How to enable or disable SSH
By default, an SSH server is installed and configured on the nodes of your Kubernetes Kapsule cluster. To improve the security of your Kapsule cluster, you can disable this SSH server on your nodes.
You can manage and edit the status of the SSH server of your nodes from the Scaleway console or by using the API. Here, we show you how to do it from the console.
You may need certain IAM permissions to carry out some actions described on this page. This means:
- you are the Owner of the Scaleway Organization in which the actions will be carried out, or
- you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Before you start, make sure that:
- You have an account and are logged into the Scaleway console
- You have created a Kubernetes Kapsule cluster
- This feature is available on the nodes of your cluster
How to enable or disable SSH on the nodes of a pool
- Click Kubernetes in the Containers section of the Scaleway Console side menu.
- Click on the cluster you want to edit.
- Click on the Pools tab.
- Click the See more icon next to the pool you wish to update, then click Edit.
- Add the ssh-enabled=false tag to disable SSH or ssh-enabled=true to enable it. Make sure there is only one tag with the
- Click Update pool.
- Wait approximately 5 minutes until the tag is propagated to the nodes of your pool and the status of the SSH server of each node is updated.
All Kubernetes Kapsule clusters are delivered with a default security group.
Clusters created before May 2023 allow inbound traffic to the cluster’s nodes.
However, starting from May 2023, each Kapsule cluster is delivered with a default security group that enforces an inbound DROP ALL policy. This means that all incoming connections are blocked by default.
To use the pre-installed SSH server and access the nodes within the cluster, you have to manually configure a custom rule in your cluster’s security group to allow incoming traffic on TCP port 22.
How to know if this feature is available on the nodes of your cluster
Open a terminal program.
Run the following command in the terminal. Make sure you replace path_to_your_kubeconfig with the path to your kubeconfig file.
    KUBECONFIG=path_to_your_kubeconfig kubectl get nodes -o custom-columns=NAME:.metadata.name,"AGENT-VERSION":".metadata.annotations.k8s\.scaleway\.com/agent-version"
Tip:
To find the kubeconfig of your Kapsule cluster, log into the Scaleway console and click Kubernetes in the Containers section of the side menu. A list of your Kubernetes clusters displays. Click on the one you want to verify. In the Download kubeconfig section at the bottom of the page, click Download file to download the kubeconfig.
This feature is available on all nodes of your cluster if AGENT-VERSION is at least v1.0.0 for all your nodes.
    NAME                                            AGENT-VERSION
    scw-k8s-silly-cartwright-default-ca35b74a4b644  v1.0.0
    scw-k8s-silly-cartwright-default-ca978112ca1bb  v1.0.0
If this feature is not available on a specific node of your cluster, try to replace it.
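To check a large cluster against the v1.0.0 minimum without reading the table by eye, the shell function below lists every node whose agent version is missing or too old. It is an added example, not part of the Scaleway documentation; the function names and the sample node names are constructed, and it assumes the two-column output of the command above.

```shell
#!/bin/sh
# Added example: find nodes that cannot honour the ssh-enabled tag because
# their agent is older than the minimum version stated on this page.
MIN_VERSION="v1.0.0"

# Reads "NAME AGENT-VERSION" rows on stdin and prints the name of each node
# whose version is below MIN_VERSION, missing ("<none>") or not vX.Y.Z.
# Unparseable versions are reported too, so they get reviewed by hand.
unsupported_nodes() {
    awk -v min="$MIN_VERSION" '
        # Split "vX.Y.Z" into out[1..3]; return 1 only for a well-formed version.
        function parse(v, out,   n) {
            sub(/^v/, "", v)
            n = split(v, out, ".")
            return (n == 3) && (v ~ /^[0-9]+\.[0-9]+\.[0-9]+$/)
        }
        BEGIN { parse(min, m) }
        NR == 1 && $1 == "NAME" { next }    # header row
        NF == 0 { next }                    # blank line
        {
            if (!parse($2, p)) { print $1; next }
            # Compare major, minor, patch numerically, most significant first.
            for (i = 1; i <= 3; i++) {
                if (p[i] + 0 > m[i] + 0) next
                if (p[i] + 0 < m[i] + 0) { print $1; next }
            }
        }
    '
}

# Constructed sample in the same layout as the kubectl output above.
sample_nodes() {
    cat <<'EOF'
NAME                  AGENT-VERSION
example-node-a        v1.0.0
example-node-b        v0.9.4
example-node-c        <none>
example-node-d        v1.12.3
EOF
}

# Prints example-node-b and example-node-c.
sample_nodes | unsupported_nodes

# Live use: pipe the kubectl command from this page into the function, e.g.
#   KUBECONFIG=path_to_your_kubeconfig kubectl get nodes -o custom-columns=... | unsupported_nodes
```

An empty result means every node meets the minimum; any node it prints is a candidate for replacement as described above.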