| 1 | +--- |
| 2 | +date: 2026-03-22 |
| 3 | +title: "ContainerSSH 0.6.0: Persistent Pods" |
| 4 | +description: "ContainerSSH 0.6.0: Persistent Pods" |
| 5 | +--- |
| 6 | + |
| 7 | +# ContainerSSH 0.6: Persistent Pods |
| 8 | + |
| 9 | +ContainerSSH 0.6 has been released! This release introduces the persistent Kubernetes execution mode, extra scope support for OIDC authentication, important bug fixes for Kerberos and Docker image pulling, and a lot of dependency updates. |
| 10 | + |
| 11 | +## Change summary |
| 12 | + |
| 13 | +1. [Persistent Kubernetes execution mode](#persistent-kubernetes-execution-mode) |
| 14 | +2. [OIDC extra scopes](#oidc-extra-scopes) |
| 15 | +3. [Kerberos authentication fixes](#kerberos-authentication-fixes) |
| 16 | +4. [Docker image pull policy fix](#docker-image-pull-policy-fix) |
| 17 | + |
| 18 | +## Persistent Kubernetes execution mode |
| 19 | + |
| 20 | +A new `persistent` execution mode has been added to the Kubernetes backend. Unlike the existing `connection` mode which create a new pod for each SSH connection and terminates the pod after the session terminates, `persistent` mode execs into an already existing pod with an option to create the pod if it doesn't exist, or to simply refuse entry if it doesn't. This mode can be useful for use-cases where stateful sessions are needed, including but not limited to managing long-running interactive processes, resource sharing etc. |
| 21 | + |
| 22 | +!!! warning "ContainerSSH cannot guarantee user isolation in this mode" |
| 23 | + It is expeced that the users of this feature will use the configuration server to **ensure that every user is dropped into the correct pod**, ideally unique per-user. Do not specify the pod to use in the global configuration as this will lead to all users to be sent to the same pod without any isolation. If this is combined with any type of credential forwarding it can lead to the users credentials being compromised. |
| 24 | + |
| 25 | +In the simplest form the persistent mode can be configured with the following block: |
| 26 | + |
| 27 | +```yaml |
| 28 | +kubernetes: |
| 29 | + pod: |
| 30 | + mode: persistent |
| 31 | + metadata: |
| 32 | + name: my-existing-pod |
| 33 | + namespace: default |
| 34 | +``` |
| 35 | +
| 36 | +With the `createMissingPods` option a minimal pod spec is also required: |
| 37 | + |
| 38 | +```yaml |
| 39 | +kubernetes: |
| 40 | + pod: |
| 41 | + mode: persistent |
| 42 | + createMissingPods: true |
| 43 | + metadata: |
| 44 | + name: my-pod |
| 45 | + namespace: default |
| 46 | + spec: |
| 47 | + containers: |
| 48 | + - name: shell |
| 49 | + image: containerssh/containerssh-guest-image |
| 50 | +``` |
| 51 | + |
| 52 | +Thanks to [@gigabyte132](https://github.com/gigabyte132) for contributing this feature. |
| 53 | + |
| 54 | +[Read more »](/reference/kubernetes){: .md-button} |
| 55 | + |
| 56 | +## OIDC extra scopes |
| 57 | + |
| 58 | +The OIDC authentication provider now supports requesting additional scopes beyond the default `openid` scope. |
| 59 | + |
| 60 | +Two new configuration options have been added for the oidc provider: |
| 61 | + |
| 62 | +- **`extraScopes`**: A list of additional OIDC scopes to request during authentication. |
| 63 | +- **`enforceScopes`**: When set to `true`, authentication will be rejected if the user does not grant all requested extra scopes. |
| 64 | + |
| 65 | +```yaml |
| 66 | +auth: |
| 67 | + keyboardInteractive: |
| 68 | + method: oauth2 |
| 69 | + oauth2: |
| 70 | + provider: oidc |
| 71 | + oidc: |
| 72 | + url: https://your-oidc-server.example.com/ |
| 73 | + extraScopes: |
| 74 | + - profile |
| 75 | + - email |
| 76 | + enforceScopes: true |
| 77 | +``` |
| 78 | + |
| 79 | +These options work with both the device flow and authorization code flow. |
| 80 | + |
| 81 | +Thanks to [@hashkrish](https://github.com/hashkrish) for contributing this feature. |
| 82 | + |
| 83 | +[Read more »](/reference/auth-oauth2){: .md-button} |
| 84 | + |
| 85 | +## Kerberos authentication fixes |
| 86 | + |
| 87 | +This release fixes two issues with Kerberos authentication: |
| 88 | + |
| 89 | +- **`enforceUsername=false` now works correctly.** Previously, disabling username enforcement would still reject valid logins with differing usernames. |
| 90 | +- **Metadata merging is now additive.** Kerberos authentication metadata is now correctly merged with existing connection metadata instead of replacing it. This ensures that metadata set by earlier authentication or configuration steps is preserved. |
| 91 | + |
| 92 | +Thanks to [@gigabyte132](https://github.com/gigabyte132) for contributing this feature. |
| 93 | + |
| 94 | +## Docker image pull policy fix |
| 95 | + |
| 96 | +The behavior of the `IfNotPresent` image pull policy has been corrected. Previously, images with no tag or the `:latest` tag were always pulled even when already present locally, which prevented using local images. The `IfNotPresent` policy now consistently skips pulling when the image is already available locally, regardless of the tag. |
| 97 | + |
| 98 | +Thanks to [@AlbertoPimpo](https://github.com/AlbertoPimpo) for the fix |
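Review bot: The three YAML snippets (lines 27-34, 38-50 and 65-77) render with every key at column zero, e.g. `kubernetes:` / `pod:` / `mode: persistent`, which is not the nested `kubernetes.pod` structure the prose describes; please confirm the committed file keeps the indentation, since a reader copying the block as shown would get a flat document that does not configure the `persistent` mode at all. On the security warning at lines 22-23, the rationale is sound but the wording has typos that weaken it: "expeced" should be "expected" and "the users credentials" should be "the users' credentials"; it would also help to state plainly that `metadata.name` set in the global file applies to every connection, which is exactly the shared-pod situation the warning is about. Smaller points: line 20 "which create a new pod" should read "which creates a new pod", and "including but not limited to managing long-running interactive processes, resource sharing etc." reads better as "such as managing long-running interactive processes or sharing resources between sessions"; line 92 credits a "feature" under a section that describes two fixes, so "for these fixes" is more accurate; line 98 is missing its terminal period.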