Kubernetes project leads would argue that any time a user has to SSH into one of their K8s workers, they should file a bug against Kubernetes. At KubeCon CPH, when I asked Tim Hockin about the long-awaited debug containers feature, aka 'kubectl debug', he said that "I really do feel that every time someone has to SSH into a node a fairy loses its wings." :)

Dropping out of or below the cluster layer inherently means there is something in K8s that is missing. But no matter what is added to its APIs, Kubernetes will experience a long tail of weird corner cases that just can't be covered. Reportedly the same is true with Borg jobs internally within Google.

Teleport's K8s protocol implementation mates its certificate-based SSH auth with the Kubernetes certificate signing request API, plus Teleport acts as a full recording MITM for all K8s apiserver requests. How exactly end-users will leverage this remains to be seen, but we're super excited to see where the community takes this (and related tricky K8s vs provider IAM issues) as it continues to expand.

Full disclosure -- I work at Gravitational, worked closely with Sasha on this feature[1], and am a fan of Kelsey Hightower's live demo keynotes[2], where he frequently quips about the inherent struggle between procedural Dev+Ops encountering declarative APIs such as K8s.

[1] https://github.com/gravitational/teleport/issues/1986
[2] https://www.youtube.com/watch?v=07jq-5VbBVQ