How to – Connect to TKG node via SSH
As part of TKG we can distinguish two implementations – TKG with Management cluster also known as TKGm (multicloud) or TKG standalone. Eventhough nowadays these solutions are extremely close to each other especially if we deploy Supervisor cluster based on VDS, there are two different ways to access a TKG node via SSH.
Why would you even need to do that? Mostly for troubleshooting, perhaps checking logs or kubelet status on a node locally. So how do we connect there? Let’s go through these two solutions separately.
Connecting to a node in the Management Cluster
Assuming you are using the (bootstrap) machine with the private key that you generate as a key pair for the deployment and your management cluster has the public one from that pair it’s pretty streightforward process.
1. First of all – you need to identify the IP address of a node you want to connect to. You can get the IP addresses using kubectl get nodes -o wide command.
2. Run ssh capv@Node_IP_address – capv is the internal user created automatically. You won’t be asked about password.
And that’s it! We are in 🙂 Now you can test it by checking kubelet status or listening logs of pods running on that node or whatever was the reason to get logged there.
Note: The same procedure will apply also to any node in workload clusters.
Connecting to a node in Supervisor Cluster
1.Use SSH to connect to the vCenter appliance and type shell.
2.Retrieve the supervisor cluster SSH password using a script available at: /usr/lib/vmware-wcp/decryptK8Pwd.py
3.Connect to a supervisor node using the root account and the password that you retrieved in the previous step and you are in! As a confirmation you can run some commands to check kubectl status or container logs, etc.
Connecting to a workload cluster node managed by Supervisor cluster.
1. Use the terminal to retrieve the secret that contains the SSH password.
kubectl get secrets -n namespace-name | grep "cluster-name-ssh-password"
2. Retrieve the ssh-passwordkey value from the secret using following command: kubectl get secrets cluster-name-ssh-password -n namespace-name -o yaml | grep "ssh-passwordkey"
3. Record the ssh-passwordkey value from the output and use Base64 to decode the ssh-passwordkey value using command: echo <SSH_PASSWORDKEY> | base64 --decode
4. List nodes in the cluster using kubectl get nodes -o wide command to grab the IP address of the node you are willing to connect to.
5. Use SSH to connect to the target cluster node as the user vmware-system-user running following command: ssh vmware-system-user@<IPADDR>
6. When prompted for a password, enter the decoded SSH password that you recorded in an earlier step.
More helpful articles can be found on my blog under Tanzu category!