Meet us at KubeCon + CloudNativeCon: Paris, France - March 19
Book Demo
Teleport logoTry For Free
Fork me on GitHub

Teleport

Machine ID with Kubernetes Access

  • Available for:
  • OpenSource
  • Enterprise
  • Cloud

This version of the guide uses the v2 tbot configuration. This version is only supported by Teleport 14 and beyond. Change the selected version of the documentation to view the guide for previous Teleport versions.

Teleport protects and controls access to Kubernetes clusters. Machine ID can be used to grant machines secure, short-lived access to these clusters.

In this guide, you will configure tbot to produce credentials that can be used to access a Kubernetes cluster enrolled with your Teleport cluster.

Prerequisites

  • A running Teleport cluster. For details on how to set this up, see the Getting Started guide.

  • The tctl admin tool and tsh client tool version >= 15.1.1.

    See Installation for details.

To check version information, run the tctl version and tsh version commands. For example:

tctl version

Teleport v15.1.1 git:api/14.0.0-gd1e081e go1.21

tsh version

Teleport v15.1.1 go1.21

Proxy version: 15.1.1Proxy: teleport.example.com
  • A Teleport Team account. If you don't have an account, sign up to begin your free trial.

  • The Enterprise tctl admin tool and tsh client tool, version >= 14.3.6.

    You can download these tools from the Cloud Downloads page.

To check version information, run the tctl version and tsh version commands. For example:

tctl version

Teleport Enterprise v14.3.6 git:api/14.0.0-gd1e081e go1.21

tsh version

Teleport v14.3.6 go1.21

Proxy version: 14.3.6Proxy: teleport.example.com
  • A running Teleport Enterprise cluster. For details on how to set this up, see the Enterprise Getting Started guide.

  • The Enterprise tctl admin tool and tsh client tool version >= 15.1.1.

    You can download these tools by visiting your Teleport account workspace.

To check version information, run the tctl version and tsh version commands. For example:

tctl version

Teleport Enterprise v15.1.1 git:api/14.0.0-gd1e081e go1.21

tsh version

Teleport v15.1.1 go1.21

Proxy version: 15.1.1Proxy: teleport.example.com
  • A Teleport Enterprise Cloud account. If you don't have an account, sign up to begin a free trial of Teleport Team and upgrade to Teleport Enterprise Cloud.

  • The Enterprise tctl admin tool and tsh client tool version >= 14.3.6.

    You can download these tools from the Cloud Downloads page.

To check version information, run the tctl version and tsh version commands. For example:

tctl version

Teleport Enterprise v14.3.6 git:api/14.0.0-gd1e081e go1.21

tsh version

Teleport v14.3.6 go1.21

Proxy version: 14.3.6Proxy: teleport.example.com
  • If you have not already connected your Kubernetes cluster to Teleport, follow the Kubernetes Access Getting Started Guide.
  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:
    tsh login --proxy=teleport.example.com --user=[email protected]
    tctl status

    Cluster teleport.example.com

    Version 15.1.1

    CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
  • To configure the Kubernetes cluster, your client system will need to have kubectl installed. See the Kubernetes documentation for installation instructions.
  • tbot must already be installed and configured on the machine that will access Kubernetes clusters. For more information, see the deployment guides.
  • To demonstrate connecting to the Kubernetes cluster, the machine that will access Kubernetes clusters will need to have kubectl installed. See the Kubernetes documentation for installation instructions.

Step 1/3. Configure Teleport and Kubernetes RBAC

First, we need to configure the RBAC for both Teleport and Kubernetes in order to grant the bot the correct level of access.

When forwarding requests to the Kubernetes API on behalf of a bot, the Teleport Proxy attaches the groups configured (using kubernetes_groups) in the bot's Teleport roles to the request. These groups are then used to configure a RoleBinding or ClusterRoleBinding in Kubernetes to grant specific permissions within the Kubernetes cluster to the bot.

For the purpose of this guide, we will bind the editor group to the default edit ClusterRole that is preconfigured in most Kubernetes clusters to give the bot read and write access to resources in all the cluster namespaces.

When configuring this for a production environment, you should consider:

  • If RoleBinding should be used instead of ClusterRoleBinding to limit the bot's access to a specific namespace.
  • If a Role should be created that grants the bot the least privileges necessary rather than using a pre-existing general Role such as edit.

To bind the editor group to the edit Cluster Role, execute:

kubectl create clusterrolebinding teleport-editor-edit \ --clusterrole=edit \ --group=editor

With the appropriate RoleBinding configured in Kubernetes to grant access to a specific group, you now need to add this group to the role that the bot will impersonate when producing credentials. You also need to grant the bot access through Teleport to the cluster itself.

If you have followed an access guide, you will have created a role and granted the bot the ability to impersonate it already. This role just needs to have the additional privileges added to it.

Use tctl edit role/example-bot to add the following rule to the Teleport role:

spec:
  allow:
    kubernetes_labels:
      '*': '*'
    kubernetes_groups:
    - editor
    kubernetes_resources:
    - kind: "*"
      namespace: "*"
      name: "*"

Adjust the allow field for your environment:

  • kubernetes_labels should be adjusted to grant access to only the clusters that the bot will need to access. The value shown, '*': '*' will grant access to all Kubernetes clusters.
  • editor must match the name of the group you specified in the RoleBinding or ClusterRoleBinding.
  • kubernetes_resources can be used to apply additional restrictions to what the bot can access within the Kubernetes cluster. These restrictions are layered upon the RBAC configured within the Kubernetes role itself.

Step 2/3. Configure a Kubernetes tbot output

Now, tbot needs to be configured with an output to produce the Kubernetes credentials and client configuration file. This is done using the kubernetes output type.

The Kubernetes cluster you want the credentials to have access to must be specified using the kubernetes_cluster field. In this example, example-k8s-cluster will be used.

The output must be configured with a destination and the name of the Kubernetes cluster that should be encoded in the credentials produced by tbot. At this time, each output can only contain credentials for a single Kubernetes cluster. If your bot needs to connect to multiple Kubernetes clusters, create an output for each cluster.

Outputs must also be configured with a destination. In this example, the directory type will be used. This will write artifacts to a specified directory on disk. Ensure that this directory can be written to by the Linux user that tbot runs as, and that it can be read by the Linux user that will be accessing the Kubernetes cluster.

Modify your tbot configuration to add a kubernetes output:

outputs:
  - type: kubernetes
    # Specify the name of the Kubernetes cluster you wish the credentials to
    # grant access to.
    kubernetes_cluster: example-k8s-cluster
    destination:
      type: directory
          # For this guide, /opt/machine-id is used as the destination directory.
          # You may wish to customize this. Multiple outputs cannot share the same
          # destination.
      path: /opt/machine-id

Ensure you replace example-k8s-cluster with the name of the Kubernetes cluster as registered in Teleport and adjust /opt/machine-id if you wish

If operating tbot as a background service, restart it. If running tbot in one-shot mode, it must be executed before you attempt to use the credentials.

Step 3/3. Connect to your Kubernetes cluster with the Machine ID identity

Once tbot has been run with the new output configured, a file called kubeconfig.yaml should have been generated in the destination directory you specified. This contains all the information necessary for kubectl to connect to the Kubernetes cluster through the Teleport Proxy.

To use kubeconfig.yaml with kubectl, the --kubeconfig flag or KUBECONFIG environment variable can be provided to kubectl:

kubectl --kubeconfig /opt/machine-id/kubeconfig.yaml get pods -A

Or, set the KUBECONFIG environment variable:

export KUBECONFIG=/opt/machine-id/kubeconfig.yaml
kubectl get pods -A

Whilst this guide has demonstrated kubeconfig.yaml being used with kubectl, this format is compatible with most Kubernetes tools including:

  • Helm
  • Lens
  • ArgoCD

Next steps