ssh Tunnel into an EKS NodePort Service

From NovaOrdis Knowledge Base

Internal

Overview

You will need ssh access to one of the EC2 instances that serve as worker nodes of the EKS cluster. The service to access must be either a NodePort service or a LoadBalancer service, because both open a port on every EC2 Kubernetes node. The port number is the same on all nodes.

Procedure

ssh into the node and figure out the port the service is exposed on:

kubectl -n <namespace> get svc

NAME                     TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                        AGE
myservice                LoadBalancer   172.20.224.75   <pending>     8080:30421/TCP,80:31242/TCP,443:31743/TCP      8m34s
...

In this case, the port we're interested in is 30421, which forwards connections to port 8080 on the pods.

The NodePort service listens on all network interfaces on the EC2 node:

netstat -nl | grep 30421
tcp        0      0 0.0.0.0:30421           0.0.0.0:*               LISTEN

Set up the tunnel:

ssh ec2-user@<ec2-node-ip> -N -L <local-port>:localhost:30421
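The same three steps, scripted as an added shell example that is not part of the original page: derive the NodePort from the PORT(S) column, check the node's listener, and build the ssh command. The service port 8080, the node address 10.0.1.23, the local port 18080 and the names myns/myservice are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Derives the NodePort for a given
# service port from the PORT(S) column of "kubectl get svc", checks that the
# node listens on it, and builds the ssh tunnel command. Service name,
# namespace, node address and user below are constructed placeholders.

# Constructed: the PORT(S) column for the service and a netstat line from the node.
SAMPLE_PORTS='8080:30421/TCP,80:31242/TCP,443:31743/TCP'
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:30421           0.0.0.0:*               LISTEN'

# node_port_for <ports-column> <service-port>
# Prints the NodePort mapped to <service-port>; returns 1 if that port is not exposed.
# Live equivalent (assumed names):
#   kubectl -n myns get svc myservice -o jsonpath='{.spec.ports[?(@.port==8080)].nodePort}'
node_port_for() {
  printf '%s\n' "$1" | tr ',' '\n' |
    awk -F'[:/]' -v want="$2" '$1 == want { print $2; found = 1; exit } END { exit found ? 0 : 1 }'
}

# listens_on_all_ifaces <netstat-output> <port>
# Returns 0 when a LISTEN socket bound to 0.0.0.0:<port> is present. No entry at all
# means kube-proxy has not opened the NodePort on this node and the tunnel would be dead.
listens_on_all_ifaces() {
  printf '%s\n' "$1" |
    awk -v port="$2" '$1 == "tcp" && $4 == ("0.0.0.0:" port) && $NF == "LISTEN" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# tunnel_cmd <user@node> <local-port> <node-port>
# Prints the ssh command. "localhost" is resolved on the EC2 node, so the forward lands
# on the NodePort there; -N opens no remote shell, and ExitOnForwardFailure makes ssh
# exit with an error instead of staying connected with a forward that never bound.
tunnel_cmd() {
  printf 'ssh %s -N -o ExitOnForwardFailure=yes -L %s:localhost:%s\n' "$1" "$2" "$3"
}

# Stand-alone run over the constructed data (real use: feed live kubectl/netstat output).
NODE_PORT=$(node_port_for "$SAMPLE_PORTS" 8080)
if listens_on_all_ifaces "$SAMPLE_NETSTAT" "$NODE_PORT"; then
  tunnel_cmd ec2-user@10.0.1.23 18080 "$NODE_PORT"
fi
```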