Jenkins SSH Agent in Kubernetes cannot SSH to Kubernetes master node – Host key verification failed – Using SSH Agent Plugin


Question

Background

I have managed to run Jenkins inside a Kubernetes cluster. It is also connected to the cluster to create deployments.

I am trying to deploy something using the SSH Agent Plugin. My understanding is that I need it to SSH into the actual machine running the master node of the cluster, and then I can execute the deployment with the command:

kubectl create -f deployment.yaml

Progress so far

I have installed the SSH Agent plugin and stored the SSH Private Key in Jenkins.

I've also put the appropriate Public Key in the cluster's master node's /home/pi/.ssh folder and authorized_keys file.

I am able to SSH from another machine successfully to it.

Problem

When the Pipeline is executed, it says that it is adding the SSH-Key to the slave SSH Agent pod.

[ssh-agent] Using credentials pi (SSH credentials for the master node.)
[ssh-agent] Looking for ssh-agent implementation...    
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)    
...    
Running ssh-add (command line suppressed)
Identity added: /home/jenkins/agent/workspace/Deployment@tmp/private_key_123123123123132.key (pi@pi1)
[ssh-agent] Started.

But when I try to SSH from the Jenkins slave (SSH Agent), it says that the key cannot be verified.

+ ssh pi@10.0.0.125 id
Host key verification failed.

Request

Could anybody point out how to fix this issue? What am I doing wrong?

Additional Details

I am testing with a slimmed down pipeline like this:

// Start the Pipeline
pipeline {
  // Define the agent where it will run
  agent {
      // kubernetes = kubernetes cloud in Jenkins
      kubernetes{
      }
  }
  // Start declaring the stages of the pipeline
  stages { 
    // Stage #3 - Deploy the image to the production kubernetes cluster using an SSH agent
    stage('Deploy to Kubernetes Cluster'){
      steps {
        sshagent(['RPi-SSH']) {
          script {
            sh 'id'
            sh 'ssh pi@10.0.0.125 id'
            sh 'ssh pi@10.0.0.125 ls'
          }
        }
      }
    }
  }
}

With this pipeline, I can see that the first id is the id of 'jenkins' in the SSH Agent node. When it tries to SSH to the master node, it just fails.

Answer 1

Score: 0

Probably the hosts you are trying to connect to are not in your known_hosts file. Ideally they should be, but in reality nobody bothers with that; just add them the first time you connect by adding this switch to your ssh command:

ssh -oStrictHostKeyChecking=accept-new pi@10.0.0.125 id

You will find recommendations to set StrictHostKeyChecking to no. It probably doesn't matter in this context, since we are dealing with transient containers and their known_hosts files will disappear once the pipeline is done, but once you use it, other developers will just copy-paste this to other contexts where it might matter, so... there you go.
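
Added example (not part of the original answer): a small shell model of how ssh treats the key a server offers under each StrictHostKeyChecking value, comparing a fresh agent pod's empty known_hosts with one that already holds the node's key. The key strings, the temp files and the function names `classify` and `decide` are constructed for illustration, and only plain (unhashed) single-host known_hosts lines are handled.

```shell
#!/bin/sh
# Added example. Models ssh's decision for an offered host key under each
# StrictHostKeyChecking value. Simplified: plain (unhashed), single-host
# known_hosts lines only. All key strings are constructed placeholders.

# classify FILE HOST KEYTYPE KEY -> prints match | changed | unknown
classify() {
  awk -v h="$2" -v t="$3" -v k="$4" '
    $1 == h && $2 == t { seen = 1; if ($3 == k) ok = 1 }
    END { r = "unknown"; if (seen) r = "changed"; if (ok) r = "match"; print r }
  ' "$1"
}

# decide POLICY FILE HOST KEYTYPE KEY -> prints connect | refuse
decide() {
  state=$(classify "$2" "$3" "$4" "$5")
  case "$1:$state" in
    *:match)            echo connect ;; # recorded key matches
    no:*)               echo connect ;; # unknown and changed keys both pass
    accept-new:unknown) echo connect ;; # trust on first use, then record it
    *)                  echo refuse ;;  # "yes", non-interactive "ask", or a changed key
  esac
}

HOST=10.0.0.125 TYPE=ssh-ed25519
GOOD=AAAAC3ConstructedKeyRecordedByAdmin   # constructed: key the admin verified
OTHER=AAAAC3ConstructedKeyNotRecorded      # constructed: any different key

FRESH=$(mktemp)    # known_hosts in a new agent pod: empty on every run
PINNED=$(mktemp)   # known_hosts shipped with the node's key already in it
echo "$HOST $TYPE $GOOD" > "$PINNED"

# Print the decision table when run stand-alone.
for p in ask yes accept-new no; do
  printf '%-10s fresh+good=%s fresh+other=%s pinned+good=%s pinned+other=%s\n' "$p" \
    "$(decide "$p" "$FRESH"  "$HOST" "$TYPE" "$GOOD")" \
    "$(decide "$p" "$FRESH"  "$HOST" "$TYPE" "$OTHER")" \
    "$(decide "$p" "$PINNED" "$HOST" "$TYPE" "$GOOD")" \
    "$(decide "$p" "$PINNED" "$HOST" "$TYPE" "$OTHER")"
done
```

The `ask` row with the fresh file is the "Host key verification failed." case from the question, since a pipeline step has no terminal to answer the prompt. A pinned file corresponds to running `ssh -o UserKnownHostsFile=<path> -o StrictHostKeyChecking=yes pi@10.0.0.125 id` with a known_hosts file provided to the agent ahead of time.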

huangapple
  • Published on August 9, 2023, 11:32:40
  • When reposting, be sure to keep the link to this article: https://go.coder-hub.com/76864392-2.html