Machine ID with Kubernetes Access
This version of the guide uses the v2 tbot
configuration. This version is only
supported by Teleport 14 and beyond. Change the selected version of the
documentation to view the guide for previous Teleport versions.
Teleport protects and controls access to Kubernetes clusters. Machine ID can be used to grant machines secure, short-lived access to these clusters.
In this guide, you will configure tbot
to produce credentials that can be
used to access a Kubernetes cluster enrolled with your Teleport cluster.
Prerequisites
-
A running Teleport cluster version 14.3.33 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctl
admin tool andtsh
client tool.Visit Installation for instructions on downloading
tctl
andtsh
.
- If you have not already connected your Kubernetes cluster to Teleport, follow the Kubernetes Access Getting Started Guide.
For self-hosted Teleport Clusters that have non-TLS routing the Kubernetes public address must be set for Machine ID Kubernetes connections.
To confirm the TLS routing mode check the proxy.tls_routing_enabled
from this
command with your proxy address:
$ curl https://teleport.example.com:443/webapi/ping | jq
The optional tool jq
is used here to help display the JSON output.
If the value proxy.tls_routing_enabled
is false
then non-TLS routing
is set and a Kubernetes public address is required so Machine ID
will connect to the right port. You can confirm the Kubernetes public
address is set if proxy.kube.public_addr
is populated.
The kube_public_addr
is set within the proxy_service
by Teleport administrators:
proxy_service:
enabled: true
kube_listen_addr: 0.0.0.0:3026
kube_public_addr: teleport.example.com:3026
- To check that you can connect to your Teleport cluster, sign in with
tsh login
, then verify that you can runtctl
commands using your current credentials.tctl
is supported on macOS and Linux machines. For example:If you can connect to the cluster and run the$ tsh login --proxy=teleport.example.com --user=email@example.com
$ tctl status
# Cluster teleport.example.com
# Version 14.3.33
# CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678tctl status
command, you can use your current credentials to run subsequenttctl
commands from your workstation. If you host your own Teleport cluster, you can also runtctl
commands on the computer that hosts the Teleport Auth Service for full permissions. - To configure the Kubernetes cluster, your client system will need to have
kubectl
installed. See the Kubernetes documentation for installation instructions. tbot
must already be installed and configured on the machine that will access Kubernetes clusters. For more information, see the deployment guides.- To demonstrate connecting to the Kubernetes cluster, the machine that will
access Kubernetes clusters will need to have
kubectl
installed. See the Kubernetes documentation for installation instructions.
Step 1/3. Configure Teleport and Kubernetes RBAC
First, we need to configure the RBAC for both Teleport and Kubernetes in order to grant the bot the correct level of access.
When forwarding requests to the Kubernetes API on behalf of a bot, the
Teleport Proxy attaches the groups configured (using kubernetes_groups
) in the
bot's Teleport roles to the request. These groups are then used to configure a
RoleBinding or ClusterRoleBinding in Kubernetes to grant specific permissions
within the Kubernetes cluster to the bot.
For the purpose of this guide, we will bind the editor
group to the default
edit
ClusterRole that is preconfigured in most Kubernetes clusters to give
the bot read and write access to resources in all the cluster namespaces.
When configuring this for a production environment, you should consider:
- If RoleBinding should be used instead of ClusterRoleBinding to limit the bot's access to a specific namespace.
- If a Role should be created that grants the bot the least privileges
necessary rather than using a pre-existing general Role such as
edit
.
To bind the editor
group to the edit
Cluster Role, execute:
$ kubectl create clusterrolebinding teleport-editor-edit \
--clusterrole=edit \
--group=editor
With the appropriate RoleBinding configured in Kubernetes to grant access to a specific group, you now need to add this group to the role that the bot will impersonate when producing credentials. You also need to grant the bot access through Teleport to the cluster itself.
If you have followed an access guide, you will have created a role and granted the bot the ability to impersonate it already. This role just needs to have the additional privileges added to it.
Use tctl edit role/example-bot
to add the following rule to the Teleport role:
spec:
allow:
kubernetes_labels:
'*': '*'
kubernetes_groups:
- editor
kubernetes_resources:
- kind: "*"
namespace: "*"
name: "*"
Adjust the allow
field for your environment:
kubernetes_labels
should be adjusted to grant access to only the clusters that the bot will need to access. The value shown,'*': '*'
will grant access to all Kubernetes clusters.editor
must match the name of the group you specified in the RoleBinding or ClusterRoleBinding.kubernetes_resources
can be used to apply additional restrictions to what the bot can access within the Kubernetes cluster. These restrictions are layered upon the RBAC configured within the Kubernetes role itself.
Step 2/3. Configure a Kubernetes tbot
output
Now, tbot
needs to be configured with an output to produce the Kubernetes
credentials and client configuration file. This is done using the kubernetes
output type.
The Kubernetes cluster you want the credentials to have access to must
be specified using the kubernetes_cluster
field. In this example,
example-k8s-cluster
will be used.
The output must be configured with a destination and the name of the
Kubernetes cluster that should be encoded in the credentials produced by tbot
.
At this time, each output can only contain credentials for a single Kubernetes
cluster. If your bot needs to connect to multiple Kubernetes clusters,
create an output for each cluster.
Outputs must also be configured with a destination. In this example, the
directory
type will be used. This will write artifacts to a specified
directory on disk. Ensure that this directory can be written to by the Linux
user that tbot
runs as, and that it can be read by the Linux user that will
be accessing the Kubernetes cluster.
Modify your tbot
configuration to add a kubernetes
output:
outputs:
- type: kubernetes
# Specify the name of the Kubernetes cluster you wish the credentials to
# grant access to.
kubernetes_cluster: example-k8s-cluster
destination:
type: directory
# For this guide, /opt/machine-id is used as the destination directory.
# You may wish to customize this. Multiple outputs cannot share the same
# destination.
path: /opt/machine-id
Ensure you replace example-k8s-cluster
with the name of the Kubernetes cluster
as registered in Teleport and adjust /opt/machine-id
if you wish
If operating tbot
as a background service, restart it. If running tbot
in
one-shot mode, it must be executed before you attempt to use the credentials.
Step 3/3. Connect to your Kubernetes cluster with the Machine ID identity
Once tbot
has been run with the new output configured, a file called
kubeconfig.yaml
should have been generated in the destination directory
you specified. This contains all the information necessary for kubectl
to
connect to the Kubernetes cluster through the Teleport Proxy.
To use kubeconfig.yaml
with kubectl
, the --kubeconfig
flag or KUBECONFIG
environment variable can be provided to kubectl
:
$ kubectl --kubeconfig /opt/machine-id/kubeconfig.yaml get pods -A
# Or, set the KUBECONFIG environment variable:
$ export KUBECONFIG=/opt/machine-id/kubeconfig.yaml
$ kubectl get pods -A
Whilst this guide has demonstrated kubeconfig.yaml
being used with kubectl
,
this format is compatible with most Kubernetes tools including:
- Helm
- Lens
- ArgoCD
Next steps
- Read the configuration reference to explore all the available configuration options.
- Read the Kubernetes Access RBAC guide for more details on controlling Kubernetes access.