A customer needs to access pods in a legacy-fashioned way. We agreed that SFTP would be the method of choice, as kubectl cp on the command line is not an option for the customer, and plain FTP is not an option for me.
I checked how sftp-server actually works. It is charmingly simple: the SSH daemon execs the binary with STDIN/STDOUT connected to the session. I added a little bit of configuration management and started a prototype, written as a shell script, for demonstration and benchmarking.
Starting with statically linked binaries of sftp-server, I added some glue code which processes Kubernetes pod events and derives configuration and credentials to access them via SFTP.
How does it work
- Add the label sftp: enabled to a particular pod
- The pod is recreated, and the events regarding its lifecycle are caught by the operator, a pod called
- The operator resolves the topmost resource (tr) which created the pod (e.g. its parent DaemonSet) and creates a secret holding the inbound sftp username, password and ssh private key, unless one already exists.
- The actual service pod, named sftp-server, picks up those secrets and creates a local user and a settings file for each of them
- When connecting via sftp, authentication is handled as usual, public-key or password-based. After successful authentication, the statically linked sftp-server binaries are placed into the destination container and then run inside it. The connection is forwarded via
- Some simple benchmarks showed transfer speeds that are fast enough for common ISP uplinks (e.g. xDSL, DOCSIS or LTE); routing is left to Kubernetes
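The glue the sftp-server pod needs for one inbound user, covering both the "sshd just execs the binary with STDIN/STDOUT connected" observation above and the last three steps of the list. This is an added example, not the project's own prototype. It assumes a hypothetical layout: each secret is mounted as a directory $SECRET_DIR/<username>/ holding the files password, ssh-privatekey and target (target being "namespace/pod/container"), the static sftp-server binary sits at $SFTP_BIN on the sftp-server pod and is staged to /tmp/sftp-server in the destination container, and sshd_config includes the drop-in directory $SSHD_CONF_DIR. The script name sftp-glue.sh and its sub-commands are my own.

```sh
#!/bin/sh
# Added example (not the project's code). Hypothetical layout: $SECRET_DIR/<user>/{password,ssh-privatekey,target},
# target = "namespace/pod/container"; $SFTP_BIN is the static sftp-server on this pod.
set -eu

SELF=${SFTP_GLUE:-/usr/local/bin/sftp-glue.sh}          # where this script is installed (assumed)
SFTP_BIN=${SFTP_BIN:-/opt/sftp-server/sftp-server}      # static binary to stage (assumed path)
SSHD_CONF_DIR=${SSHD_CONF_DIR:-/etc/ssh/sshd_config.d}   # sshd_config must "Include" this directory

# Usernames end up in sshd_config and in useradd; only accept a plain POSIX account name.
valid_user() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# "namespace/pod/container" -> "namespace pod container"; empty segments or other shapes are rejected.
parse_target() {
  case $1 in
    *//*|/*|*/) echo "bad target: $1" >&2; return 1 ;;
    */*/*/*)    echo "bad target: $1" >&2; return 1 ;;
    */*/*)      ;;
    *)          echo "bad target: $1" >&2; return 1 ;;
  esac
  ns=${1%%/*}; rest=${1#*/}
  printf '%s %s %s\n' "$ns" "${rest%%/*}" "${rest#*/}"
}

# sshd Match block for one user: the session is forced into the forwarder, so the
# customer never gets a shell (or port forwarding) on the sftp-server pod itself.
render_match_block() {
  valid_user "$1" || return 1
  parse_target "$2" >/dev/null || return 1
  printf 'Match User %s\n' "$1"
  printf '    ForceCommand %s forward %s\n' "$SELF" "$2"
  printf '    AllowTcpForwarding no\n    PermitTunnel no\n    X11Forwarding no\n    PermitTTY no\n'
}

# Stage the static binary into the destination container over an exec session;
# this needs only sh and cat in the target image (kubectl cp would need tar).
stage_binary() {
  t=$(parse_target "$1") || return 1; set -- $t
  kubectl exec -i -n "$1" "$2" -c "$3" -- \
    sh -c 'cat >/tmp/sftp-server && chmod 0755 /tmp/sftp-server' <"$SFTP_BIN"
}

# Runs as ForceCommand after sshd has authenticated the user: sshd hands us the
# session's stdin/stdout and we hand them straight to sftp-server in the container.
# -i but never -t: the SFTP protocol is binary and a TTY would mangle it.
forward() {
  t=$(parse_target "$1") || return 1; set -- $t
  exec kubectl exec -i -n "$1" "$2" -c "$3" -- /tmp/sftp-server -e
}

# Materialise one secret directory as a local account plus an sshd drop-in (needs root).
create_user() {
  dir=$1; user=$(basename "$dir"); target=$(cat "$dir/target")
  valid_user "$user" || return 1
  # /bin/sh rather than nologin: sshd runs ForceCommand through the user's login shell.
  id "$user" >/dev/null 2>&1 || useradd -m -s /bin/sh "$user"
  printf '%s:%s\n' "$user" "$(cat "$dir/password")" | chpasswd
  home=$(getent passwd "$user" | cut -d: -f6)
  install -d -m 0700 -o "$user" -g "$user" "$home/.ssh"
  # The secret carries the private key handed to the customer; sshd needs the public half.
  ssh-keygen -y -f "$dir/ssh-privatekey" >"$home/.ssh/authorized_keys"
  chown "$user:$user" "$home/.ssh/authorized_keys"; chmod 0600 "$home/.ssh/authorized_keys"
  render_match_block "$user" "$target" >"$SSHD_CONF_DIR/$user.conf"
}

case "${1:-}" in
  render)  render_match_block "$2" "$3" ;;
  stage)   stage_binary "$2" ;;
  forward) forward "$2" ;;
  adduser) create_user "$2" ;;
  "")      : ;;   # no sub-command: only define the functions (e.g. when sourced)
  *)       echo "usage: $0 render USER TARGET | stage TARGET | forward TARGET | adduser SECRET_DIR" >&2; exit 2 ;;
esac
```

Typical flow on the sftp-server pod: `sftp-glue.sh adduser $SECRET_DIR/alice`, `sftp-glue.sh stage demo/web-0/app`, then `sshd` reload; the customer's `sftp alice@host` is forced into `forward`. Two checks worth doing before exposing this: the ServiceAccount used by the pod should only carry `create` on `pods/exec` for the namespaces it serves (every authenticated SFTP user effectively gets that permission against their target), and the username validation matters because the name is written into sshd_config and passed to useradd.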
Source code, development, installation, bugs, and planned features
The source code is available on GitHub. Eventually I'll rewrite it in Go, making operator and server more robust and resource-friendly. In its current state this is a PoC.
It can be installed via
At the moment the operator does not clean up secrets when the corresponding topmost resource is deleted. Health checks are missing, too. So there is quite some work left.