Connect with SSH to Azure Kubernetes Service (AKS) cluster nodes for maintenance or troubleshooting

Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. The AKS nodes are Linux VMs, so you can access them using SSH. For security purposes, the AKS nodes are not exposed to the internet.

This article shows you how to create an SSH connection to an AKS node using its private IP address.

Before you begin

This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI or using the Azure portal.

You also need the Azure CLI version 2.0.59 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Add your public SSH key

By default, SSH keys are generated when you create an AKS cluster. If you did not specify your own SSH keys when you created your AKS cluster, add your public SSH key to the AKS nodes.

To add your SSH key to an AKS node, complete the following steps:

  1. Get the name of the resource group that holds your AKS cluster resources using az aks show. Provide your own core resource group and AKS cluster name:

    az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv
    
  2. List the VMs in the AKS node resource group using the az vm list command. These VMs are your AKS nodes. (Nodes that belong to a virtual machine scale set are not individual VMs and will not appear in this list; this article covers availability-set nodes only.)

    az vm list --resource-group MC_myResourceGroup_myAKSCluster_eastus -o table
    

    The following example output shows the AKS nodes:

    Name                      ResourceGroup                            Location
    ------------------------  ---------------------------------------  ----------
    aks-nodepool1-79590246-0  MC_myResourceGroup_myAKSCluster_eastus   eastus
    
  3. To add your SSH key to the node, use the az vm user update command. Provide the resource group name and then one of the AKS nodes obtained in the previous step. By default, the username for the AKS nodes is azureuser. Provide the location of your own SSH public key, such as ~/.ssh/id_rsa.pub, or paste the contents of your SSH public key (make sure you pass the .pub file, not the private key):

    az vm user update \
      --resource-group MC_myResourceGroup_myAKSCluster_eastus \
      --name aks-nodepool1-79590246-0 \
      --username azureuser \
      --ssh-key-value ~/.ssh/id_rsa.pub
    
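The three steps above are shown for a single node. The following script, an added example and not part of the original article, applies the same az calls to every node VM in the node resource group and generates a dedicated key for the maintenance window instead of reusing a personal long-lived key. The resource group and cluster names, the key path and the AKS_SSH_APPLY switch are assumptions for illustration; it only runs the az commands when AKS_SSH_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the AKS documentation. Provisions a short-lived SSH
# public key on azureuser of every node VM in the AKS node resource group.
# Assumptions: az is logged in; RESOURCE_GROUP, CLUSTER and KEY_FILE are yours.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-myResourceGroup}"   # assumed name
CLUSTER="${CLUSTER:-myAKSCluster}"                     # assumed name
KEY_FILE="${KEY_FILE:-$HOME/.ssh/aks-node-$(date +%Y%m%d)}"

# Resolve the MC_* node resource group from the cluster object.
node_resource_group() {
  az aks show --resource-group "$1" --name "$2" --query nodeResourceGroup -o tsv
}

# Node VM names in the node resource group, one per line.
node_vm_names() {
  az vm list --resource-group "$1" --query "[].name" -o tsv
}

# Generate an ed25519 key pair that exists only for this maintenance task.
ensure_key() {
  if [ ! -f "$1" ]; then
    ssh-keygen -t ed25519 -N '' -C "aks-maintenance" -f "$1" >/dev/null
    chmod 0600 "$1"
  fi
}

# Guard against pushing the wrong file: az vm user update must be given an
# OpenSSH public key (ssh-ed25519/ssh-rsa/ecdsa/sk-*), never the private key.
is_public_key() {
  grep -qE '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh\.com) ' "$1"
}

# Push the public key to azureuser on one node VM.
add_key_to_node() {
  az vm user update --resource-group "$1" --name "$2" \
    --username azureuser --ssh-key-value "$3"
}

main() {
  node_rg=$(node_resource_group "$RESOURCE_GROUP" "$CLUSTER")
  ensure_key "$KEY_FILE"
  if ! is_public_key "$KEY_FILE.pub"; then
    echo "refusing: $KEY_FILE.pub is not an OpenSSH public key" >&2
    exit 1
  fi
  node_vm_names "$node_rg" | while IFS= read -r vm; do
    echo "adding key to $vm in $node_rg"
    add_key_to_node "$node_rg" "$vm" "$KEY_FILE.pub"
  done
}

# Only touch Azure when explicitly asked; the functions can be sourced otherwise.
if [ "${AKS_SSH_APPLY:-0}" = "1" ]; then main; fi
```

Run it with AKS_SSH_APPLY=1 RESOURCE_GROUP=... CLUSTER=... once you are logged in; the generated private key is the one you will copy into the helper pod in the next section.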

Get the AKS node address

The AKS nodes are not publicly exposed to the internet. To SSH to the AKS nodes, you use the private IP address. In the next section, you create a helper pod in your AKS cluster that lets you SSH to this private IP address of the node.

View the private IP address of an AKS cluster node using the az vm list-ip-addresses command. Provide your own AKS node resource group name, obtained in the earlier az aks show step:

az vm list-ip-addresses --resource-group MC_myResourceGroup_myAKSCluster_eastus -o table

The following example output shows the private IP addresses of the AKS nodes:

VirtualMachine            PrivateIPAddresses
------------------------  --------------------
aks-nodepool1-79590246-0  10.240.0.4

Create the SSH connection

To create an SSH connection to an AKS node, you run a helper pod in your AKS cluster. This helper pod gives you a shell inside the cluster network, from which you then open the SSH session to the node. To create and use this helper pod, complete the following steps:

  1. Run a debian container image and attach a terminal session to it. This container can be used to create an SSH session with any node in the AKS cluster:

    kubectl run -it --rm aks-ssh --image=debian
    
  2. The base Debian image doesn't include SSH components. Once the terminal session is connected to the container, install an SSH client using apt-get as follows:

    apt-get update && apt-get install openssh-client -y
    
  3. In a new terminal window, not connected to your container, list the pods on your AKS cluster using the kubectl get pods command. The pod created in the previous step has a name starting with aks-ssh, as shown in the following example. (With kubectl 1.18 and later, kubectl run creates a bare pod, so the name is exactly aks-ssh with no generated suffix.)

    $ kubectl get pods
    
    NAME                       READY     STATUS    RESTARTS   AGE
    aks-ssh-554b746bcf-kbwvf   1/1       Running   0          1m
    
  4. In the first step of this article, you added your public SSH key to the AKS node. Now, copy your private SSH key into the pod. This private key is used to create the SSH session to the AKS nodes. The copied key lives in the pod's writable layer on the node that hosts it, so prefer a key generated for this task over your everyday key and make sure the pod is deleted when you are done.

    Provide your own aks-ssh pod name obtained in the previous step. If needed, change ~/.ssh/id_rsa to the location of your private SSH key:

    kubectl cp ~/.ssh/id_rsa aks-ssh-554b746bcf-kbwvf:/id_rsa
    
  5. Back in the terminal session to your container, update the permissions on the copied id_rsa private SSH key so that it is readable only by the owner (ssh refuses keys that are readable by others). The key was copied to the root of the container's filesystem, so use the absolute path:

    chmod 0600 /id_rsa
    
  6. Now create an SSH connection to your AKS node. Again, the default username for AKS nodes is azureuser. On the first connection ssh shows the node's host key fingerprint; accept the prompt to trust it and continue. You are then provided with the bash prompt of your AKS node:

    $ ssh -i /id_rsa azureuser@10.240.0.4
    
    ECDSA key fingerprint is SHA256:A6rnRkfpG21TaZ8XmQCCgdi9G/MYIMc+gFAuY9RUY70.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.240.0.4' (ECDSA) to the list of known hosts.
    
    Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-1018-azure x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
      Get cloud support with Ubuntu Advantage Cloud Guest:
        https://www.ubuntu.com/business/services/cloud
    
    [...]
    
    azureuser@aks-nodepool1-79590246-0:~$
    
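The two previous sections, looking up the node's private IP and driving the helper pod, can be scripted end to end. The script below is an added example and not part of the original article: it parses the az vm list-ip-addresses table output for the chosen node, starts the helper pod as a bare pod that stays alive between kubectl exec calls, copies the private key in, opens the SSH session and deletes the pod (and the key inside it) on exit. The pod name, node name, node resource group, key path and the AKS_SSH_APPLY switch are assumptions for illustration; the cluster-touching part only runs when AKS_SSH_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the AKS documentation. Opens an SSH session to an AKS
# node through a throwaway helper pod and cleans the pod up afterwards.
# Assumptions: az is logged in, kubectl points at the cluster, and the
# variables below are replaced with your own values.
set -eu

POD="${POD:-aks-ssh}"                                   # assumed helper pod name
KEY_FILE="${KEY_FILE:-$HOME/.ssh/id_rsa}"               # private key matching the key on the nodes
NODE_RG="${NODE_RG:-MC_myResourceGroup_myAKSCluster_eastus}"
NODE_NAME="${NODE_NAME:-aks-nodepool1-79590246-0}"

# Read `az vm list-ip-addresses -o table` output on stdin and print the private
# IP of the named VM. Pure awk, so it can be exercised on captured output.
private_ip_from_table() {
  awk -v vm="$1" '$1 == vm { print $2; exit }'
}

# The ssh invocation run inside the pod: the explicit key only (no agent
# keys), and a known_hosts file kept in the pod so a changed host key on a
# later connection in the same session is flagged rather than silently accepted.
ssh_command() {
  printf 'ssh -i /id_rsa -o IdentitiesOnly=yes -o UserKnownHostsFile=/known_hosts azureuser@%s' "$1"
}

# A bare pod (restart=Never) running sleep stays up between kubectl exec calls.
start_helper_pod() {
  kubectl run "$POD" --image=debian --restart=Never -- sleep infinity
  kubectl wait --for=condition=Ready "pod/$POD" --timeout=120s
  kubectl exec "$POD" -- sh -c 'apt-get update -qq && apt-get install -y -qq openssh-client'
}

# Copy the private key in and make it owner-readable only.
copy_key() {
  kubectl cp "$KEY_FILE" "$POD:/id_rsa"
  kubectl exec "$POD" -- chmod 0600 /id_rsa
}

main() {
  ip=$(az vm list-ip-addresses --resource-group "$NODE_RG" -o table \
       | private_ip_from_table "$NODE_NAME")
  if [ -z "$ip" ]; then
    echo "no private IP found for $NODE_NAME in $NODE_RG" >&2
    exit 1
  fi
  start_helper_pod
  # Whatever happens next, remove the pod and the key it carries.
  trap 'kubectl delete pod "$POD" --ignore-not-found' EXIT
  copy_key
  kubectl exec -it "$POD" -- sh -c "$(ssh_command "$ip")"
}

if [ "${AKS_SSH_APPLY:-0}" = "1" ]; then main; fi
```

Because the pod is created without --rm here, the trap is what deletes it; if you kill the script before the trap is installed, delete the aks-ssh pod by hand so the private key does not linger in the cluster.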

Remove SSH access

When done, type exit to close the SSH session, then exit again to close the interactive container session. Because the pod was started with --rm, it is deleted when this container session closes, and the private key you copied into it goes with it.

Next steps

If you need additional troubleshooting data, you can view the kubelet logs or view the Kubernetes master node logs.