Connect with SSH to Azure Kubernetes Service (AKS) cluster nodes for maintenance or troubleshooting

Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. You can access AKS nodes using SSH, including Windows Server nodes (currently in preview in AKS). You can also connect to Windows Server nodes using remote desktop protocol (RDP) connections. For security purposes, the AKS nodes are not exposed to the internet.

This article shows you how to create an SSH connection to an AKS node using its private IP address.

Before you begin

This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI or using the Azure portal.

You also need the Azure CLI version 2.0.64 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Add your public SSH key

By default, SSH keys are obtained, or generated, and then added to the nodes when you create an AKS cluster. If you need to specify different SSH keys than those used when you created your AKS cluster, add your public SSH key to the Linux AKS nodes. If needed, you can create an SSH key using macOS or Linux, or Windows. If you use PuTTY Gen to create the key pair, save the key pair in OpenSSH format rather than the default PuTTY private key format (.ppk file).

Note

SSH keys can currently only be added to Linux nodes using the Azure CLI. If you use Windows Server nodes, use the SSH keys provided when you created the AKS cluster and skip to the step on how to get the AKS node address. Or, connect to Windows Server nodes using remote desktop protocol (RDP) connections.

The steps to get the private IP address of the AKS nodes are different based on the type of AKS cluster you run:

Add SSH keys to regular AKS clusters

To add your SSH key to a Linux AKS node, complete the following steps:

  1. Get the resource group name for your AKS cluster resources using az aks show. The node resource group name is assigned to the variable named CLUSTER_RESOURCE_GROUP. Replace myResourceGroup with the name of the resource group where your AKS cluster is located:

    CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
    
  2. List the VMs in the AKS cluster resource group using the az vm list command. These VMs are your AKS nodes:

    az vm list --resource-group $CLUSTER_RESOURCE_GROUP -o table
    

    The following example output shows the AKS nodes:

    Name                      ResourceGroup                                  Location
    ------------------------  ---------------------------------------------  ----------
    aks-nodepool1-79590246-0  MC_myResourceGroupAKS_myAKSClusterRBAC_eastus  eastus
    
  3. To add your SSH keys to the node, use the az vm user update command. Provide the resource group name and then one of the AKS nodes obtained in the previous step. By default, the username for the AKS nodes is azureuser. Provide the location of your own SSH public key, such as ~/.ssh/id_rsa.pub, or paste the contents of your SSH public key:

    az vm user update \
      --resource-group $CLUSTER_RESOURCE_GROUP \
      --name aks-nodepool1-79590246-0 \
      --username azureuser \
      --ssh-key-value ~/.ssh/id_rsa.pub
    

Add SSH keys to virtual machine scale set-based AKS clusters

To add your SSH key to a Linux AKS node that's part of a virtual machine scale set, complete the following steps:

  1. Get the resource group name for your AKS cluster resources using az aks show. The node resource group name is assigned to the variable named CLUSTER_RESOURCE_GROUP. Replace myResourceGroup with the name of the resource group where your AKS cluster is located:

    CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
    
  2. Next, get the virtual machine scale set for your AKS cluster using the az vmss list command. The virtual machine scale set name is assigned to the variable named SCALE_SET_NAME:

    SCALE_SET_NAME=$(az vmss list --resource-group $CLUSTER_RESOURCE_GROUP --query [0].name -o tsv)
    
  3. To add your SSH keys to the nodes in a virtual machine scale set, use the az vmss extension set command. The cluster resource group and virtual machine scale set name are provided from the previous commands. By default, the username for the AKS nodes is azureuser. If needed, update the location of your own SSH public key, such as ~/.ssh/id_rsa.pub:

    az vmss extension set  \
        --resource-group $CLUSTER_RESOURCE_GROUP \
        --vmss-name $SCALE_SET_NAME \
        --name VMAccessForLinux \
        --publisher Microsoft.OSTCExtensions \
        --version 1.4 \
        --protected-settings "{\"username\":\"azureuser\", \"ssh_key\":\"$(cat ~/.ssh/id_rsa.pub)\"}"
    
  4. Apply the SSH key to the nodes using the az vmss update-instances command:

    az vmss update-instances --instance-ids '*' \
        --resource-group $CLUSTER_RESOURCE_GROUP \
        --name $SCALE_SET_NAME
    
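The two procedures above both hand an OpenSSH public key to the Azure CLI: az vm user update takes the file path, while the scale set variant splices $(cat ~/.ssh/id_rsa.pub) into a hand-written JSON string. The following added example (not Microsoft's code and not part of this page) checks that the file really is a single-line OpenSSH public key (so a PuTTY .ppk or a private key is rejected before it reaches Azure), builds the protected-settings JSON with proper escaping, and wraps steps 3 and 4 of the scale set procedure. It assumes POSIX sh with sed; SAMPLE_PUBKEY is a constructed, non-functional key used only for the demonstration.

```shell
#!/bin/sh
# Added example, not Microsoft's code. Validates an OpenSSH public key file
# and builds the VMAccessForLinux protected settings for az vmss extension set.

# Return 0 if the file is a one-line OpenSSH public key (ssh-rsa, ssh-ed25519
# or ecdsa-sha2-*). A PuTTY .ppk ("PuTTY-User-Key-File-..." header, many lines)
# and a PEM/OpenSSH private key both fail this check.
is_openssh_pubkey() {
  [ -r "$1" ] || return 1
  [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1
  head -n 1 "$1" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# Escape the two characters (backslash, double quote) that would break a JSON
# string if they appeared in the username or in the key comment.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Emit the --protected-settings document used in step 3 of the scale set
# procedure; refuses to run if the key file is not an OpenSSH public key.
vmaccess_protected_settings() {
  username=$1
  keyfile=$2
  is_openssh_pubkey "$keyfile" || { echo "not an OpenSSH public key: $keyfile" >&2; return 1; }
  key=$(head -n 1 "$keyfile")
  printf '{"username":"%s","ssh_key":"%s"}\n' "$(json_escape "$username")" "$(json_escape "$key")"
}

# Steps 3 and 4 together: set the extension, then roll it out to every instance.
# Usage: add_key_to_scale_set "$CLUSTER_RESOURCE_GROUP" "$SCALE_SET_NAME" azureuser ~/.ssh/id_rsa.pub
add_key_to_scale_set() {
  rg=$1; vmss=$2; user=$3; keyfile=$4
  settings=$(vmaccess_protected_settings "$user" "$keyfile") || return 1
  az vmss extension set --resource-group "$rg" --vmss-name "$vmss" \
    --name VMAccessForLinux --publisher Microsoft.OSTCExtensions --version 1.4 \
    --protected-settings "$settings"
  az vmss update-instances --instance-ids '*' --resource-group "$rg" --name "$vmss"
}

# Constructed sample key for the stand-alone demonstration; it is not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotRealxxxxxxxxxxxxxxxx ops@example'
```

For a regular cluster only is_openssh_pubkey is needed, since az vm user update --ssh-key-value reads the file itself; the same check still catches a .ppk file saved under a .pub name before the command fails on the node.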

Get the AKS node address

The AKS nodes are not publicly exposed to the internet. To SSH to the AKS nodes, you use the private IP address. In the next step, you create a helper pod in your AKS cluster that lets you SSH to this private IP address of the node. The steps to get the private IP address of the AKS nodes are different based on the type of AKS cluster you run:

SSH to regular AKS clusters

View the private IP address of an AKS cluster node using the az vm list-ip-addresses command. Provide your own AKS cluster resource group name obtained in the previous az aks show step:

az vm list-ip-addresses --resource-group $CLUSTER_RESOURCE_GROUP -o table

The following example output shows the private IP addresses of the AKS nodes:

VirtualMachine            PrivateIPAddresses
------------------------  --------------------
aks-nodepool1-79590246-0  10.240.0.4

SSH to virtual machine scale set-based AKS clusters

List the internal IP address of the nodes using the kubectl get command:

kubectl get nodes -o wide

The following example output shows the internal IP addresses of all the nodes in the cluster, including a Windows Server node.

$ kubectl get nodes -o wide

NAME                                STATUS   ROLES   AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                    KERNEL-VERSION      CONTAINER-RUNTIME
aks-nodepool1-42485177-vmss000000   Ready    agent   18h   v1.12.7   10.240.0.4    <none>        Ubuntu 16.04.6 LTS          4.15.0-1040-azure   docker://3.0.4
aksnpwin000000                      Ready    agent   13h   v1.12.7   10.240.0.67   <none>        Windows Server Datacenter   10.0.17763.437

Record the internal IP address of the node you wish to troubleshoot. You will use this address in a later step.
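Recording the address by eye works for a two-node listing; for a larger cluster it is safer to read the INTERNAL-IP column by name. The following added example (not Microsoft's code and not part of this page) takes the output of kubectl get nodes -o wide on stdin and prints the internal IP of one node, or a name/IP table for all nodes. Looking the column up from the header means the Windows row, which has one column fewer, and the multi-word OS-IMAGE values do not matter. It assumes POSIX sh and awk; SAMPLE_NODES is a constructed copy of the listing shown above.

```shell
#!/bin/sh
# Added example, not Microsoft's code: extract INTERNAL-IP from
# "kubectl get nodes -o wide" output by column name.

# Usage: kubectl get nodes -o wide | node_internal_ip [<node-name>]
# With a name: prints that node's internal IP (exit 1 if the node is absent).
# Without a name: prints "<name> <internal-ip>" for every node.
# Exit 2 if the input has no INTERNAL-IP column (wrong kubectl output format).
node_internal_ip() {
  awk -v want="${1:-}" '
    NR == 1 {
      for (i = 1; i <= NF; i++) if ($i == "INTERNAL-IP") col = i
      if (!col) { bad = 1; exit 2 }
      next
    }
    want == "" { print $1, $col; found = 1; next }
    $1 == want { print $col; found = 1 }
    END { if (bad) exit 2; exit found ? 0 : 1 }'
}

# Constructed sample input, copied from the example listing on this page.
SAMPLE_NODES='NAME                                STATUS   ROLES   AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                    KERNEL-VERSION      CONTAINER-RUNTIME
aks-nodepool1-42485177-vmss000000   Ready    agent   18h   v1.12.7   10.240.0.4    <none>        Ubuntu 16.04.6 LTS          4.15.0-1040-azure   docker://3.0.4
aksnpwin000000                      Ready    agent   13h   v1.12.7   10.240.0.67   <none>        Windows Server Datacenter   10.0.17763.437'
```

In a live session, NODE_IP=$(kubectl get nodes -o wide | node_internal_ip aks-nodepool1-42485177-vmss000000) gives you the value to use in the ssh step, and the non-zero exit status stops a script from continuing with an empty address.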

Create the SSH connection

To create an SSH connection to an AKS node, you run a helper pod in your AKS cluster. This helper pod provides you with SSH access into the cluster and then additional SSH node access. To create and use this helper pod, complete the following steps:

  1. Run a debian container image and attach a terminal session to it. This container can be used to create an SSH session with any node in the AKS cluster:

    kubectl run -it --rm aks-ssh --image=debian
    

    Tip

    If you use Windows Server nodes (currently in preview in AKS), add a node selector to the command to schedule the Debian container on a Linux node as follows:

    kubectl run -it --rm aks-ssh --image=debian --overrides='{"apiVersion":"apps/v1","spec":{"template":{"spec":{"nodeSelector":{"beta.kubernetes.io/os":"linux"}}}}}'

  2. The base Debian image doesn't include SSH components. Once the terminal session is connected to the container, install an SSH client using apt-get as follows:

    apt-get update && apt-get install openssh-client -y
    
  3. In a new terminal window, not connected to your container, list the pods on your AKS cluster using the kubectl get pods command. The pod created in the previous step starts with the name aks-ssh, as shown in the following example:

    $ kubectl get pods
    
    NAME                       READY     STATUS    RESTARTS   AGE
    aks-ssh-554b746bcf-kbwvf   1/1       Running   0          1m
    
  4. In the first step of this article, you added your public SSH key to the AKS node. Now, copy your private SSH key into the pod. This private key is used to create the SSH connection into the AKS nodes.

    Provide your own aks-ssh pod name obtained in the previous step. If needed, change ~/.ssh/id_rsa to the location of your private SSH key:

    kubectl cp ~/.ssh/id_rsa aks-ssh-554b746bcf-kbwvf:/id_rsa
    
  5. Back in the terminal session to your container, update the permissions on the copied id_rsa private SSH key so that it is user read-only:

    chmod 0600 id_rsa
    
  6. Now create an SSH connection to your AKS node. Again, the default username for AKS nodes is azureuser. Accept the prompt to continue with the connection as the SSH key is first trusted. You are then provided with the bash prompt of your AKS node:

    $ ssh -i id_rsa azureuser@10.240.0.4
    
    ECDSA key fingerprint is SHA256:A6rnRkfpG21TaZ8XmQCCgdi9G/MYIMc+gFAuY9RUY70.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.240.0.4' (ECDSA) to the list of known hosts.
    
    Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-1018-azure x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
      Get cloud support with Ubuntu Advantage Cloud Guest:
        https://www.ubuntu.com/business/services/cloud
    
    [...]
    
    azureuser@aks-nodepool1-79590246-0:~$
    
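Steps 3 to 6 are easy to script once the helper pod exists. The following added example (not Microsoft's code and not part of this page) finds the Running aks-ssh pod in kubectl get pods output, refuses to copy a private key that is not actually a private key or that is readable by other users, and then performs the copy, chmod and ssh steps through kubectl. It keeps the page's names (pod prefix aks-ssh, user azureuser, key copied to /id_rsa) but uses kubectl exec to run the commands in the pod instead of the attached terminal session; that substitution, and the POSIX sh, awk and stat it relies on, are assumptions. The first two functions run offline; aks_ssh_via_pod needs a cluster.

```shell
#!/bin/sh
# Added example, not Microsoft's code: helper-pod SSH workflow as functions.

# Usage: kubectl get pods | aks_ssh_pod_name
# Prints the first Running pod whose name starts with aks-ssh; exit 1 if none.
aks_ssh_pod_name() {
  awk 'NR > 1 && index($1, "aks-ssh") == 1 && $3 == "Running" { print $1; found = 1; exit }
       END { exit found ? 0 : 1 }'
}

# Sanity-check the file before it is copied into the pod: it must be a
# PEM/OpenSSH private key (not a .pub or a .ppk) and readable only by its
# owner, which is also what ssh itself insists on.
check_private_key() {
  f=$1
  [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
  case $(head -n 1 "$f") in
    "-----BEGIN"*"PRIVATE KEY-----") ;;
    *) echo "not an OpenSSH/PEM private key: $f" >&2; return 1 ;;
  esac
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
  case $mode in
    600|400) ;;
    *) echo "permissions $mode too open (need 0600): $f" >&2; return 1 ;;
  esac
}

# Steps 2, 4, 5 and 6: make sure the pod has an SSH client, copy the key in,
# set its mode, and open the session to the node's internal IP.
# Usage: aks_ssh_via_pod "$(kubectl get pods | aks_ssh_pod_name)" 10.240.0.4 [~/.ssh/id_rsa]
aks_ssh_via_pod() {
  pod=$1; node_ip=$2; key=${3:-$HOME/.ssh/id_rsa}
  check_private_key "$key" || return 1
  kubectl exec "$pod" -- sh -c 'command -v ssh >/dev/null || (apt-get update && apt-get install -y openssh-client)'
  kubectl cp "$key" "$pod:/id_rsa"
  kubectl exec "$pod" -- chmod 0600 /id_rsa
  kubectl exec -it "$pod" -- ssh -i /id_rsa "azureuser@$node_ip"
}
```

The copied key lives only inside the helper pod; as the page notes under Remove SSH access, the pod (and the key with it) is deleted when the interactive container session ends, so exit the container rather than leaving it running.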

Remove SSH access

When done, exit the SSH session and then exit the interactive container session. When this container session closes, the pod used for SSH access from the AKS cluster is deleted.

Next steps

If you need additional troubleshooting data, you can view the kubelet logs or view the Kubernetes master node logs.