
ssh Block in eksctl Node Groups

The ssh section is used to configure SSH or SSM access to the EC2 instances in your managed or self-managed node groups.

nodeGroups:
  - name: example-ng
    instanceType: t3.medium
    ssh:
      allow: true
      publicKeyPath: ~/.ssh/id_rsa.pub
      sourceSecurityGroupIds:
        - sg-0123456789abcdef0
      enableSsm: true

🧾 Field-by-Field Breakdown

allow: Enables or disables SSH access for this node group. Must be true for any other SSH setting to take effect.

publicKeyPath: Path to your local public SSH key file (default: ~/.ssh/id_rsa.pub). This key is injected into the instance for SSH access.

publicKey: The actual public key string, provided directly instead of a file path.

publicKeyName: Name of an existing EC2 key pair in AWS to associate with the instance. Use this instead of publicKeyPath or publicKey.

sourceSecurityGroupIds: List of security group IDs that are allowed to reach the nodes via SSH (port 22). Required if your nodes are in a private subnet.

enableSsm: Enables access to the EC2 instances via AWS Systems Manager Session Manager (SSM), so SSH and port 22 are not needed.

✅ Example Scenarios

📌 1. Basic SSH with default key

ssh:
  allow: true
  publicKeyPath: ~/.ssh/id_rsa.pub

- Uses your local SSH key and allows you to SSH in with:

ssh ec2-user@<node-public-ip>

📌 2. Use an existing EC2 Key Pair

ssh:
  allow: true
  publicKeyName: my-ec2-keypair

- You have already uploaded a key to AWS EC2 (EC2 → Key Pairs).

📌 3. Restrict SSH access to a specific Security Group

ssh:
  allow: true
  publicKeyPath: ~/.ssh/id_rsa.pub
  sourceSecurityGroupIds:
    - sg-123abc456def789gh

- Only hosts in this security group can SSH into the nodes.

📌 4. Prefer SSM over SSH

ssh:
  allow: true
  enableSsm: true

- You can now connect via the AWS CLI:

aws ssm start-session --target <instance-id>

🛠 Note: The SSM Agent must be installed, the node IAM role must have SSM permissions, and the nodes need internet access or SSM VPC endpoints for SSM to work.

❗ Important Rules
- You must choose only one of publicKeyPath, publicKey, or publicKeyName.
- allow: true must be set for any SSH config to take effect.
- For managed node groups, SSH access is only possible if the AMI allows it (Amazon EKS optimized AMIs do).
- For SSM, ensure:
  o The EC2 IAM role has SSM permissions.
  o Outbound access to the internet or SSM VPC endpoints exists.
  o Port 22 is not required.

🔒 Security Tip
For production clusters, prefer enableSsm: true over SSH to avoid opening port 22 and reduce your attack surface.
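The rules and the security tip above can be checked automatically before running eksctl. The following linter is an added example (not eksctl's own code): it takes a ClusterConfig as the dict that yaml.safe_load would return, the SAMPLE_CONFIG is constructed for this example, and the finding texts are this example's own wording.

```python
"""Lint the ssh block of eksctl node groups against the rules described on this page."""

KEY_SOURCES = ("publicKeyPath", "publicKey", "publicKeyName")
SSH_SETTINGS = KEY_SOURCES + ("sourceSecurityGroupIds", "enableSsm")


def lint_ssh_block(ng: dict) -> list:
    """Return a list of findings (strings) for one node group's ssh block."""
    name = ng.get("name", "<unnamed>")
    ssh = ng.get("ssh")
    findings = []
    if not ssh:
        return findings  # no ssh block: no remote access configured at all
    sources = [k for k in KEY_SOURCES if ssh.get(k)]
    # Rule: exactly one key source among publicKeyPath, publicKey, publicKeyName.
    if len(sources) > 1:
        findings.append(f"{name}: choose only one of {', '.join(sources)}")
    # Rule: nothing in the ssh block takes effect unless allow is true.
    if not ssh.get("allow") and any(ssh.get(k) for k in SSH_SETTINGS):
        findings.append(f"{name}: allow is not true, so the ssh settings have no effect")
    # Exposure check: a key is injected but port 22 is not limited to a source security group.
    if ssh.get("allow") and sources and not ssh.get("sourceSecurityGroupIds"):
        findings.append(f"{name}: port 22 is not restricted to a source security group")
    # Security tip: prefer Session Manager over SSH for production clusters.
    if ssh.get("allow") and not ssh.get("enableSsm"):
        findings.append(f"{name}: consider enableSsm: true instead of SSH to avoid opening port 22")
    return findings


def lint_cluster(cfg: dict) -> list:
    """Lint every self-managed and managed node group in a ClusterConfig dict."""
    groups = cfg.get("nodeGroups", []) + cfg.get("managedNodeGroups", [])
    return [f for ng in groups for f in lint_ssh_block(ng)]


# Constructed sample ClusterConfig (what yaml.safe_load returns for YAML like the examples above).
SAMPLE_CONFIG = {
    "apiVersion": "eksctl.io/v1alpha5",
    "kind": "ClusterConfig",
    "nodeGroups": [
        {"name": "open-ng", "instanceType": "t3.medium",
         "ssh": {"allow": True, "publicKeyPath": "~/.ssh/id_rsa.pub"}},
        {"name": "ssm-ng", "instanceType": "t3.medium",
         "ssh": {"allow": True, "enableSsm": True}},
    ],
}

if __name__ == "__main__":
    for finding in lint_cluster(SAMPLE_CONFIG):
        print(finding)
```

Running it flags only open-ng (unrestricted port 22, no SSM), while ssm-ng, which matches scenario 4, produces no findings.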
