
How to enable or disable SSH

Reviewed on 03 May 2023 • Published on 02 May 2023

By default, an SSH server is installed and configured on the nodes of your Kubernetes Kapsule cluster. To improve the security of your Kapsule cluster, you can disable this SSH server on your nodes.

You can manage and edit the status of the SSH server of your nodes from the Scaleway console or by using the API. Here, we show you how to do it from the console.

Security & Identity (IAM):

You may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Requirements:

How to enable or disable SSH on the nodes of a pool

  1. Click Kubernetes in the Containers section of the Scaleway Console side menu.
  2. Click on the cluster you want to edit.
  3. Click on the Pools tab.
  4. Click the See more icon next to the pool you wish to update and click Edit.
  5. Add the ssh-enabled=false tag to disable SSH or ssh-enabled=true to enable it. Make sure there is only one tag with the ssh-enabled= prefix.
  6. Click Update pool.
  7. Wait approximately 5 minutes until the tag is propagated to the nodes of your pool and the status of the SSH server of each node is updated.
Important:

All Kubernetes Kapsule clusters are delivered with a default security group.
Clusters created before May 2023 allow inbound traffic to the cluster’s nodes.

However, starting from May 2023, each Kapsule cluster is delivered with a default security group that enforces an inbound DROP ALL policy. This means that all incoming connections are blocked by default.

To use the pre-installed SSH server and access the nodes within the cluster, you must manually add a custom rule to your cluster's security group that allows incoming traffic on TCP port 22.

How to know if this feature is available on the nodes of your cluster

  1. Open a terminal program.

  2. Run the following command in the terminal. Make sure you replace path_to_your_kubeconfig with the path to your kubeconfig file.

    KUBECONFIG=path_to_your_kubeconfig kubectl get nodes -o custom-columns=NAME:.metadata.name,"AGENT-VERSION":".metadata.annotations.k8s\.scaleway\.com/agent-version"
    Tip:

    To find the kubeconfig of your Kapsule cluster, log into the Scaleway console and click Kubernetes in the Containers section of the side menu. A list of your Kubernetes clusters displays. Click the one you want to verify. In the Download kubeconfig section at the bottom of the page, click Download file to download the kubeconfig.

This feature is available on all nodes of your cluster if AGENT-VERSION is at least v1.0.0 for all your nodes.

    NAME                                             AGENT-VERSION
    scw-k8s-silly-cartwright-default-ca35b74a4b644   v1.0.0
    scw-k8s-silly-cartwright-default-ca978112ca1bb   v1.0.0
Tip:

If this feature is not available on a specific node of your cluster, try to replace it.
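
The two checks described on this page (exactly one tag with the ssh-enabled= prefix on a pool, and AGENT-VERSION at least v1.0.0 on every node) can be scripted for an audit. The following is an added example, not Scaleway tooling: the function names, the one-tag-per-argument input and the sample node names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Scaleway's own tooling. Sample data below is constructed.

# Classify a pool's tag list (one tag per argument) for the ssh-enabled= tag.
# Prints: enabled | disabled | unset | invalid | conflict
ssh_tag_state() {
  count=0
  state=unset   # no ssh-enabled= tag present on the pool
  for tag in "$@"; do
    case "$tag" in
      ssh-enabled=true)  count=$((count + 1)); state=enabled ;;
      ssh-enabled=false) count=$((count + 1)); state=disabled ;;
      ssh-enabled=*)     count=$((count + 1)); state=invalid ;;
    esac
  done
  # The page requires that only one tag carries this prefix.
  if [ "$count" -gt 1 ]; then state=conflict; fi
  echo "$state"
}

# Read the kubectl custom-columns output on stdin and print the nodes whose
# agent version is missing or lower than the minimum (default v1.0.0).
nodes_below_agent_version() {
  awk -v min="${1:-v1.0.0}" '
    function num(v,   p) {
      sub(/^v/, "", v); split(v, p, ".")
      return p[1] * 1000000 + p[2] * 1000 + p[3]
    }
    NR == 1 || NF == 0 { next }                          # header, blank lines
    $2 !~ /^v[0-9]+\.[0-9]+\.[0-9]+/ { print $1; next }  # e.g. <none>: no annotation
    num($2) < num(min) { print $1 }
  '
}

# Constructed sample: second node has an older agent, third has no annotation.
SAMPLE_NODES='NAME AGENT-VERSION
scw-k8s-example-default-aaaa v1.0.0
scw-k8s-example-default-bbbb v0.9.2
scw-k8s-example-default-cccc <none>'

ssh_tag_state env=prod ssh-enabled=false
printf '%s\n' "$SAMPLE_NODES" | nodes_below_agent_version
```

To use it against a real cluster, pipe the output of the kubectl command shown above into nodes_below_agent_version; any node it prints will not honor the ssh-enabled tag.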
