Suppose you have ansible and you want to provision KubeVirt VMs in a kubernets cluster, jumppod can help you reaching all VMs in your inventory easily by kubernetes assigned DNS names by e.g. headless services.

The jumppod is a small sshd deployement for k8s. It can be easily deployed and can be exposed via kubectl port-forward, LoadBalancer or NodePort services.

Once running and exposed, you have a jump pod inside your kubernetes cluster with KubeVirt, including kube-dns resolution.

Ensure that your VMIs which you want to access are part of a headless service (https://kubevirt.io/user-guide/virtual_machines/dns/#dns-records) and you will have nice DNS names for your VMs for ansible or yourself without the need for a ton of ClusterIP services or plain IPs just for administrational tasks.

jumppod should be pretty safe to use:

• The sshd servers in the jumppod deployment run in unprivileged pods.
• The host-keys are provided via a secret and not regenerated to prevent MITM (so that you trust the host key signature and do not disable the checks).

mkdir -p ~/etc/ssh && ssh-keygen -A -f ~/
kubectl create secret generic host-keys --from-file=${HOME}/etc/ssh
rm -rf ~/etc/ssh
kubectl create -f https://raw.githubusercontent.com/rmohr/jumppod/main/manifests/deployment.yaml

Access can be given or revoked by updating a configmap called authorized-keys which contains a authorized_keys file.

It is easy to transform an existing authorized_keys file or your id_rsa.pub file into the required configmap:

kubectl create configmap authorized-keys --from-file=authorized_keys=${HOME}/.ssh/id_rsa.pub

Create a nodeport service which will expose sshd on port 32222:

kubectl create service nodeport sshd-nodeport --node-port 32222 --tcp 2222:2222

Define an entry like this in .ssh/config

Host jumphost
   HostName <node-ip>
   User nonroot
   Port 32222

Using port-forward to open a connection to your local machine:

kubectl port-forward svc/sshd 2222:22 &

Connect to the ssh server:

ssh nonroot@localhost -p 2222

With the port-forward established, we can define a jumphost in our .ssh/config file:

Host jumphost
   HostName localhost
   User nonroot
   Port 2222

We now have defined a headless service which will create unique DNS entries for each of the two small Cirros VMs.

kubectl create -f example/vmis.yaml

Once they are up, we can connect like this to them (password is gocubsgo):

ssh [email protected] -J jumphost
ssh [email protected] -J jumphost

We can also define entries in .ssh/config which will use the jumphost automatically:

Host cirros0.ansiblemachines
   HostName cirros0.ansiblemachines
   User cirros
   ProxyJump jumphost
Host cirros1.ansiblemachines
   HostName cirros1.ansiblemachines
   User cirros
   ProxyJump jumphost