Prerequisites
- Kubernetes >= v1.17.0
- Helm >= 3.4.2
- Installed and running Teleport Cluster
Verify that helm and kubernetes are installed and up to date.
$ helm version
# version.BuildInfo{Version:"v3.4.2"}
$ kubectl version
# Client Version: version.Info{Major:"1", Minor:"17+"}
# Server Version: version.Info{Major:"1", Minor:"17+"}
Connecting clusters
Teleport can act as an access plane for multiple Kubernetes clusters.
We have set up the Teleport cluster tele.example.com in SSO and Kubernetes.
Let's start a lightweight agent in another Kubernetes cluster cookie and connect it to tele.example.com.
We would need a join token from tele.example.com:
A trick to save the pod ID in tele.example.com
POD=$(kubectl get po -l app=teleport-cluster -o jsonpath='{.items[0].metadata.name}')Create a join token for the cluster cookie to authenticate
TOKEN=$(kubectl exec -ti "${POD?}" -- tctl nodes add --roles=kube --ttl=10000h --format=json | jq -r '.[0]')echo $TOKEN
Switch kubectl to the Kubernetes cluster cookie and run:
Add teleport chart repository
helm repo add teleport https://charts.releases.teleport.devInstall Kubernetes agent. It dials back to the Teleport cluster tele.example.com.
CLUSTER='cookie'PROXY='tele.example.com:443'helm install teleport-agent teleport/teleport-kube-agent --set kubeClusterName=${CLUSTER?} \ --set proxyAddr=${PROXY?} --set authToken=${TOKEN?} --create-namespace --namespace=teleport-agent
List connected clusters using tsh kube ls and switch between
them using tsh kube login:
tsh kube lsKube Cluster Name Selected
----------------- --------
cookie
tele.example.com *
kubeconfig now points to the cookie cluster
tsh kube login cookieLogged into kubernetes cluster "cookie"
kubectl command executed on `cookie` but is routed through `tele.example.com` cluster.
kubectl get pods