Skip to content

Instantly share code, notes, and snippets.

@jujhars13

jujhars13/sftp.yaml

Last active November 20, 2024 00:30
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save jujhars13/1e99cf110e5df39d4ae3c7fef81589f8 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save jujhars13/1e99cf110e5df39d4ae3c7fef81589f8 to your computer and use it in GitHub Desktop.
Download ZIP
kubernetes pod example for atmoz/sftp
Raw
sftp.yaml
apiVersion: v1
kind: Namespace
metadata:
name: sftp
---
kind: Service
apiVersion: v1
metadata:
name: sftp
namespace: sftp
labels:
environment: production
spec:
type: "LoadBalancer"
ports:
- name: "ssh"
port: 22
targetPort: 22
selector:
app: sftp
status:
loadBalancer: {}
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: sftp
namespace: sftp
labels:
environment: environment: production
app: sftp
spec:
# how many pods and indicate which strategy we want for rolling update
replicas: 1
minReadySeconds: 10
template:
metadata:
labels:
environment: production
app: sftp
annotations:
container.apparmor.security.beta.kubernetes.io/sftp: runtime/default
spec:
#secrets and config
volumes:
- name: sftp-public-keys
configMap:
name: sftp-public-keys
containers:
#the sftp server itself
- name: sftp
image: atmoz/sftp:latest
imagePullPolicy: Always
env:
# - name: PASSWORD
# valueFrom:
# secretKeyRef:
# name: sftp-server-sec
# key: password
args: ["myUser::1001:100:incoming,outgoing"] #create users and dirs
ports:
- containerPort: 22
volumeMounts:
- mountPath: /home/myUser/.ssh/keys
name: sftp-public-keys
readOnly: true
securityContext:
capabilities:
add: ["SYS_ADMIN"]
resources: {}
@riprasad
Copy link

riprasad commented Nov 2, 2021
edited
Loading

That makes sense. Thanks for the explanation @ToMe25

Also, these lines from the documentation pretty much confirms that

An Ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer.

@afshinyavari
Copy link

afshinyavari commented Jan 12, 2022

@riprasad

Is it possible to get some help with the tweaks you made to get it working on openshift?

@riprasad
Copy link

riprasad commented Jan 13, 2022
edited
Loading

@afshinyavari Sure. You'll basically have to create a service account and grant it anyuid SCC to bypass the default security constraints in OpenShift. You can run the below commands as admin to achieve the same: -

$ oc create serviceaccount sftp-sa
$ oc adm policy add-scc-to-user anyuid -z sftp-sa

Use the created service account in your deployment. In addition, you will also need to configure the security context for the container. Here's the snippet:-

spec:
   serviceAccountName: sftp-sa
    containers:       
       securityContext:
            privileged: true

@riprasad
Copy link

riprasad commented Jan 13, 2022

@afshinyavari Also, I found this project which is compatible with OpenShift https://github.com/drakkan/sftpgo

I did not find time to deploy this but please feel free to explore it, since it is openshift compatible out-of-the-box and offers better features too. Let me know if you're able to deploy this successfully, in case you decide to choose this one over atmoz-sftp

@ToMe25
Copy link

ToMe25 commented Jan 13, 2022 via email
edited
Loading

@riprasad
Copy link

riprasad commented Jan 15, 2022

yea, sftpgo indeed is an interesting project! Do share the manifests if you decide to give it a shot :)

@marcinkubica
Copy link

marcinkubica commented Sep 7, 2023

sftpgo is all fine, sadly until you actually need a debug - drakkan/sftpgo#1412

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment