Configure SSH Server


With SSH bastion server, users are able to connect to their jupyter notebooks directly using SSH connections.

By setting up a SSH bastion server and exposing the TCP service, users could SSH into their Jupyter notebook if users toggle the Enable SSH Server option in the spawner page.

The bastion server also fetches public keys of users from Jupyter pods and cache them to speed up the SSH authorization.

The bastion server pod has very strict network policies and only allow to reach Jupyter notebook pods with SSH Server enabled.

This is a very practical feature, there are various of things you can do, for example:

  • Port-forward services to your machine

  • Connect to your Jupyter notebook workspace in your favorite editor


Enable SSH Bastion Server Feature

This feature is default enabled in PrimeHub CE version, if you're using EE version you'll need to enable this manually.

In your helm_override/primehub.yaml simply add this section and helmfile apply.

  enabled: true

You may need to restart the hub pod manually to reload the config.


SSH bastion server will access Kubernetes API to get pods' info. The default API port is 6443.

If your Kubernetes API listens on other ports, you need to specify the port in helm_override/primehub.yaml. For instance, microk8s is using 16443 as default API port. The configuration will look like this:

  enabled: true
    kubeApiPort: 16443

To obtain Kubernetes API info, please run the following command.

kubectl get services kubernetes -o,IP:.spec.clusterIP,PORT:.spec.ports[0].targetPort

Allow SSH connection

You'll need to allow external SSH connection to your ingress / loadbalancer

And don't forget to allow the TCP port (default 2222 port) on your firewall or security group.

Here's some setup example in different environments:

On-Premises (NGINX Ingress)

For NGINX Ingress Controller, you'll have to edit the tcp-services configmap to expose certain TCP 2222 port to the SSH bastion server port.

$ kubectl edit -n ingress-nginx tcp-services
apiVersion: v1
kind: ConfigMap
  name: tcp-services
  namespace: ingress-nginx
  "2222": hub/ssh-bastion-server:2222

For more detail about exposing TCP services of NGINX Ingress Controller, you can check out the official document.

Google Kubernetes Engine

If you're using GCE Ingress Controller, it doesn't support TCP proxy. You need to specify the annotation "nginx" in all ingresses to target NGINX ingress controller.

  name: foo
  annotations: "nginx"

After that, you'll have to edit the firewall to expose certain TCP 2222 port. Go to Firewall page in Google Cloud Platform console, then create the firewall rule.


What's the logic of the SSH key cache mechanism?

  • 15 min since last update cache → cache invalid, the whole cache will be fully rebuild upon the next ssh connection.

  • 2 min since last update cache → if incoming ssh key is not in cache store, try to fetch publickey APIs of those pods not in the cache.

  • cache updated within 2 min → only check incoming SSH key from local cache.

How do I refresh the SSH key cache manually?

If you are able to reach your Kubernetes cluster, you can run the following command to refresh the SSH key cache manually.

$ POD_NAME=$(kubectl get pod -n hub --selector=ssh-bastion-server/bastion=true -o jsonpath='{.items[*]}')
$ kubectl exec -it -n hub $POD_NAME bash
root@ssh-bastion-server:/# cd /etc/ssh
root@ssh-bastion-server:/# python full
root@ssh-bastion-server:/# exit

Last updated