Applies to: AKS on Azure Local
During your AKS Arc cluster's lifecycle, you might need to directly access cluster nodes for maintenance, log collection, or troubleshooting operations. For security purposes, you must use a Secure Shell Protocol (SSH) connection to access Windows or Linux worker nodes. You sign in using the node's IP address.
This article explains how to use SSH to connect to both Windows and Linux nodes.
Prerequisites
Install the Kubernetes CLI
You can use the Kubernetes CLI, kubectl, to connect to your Kubernetes cluster. If you use Azure Cloud Shell, kubectl is already installed. If you run the commands locally, you can use the Azure CLI or Azure PowerShell to install kubectl.
Install kubectl locally using the az aks install-cli command:
az aks install-cli
Use SSH to connect to worker nodes
To access the Kubernetes cluster with the specified permissions, you must retrieve the certificate-based admin kubeconfig file using the az aksarc get-credentials command. For more information, see Retrieve certificate-based admin kubeconfig:
az aksarc get-credentials --resource-group $<resource_group_name> --name $<aks_cluster_name> --admin
Run kubectl get to obtain the node's IP address and capture its IP value in order to sign in to a Windows or Linux worker node using SSH:
kubectl --kubeconfig /path/to/aks-cluster-kubeconfig get nodes -o wide
Run ssh to connect to a worker node:
Note
You must pass the correct location to your SSH private key. The following example uses the default location of ~/.ssh/id_rsa, but you might need to change this location if you requested a different path. To change the location, see Configure SSH keys to specify the --ssh-key-value parameter when you create an AKS Arc cluster.
For a Linux worker node, run the following command:
ssh -i $env:USERPROFILE\.ssh\id_rsa clouduser@<IP address of the node>
For a Windows worker node, run the following command:
ssh -i $env:USERPROFILE\.ssh\id_rsa Administrator@<IP address of the node>
If you encounter SSH login issues, verify that your IP address is included in the --ssh-auth-ip list. To check this list, run az aksarc show --name "$<aks_cluster_name>" --resource-group "$<resource_group_name>" and look for authorizedIpRanges under clusterVmAccessProfile.
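The allow-list check described above can be scripted. The following Python sketch is an added example, not part of the original article or of the AKS Arc tooling. It assumes authorizedIpRanges holds a comma-separated string (or a JSON list) of IP addresses or CIDR ranges; the sample JSON and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample of `az aksarc show` output, trimmed to the relevant keys.
# Assumption: the value is a comma-separated string of IPs/CIDRs; a JSON list
# is also accepted. The real output may nest the profile differently.
SAMPLE_SHOW_OUTPUT = """{
  "name": "example-cluster",
  "properties": {
    "clusterVmAccessProfile": {"authorizedIpRanges": "192.0.2.10, 198.51.100.0/24"}
  }
}"""


def find_key(node, key):
    """Depth-first search for `key`, so the exact nesting does not matter."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None


def authorized_ranges(show_json):
    """Return the SSH allow list as ip_network objects (empty if none is set)."""
    profile = find_key(json.loads(show_json), "clusterVmAccessProfile") or {}
    raw = profile.get("authorizedIpRanges") or []
    if isinstance(raw, str):
        raw = raw.split(",")
    return [ipaddress.ip_network(r.strip(), strict=False) for r in raw if r.strip()]


def check_ssh_source(show_json, client_ip):
    """Report whether client_ip is covered by an entry in authorizedIpRanges."""
    ranges = authorized_ranges(show_json)
    if not ranges:
        return "no authorizedIpRanges found"
    addr = ipaddress.ip_address(client_ip)
    hits = [str(net) for net in ranges if addr in net]
    return f"listed in {hits[0]}" if hits else "not listed"


if __name__ == "__main__":
    print(check_ssh_source(SAMPLE_SHOW_OUTPUT, "198.51.100.77"))
```

Replace the sample with the JSON output of your own az aksarc show command, and pass the source address the node actually sees, which differs from your workstation's address when you connect through NAT or a jump host.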
Next steps
- Use SSH keys to get on-demand logs for troubleshooting
- Configure SSH keys for an AKS Arc cluster
- Help to protect your cluster in other ways by following the guidance in the security book for AKS enabled by Azure Arc.