Azure — SSH into AKS Nodes

3 min readDec 9, 2020


Image :

The K8S service provided by Azure is called AKS. There are times where you need to ssh into the nodes for debugging. In this post, I will go through the step of how to do it, base from this post.

Due to the reason that AKS nodes are created under VMSS, therefore we need to do some configuration to VMSS.


  1. Have your RSA key ready
  2. Gather information for VMSS configuration
  3. Configuring VMSS and update VMs under it
  4. Have a instance(VM/container/etc) that can connect to node
  5. Copy RSA key to the above instance using kubectl command
  6. Now, your instance is ready to SSH into node!


For RSA key, you use command below to generate one if you don’t have it yet.



We need two information here

  1. AKS cluster resource group name
  2. AKS node VMSS name

For NO. 1, you can get it from portal or us command line.

Replace the “YOUR_XXX” part with corresponding information

CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group YOUR_Resource_Group --name YOUR_AKS_Cluster --query nodeResourceGroup -o tsv)

For NO.2, you can get it from portal or us command line. If using command line, you must run NO.1 command line to get the value for $CLUSTER_RESOURCE_GROUP variable.

SCALE_SET_NAME=$(az vmss list --resource-group $CLUSTER_RESOURCE_GROUP --query [0].name -o tsv)


To add your RSA key to nodes in VMSS, we need to use az vmss extension set and az vmss update-instances command. Pay attention to setup your SSH login name and location of your RSA key.

az vmss extension set \
--resource-group $CLUSTER_RESOURCE_GROUP \
--vmss-name $SCALE_SET_NAME \
--name VMAccessForLinux \
--publisher Microsoft.OSTCExtensions \
--version 1.4 \
--protected-settings “{\”username\”:\”azureuser\”, \”ssh_key\”:\”$(cat ~/.ssh/\”}”

Next, update your VMSS instances.

az vmss update-instances --instance-ids ‘*’ \
--resource-group $CLUSTER_RESOURCE_GROUP \


I am going to create a pod called aks-ssh using image alpine, which will be in the same network segment as nodes. By default apline doesn’t have ssh client so I will install it. From there, I will SSH into node.

kubectl run -it aks-ssh --image=alpine


Now I am going to copy the RSA key from my kubectl client using kubectl command to pod created in Step4. Login into pod and verify RSA key is copied.

kb cp /home/centos/.ssh/id_rsa aks-ssh:id_rsa
kb exec -it aks-ssh --/bin/sh


Get the node IP.

kubectl get nodes -o wide

From pod, SSH into node, use the username specific in Step3.

Switch to root using command sudo su - and you can start doing whatever you wanted/supposed to do : )




Cloud Solution Architect, focusing on Oracle Cloud Infrastructure currently.