Connecting to a node via OS Login
OS Login is used instead of SSH keys to access Yandex Cloud virtual machines via SSH. With OS Login, you can connect to Managed Service for Kubernetes nodes.
Note
To connect via OS Login, make sure to enable external network access.
Configure your cluster node and then connect to it using one of the two methods:
Getting started
- If you do not have the Yandex Cloud command line interface yet, install and initialize it.
  The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Enable access via OS Login at the organization level.
- Make sure the account you are using to connect to the node has one of these roles assigned:
  - compute.osLogin: for access without sudo rights.
  - compute.osAdminLogin: for access with sudo rights.
Configure the node
Set up your cluster node for connection:
- Make sure to enable external access for the node.
- To allow access to a node via OS Login:

  Using the CLI

  Add the enable-oslogin=true parameter to the node configuration:

      yc managed-kubernetes node-group update --name <node_group_name> --metadata enable-oslogin=true

  Using Terraform

  - Open the current Terraform configuration file describing the Managed Service for Kubernetes node group.
    For more information about creating this file, see Creating a node group.
  - Add the enable-oslogin = "true" parameter to the metadata section:

        resource "yandex_kubernetes_node_group" "<node_group_name>" {
          ...
          instance_template {
            ...
            metadata = {
              enable-oslogin = "true"
            }
          }
        }

  - Make sure the configuration files are valid.
    - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
    - Run the command:

          terraform validate

      If there are errors in the configuration files, Terraform will point to them.
  - Confirm updating the resources.
    - Run the command to view planned changes:

          terraform plan

      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
    - If you are happy with the planned changes, apply them:
      - Run the command:

            terraform apply

      - Confirm the update of resources.
      - Wait for the operation to complete.

  For more information, see the Terraform provider documentation.
Connect to the node using the CLI
- View the description of the CLI command for connection to the node:

      yc compute ssh --help

- To find out the name of the node you need, get a list of cluster nodes:

      yc managed-kubernetes node-group list-nodes --name <node_group_name>

  Result example:

      +----------------------+-----------------+---------------------------+-------------+--------+
      |    CLOUD INSTANCE    | KUBERNETES NODE |         RESOURCES         |    DISK     | STATUS |
      +----------------------+-----------------+---------------------------+-------------+--------+
      | fhmmh23ugigb******** | <node_name>     | 4 100% core(s), 8.0 GB of | 64.0 GB ssd | READY  |
      | RUNNING_ACTUAL       |                 | memory                    |             |        |
      +----------------------+-----------------+---------------------------+-------------+--------+

- Connect to the node:

      yc compute ssh --name <node_name>
Connect to the node using SSH
- Export the OS Login certificate.
  Note
  The certificate is valid for one hour. After this time has elapsed, you will need to export a new certificate to connect to the node.
- Find out the public address of the node:
  - Get the node group ID:

        yc managed-kubernetes node-group list

    Result:

        +------------------------------+----------------------+-----------+----------------------+---------------------+---------+------+
        |              ID              |      CLUSTER ID      |   NAME    |  INSTANCE GROUP ID   |     CREATED AT      | STATUS  | SIZE |
        +------------------------------+----------------------+-----------+----------------------+---------------------+---------+------+
        | <node_group_ID>              | cato4gqs0ave******** | ng-name   | cl17a1c3mbau******** | 2024-02-08 04:25:06 | RUNNING |    1 |
        +------------------------------+----------------------+-----------+----------------------+---------------------+---------+------+

    You will find the parameter you need in the ID column.
  - View the list of Managed Service for Kubernetes nodes that belong to this group:

        yc compute instance-group list-instances <node_group_ID>

    Result:

        +----------------------+---------------------------+----------------+-------------+----------------------+----------------+
        |     INSTANCE ID      |           NAME            |  EXTERNAL IP   | INTERNAL IP |        STATUS        | STATUS MESSAGE |
        +----------------------+---------------------------+----------------+-------------+----------------------+----------------+
        | fhm8nq5p7t0r******** | cl12kvrgj493rhrkimmb-**** | 84.201.156.211 | 10.128.0.36 | RUNNING_ACTUAL [25m] |                |
        +----------------------+---------------------------+----------------+-------------+----------------------+----------------+

    The public IP address of the Managed Service for Kubernetes node is shown in the EXTERNAL IP column.
- Connect to the VM:

      ssh -i <certificate_file_path> <username>@<public_IP_address_of_node>

  Where:
  - <certificate_file_path>: path to the previously saved Identity certificate file, e.g., /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername.
  - <username>: organization user's username. It is specified at the end of the exported OS Login certificate's name. In the example above, it is orgusername.
  - <public_IP_address_of_node>: public IP address of the node obtained earlier.

  If this is your first time connecting to the node, you will get an unknown host warning:

      The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
      ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
      Are you sure you want to continue connecting (yes/no)?

  Type yes in the terminal and press Enter.
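The SSH procedure above, scripted as an added example that is not part of the Yandex Cloud documentation: it reads the EXTERNAL IP column from the `yc compute instance-group list-instances` table, takes the user name from the end of the certificate's file name, and refuses a certificate older than the one-hour validity window. The table is a constructed sample with placeholder IDs and IPs, and `find -mmin` is assumed to be available.

```shell
# Added example (not Yandex Cloud's own code) for the "Connect to the node using
# SSH" steps: pick the node's public IP, derive the user name from the exported
# certificate's file name, check certificate age, and build the ssh command.

# Constructed sample of the list-instances output; the second node has no public IP.
SAMPLE_TABLE='+----------------------+---------------------------+----------------+-------------+
|     INSTANCE ID      |           NAME            |  EXTERNAL IP   | INTERNAL IP |
+----------------------+---------------------------+----------------+-------------+
| fhm8nq5p7t0r11111111 | cl12kvrgj493rhrkimmb-aaaa | 203.0.113.10   | 10.128.0.36 |
| fhm8nq5p7t0r22222222 | cl12kvrgj493rhrkimmb-bbbb |                | 10.128.0.37 |
+----------------------+---------------------------+----------------+-------------+'

# node_external_ip TABLE NODE_NAME: print the node's EXTERNAL IP. Columns are found by
# header name, so the full yc table works too. Exit 2 if absent, 3 if no public IP.
node_external_ip() {
  printf '%s\n' "$1" | awk -F'|' -v want="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^\|/ && !hdr { for (i = 2; i < NF; i++) { h = trim($i)
                      if (h == "NAME") nc = i; if (h == "EXTERNAL IP") ic = i }
                    hdr = 1; next }
    /^\|/ && trim($nc) == want { ip = trim($ic); found = 1 }
    END { if (!found) { print "node not found: " want > "/dev/stderr"; exit 2 }
          if (ip == "") { print "no EXTERNAL IP for " want ": enable external access" > "/dev/stderr"; exit 3 }
          print ip }'
}

# oslogin_username CERT_PATH: the user name is the suffix after the last '-' of the file name.
oslogin_username() {
  name=$(basename "$1")
  case $name in
    *-*) printf '%s\n' "${name##*-}" ;;
    *)   echo "unexpected certificate file name: $name" >&2; return 1 ;;
  esac
}

# cert_is_fresh CERT_PATH: succeed only if the file is under 60 minutes old, because the
# exported OS Login certificate is valid for one hour (assumes find(1) supports -mmin).
cert_is_fresh() {
  [ -f "$1" ] && [ -z "$(find "$1" -mmin +60 -print)" ]
}

# oslogin_ssh_cmd CERT_PATH TABLE NODE_NAME: print the ssh command for the node.
oslogin_ssh_cmd() {
  cert_is_fresh "$1" || { echo "certificate missing or older than one hour: export a new one" >&2; return 1; }
  user=$(oslogin_username "$1") || return 1
  ip=$(node_external_ip "$2" "$3") || return 1
  printf 'ssh -i %s %s@%s\n' "$1" "$user" "$ip"
}
```

To run against a live node group, pass `$(yc compute instance-group list-instances <node_group_ID>)` as the TABLE argument.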