SSH Key Rotation for Azure Kubernetes Service Nodes

Question

Pulumi · Accepted Answer

SSH key rotation is a security process where the SSH keys are changed or updated regularly to prevent unauthorized access. In the context of Azure Kubernetes Service (AKS), you may want to rotate the SSH keys for the nodes to ensure your cluster is secure.

To handle SSH key rotation in AKS, you would typically approach it in the following way:

1. Create a new SSH key pair.
2. Update the AKS service with the new public SSH key.
3. Propagate the change to the nodes within the cluster.

With Pulumi, you can accomplish SSH key rotation by updating the relevant properties of the `ManagedCluster` resource, which represents an AKS cluster. Specifically, you'll need to update the `linuxProfile.ssh.publicKeys` property with a new SSH key.

Here's a program that shows how you can use Pulumi to rotate the SSH key for AKS nodes. It assumes that you have already set up Pulumi with an appropriate Azure credentials configuration and that an AKS cluster is already provisioned:

```python
import pulumi
import pulumi_azure_native as azure_native
from pulumi_azure_native import containerservice

# Generate a new SSH key pair here, or use an existing public key.
# For the purposes of this example, we will assume the public key is in `new_public_ssh_key`.
# In practice, you would generate this dynamically, read it from a secure location, or input it directly.
new_public_ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC..."

# The resource name of the existing AKS cluster and the resource group it belongs to.
aks_cluster_name = "my-aks-cluster"
resource_group_name = "my-resource-group"

# Fetch the existing AKS cluster so that we can update it with the new SSH key.
aks_cluster = containerservice.get_managed_cluster(
    resource_name=aks_cluster_name,
    resource_group_name=resource_group_name
)

def update_ssh_key(args):
    cluster, new_ssh_key = args
    return azure_native.containerservice.ManagedCluster(
        aks_cluster_name,
        resource_group_name=resource_group_name,
        linux_profile=containerservice.LinuxProfileArgs(
            admin_username=cluster.linux_profile.admin_username,  # Preserve the existing admin username.
            ssh=containerservice.SSHConfigurationArgs(
                public_keys=[
                    containerservice.SSHPublicKeyArgs(
                        key_data=new_ssh_key  # Update with the new public SSH key.
                    )
                ]
            )
        )
    )

# Use the `.apply` method to update the AKS cluster's SSH key.
ssh_key_update = pulumi.Output.all(aks_cluster, new_public_ssh_key).apply(update_ssh_key)

# To ensure changes are applied, we export the ID of the updated cluster.
pulumi.export('aks_cluster_id', ssh_key_update.id)
```

In this program:
- We create an SSH key and store it in `new_public_ssh_key`. This should be your newly generated SSH key.
- We reference an existing AKS cluster by its name and the name of the resource group it resides in.
- We fetch the current configuration of the AKS cluster using `containerservice.get_managed_cluster`.
- We call `.apply(update_ssh_key)` to create a new `ManagedCluster` resource with the updated `linux_profile.ssh` configuration that includes the new public SSH key.
- Finally, we export the cluster ID to confirm that the operation was successful.

Please replace `"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC..."` with your actual SSH public key and `my-aks-cluster`, `my-resource-group` with the existing AKS cluster and resource group names. Be sure to also securely handle your SSH private key that corresponds to the provided public key.

Remember, manipulating SSH keys can affect your access to the cluster nodes, so ensure that you handle these credentials securely and that you keep backups of existing keys before making any changes. It's important to apply these changes during maintenance windows or according to your organization's operational procedures to minimize impact on your services.