How to run an ssh server on kubernetes

Let’s say you’d like to run a pod on your cluster that accepts incoming ssh connections. (There are various reasons to do this — I have one application planned for an upcoming post.)

It’s actually quite easy to just run sshd in a container and mount a public key file as /root/.ssh/authorized_keys to allow a user with the corresponding private key to ssh in as root.

It’s a little trickier, though, if you want to allow ssh access without allowing root access.

The main issue is that a non-root user can’t launch the ssh service, so you can’t simply run your pod as a non-root user. And [right now, as far as I know] you can’t mount a file with a different owner than the security context of the pod. But the ~/.ssh/authorized_keys file needs to be owned by its own corresponding user in order for the ssh service to accept it…
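The ownership requirement described above can be checked from inside the container before sshd is started. The following is an added example, not code from the original post: a simplified model of the check sshd applies when `StrictModes` is enabled, and the function name `strictmodes_problems` is made up for illustration.

```python
import os
import stat


def strictmodes_problems(keyfile, uid, home):
    """List reasons sshd (StrictModes yes) would ignore keyfile for user uid.

    Simplified model: the file and every directory from it up to the user's
    home must be owned by that user or by root, and none of them may be
    writable by group or others.
    """
    problems = []
    path = os.path.realpath(keyfile)  # mounted volumes often expose symlinks
    home = os.path.realpath(home)
    is_keyfile = True
    while True:
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append(f"{path}: {exc.strerror}")
        else:
            if is_keyfile and not stat.S_ISREG(st.st_mode):
                problems.append(f"{path}: not a regular file")
            if st.st_uid not in (0, uid):
                problems.append(
                    f"{path}: owned by uid {st.st_uid}, expected {uid} or 0")
            if st.st_mode & 0o022:
                mode = stat.S_IMODE(st.st_mode)
                problems.append(f"{path}: group/world writable (mode {mode:o})")
        parent = os.path.dirname(path)
        if path == home or parent == path:  # stop at home (or at /)
            break
        path, is_keyfile = parent, False
    return problems


if __name__ == "__main__":
    import pwd
    pw = pwd.getpwuid(os.getuid())  # check the account this script runs as
    keyfile = os.path.join(pw.pw_dir, ".ssh", "authorized_keys")
    issues = strictmodes_problems(keyfile, pw.pw_uid, pw.pw_dir)
    print("\n".join(issues) or "authorized_keys passes the ownership/mode check")
```

A key file mounted with the pod's owner rather than the login user's shows up here as an "owned by uid" line for the file itself.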
