SSH keys offer a far more secure way of logging into a server with SSH than relying on a password alone. While a password runs the risk of eventually being cracked, SSH keys are, in practice, infeasible to brute-force. As a matter of fact, generating a key pair offers users two.
- Quick Start
- Install Needed Tools
- Create a Resource Group and Service Principal
- Create an aks-engine apimodel
- Deploy the cluster
Quick Start
This guide will step through everything needed to build your first Kubernetes cluster and deploy a Windows web server on it. The steps include:
- Getting the right tools
- Completing an AKS Engine apimodel which describes what you want to deploy
- Running AKS Engine to generate Azure Resource Model templates
- Deploying your first Kubernetes cluster with Windows Server 2019 nodes
- Managing the cluster from your Windows machine
- Deploying your first app on the cluster
All of these steps can be done from any OS platform, so some sections are split out by Windows, Mac or Linux to provide the most relevant samples and scripts. If you have a Windows machine but want to use the Linux tools - no problem! Set up the Windows Subsystem for Linux and you can follow the Linux instructions on this page.
When you're done, you will have a working cluster running Windows Server 2019 and the latest Kubernetes v1.13 release. Older releases are available but not recommended.
Note: Windows support for Kubernetes is still in beta and under active development. If you run into problems, please be sure to check the Troubleshooting page and active Windows issues in this repo, then help us by filing new issues for things that aren't already covered.
Install Needed Tools
This guide needs a few important tools, which are available on Windows, Mac, and Linux:
- AKS Engine - used to generate the Azure Resource Manager (ARM) template to automatically deploy a Kubernetes cluster
- Azure CLI - used to log into Azure, create resource groups, and deploy a Kubernetes cluster from a template
- Kubectl - 'Kube control' tool used to manage Kubernetes clusters
- SSH - An SSH public key is needed when you deploy a cluster. It's used to connect to the Linux VMs running the cluster if you need to do more management or troubleshooting later.
Windows
Azure CLI (Windows)
Click the download link, and choose 'Run'. Click through the setup steps as needed.
Once it's installed, make sure you can connect to Azure with it. Open a new PowerShell window, then run `az login`. It will have you log in to Azure in your web browser, then return to the command line and show 'You have logged in. Now let us find all the subscriptions to which you have access...' along with the list of subscriptions.
If you want other versions, check out the official instructions. For more help, check out the Azure CLI getting started page.
AKS Engine (Windows)
Windows support is evolving rapidly, so be sure to use the latest AKS Engine version (v0.20 or later).
- Browse to the AKS Engine releases page on GitHub.
- Find the latest version, and download the file ending in `-windows-amd64.zip`.
- Extract the `aks-engine...-windows-amd64.zip` file to a working folder such as `c:\tools`.
- Check that it runs with `.\aks-engine.exe version`.
- Add the folder you created in step 3 to your path.
Kubectl (Windows)
The latest release of Kubernetes Control (kubectl) is available on the Kubernetes release page. Look for `kubernetes-client-windows-amd64.tar.gz` and download it.
Windows 10 version 1803 and later already include `tar`, so extract the archive and move `kubectl.exe` to the same folder (such as `c:\tools`) that you put `aks-engine.exe` in. If you don't already have `tar`, then busybox-w32 is a good alternative. Download busybox.exe, then copy it to `c:\tools\tar.exe`. It must be named `tar.exe` for the next step to work.
SSH (Windows)
Windows 10 version 1803 and later come with the Secure Shell (SSH) client as an optional feature installed at `C:\Windows\system32\openssh`. If you have `ssh.exe` and `ssh-keygen.exe` there, skip forward to Generate SSH key (Windows).
- Download the latest OpenSSH-Win64.zip file from Win32-OpenSSH releases
- Extract it to the same `c:\tools` folder or another folder in your path
Generate SSH key (Windows)
First, check if you already have an SSH key generated at `~\.ssh\id_rsa.pub`. If the file already exists, then you can skip forward to Create a Resource Group and Service Principal.
If it does not exist, then run `ssh-keygen.exe`. Use the default file, and enter a passphrase if you wish to protect it. Be sure not to use an SSH key with a blank passphrase in production.
Mac
Most of the needed tools are available with Homebrew. Use it or another package manager to install these:
- `jq` - helpful JSON processor
- `azure-cli` - for the `az` Azure command line tool
- `kubernetes-cli` - for the `kubectl` 'Kube Control' management tool
Once you have those installed, make sure you can log into Azure. Open a new Terminal window, then run `az login`. It will have you log in to Azure in your web browser, then return to the command line and show 'You have logged in. Now let us find all the subscriptions to which you have access...' along with the list of subscriptions.
AKS Engine (Mac)
Windows support is evolving rapidly, so be sure to use the latest AKS Engine version (v0.20 or later).
- Browse to the AKS Engine releases page on GitHub.
- Find the latest version, and download the file ending in `-darwin-amd64.zip`.
- Extract the `aks-engine...-darwin-amd64.zip` file to a folder in your path such as `/usr/local/bin`.
- Check that it runs with `aks-engine version`.
SSH (Mac)
SSH is preinstalled, but you may need to generate an SSH key.
Generate SSH key (Mac)
Open up Terminal, and make sure you have an SSH public key. If the file doesn't exist, run `ssh-keygen` to create one.
Linux
These tools are included in most distributions. Use your typical package manager to make sure they're installed:
- `jq` - helpful JSON processor
- `curl` - to download files
- `openssh` or another `ssh` client
- `tar`
Azure CLI (Linux)
Packages for the `az` cli are available for most distributions. Please follow the right link for your package manager: apt, yum, zypper.
Now, make sure you can log into Azure. Open a new Terminal window, then run `az login`. It will have you log in to Azure in your web browser, then return to the command line and show 'You have logged in. Now let us find all the subscriptions to which you have access...' along with the list of subscriptions.
AKS Engine (Linux)
Windows support is evolving rapidly, so be sure to use the latest AKS Engine version (v0.20 or later).
- Browse to the AKS Engine releases page on GitHub.
- Find the latest version, and download the file ending in `-linux-amd64.zip`.
- Extract the `aks-engine...-linux-amd64.zip` file to a folder in your path such as `/usr/local/bin`.
- Check that it runs with `aks-engine version`.
Kubectl (Linux)
The latest release of Kubernetes Control (kubectl) is available on the Kubernetes release page. Look for `kubernetes-client-linux-....tar.gz` and copy the link to it.
Download and extract it with curl & tar:
Then copy it to `/usr/local/bin` or another directory in your PATH.
Generate SSH key (Linux)
From a terminal, make sure you have an SSH public key. If the file doesn't exist, run `ssh-keygen` to create one.
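As an added example (not part of the original guide), this Python script does the "make sure you have an SSH public key" check from the Windows, Mac and Linux sections above by parsing the OpenSSH public-key line format itself: it refuses a pasted private key, checks that the type prefix matches the encoded blob, and reports the RSA modulus size so an undersized key is caught before it is baked into a cluster. The sample keys are constructed in code and are not usable keys.

```python
import base64
import struct

def _field(raw):
    # Encode one uint32-length-prefixed field of the OpenSSH wire format.
    return struct.pack(">I", len(raw)) + raw

def _read_field(blob, offset):
    """Decode one length-prefixed field, returning (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def build_pubkey_line(key_type, fields, comment="constructed@example"):
    """Assemble a '<type> <base64> <comment>' line from raw fields (test data only)."""
    blob = _field(key_type.encode("ascii")) + b"".join(_field(f) for f in fields)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode("ascii"), comment)

def constructed_rsa_line(modulus_bits):
    """Constructed ssh-rsa line with a made-up modulus: right shape, NOT a usable key."""
    e = (65537).to_bytes(3, "big")
    n = ((1 << (modulus_bits - 1)) | 0x1234567).to_bytes((modulus_bits + 7) // 8, "big")
    if n[0] & 0x80:
        n = b"\x00" + n  # mpint rule: a leading zero keeps a high-bit value positive
    return build_pubkey_line("ssh-rsa", [e, n])

def inspect_public_key(line, min_rsa_bits=2048):
    """Return (key_type, bits, problems) for one id_*.pub / authorized_keys line."""
    line = line.strip()
    if line.startswith("-----BEGIN"):  # PEM header: the PRIVATE half was pasted
        return None, 0, ["this is a PRIVATE key, not the .pub file"]
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None, 0, ["expected '<type> <base64> [comment]'"]
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        wire_type, off = _read_field(blob, 0)
        problems = []
        if wire_type != key_type.encode("ascii"):
            problems.append("prefix %s does not match blob type %r" % (key_type, wire_type))
        if key_type == "ssh-rsa":
            _e, off = _read_field(blob, off)
            n, off = _read_field(blob, off)
            bits = int.from_bytes(n, "big").bit_length()  # leading 0x00 pad is ignored
            if bits < min_rsa_bits:
                problems.append("RSA modulus is %d bits; need at least %d" % (bits, min_rsa_bits))
        elif key_type == "ssh-ed25519":
            pk, off = _read_field(blob, off)
            bits = len(pk) * 8
            if len(pk) != 32:
                problems.append("Ed25519 public key must be 32 bytes, got %d" % len(pk))
        else:
            return key_type, 0, ["unrecognised key type %s" % key_type]
        if off != len(blob):
            problems.append("%d trailing bytes after key data" % (len(blob) - off))
        return key_type, bits, problems
    except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
        return key_type, 0, ["malformed key data: %s" % exc]
```

Run it over the contents of your own `id_rsa.pub`; an empty problems list means the file is the public half, well-formed, and at least 2048 bits.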
Create a Resource Group and Service Principal
Now that we have the Azure CLI configured and an SSH key generated, it's time to create a resource group to hold the deployment.
AKS Engine and Kubernetes also need access to deploy resources inside that resource group to build the cluster, as well as configure more resources such as Azure Load Balancers once the cluster is running. This is done using an Azure Service Principal. It's safest to create one with access just to the resource group so that once your deployment is deleted, the service principal can't be used to make other changes in your subscription.
Create a Resource Group and Service Principal (Windows)
`az group create --location <location> --name <name>` will create a group for you. Be sure to use a unique name for each cluster. If you need a list of available locations, run `az account list-locations -o table`.
Now that the group is created, create a service principal with Contributor access for that group only.
Create a Resource Group and Service Principal (Mac+Linux)
`az group create --location <location> --name <name>` will create a group for you. Be sure to use a unique name for each cluster. If you need a list of available locations, run `az account list-locations -o table`.
Now that the group is created, create a service principal with Contributor access for that group only.
Create an aks-engine apimodel
Multiple samples are available in this repo under examples/windows. This guide will use the windows/kubernetes.json sample to deploy 1 Linux VM to run Kubernetes services, and 2 Windows nodes to run your Windows containers.
After downloading that file, you will need to
- Set windowsProfile.adminUsername and adminPassword. Be sure to check the Azure Windows VM username and password requirements first.
- Set a unique name for masterProfile.dnsPrefix. This will be the first part of the domain name you'll use to manage the Kubernetes cluster later.
- Set the ssh public key that will be used to log into the Linux VM
- Set the Azure service principal for the deployments
Filling out apimodel (Windows)
You can use the same PowerShell window from earlier to run this next script to do all that for you. Be sure to replace `$dnsPrefix` with something unique and descriptive, and `$windowsUser` and `$windowsPassword` with values that meet the requirements.
Filling out apimodel (Mac & Linux)
Using the same terminal as before, you can use this script to download the template and fill it out. Be sure to set DNSPREFIX, WINDOWSUSER, and WINDOWSPASSWORD to meet the requirements.
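As an added example (not the guide's own PowerShell or shell script), here is the same fill-out step in Python with the checks the guide asks for done up front, so a bad username, password, dnsPrefix or a pasted private key is rejected before anything is written. The apimodel stand-in is constructed for this example; the JSON paths follow the aks-engine apimodel, the reserved-username list is partial, and the dnsPrefix rule is an assumption noted in the code.

```python
import json
import re

# Stand-in for examples/windows/kubernetes.json, constructed for this example with only
# the keys the guide asks you to fill (paths follow the aks-engine apimodel schema).
SAMPLE_APIMODEL = {
    "apiVersion": "vlabs",
    "properties": {
        "masterProfile": {"count": 1, "dnsPrefix": "", "vmSize": "Standard_D2_v3"},
        "windowsProfile": {"adminUsername": "azureuser", "adminPassword": "replacepassword1234$"},
        "linuxProfile": {"adminUsername": "azureuser", "ssh": {"publicKeys": [{"keyData": ""}]}},
        "servicePrincipalProfile": {"clientId": "", "secret": ""},
    },
}

# Azure Windows VM rules: username 1-20 chars, not ending in '.', not a reserved name
# (only a few of the reserved names are listed here); password 12-123 chars with at
# least 3 of lower/upper/digit/special. Azure also rejects some well-known passwords.
RESERVED_USERS = {"administrator", "admin", "user", "guest"}
PASSWORD_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
# dnsPrefix is the first DNS label of the cluster FQDN; assumed rule (check your
# aks-engine version): starts with a letter, lowercase letters/digits/hyphens, 3-45 chars.
DNS_PREFIX_RE = re.compile(r"^[a-z][a-z0-9-]{1,43}[a-z0-9]$")

def windows_password_problems(password):
    problems = []
    if not 12 <= len(password) <= 123:
        problems.append("password must be 12-123 characters")
    if sum(re.search(p, password) is not None for p in PASSWORD_CLASSES) < 3:
        problems.append("password needs 3 of: lowercase, uppercase, digit, special")
    return problems

def apimodel_problems(dns_prefix, win_user, win_password, ssh_pub, sp_id, sp_secret):
    """Every reason the deployment would be rejected, checked before anything is written."""
    problems = windows_password_problems(win_password)
    if not 1 <= len(win_user) <= 20 or win_user.endswith("."):
        problems.append("username must be 1-20 characters and not end with '.'")
    if win_user.lower() in RESERVED_USERS:
        problems.append("username %r is reserved by Azure" % win_user)
    if not DNS_PREFIX_RE.match(dns_prefix):
        problems.append("dnsPrefix %r is not a valid DNS label" % dns_prefix)
    if not ssh_pub.lstrip().startswith(("ssh-", "ecdsa-")):  # '-----BEGIN' = private half
        problems.append("ssh key must be the public (.pub) half, e.g. 'ssh-rsa AAAA...'")
    if not sp_id or not sp_secret:
        problems.append("service principal id and secret are both required")
    return problems

def fill_apimodel(model, dns_prefix, win_user, win_password, ssh_pub, sp_id, sp_secret):
    """Return a filled deep copy of the apimodel, or raise ValueError with every problem."""
    problems = apimodel_problems(dns_prefix, win_user, win_password, ssh_pub, sp_id, sp_secret)
    if problems:
        raise ValueError("; ".join(problems))
    filled = json.loads(json.dumps(model))  # deep copy: the downloaded template stays pristine
    p = filled["properties"]
    p["masterProfile"]["dnsPrefix"] = dns_prefix
    p["windowsProfile"].update({"adminUsername": win_user, "adminPassword": win_password})
    p["linuxProfile"]["ssh"]["publicKeys"] = [{"keyData": ssh_pub.strip()}]
    p["servicePrincipalProfile"]["clientId"] = sp_id
    p["servicePrincipalProfile"]["secret"] = sp_secret
    return filled
```

Write the returned dict out with `json.dump` to the file you pass to `aks-engine generate`; the service principal secret ends up in that file, so treat it like any other credential on disk.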
Generate Azure Resource Manager template
Now that the AKS Engine cluster definition is complete, generate the Azure templates with `aks-engine generate kubernetes-windows-complete.json`.
This will generate an `_output` directory with a subdirectory named after the dnsPrefix you set above. In this example, it's `_output/wink8s1`.
It will also create a working Kubernetes client config file in the `_output/<dnsprefix>/kubeconfig` folder. We'll come back to that in a bit.
Deploy the cluster
Get the paths to `azuredeploy.json` and `azuredeploy.parameters.json` from the last step, and pass them into `az group deployment create --name <name for deployment> --resource-group <resource group name> --template-file <...azuredeploy.json> --parameters <...azuredeploy.parameters.json>`.
After several minutes, it will return the list of resources created in JSON. Look for `masterFQDN`.
The DNS prefix provided is used to generate the hostname of the cluster (e.g. staging, prodwest, blueberry) and must be unique for each cluster deployment.
Check that the cluster is up
As mentioned earlier, `aks-engine generate` also creates Kubernetes configuration files under `_output/<dnsprefix>/kubeconfig`. There will be one per possible region, so find the one matching the region you deployed in.
In the example above with `dnsprefix` = `wink8s1` and the `westus2` region, the filename would be `_output/wink8s1/kubeconfig/kubeconfig.westus2.json`.
Setting KUBECONFIG on Windows
Set `$ENV:KUBECONFIG` to the full path to that file.
Setting KUBECONFIG on Mac or Linux
Once you have `KUBECONFIG` set, you can verify the cluster is up with `kubectl get node -o wide`.
SSH to the Linux master (optional)
If you would like to manage the cluster over SSH, you can connect to the Linux master directly using the FQDN of the cluster:
Deploy your first application
Kubernetes deployments are typically written in YAML files. This one will create a pod with a container running the IIS web server, and tell Kubernetes to expose it as a service with the Azure Load Balancer on an external IP.
Copy and paste that into a file called `iis.yaml`, then run `kubectl apply -f iis.yaml`. kubectl will show the deployment and service were created:
Now, you can check the status of the pod and service with `kubectl get pod` and `kubectl get service` respectively.
Initially, the pod will be in the `ContainerCreating` state, and eventually go to `Running`. The service will show `<pending>` under `EXTERNAL-IP`. Here's what the first progress will look like:
Since this is the first deployment, it will probably take several minutes for the Windows node to download and run the container. Later deployments will be faster because the large `microsoft/windowsservercore` container will already be on disk.
The service will eventually show an EXTERNAL-IP as well:
Once the pod is in `Running` state, get the IP from `kubectl get service` then visit http://<EXTERNAL-IP> to test your web server.
What was deployed
Once your Kubernetes cluster has been created you will have a resource group containing:
- 1 master accessible by SSH on port 22 or kubectl on port 443
- A set of Windows and/or Linux nodes. The Windows nodes can be accessed through an RDP SSH tunnel via the master node, following these steps: Connecting to Windows Nodes.
These parts were all automatically created using the Azure Resource Manager template created by AKS Engine:
- Master Components - The master runs the Kubernetes scheduler, api server, and controller manager. Port 443 is exposed for remote management with the kubectl cli.
- Linux Nodes - the Kubernetes nodes run in an availability set. Azure load balancers are dynamically added to the cluster depending on exposed services.
- Windows Nodes - the Kubernetes windows nodes run in an availability set.
- Common Components - All VMs run a kubelet, Docker, and a Proxy.
- Networking - All VMs are assigned an ip address in the 10.240.0.0/16 network and are fully accessible to each other.
Next Steps
For more resources on Windows and AKS Engine, continue reading:
- Using Kubernetes ingress for more flexibility in http and https routing
If you'd like to learn more about Kubernetes in general, check out these guides:
- Kubernetes Bootcamp - shows you how to deploy, scale, update, and debug containerized applications.
- Kubernetes Userguide - provides information on running programs in an existing Kubernetes cluster.
I am having a really hard time getting my SSH keys up and running after installing Windows 10. Normal method is create it and throw it in the user's account under .ssh. This folder does not appear to be available in Windows 10.
Anyone else run into this? I need to have 3 SSH keys for different repos and this is really holding me up.
Rudenate3
9 Answers
- Open the windows command line (type 'cmd' on the search box and hit enter).
- It'll default to your home folder, so you don't need to `cd` to a different one.
- Type `ssh-keygen`
- Follow the instructions and you are good to go
- Your ssh keys should be stored at the chosen directory, the default is: `/c/Users/YourUserName/.ssh/id_rsa.pub`
p.s.: If you installed git with bash integration (like me) open 'Git Bash' instead of 'cmd' on first step
Digital Fun Frenzy
2019-04-07 UPDATE: I tested today with a new version of windows 10 (build 1809, '2018 October's update') and not only is the open SSH client no longer in beta, it is already installed. So, all you need to do is create the key and set your client to use open SSH instead of putty (pagent):
- open command prompt (cmd)
- enter `ssh-keygen` and press enter
- press enter to all settings. now your key is saved in `c:\Users\.ssh\id_rsa.pub`
- Open your git client and set it to use open SSH
I tested on Git Extensions and Source Tree and it worked with my personal repo in GitHub. If you are in an earlier windows version or prefer a graphical client for SSH, please read below.
2018-06-04 UPDATE:
On windows 10, starting with version 1709 (win+R and type `winver` to find the build number), Microsoft is releasing a beta of the OpenSSH client and server. To be able to create a key, you'll need to install the OpenSSH server. To do this follow these steps:
- open the start menu
- Type 'optional feature'
- select 'Add an optional feature'
- Click 'Add a feature'
- Install 'Open SSH Client'
- Restart the computer
Now you can open a prompt and `ssh-keygen` and the client will be recognized by windows. I have not tested this. If you do not have windows 10 or do not want to use the beta, follow the instructions below on how to use putty.
`ssh-keygen` does not come installed with windows. Here's how to create an ssh key with Putty:
- Install putty
- Open PuttyGen
- Check the Type of key and number of bytes to use
- Move the mouse over the progress bar
- Now you can define a passphrase and save the public and private keys
For openssh keys, a few more steps are required:
- copy the text from 'Public key for pasting' textbox and save it as 'id_rsa.pub'
- To save the private key in the openssh format, go to Conversions->Export OpenSSH key ( if you did not define a passkey it will ask you to confirm that you do not want a pass key)
- Save it as 'id_rsa'
Now that the keys are saved, start `pagent` and add the private key there (the ppk file in Putty's format).
Remember that `pagent` must be running for the authentication to work.
franksands
WINDOWS: If you have git for windows installed go to its folder.
Look in the bin directory. There is a sh.exe file. Run that.
Then type: `ssh-keygen -t rsa -C 'your email here'`
Follow the instructions and then type: `cat ~/.ssh/id_rsa.pub | clip`
It copies the key to your clipboard. Now you can paste that public key to the server side.
Daniel
- Open the windows command line (type 'cmd' on the search box and hit enter).
- It'll default to your home folder, so you don't need to `cd` to a different one.
- Type `mkdir .ssh`
aruanoc
Warning: If you are saving your keys under C:/User/username/.ssh ( the default place), make sure to back up your keys somewhere (eg your password manager).
After the most recent Windows 10 Update (version 1607), my .ssh folder was empty. This is where my keys have always been, but Windows decided to delete them when updating.
Thankfully I had backed up my keys... But... I bet some people will be reverting their PCs today.
Andrew
I found a notable exception that in Windows 10, using the described route only wrote the files to the folder if the file names were not specified in the ssh-keygen generator.
Giving a custom key name caused the files containing the RSA public and private keys not to be written to the folder.
- Open the windows command line
- Type `ssh-keygen`
- Leave file name blank, just press return
- Set your passphrase
- Generate your key files. They will now exist and be stored in `c:/Users/YourUserName/.ssh/`
(using Admin Command Line and Windows 10 Pro)
Martin
I finally got it to work by opening the command line with 'Run as Administrator' even though I was already admin and could create the directory manually.
adelaidedave
I had an issue today with this.
For GIT the key must have a strength of 2048, must be located in the user's .ssh directory and be called id_rsa and id_rsa.pub. When pasting the keys into the files make sure to use a program that does not add new lines like VIM.
Karl Morrison
I'm running Microsoft Windows 10 Pro, Version 10.0.17763 Build 17763, and I see my .ssh folder easily at `C:\Users\jrosario\.ssh` without having to edit permissions or anything (though in File Explorer, I did select 'Show hidden files, folders and drives'):
The keys are stored in a text file named known_hosts, which looks roughly like this:
ShieldOfSalvation