sss --help for details on how to adjust things like the smallstep CA endpoint (assumed to be <kube-api>:9000), the Kubernetes username (system:admin), or what key to use for authentication.

Customizing access

The CA setup script reads each line from /home/admin/.ssh/authorized_keys (mounted via hostPath) and converts it to a JWK that is added to the step-ca provisioner config.

The script and the deployment need to be modified if you wish to change how step-ca authenticates users.

... or, you remove the setup_authorized_keys() part in the setup script and hardcode your authentication method directly in deploy/kube-client-ca.json.

About

Access Kubernetes using your SSH keys

Topics

kubernetes ssh jwt smallstep

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 9

v0.1.2 Latest
Jan 3, 2026
+ 8 releases

Packages

 
 
 

Languages