Enroll a Kubernetes Cluster
This guide demonstrates how to enroll a Kubernetes cluster as a Teleport resource by deploying the Teleport Kubernetes Service on the Kubernetes cluster you want to protect.
In this scenario, the Teleport Kubernetes Service pod detects that it is running on Kubernetes and enrolls the Kubernetes cluster automatically. The following diagram provides a simplified overview of this deployment scenario with the Teleport Kubernetes Service running on the Kubernetes cluster:
For information about other ways to enroll and discover Kubernetes clusters, see Registering Kubernetes Clusters with Teleport.
Prerequisites
-
Access to a running Teleport cluster,
tctl
admin tool, andtsh
client tool, version >= 14.3.33.For Teleport Enterprise and Teleport Enterprise Cloud, you should use the Enterprise version of
tctl
. You can verify the tools you have installed by running the following commands:$ tctl version
# Teleport Enterprise v14.3.33 go1.21
$ tsh version
# Teleport v14.3.33 go1.21You can download these tools by following the appropriate Installation instructions for your environment.
-
Kubernetes >= v1.17.0
-
Helm >= 3.4.2
Verify that Helm and Kubernetes are installed and up to date.
$ helm version
# version.BuildInfo{Version:"v3.4.2"}
$ kubectl version
# Client Version: version.Info{Major:"1", Minor:"17+"}
# Server Version: version.Info{Major:"1", Minor:"17+"}
- To check that you can connect to your Teleport cluster, sign in with
tsh login
, then verify that you can runtctl
commands using your current credentials.tctl
is supported on macOS and Linux machines. For example:If you can connect to the cluster and run the$ tsh login --proxy=teleport.example.com --user=email@example.com
$ tctl status
# Cluster teleport.example.com
# Version 14.3.33
# CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678tctl status
command, you can use your current credentials to run subsequenttctl
commands from your workstation. If you host your own Teleport cluster, you can also runtctl
commands on the computer that hosts the Teleport Auth Service for full permissions.
Step 1/3. Create RBAC resources
To authenticate to a Kubernetes cluster using Teleport, you must have a Teleport role that grants access to the Kubernetes cluster you plan to interact with.
In this step, we show you how to create a Teleport role called kube-access
that enables a user to send requests to any Teleport-protected Kubernetes
cluster as a member of the viewers
group. The Teleport Kubernetes Service
impersonates the viewers
group when proxying requests from the user.
-
Create a file called
kube-access.yaml
with the following content:kind: role
metadata:
name: kube-access
version: v6
spec:
allow:
kubernetes_labels:
'*': '*'
kubernetes_resources:
- kind: 'pod'
namespace: '*'
name: '*'
kubernetes_groups:
- viewers
deny: {} -
Apply your changes:
$ tctl create -f kube-access.yaml
-
Assign the
kube-access
role to your Teleport user by running the appropriate commands for your authentication provider:- Local User
- GitHub
- SAML
- OIDC
-
Retrieve your local user's configuration resource:
$ tctl get users/$(tsh status -f json | jq -r '.active.username') > out.yaml
-
Edit
out.yaml
, addingkube-access
to the list of existing roles:roles:
- access
- auditor
- editor
+ - kube-access -
Apply your changes:
$ tctl create -f out.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
github
authentication connector:$ tctl get github/github --with-secrets > github.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to thegithub.yaml
file. Because this key contains a sensitive value, you should remove the github.yaml file immediately after updating the resource. -
Edit
github.yaml
, addingkube-access
to theteams_to_roles
section.The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.
Here is an example:
teams_to_roles:
- organization: octocats
team: admins
roles:
- access
+ - kube-access -
Apply your changes:
$ tctl create -f github.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
saml
configuration resource:$ tctl get --with-secrets saml/mysaml > saml.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to thesaml.yaml
file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource. -
Edit
saml.yaml
, addingkube-access
to theattributes_to_roles
section.The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.
Here is an example:
attributes_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - kube-access -
Apply your changes:
$ tctl create -f saml.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
-
Retrieve your
oidc
configuration resource:$ tctl get oidc/myoidc --with-secrets > oidc.yaml
Note that the
--with-secrets
flag adds the value ofspec.signing_key_pair.private_key
to theoidc.yaml
file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource. -
Edit
oidc.yaml
, addingkube-access
to theclaims_to_roles
section.The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.
Here is an example:
claims_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - kube-access -
Apply your changes:
$ tctl create -f oidc.yaml
-
Sign out of the Teleport cluster and sign in again to assume the new role.
While you have authorized the kube-access
role to access Kubernetes clusters
as a member of the viewers
group, this group does not yet have permissions
within its Kubernetes cluster. To assign these permissions, create a Kubernetes
RoleBinding
or ClusterRoleBindings
that grants permission to the viewers
group.
-
Create a file called
viewers-bind.yaml
with the following contents:apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: viewers-crb
subjects:
- kind: Group
# Bind the group "viewers" to the kubernetes_groups assigned in the "kube-access" role
name: viewers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
# "view" is a default ClusterRole that grants read-only access to resources
# See: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
name: view
apiGroup: rbac.authorization.k8s.io -
Apply the
ClusterRoleBinding
withkubectl
:$ kubectl apply -f viewers-bind.yaml
Your Teleport user now has permissions to assume membership in the viewers
group when accessing your Kubernetes cluster, and the viewers
group now has
permissions to view resources in the cluster. The next step is to deploy the
Teleport Kubernetes Service in the cluster to proxy user requests.
Step 2/3. Follow guided enrollment instructions
In this step, you will deploy the Teleport Kubernetes Service on your Kubernetes cluster by copying a script from the Teleport Web UI and running it on your terminal.
-
Open the Teleport Web UI and sign in using your administrative account.
-
Click Enroll New Resource.
-
Type all or part of Kubernetes in the Search field to filter the resource types displayed, then click Kubernetes.
-
Copy the command to add the
teleport-agent
chart repository and paste it in a terminal on your workstation. -
Type
teleport-agent
for namespace where you will deploy the Teleport Kubernetes Service and the display name to use when connecting to this cluster, then click Next.After you click Next, Teleport generates a script to configure and enroll the Kubernetes cluster as a resource in the Teleport cluster.
-
Copy the command displayed in the Teleport Web UI and run it in your terminal.
The Teleport Web UI displays "Successfully detected your new Kubernetes cluster" as confirmation that your cluster is enrolled. When you see this message, click Next to continue.
Step 3/3. Test Kubernetes access
Now that you have deployed the Teleport Kubernetes Service on your Kubernetes
cluster and enrolled the cluster as a Teleport resource, confirm that you can
access your Kubernetes cluster as a member of the viewers
group.
If you followed the previous steps in this guide, the Set Up Access view
populates the Kubernetes Groups field with viewers
.
To set up and test access:
-
Click Next.
-
Specify the
teleport-agent
namespace, the Kubernetesviewers
group from the previous step, and your Teleport user name. -
Copy and run the commands displayed in the Teleport Web UI to interact with the Kubernetes cluster and verify access through Teleport. Alternatively, run the commands shown below:
Authenticate to your Teleport cluster:
$ tsh login --proxy=teleport.example.com:443 --auth=local --user=admin@example.com teleport.example.com
List Kubernetes clusters available for you to access:
$ tsh kube ls
Retrieve credentials to access your Kubernetes cluster:
$ tsh kube login Kubernetes-cluster-name
The Teleport Kubernetes Service proxies
kubectl
commands:$ kubectl get pods -n teleport-agent
You should see the Teleport Kubernetes Service pod you deployed earlier:
NAME READY STATUS RESTARTS AGE
teleport-agent-0 1/1 Running 0 8m6s -
Click Finish.
Next steps
This guide demonstrated how to enroll a Kubernetes cluster by running the Teleport Kubernetes Service within the Kubernetes cluster.
- To learn about other ways you can register a Kubernetes cluster with Teleport, see Registering Kubernetes Clusters with Teleport.
- For a complete list of the parameters you can configure in the
teleport-kube-agent
helm chart, see the Chart Reference.