Deploying a Bastion alongside your OpenShift 4.x cluster on AWS
Environment
- Red Hat OpenShift Container Platform 4.x
Issue
- I have a downed API and need to investigate why, how do I access my hosts without ssh access?
Resolution
You can use the supplied Cloud Formations Template as an example of the steps required to deploy a bastion.
To run the supplied bastion stack, you can use the AWS Console or the AWS CLI to create the stack (a single host with the security groups and permissions needed to reach SSH on the cluster hosts).
For example, to create the bastion using the AWS CLI:
aws cloudformation create-stack --stack-name your-bastion-stack-name \
--template-body file://xx_vpc_bastion_yaml.txt \
--parameters file://bastion.json.txt
bastion.json.txt contains the parameters required to deploy the stack.
Note: The same RHCOS AMI used to create the instances that form the cluster can be used to create the bastion node.
For a UPI installation, the VPC ID and public subnet are already known because they are used during the installation process. For an IPI install, they can be retrieved from <install-dir>/terraform.tfstate.
Getting a public subnet ID:
cat <install-dir>/terraform.tfstate | jq '.modules[].outputs.az_to_public_subnet_id'
Getting the VPC ID:
cat <install-dir>/terraform.tfstate | jq '.modules[].outputs.vpc_id'
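The two lookups above, carried through to writing bastion.json.txt, as an added Python example that is not part of this article or of the supplied template. The terraform state below is a constructed sample, and the parameter keys VpcId, PublicSubnetId, RhcosAmi, KeyName and SshAllowedCidr are assumed names; use the ones your template declares.

```python
import ipaddress
import json

# Constructed sample of the Terraform 0.11-style state an IPI install writes to
# <install-dir>/terraform.tfstate (only the outputs the article queries are shown).
SAMPLE_TFSTATE = json.dumps({
    "modules": [{
        "path": ["root"],
        "outputs": {
            "vpc_id": {"sensitive": False, "type": "string",
                       "value": "vpc-0123456789abcdef0"},
            "az_to_public_subnet_id": {"sensitive": False, "type": "map",
                                       "value": {"us-east-1a": "subnet-0aaa",
                                                 "us-east-1b": "subnet-0bbb"}},
        },
    }],
})


def read_cluster_network(tfstate_text, az=None):
    """Return (vpc_id, public_subnet_id), mirroring the jq filters in the article.
    `az` picks the availability zone; by default the first zone in sorted order."""
    state = json.loads(tfstate_text)
    outputs = {}
    for module in state["modules"]:            # same walk as '.modules[].outputs'
        outputs.update(module.get("outputs", {}))
    vpc_id = outputs["vpc_id"]["value"]
    subnets = outputs["az_to_public_subnet_id"]["value"]   # map: AZ -> subnet id
    if az is None:
        az = sorted(subnets)[0]
    return vpc_id, subnets[az]


def build_parameters(vpc_id, subnet_id, ami_id, key_name, ssh_cidr):
    """Build the list that `--parameters file://bastion.json.txt` expects.
    Parameter keys are assumed names (hypothetical), not from the template."""
    net = ipaddress.ip_network(ssh_cidr)
    if net.prefixlen == 0:                     # 0.0.0.0/0 or ::/0
        raise ValueError("refusing to expose bastion SSH to the whole Internet")
    params = {"VpcId": vpc_id, "PublicSubnetId": subnet_id, "RhcosAmi": ami_id,
              "KeyName": key_name, "SshAllowedCidr": ssh_cidr}
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()]


if __name__ == "__main__":
    vpc, subnet = read_cluster_network(SAMPLE_TFSTATE, az="us-east-1a")
    doc = build_parameters(vpc, subnet, "ami-PLACEHOLDER", "my-key", "203.0.113.0/24")
    with open("bastion.json.txt", "w") as fh:
        json.dump(doc, fh, indent=2)
```

Run it with a real <install-dir>/terraform.tfstate in place of the sample and the RHCOS AMI of your cluster, then pass the generated file to `aws cloudformation create-stack` as shown above.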
You can then use an SSH command like the following to access a master or node directly (using the bastion as a proxy):
$ ssh -A -i /path/to/key/supplied/at/install_time core@<master_hostname_internal> -J USERNAME@<bastion_public_hostname>
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.