Get StartedContact Sales
Fork me on GitHub

Teleport

Kubernetes Application Discovery Reference

Version 14.x
  • Available for:
  • OpenSource
  • Team
  • Cloud
  • Enterprise

Configuring Teleport agent Helm chart

You can configure scope of services discovery by setting value kubernetesDiscovery of the chart. For more information please see helm chart documentation.

values.yaml example:

kubernetesDiscovery:
- types: ["app"]
  namespaces: [ "toronto", "porto" ]
  labels:
    env: staging
- types: ["app"]
  namespaces: [ "seattle", "oakland" ]
  labels:
    env: testing

Configuring Kubernetes Apps Discovery manually

While the teleport-kube-agent Helm chart will set up configuration for you automatically, you can also configure the required services manually. To do so, adjust the configuration files for the Teleport Application Service and Teleport Discovery Service, then restart the agents running these services.

Configuration for the Discovery Service is controlled by the kubernetes field, example:

# This section configures the Discovery Service
discovery_service:
  enabled: yes
  discovery_group: main-cluster
  kubernetes:
  - types: ["app"]
    namespaces: [ "toronto", "porto" ]
    labels:
      env: staging
  - types: ["app"]
    namespaces: [ "seattle", "oakland" ]
    labels:
      env: testing

Configuration for the Application Service is controlled by the resources field, example:

app_service:
  enabled: yes
  resources:
  - labels:
    "teleport.dev/kubernetes-cluster": "main-cluster"
    "teleport.dev/origin": "discovery-kubernetes"

Label teleport.dev/kubernetes-cluster should match value of discovery_group field in the Discovery Service config.

For more information you can take a look at discovery_service and app_service configuration references.

Annotations

Kubernetes annotations on services can be used to fine tune transformation of services to apps. All annotations are optional - they will override default behaviour, but they are not required for import of services.

teleport.dev/discovery-type

Controls what type this service is considered to be. If annotation is missing, by default all services are considered to be of "app" type. If matchers in the Discovery Service config match service type it will be imported. Currently the only supported value is app, which means Teleport application will be imported from this service. In the future there are plans to expand to database importing.

teleport.dev/protocol

Controls protocol for the uri of the Teleport app we create. If annotation is not set, heuristics will be used to try to determine protocol of an exposed port. If all heuristics didn't work, the port will be skipped. For app to be imported with tcp protocol, the service should have explicit annotation teleport.dev/protocol: "tcp"

teleport.dev/port

Controls preferred port for the Kubernetes service, only this one will be used even if service has multiple exposed ports. Its value should be one of the exposed service ports; otherwise, the app will not be imported. Value can be matched either by numeric value or by the name of the port defined on the service.

teleport.dev/name

Controls resulting app name. If present it will override default app name pattern $SERVICE_NAME-$NAMESPACE-$KUBE_CLUSTER_NAME. If multiple ports are exposed, resulting apps will have port names added as a suffix to the annotation value, as $APP_NAME-$PORT1_NAME, $APP_NAME-$PORT2_NAME etc, where $APP_NAME is the name set by the annotation.

teleport.dev/app-rewrite

Controls rewrite configuration for Teleport app, if needed. It should contain full rewrite configuration in YAML format, same as one would put into rewrite config section of an app (see documentation).

annotations:
  teleport.dev/app-rewrite: |
    redirect:
    - "localhost"
    - "jenkins.internal.dev"
    headers:
    - "X-Custom-Header: example"
    - "Authorization: Bearer {{internal.jwt}}"