This project provides a Kubernetes integration for Step SSH, allowing you to run an SSH server in your Kubernetes cluster with automatic certificate management. When the pod comes online it will register the host on your Smallstep account and when the pod shuts down it will unregister.
Note: This is a proof of concept implementation and will likely need to be adjusted to fit your specific Kubernetes deployment requirements. You may need to modify aspects such as networking, security policies, resource limits, or other configurations based on your cluster's setup and security requirements.
- Docker
- Kubernetes cluster
- Smallstep account with access to the web interface
- Access to a container registry
The project consists of two containers:
- A Fedora-based container running the SSH server
- A minimal container with just the Step SSH Kube binary
Replace `your-registry.example.com` with your container registry:
# Build the Fedora-based SSH server container
docker build -t your-registry.example.com/step-ssh-kube:fedora .
# Build the minimal binary container
docker build -f Dockerfile.binary -t your-registry.example.com/step-ssh-kube:binary .
# Push both containers to your registry
docker push your-registry.example.com/step-ssh-kube:fedora
docker push your-registry.example.com/step-ssh-kube:binary
- Get your Step SSH token:
  - Visit https://smallstep.com/app/myteam/ssh/hosts
  - Replace 'myteam' with your team name if different
  - Copy your token
  - Generate the base64-encoded token string:
echo -n "your-token-here" | base64 -w0
- Update the `deployment.yaml` file:
  - Replace the container image references with your registry
  - Update the `SSH_PUBLIC_KEY_URL` to point to your GitHub keys or other public key source
  - Adjust the `STEP_SSH_TEAM` and `STEP_SSH_TAGS` as needed
  - In the Secret section at the top of the file, replace the placeholder token:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: step-ssh-token
type: Opaque
data:
  token.txt: <base64-encoded-token> # Replace with your base64 encoded token
```
- Deploy to your Kubernetes cluster:
kubectl apply -f deployment.yaml
- Verify the deployment:
kubectl get pods
kubectl get service step-ssh-kube
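The Secret step above and the `STEP_SSH_TAGS` format can be scripted instead of hand-editing `deployment.yaml`. The following is an added example, not part of the step-ssh-kube project: it renders the `step-ssh-token` Secret from a token value (so the base64 string never has to be pasted into the file) and rejects malformed tag strings before they reach the pod. The allowed character set for keys and values is this example's own assumption; the project only states that tags are space-separated key=value pairs.

```shell
#!/bin/sh
# Added example (not project code). Assumes POSIX sh and base64(1).

# Validate STEP_SSH_TAGS: space-separated key=value pairs.
# Runs in a subshell with globbing off so a value like "a=*" is
# never expanded against the filesystem. Returns 0 if every pair
# is well-formed, 1 otherwise (the offending pair goes to stderr).
validate_tags() (
  set -f
  for pair in $1; do
    case "$pair" in
      *=*) ;;
      *) echo "bad tag (no '='): $pair" >&2; return 1 ;;
    esac
    key="${pair%%=*}"
    value="${pair#*=}"
    if [ -z "$key" ] || [ -z "$value" ]; then
      echo "bad tag (empty key or value): $pair" >&2; return 1
    fi
    # Assumption: keys and values use only letters, digits, '.', '_', '-'.
    if printf '%s%s' "$key" "$value" | grep -q '[^A-Za-z0-9._-]'; then
      echo "bad tag (unexpected characters): $pair" >&2; return 1
    fi
  done
  return 0
)

# Base64-encode a token with no trailing newline in the plaintext and
# no line wrapping in the output (portable equivalent of base64 -w0).
encode_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print a Secret manifest matching the one at the top of deployment.yaml.
# Pipe it to `kubectl apply -f -` so the token stays out of the repo.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: step-ssh-token
type: Opaque
data:
  token.txt: $(encode_token "$1")
EOF
}
```

Typical use: `validate_tags "$STEP_SSH_TAGS" && render_secret "$(cat token.txt)" | kubectl apply -f -`.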
After deployment, you can verify that the host is registered with Step SSH and connect to it:
- List registered hosts:
step ssh hosts
You should see your pod listed with its hostname and tags.
- Get the service's cluster IP:
kubectl get service step-ssh-kube -o jsonpath='{.spec.clusterIP}'
- Connect to the pod using the cluster IP:
ssh <your-username>@<cluster-ip> -p 8822
The first time you connect, you'll be prompted to verify the host's fingerprint. After accepting, you'll be logged into the pod.
- Verify root access:
sudo su -
whoami # Should show 'root'
The deployment uses the following environment variables:
- `SSH_PUBLIC_KEY_URL`: URL to fetch authorized SSH public keys from a GitHub user. Leave unset if you don't want to have your SSH keys added to the default `step` user.
- `STEP_SSH_TEAM`: Step SSH team name (e.g., 'myteam')
- `STEP_SSH_TAGS`: Tags for the SSH server. Tags are space-separated key-value pairs. Examples: `"env=prod region=us-west-1"`, `"foo=bar bax=fax mop.top=cat-bat"`
- `STEP_SSH_TOKEN_FILE`: Path to the Step SSH token file. This shouldn't be set unless you want to change the file path.
The deployment consists of:
- A main container running the SSH server
- A sidecar container running the Step SSH Kube binary
- Shared volumes for SSH keys and configuration
- A NodePort service exposing port 8022
- The SSH server runs on port 8022
- SSH host keys are generated during pod initialization
- The Step SSH token is stored as a Kubernetes secret
- All SSH keys are mounted with appropriate permissions (0600)