From f78eff258066961650bc7e3fe9f1961b4a37afe5 Mon Sep 17 00:00:00 2001
From: Dmitry Meyer
Date: Fri, 7 Nov 2025 14:31:11 +0000
Subject: [PATCH] Kubernetes: change jump pod image, tune sshd options

Part-of: https://github.com/dstackai/dstack/issues/3126
---
 .../core/backends/kubernetes/compute.py | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/dstack/_internal/core/backends/kubernetes/compute.py b/src/dstack/_internal/core/backends/kubernetes/compute.py
index 8647e49c6..0a37268fe 100644
--- a/src/dstack/_internal/core/backends/kubernetes/compute.py
+++ b/src/dstack/_internal/core/backends/kubernetes/compute.py
@@ -58,6 +58,7 @@
 logger = get_logger(__name__)
+JUMP_POD_IMAGE = "testcontainers/sshd:1.3.0@sha256:c50c0f59554dcdb2d9e5e705112144428ae9d04ac0af6322b365a18e24213a6a"
 JUMP_POD_SSH_PORT = 22
 DUMMY_REGION = "-"
@@ -845,8 +846,7 @@ def _create_jump_pod_service(
             containers=[
                 client.V1Container(
                     name=f"{pod_name}-container",
-                    # TODO: Choose appropriate image for jump pod
-                    image="dstackai/base:py3.11-0.4rc4",
+                    image=JUMP_POD_IMAGE,
                     command=["/bin/sh"],
                     args=["-c", " && ".join(commands)],
                     ports=[
@@ -898,10 +898,7 @@ def _get_jump_pod_commands(authorized_keys: List[str]) -> List[str]:
     authorized_keys_content = "\n".join(authorized_keys).strip()
     commands = [
-        # prohibit password authentication
-        'sed -i "s/.*PasswordAuthentication.*/PasswordAuthentication no/g" /etc/ssh/sshd_config',
-        # create ssh dirs and add public key
-        "mkdir -p /run/sshd ~/.ssh",
+        "mkdir -p ~/.ssh",
         "chmod 700 ~/.ssh",
         f"echo '{authorized_keys_content}' > ~/.ssh/authorized_keys",
         "chmod 600 ~/.ssh/authorized_keys",
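Review bot: `JUMP_POD_IMAGE` is pinned by both tag and digest, but nothing at the definition records why this image was chosen or that the digest has to move together with the tag, so the next bump is likely to update one and not the other; a comment above the constant would cover it, e.g. `# sshd-only image for the jump pod; pinned by digest, update tag and digest together`. The sshd command line assembled in `_get_jump_pod_commands` later in this patch also assumes `/usr/sbin/sshd` and `ssh-keygen -A` are present in this image — presumably checked, but worth stating in the same comment so a future image swap re-checks it.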
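Review bot: The new `"mkdir -p ~/.ssh"` line drops `/run/sshd` together with the comment that explained the step, so the hunk now silently relies on the new image already providing sshd's privilege-separation directory; if that is the case, say so where the old comment was, e.g. `# ~/.ssh for authorized_keys; sshd's privsep dir is provided by the image`. Not introduced by this commit but directly adjacent: the following context line still embeds `authorized_keys_content` inside single quotes in a shell command, so a key string containing `'` would terminate the quoting and break the command, and `shlex.quote(authorized_keys_content)` would make the install step robust to arbitrary key text. The enclosing `_get_jump_pod_commands` continues past the hunk.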
@@ -909,8 +906,14 @@ def _get_jump_pod_commands(authorized_keys: List[str]) -> List[str]:
         "rm -rf /etc/ssh/ssh_host_*",
         "ssh-keygen -A > /dev/null",
         # start sshd
-        f"/usr/sbin/sshd -p {JUMP_POD_SSH_PORT} -o PermitUserEnvironment=yes",
-        "sleep infinity",
+        (
+            f"/usr/sbin/sshd -D -e -p {JUMP_POD_SSH_PORT}"
+            " -o LogLevel=ERROR"
+            " -o PasswordAuthentication=no"
+            " -o AllowTcpForwarding=local"
+            # proxy jumping only, no shell access
+            " -o ForceCommand=/bin/false"
+        ),
     ]
     return commands
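Review bot: `-o LogLevel=ERROR` on the new sshd command line suppresses the `Accepted publickey` and authentication-failure messages sshd emits at INFO, which are the only per-connection audit trail this pod produces (and `-e` would otherwise put them in the pod log where they are easy to collect); keeping the default `-o LogLevel=INFO`, or `VERBOSE` to include the key fingerprint, costs little and keeps failed-auth visibility for incident response. `AllowTcpForwarding=local` with `ForceCommand=/bin/false` restricts the session but not the forward destinations, so adding `-o PermitOpen=<RUN_POD_HOST:PORT>` (placeholder) for the addresses the jump pod is meant to reach would limit it to those targets instead of any address reachable from the pod — feasible only if they are known when the pod is created, which the hunk does not show. The old line also passed `-o PermitUserEnvironment=yes` and this hunk drops it without comment; if no caller relies on environment entries in `authorized_keys`, a one-line note that the removal is deliberate would save the next reader the archaeology.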