Jenkins SSH Agent in Kubernetes cannot SSH to Kubernetes master node – Host key verification failed – Using SSH Agent Plugin

Question

Background

I have managed to run Jenkins inside a Kubernetes cluster. It is also connected to the cluster to create deployments.

I am trying to deploy something using the SSH Agent Plugin. My understanding is that I need it to SSH into the actual machine running the master node of the cluster, and then I can execute the deployment with the command:

kubectl create -f deployment.yaml

Progress so far

I have installed the SSH Agent plugin and stored the SSH Private Key in Jenkins.

I've also put the appropriate Public Key in the cluster's master node's /home/pi/.ssh folder and authorized_keys file.

I am able to SSH from another machine successfully to it.

Problem

When the Pipeline is executed, it says that it is adding the SSH-Key to the slave SSH Agent pod.

[ssh-agent] Using credentials pi (SSH credentials for the master node.)
[ssh-agent] Looking for ssh-agent implementation...    
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)    
...    
Running ssh-add (command line suppressed)
Identity added: /home/jenkins/agent/workspace/Deployment@tmp/private_key_123123123123132.key (pi@pi1)
[ssh-agent] Started.

But when I try to SSH from the Jenkins slave (SSH Agent), it says that the key cannot be verified.

+ ssh pi@10.0.0.125 id
Host key verification failed.

Request

Could anybody point me to how to fix this issue? What am I doing wrong?

Additional Details

I am testing with a slimmed down pipeline like this:

// Start the Pipeline
pipeline {
  // Define the agent where it will run
  agent {
    // kubernetes = kubernetes cloud in Jenkins
    kubernetes {
    }
  }
  // Start declaring the stages of the pipeline
  stages {
    // Stage #3 - Deploy the image to the production kubernetes cluster using an SSH agent
    stage('Deploy to Kubernetes Cluster'){
      steps {
        sshagent(['RPi-SSH']) {
          script {
            sh 'id'
            sh 'ssh pi@10.0.0.125 id'
            sh 'ssh pi@10.0.0.125 ls'
          }
        }
      }
    }
  }
}

With this pipeline, I can see that the first id is the id of 'jenkins' in the SSH Agent node.
When it tries to SSH to the master node, it just fails.

Answer 1

Score: 0

Probably the hosts you are trying to connect to are not in your known_hosts file. Ideally they should be, but in reality nobody bothers with that, just add them the first time you connect by adding this switch to your ssh command:

ssh -oStrictHostKeyChecking=accept-new pi@10.0.0.125 id

You will find recommendations to set StrictHostKeyChecking to no. It probably doesn't matter in this context, since we are dealing with transient containers and their known_hosts files will disappear once the pipeline is done, but once you use it once, other developers will just copy-paste this to other contexts where it might matter, so... there you go.
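In a fresh agent pod known_hosts starts empty on every build, so accept-new trusts whatever key answers at 10.0.0.125 each time. The sketch below is an added example, not code from the question or the answer: it pins the host key by comparing a scanned key line against a fingerprint obtained out of band before writing known_hosts. The function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def sha256_fingerprint(key_b64: str) -> str:
    """Fingerprint in the form `ssh-keygen -l` prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_key(scanned_line: str, expected_fp: str, known_hosts_path: str) -> str:
    """Append a scanned 'host keytype base64key' line to known_hosts only if
    its fingerprint equals the one obtained out of band; raise otherwise."""
    fields = scanned_line.split()
    if len(fields) < 3:
        raise ValueError("expected 'host keytype base64key'")
    host, keytype, key_b64 = fields[:3]
    actual = sha256_fingerprint(key_b64)
    if not hmac.compare_digest(actual.encode(), expected_fp.encode()):
        raise ValueError(f"host key mismatch for {host}: got {actual}")
    with open(known_hosts_path, "a", encoding="utf-8") as fh:
        fh.write(f"{host} {keytype} {key_b64}\n")
    return actual


def constructed_scan_line(host: str, raw_key: bytes) -> str:
    """Build a sample ssh-ed25519 line (wire format: length-prefixed type, then key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed sample data, not real keys: "good" stands for the key recorded
    # on the master node, "other" for a different key answering on the network.
    good = constructed_scan_line("10.0.0.125", bytes(range(32)))
    other = constructed_scan_line("10.0.0.125", bytes(32))
    trusted_fp = sha256_fingerprint(good.split()[2])
    kh = os.path.join(tempfile.mkdtemp(), "known_hosts")
    print("pinned", pin_host_key(good, trusted_fp, kh))
    try:
        pin_host_key(other, trusted_fp, kh)
    except ValueError as err:
        print("rejected:", err)
```

With the file written this way, the pipeline's ssh call can run with -oStrictHostKeyChecking=yes and -oUserKnownHostsFile pointing at it, so a changed host key fails the build instead of being accepted.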

huangapple
  • Posted on August 9, 2023 at 11:32:40
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76864392.html