Fork me on GitHub
Teleport

Kubernetes Access Multiple Clusters

Prerequisites

  • Kubernetes >= v1.17.0
  • Helm >= 3.4.2
  • Installed and running Teleport Cluster

Verify that helm and kubernetes are installed and up to date.

$ helm version
# version.BuildInfo{Version:"v3.4.2"}

$ kubectl version
# Client Version: version.Info{Major:"1", Minor:"17+"}
# Server Version: version.Info{Major:"1", Minor:"17+"}

Connecting clusters

Teleport can act as an access plane for multiple Kubernetes clusters. We have set up the Teleport cluster tele.example.com in SSO and Kubernetes.

Let's start a lightweight agent in another Kubernetes cluster cookie and connect it to tele.example.com. We would need a join token from tele.example.com:

A trick to save the pod ID in tele.example.com

POD=$(kubectl get po -l app=teleport-cluster -o jsonpath='{.items[0].metadata.name}')

Create a join token for the cluster cookie to authenticate

TOKEN=$(kubectl exec -ti "${POD?}" -- tctl nodes add --roles=kube --ttl=10000h --format=json | jq -r '.[0]')
echo $TOKEN

Switch kubectl to the Kubernetes cluster cookie and run:

Add teleport chart repository

helm repo add teleport https://charts.releases.teleport.dev

Install Kubernetes agent. It dials back to the Teleport cluster tele.example.com.

CLUSTER='cookie'
PROXY='tele.example.com:443'
helm install teleport-agent teleport/teleport-kube-agent --set kubeClusterName=${CLUSTER?} \ --set proxyAddr=${PROXY?} --set authToken=${TOKEN?} --create-namespace --namespace=teleport-agent

List connected clusters using tsh kube ls and switch between them using tsh kube login:

tsh kube ls

Kube Cluster Name Selected

----------------- --------

cookie

tele.example.com *

kubeconfig now points to the cookie cluster

tsh kube login cookie

Logged into kubernetes cluster "cookie"

kubectl command executed on `cookie` but is routed through `tele.example.com` cluster.

kubectl get pods
Have a suggestion or can’t find something?
IMPROVE THE DOCS