[k8s_cloud] Add sshjump host support.

[aviweit]

Add an initial support for ssh jump host.

By this, only single port (nodeport) is opened on a target k8s cluster where ssh connections established from skypilot user targeted to ray cluster - are tunneled through ssh jump host pod.

[aviweit]

ssh_key_secret_name doesn't seem to be used.

[romilbhardwaj]

Ah thanks for catching - this is removed in the current latest k8s_cloud branch.

[aviweit]

It causes ssh itself (not its proxy command) to target internal pod ipaddress.

[aviweit]

I am not sure how to use ssh_proxy_command_config handled here. Our ssh_proxy seems to be dynamic; port is dynamic NodePort.

[romilbhardwaj]

Can we assume port assigned to nodeport doesn't change (since the service is created only once)?

[aviweit]

Yes. The port is the same as long as the sshjump service is running.

[aviweit]

I confirm that launching the following task against kind, works well.

SSH interactions with ray head during provision phase, is done through sshjump host as well as user can access ray head with ssh where head is being reached via sshjump pod.

hello.yaml:

num_nodes: 1

resources:
  memory: 2
  cpus: 1
  # Optional; if left out, pick from the available clouds.
  cloud: kubernetes
workdir: .

setup: |
  echo "Running setup."

run: |
  echo "Hello, User, how are you?"
  conda env list

create a local kind k8s cluster:

sky local up

ensure cluster is up:

kubectl get nodes | grep skypilot-control-plane

launch the task

sky launch hello.yaml

[romilbhardwaj]

Thanks @aviweit! This is great. I skimmed through the code and left some comments. Haven't tried running yet. Will take another pass soon.

Can you also merge the latest changes from k8s_cloud branch? It has a few fixes, and some changes in how ssh auth works (especially after #2119), so would be good to verify this still works.

[romilbhardwaj]

Curious - what do you think about reusing the image generated from Dockerfile_k8s (us-central1-docker.pkg.dev/skypilot-375900/skypilotk8s/skypilot:latest) instead of creating a new one?

Pros: Reduces image maintenance burden for us, may be faster to pull since cluster would likely already have the main skypilot:latest image for running tasks
Cons: Dockerfile_k8s is quite bloated because it installs SkyPilot and its dependencies.

Might be worth looking at image sizes for both before taking a call.

[aviweit]

Hi @romilbhardwaj ,

I built both images using build_image.sh and noticed the below size differences. I agree with your Pros and Cons.

$docker images
REPOSITORY                     TAG       IMAGE ID       CREATED        SIZE
...
sshjump                        latest    9c4a7ca3d121   4 hours ago    479MB
skypilot                       latest    448c7c3b7553   4 hours ago    1.32GB
...

[romilbhardwaj]

Thanks @aviweit. Since this image will be pulled only once, lets remove this and reuse Dockerfile_k8s (us-central1-docker.pkg.dev/skypilot-375900/skypilotk8s/skypilot:latest).

[aviweit]

@romilbhardwaj , done.

[romilbhardwaj]

nit: since urllib is standard library, perhaps should be added at L11 before import uuid.

[aviweit]

Hi @romilbhardwaj , I removed import urlparse, as it is now being used by clouds.Kubernetes.get_external_ip() at setup_kubernetes_authentication.

[romilbhardwaj]

Can we define this pod spec as a jinja template (e.g., templates/k8s_ssh_jump.j2) that is filled in with name, image and secret through a function call? Same for the service spec below. Might be able to put them in the same file too.

[aviweit]

Yes, I pushed the changes.

[romilbhardwaj]

Can we assume port assigned to nodeport doesn't change (since the service is created only once)?

[romilbhardwaj]

Ah thanks for catching - this is removed in the current latest k8s_cloud branch.

[aviweit]

Hi @romilbhardwaj , I have merged the PR with k8s_cloud branch and tested again (with the additional commits) - with the task yaml that is mentioned at #2201 (comment).

It worked well with skypilot installed on Ubuntu 20.04 host - against an external kubernetes cluster (deployed via kubeadm), and a one deployed locally (kind).

[romilbhardwaj]

Thanks @aviweit! We probably also need to handle the lifecycle of the jump pod - left some comments. Also, let's use us-central1-docker.pkg.dev/skypilot-375900/skypilotk8s/skypilot:latest image for the ssh jump pod.

[romilbhardwaj]

Thanks @aviweit. Since this image will be pulled only once, lets remove this and reuse Dockerfile_k8s (us-central1-docker.pkg.dev/skypilot-375900/skypilotk8s/skypilot:latest).

[romilbhardwaj]

We need to think a bit about the lifecycle of this jump pod.

• Creation - Creation of this jump ssh pod happens when the user creates their first SkyPilot cluster in the Kubernetes cluster.
• Run - The jump SSH pod is kept alive as long as there is a SkyPilot cluster running (i.e., there exists a Kubernetes pod with label parent: skypilot in the same namespace)
• Termination - If there hasn't been a pod with label parent: skypilot in the same namespace since the past n minutes (say, 10 minutes), this jump pod should terminate itself.

We can do this by running a script like this in the jump ssh pod as the command for the pod:

import os
import datetime
import pytz
import time
from kubernetes import client, config

# Load kube config
config.load_incluster_config()

v1 = client.CoreV1Api()

# Get the current namespace from the pod service account
with open("/var/run/secrets/kubernetes.io/serviceaccount/namespace", "r") as f:
    current_namespace = f.read()

# Set the time delta for checking last active pods
time_delta = datetime.timedelta(minutes=10)

# Set delay for each retry
retry_delay = 60  # In seconds

while True:
    # Get the current time
    now = datetime.datetime.now(pytz.UTC)

    found = False
    # List the pods in the current namespace
    ret = v1.list_namespaced_pod(current_namespace)
    for i in ret.items:
        if i.metadata.labels and 'parent' in i.metadata.labels and i.metadata.labels['parent'] == 'skypilot':
            # Calculate the elapsed time since the pod was last active
            elapsed_time = now - i.metadata.creation_timestamp
            # If the pod was active in the last 10 minutes, set found to True
            if elapsed_time < time_delta:
                found = True
                break

    # If no active pods were found with the specified label, exit the script
    if not found:
        print("No active pods found with label 'parent: skypilot' in the past 10 minutes. Exiting...")
        exit(1)

    # If pods were found, sleep for the specified delay and then retry
    print(f"Active pods found with label 'parent: skypilot'. Retrying in {retry_delay} seconds...")
    time.sleep(retry_delay)

What do you think?

[romilbhardwaj]

Can we have this file as a YAML instead of a json? Trying to have something that can also be easily used with kubectl apply -f for debugging/testing (of course, after replacing template variables).

[aviweit]

@romilbhardwaj , yes. I changed. Thanks.

[aviweit]

Hi @romilbhardwaj

Thanks a lot for the comments. I updated the code to reuse Dockerfile_k8s and updated the template format to yaml. I re-tested the recent changes in our environment and it seems to work well.

Your suggestion on sshjump lifecycle seems to be fine for me. There seems to be additional work such as defining RBAC for the pod to list other pods. I tested it and got that failure.

I would like to ask whether it would be ok to merge this PR and to open another PR to handle sshjump lifecycle? Other PRs can be probably opened to handle additional enhancements as needed.
What do you think?

Thanks again.

[romilbhardwaj]

@aviweit - this is great! Tried it out - works nicely.

There seems to be additional work such as defining RBAC for the pod to list other pods. I tested it and got that failure.

Is there some way to upload kubeconfig credentials so that jump pod can use those to authenticate with the control plane and list pods?

Asking because I think lifecycle management of the jump host is important to get right before we ship this. We do not want to leave an orphan ssh jump pod running on users' clusters after they are done using SkyPilot. If we can figure out a quick solution to the above problem, it'll be great to have in this PR.

If you think it will be an involved process, then it'll be good to have a draft solution verifying this kind of lifecycle management is possible. Once we can verify it can be done, then we can merge this PR and create another one to address it.

What do you think? Thanks again for adding this!

[romilbhardwaj]

@aviweit - I've made some updates to k8s_cloud branch. We use the autoscaler service account which has full permissions over the namespace. Is it possible to use the same autoscaler service account with this jump pod and use it to manage the lifecycle of the pod?

[aviweit]

Hi @romilbhardwaj , I merged k8s_cloud changes into this PR and added lifecycle management of the jump host. It seems to work well in my environment. Can you please review?

Regarding reusing autoscaler service account, I think it would be good to define a dedicated one that will contain only the permissions needed by the sshjump host lifecycle logic.

I would like to ask whether this PR can be merged and if needed, additional PRs will be opened? This will save us time on keeping this PR up to date in respect to upstream changes.

@romilbhardwaj , I think that you will need to re-build and push Dockerfile_k8s because of adding sshjump-lcm.py.

Thanks again.

[aviweit]

Hi @romilbhardwaj , I have updated the code to create sshjump related resources in the correct namespace (and a small update to if statement in lcm script).

Thanks a lot.

[aviweit]

@romilbhardwaj , I added sshjump lcm to monitor only ray pods it is responsible for.
The changes are currently under sub-branch k8s_cloud-sshjumphost2-multiuser: https://github.com/aviweit/skypilot/tree/k8s_cloud-sshjumphost2-multiuser
commit: aviweit@21879c5.

If it is ok, it can be merged to this PR. Thanks.

[Michaelvll]

We should probably re-open this PR by changing the target branch. The original k8s_cloud branch has been deleted as it was merged to the master.

[romilbhardwaj]

Hey @aviweit ! This PR got closed when we merged #2096 into master.

For our next sprint, we'll be switching to k8s_cloud_beta1 branch. Can you re-open this PR on that branch?