teleport-kube-agent Chart Reference

Report an issue with this page

The teleport-kube-agent Helm chart is used to configure a Teleport Agent that runs in a remote Kubernetes cluster to provide access to resources in your infrastructure.

You can browse the source on GitHub.

This reference details available values for the teleport-kube-agent chart.

Warning

Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed.

What the chart deploys

Teleport services

The teleport-kube-agent chart can run any or all of three Teleport services:

Teleport service	Name for roles and tctl tokens add	Purpose
kubernetes_service	kube	Uses Teleport to handle authentication with and proxy access to a Kubernetes cluster
application_service	app	Uses Teleport to handle authentication with and proxy access to web-based applications
database_service	db	Uses Teleport to handle authentication with and proxy access to databases
discovery_service	discovery	Uses Teleport to discover new resources and dynamically add them to the cluster
jamf_service	jamf	Uses Teleport to integrate with Jamf Pro and sync devices with Device Trust inventory

Legacy releases

Releases of this chart installed before version 11 are considered legacy releases, which launch the Teleport pod as a Deployment if no storage was configured.

In version 11 and above, the chart launches the Teleport pod as a StatefulSet even when the chart is configured not to use external storage, and the Teleport pod reads its state from a Kubernetes Secret.

While the Teleport pod does not require external storage, you can still use the storage.enabled field to configure the way the Teleport pod reads data from a persistent volume.

To learn how upgrading from a legacy release to version 11 will affect resources launched by this chart, see the resource list.

Kubernetes resources

The teleport-kube-agent chart deploys the following Kubernetes resources:

Kind	Default Name	Description	When Deployed
StatefulSet	The release name	Running a user-configured Teleport pod.	Always.
Secret	joinTokenSecret.name (default: teleport-kube-agent-join-token)	Used for managing the state of the Teleport pod.	joinTokenSecret.secret is true.
Secret	jamfCredentialsSecret.name (default: teleport-jamf-api-credentials)	Used for integrating Jamf Prod with Teleport (jamf_service).	jamfCredentialsSecret.create is true
Deployment	The release name	Runs a user-configured Teleport pod.	storage.enabled is false and the chart is being upgraded. Fresh installs will deploy a StatefulSet instead.
Role	The roleName option, if given, or the release name.	Used to manage the state of the Teleport pod via Kubernetes secrets.	Always.
ClusterRole	clusterRoleName, if given, or the release name.	Allows impersonating users, groups, and service accounts, getting pods, and creating SelfSubjectAccessReviews so the Teleport pod can manage access to resources in its Kubernetes cluster.	Always.
ClusterRoleBinding	clusterRoleBindingName, if provided, or the release name	Enables the Teleport pod to manage access to resources in the Kubernetes cluster.	Always.
RoleBinding	roleBindingName, if given, or the release name	Enables the Teleport pod to manage access to resources in the Kubernetes cluster.	Always.
ServiceAccount	serviceAccount.name, if given, or the release name	Enables the Teleport pod to manage access to resources in the Kubernetes cluster.	serviceAccount.create is true
PodDisruptionBudget	The release name	Ensure high availability for the Teleport pod.	highAvailability.podDisruptionBudget.enabled is true.
ServiceAccount	The release name, suffixed by -hook	Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.	If the teleport-kube-agent release contains a legacy Deployment resource.
Role	The release name, suffixed by -hook	Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.	If the teleport-kube-agent release contains a legacy Deployment resource.
RoleBinding	The release name, suffixed by -hook	Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.	If the teleport-kube-agent release contains a legacy Deployment resource.
Job	The release name, suffixed by -hook	Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.	If the teleport-kube-agent release contains a legacy Deployment resource.
ConfigMap	The release name	Contains the configuration for the Teleport pod.	Always.
PodSecurityPolicy	The release name	Enforces security requirements for pods deployed by teleport-kube-agent.	podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.
Role	The release name, suffixed by -psp	Enforces security requirements for pods deployed by teleport-kube-agent.	podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.
RoleBinding	The release name, suffixed by -psp	Enforces security requirements for pods deployed by teleport-kube-agent.	podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.

roles

Type	Default
string	"kube"

roles is a comma-separated list of services which will be enabled when running the teleport-kube-agent chart.

Services	Value for roles	Mandatory additional settings for this role
Teleport Kubernetes service	kube	kubeClusterName
Teleport Application service	app	apps or appResources
Teleport Database service	db	databases or databaseResources
Teleport Discovery service	discovery	kubeClusterName
Teleport Jamf service	jamf	jamfApiEndpoint, jamfClientId

For example:

roles: kube,app,discovery

proxyAddr

Type	Default
string	""

proxyAddr provides the public-facing Teleport Proxy Service endpoint which should be used to join the cluster. This is the same URL used to access the web UI of your Teleport cluster. The port used is usually either 3080 or 443.

Here are a few examples:

Deployment method	Example proxy_service.public_addr
On-prem Teleport cluster	teleport.example.com:3080
Teleport Cloud cluster	example.teleport.sh:443
teleport-cluster Helm chart	teleport.example.com:443

enterprise

Type	Default
bool	false

enterprise controls if the teleport-kube-agent chart should deploy the OSS version or the enterprise version of the container image. This must be set to true when connecting to Teleport Cloud or self-hosted Teleport Enterprise clusters to allow the agent to leverage enterprise features.

authToken

Type	Default
string	""

authToken provides a Teleport join token which will be used to join the Teleport instance to a Teleport cluster. authToken only supports the token join method.

For other methods such as kubernetes, iam or gcp, the value joinParams should be used as it supports more methods to join the Teleport cluster. joinParams takes precedence if both authToken and joinParams are set.

A token must be specified for the agent to join the Teleport cluster, either via authToken, joinParams, or an existing Kubernetes Secret.

The token used must at least grant the required system roles. For example, if the chart roles is kube,app, the token should allow the system roles App and Kube.

joinParams

joinParams controls how the Teleport Agent joins the Teleport cluster. These sub-values must be configured for the agent to connect to a cluster.

This value serves the same purpose as authToken but supports all join methods. When set, it takes precedence over authToken. Its usage should be preferred.

joinParams.method

Type	Default
string	"token"

joinParams.method controls which join method will be used by the instance to join the Teleport cluster.

See the join method reference for the list of possible values, the implications of each join method, and guides to set up each method.

Common join-methods for the teleport-kube-agent are:

• token: the most basic one, with regular ephemeral secret tokens
• kubernetes: either the in-cluster variant (if the agent runs in the same Kubernetes cluster as the teleport-cluster chart) or the JWKS/OIDC variants (work in every Kubernetes cluster, regardless of the Teleport Auth Service location).

joinParams.tokenName

Type	Default
string	""

joinParams.tokenName controls which token is used by the agent to join the Teleport cluster.

When joinParams.method is a delegated join method, the value is not sensitive.

When joinParams.method is token (by default), joinParams.tokenName contains the secret token itself. In this case, the value is sensitive and is automatically stored in a Kubernetes Secret instead of being directly included in the agent's configuration.

If method is token, joinParams.tokenName can be empty if the token is provided through an existing Kubernetes Secret, see joinTokenSecret for more details and instructions.

If method is kubernetes, you must set teleportClusterName.

teleportClusterName

Type	Default
string	""

teleportClusterName is the name of the joined Teleport cluster. Setting this value is required when joining via the Kubernetes JWKS or OIDC join method.

When this value is set, the chart mounts a kubernetes service account token via a projected volume and configures Teleport to use it for joining.

kubeClusterName

Type	Default
string	""

kubeClusterName sets the name used for the Kubernetes cluster proxied by the Teleport Agent. This name will be shown to Teleport users connecting to the cluster.

This setting is required if the chart roles contains kube.

apps

Type	Default
list	[]

apps is a static list of applications that should be proxied by the agent. See the Teleport Application access documentation for more details.

Proxied applications can be defined statically (through this value) or dynamically (through the appResources value). One of apps and appResources is required if the chart roles contains app.

You can specify multiple apps by adding elements to the list. For example:

apps:
  - name: grafana
    uri: http://localhost:3000
    labels:
      purpose: monitoring
  - name: jenkins
    uri: http://jenkins:8080
    labels:
      purpose: ci

Supported values

You can see a list of all the supported values that can be used in a Teleport Application Service configuration in the Application Service Configuration Reference.

appResources

Type	Default
list	[]

appResources is a set of labels the agent will monitor. Any application matching those labels will be proxied by the agent. See the Teleport Application access documentation for more details.

Proxied applications can be defined statically (through apps) or dynamically (through this value). One of apps and appResources is required if the chart roles contains app.

You can specify multiple selectors by including additional list elements. For example:

appResources:
  - labels:
      "env": "prod"
  - labels:
      "env": "test"

Example

Once appResources is set, you can dynamically register application with tsh by following the Dynamic App Registration guide.

clusterDomain

Type	Default
string	"cluster.local"

clusterDomain sets the domain name used by the Kubernetes cluster. This value is used to build the FQDN application URIs. For example, if the cluster domain is anything.local, the agent will proxy the application myapp running in the default namespace at http://myapp.default.svc.anything.local. You must manually set this value to match your cluster domain if it is different from the default value cluster.local.

awsDatabases

Type	Default
list	[]

awsDatabases configures AWS database auto-discovery.

IAM roles

For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the database documentation. After configuring a role, you can use an eks.amazonaws.com/role-arn annotation with the annotations.serviceAccount value to associate it with the service account and grant permissions:

annotations:
  serviceAccount:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role

You can specify multiple database filters by adding elements to the list.

• types is a list containing the types of AWS databases that should be discovered.
• regions is a list of AWS regions which should be scanned for databases.
• tags can be used to set AWS tags that must be matched for databases to be discovered.

For example:

roles: db
awsDatabases:
  - types: ["rds"]
    regions: ["us-east-1", "us-west-2"]
    tags:
      "environment": "production"
  - types: ["rds"]
    regions: ["us-east-1"]
    tags:
      "environment": "dev"
  - types: ["rds"]
    regions: ["eu-west-1"]
    tags:
      "*": "*"
annotations:
  serviceAccount:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role

azureDatabases

Type	Default
list	[]

azureDatabases configures Azure database auto-discovery.

Azure IAM

For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the database documentation.

After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods. The easiest way is to use an Azure client secret.

First, create in the chart installation namespace a Kubernetes Secret containing the azure client secret:

kubectl create secret generic teleport-azure-client-secret --from-literal=client_secret=<your-azure-client-secret>
secret/teleport-azure-client-secret created

Then, use the extraEnv value to set the pods environment variables:

extraEnv:
- name: AZURE_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
    name: teleport-azure-client-secret
    key: client_secret
    optional: false
- name: AZURE_TENANT_ID
  value: "11111111-2222-3333-4444-555555555555"
- name: AZURE_CLIENT_ID
  value: "11111111-2222-3333-4444-555555555555"

You can specify multiple database filters by adding elements to the list.

Required fields for each filter:

• types is a list containing the types of Azure databases that should be discovered.
• tags can be used to set Azure resource tags that must be matched for databases to be discovered.

Optional fields for each filter:

• regions is a list of Azure regions which should be scanned for databases.
• subscriptions can be used to discover databases within matching Azure subscriptions.
• resource_groups can be used to discover databases within matching Azure resource groups.

The default for each of these optional settings is *, which will auto-discover in all subscriptions, regions, or resource groups accessible by the Teleport service principal in Azure.

For example:

roles: db
azureDatabases:
  - types: ["mysql", "postgres"]
    tags:
      "*": "*"
  - types: ["mysql"]
    tags:
      "env": ["dev", "staging"]
      "origin": "alice"
    regions: ["eastus", "centralus"]
    subscriptions: ["subID1", "subID2"]
    resource_groups: ["group1", "group2"]
extraEnv:
  - name: AZURE_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
      name: teleport-azure-client-secret
      key: client_secret
      optional: false
  - name: AZURE_TENANT_ID
    value: "11111111-2222-3333-4444-555555555555"
  - name: AZURE_CLIENT_ID
    value: "11111111-2222-3333-4444-555555555555"

databases

Type	Default
list	[]

databases is a static list of databases that should be proxied by the agent. See the Teleport Database access documentation for more details.

Proxied applications can be defined statically (through this value) or dynamically (through the databaseResources value).

You can specify multiple databases by adding additional list elements.

values.yaml example:

databases:
  - name: aurora-postgres
    uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432
    protocol: postgres
    aws:
      region: us-east-1
    static_labels:
      env: staging
  - name: mysql
    uri: mysql-instance-1.xxx.us-east-1.rds.amazonaws.com:3306
    protocol: mysql
    aws:
      region: us-east-1
    static_labels:
      env: staging

Supported values

You can see a list of all the supported values which can be used in a Teleport Database Service configuration here.

Trusting Database CA

Database CAs can be trusted on a per-database basis. You must create a secret containing the database CA certificate in the same namespace as Teleport using a command like:

kubectl create secret generic my-postgres-ca --from-file=ca.pem=/path/to/database-ca.pem

Then, deploy the Helm chart with the following values:

databases:
  - name: my-postgres
    uri: postgres.example.com:5432
    protocol: postgres
    tls:
      ca_cert_file: "/etc/teleport-tls-db/my-postgres/ca.pem"
extraVolumes:
  - name: my-postgres-ca
    secret:
      secretName: my-postgres-ca
extraVolumeMounts:
  - name: my-postgres-ca
    mountPath: /etc/teleport-tls-db/my-postgres
    readOnly: true

databaseResources

Type	Default
list	[]

databaseResources is a set of labels the agent will monitor. Any database matching those labels will be proxied by the agent. See the Teleport Database access documentation for more details.

Proxied databases can be defined statically (through databases) or dynamically (through this value).

You can specify multiple selectors by including additional list elements. For example:

databaseResources:
  - labels:
      "env": "prod"
      "engine": "postgres"
  - labels:
      "env": "test"
      "engine": "mysql"

Example

Once databaseResources is set, you can dynamically register database with tsh by following this guide.

kubernetesDiscovery

Type	Default
list	[{"labels":{"*":"*"},"namespaces":["*"],"types":["app"]}]

kubernetesDiscovery controls the Discovery Service configuration if it's enabled.

The Discovery Service is enabled when the agent roles contains "discovery". The Discovery service automatically detects Kubernetes Services and configures the agent to provide access to them. See the Kubernetes App Discovery documentation for more details.

note

The Discovery mechanism ignores Kubernetes services running in the kube-system and kube-public namespaces.

The default value will try to discover all apps running in Kubernetes. The discovery can be restricted through this value. For example:

kubernetesDiscovery:
- types: ["app"]
  namespaces: [ "toronto", "porto" ]
  labels:
    env: staging
- types: ["app"]
  namespaces: [ "seattle", "oakland" ]
  labels:
    env: testing

jamfApiEndpoint

Type	Default
string	""

jamfApiEndpoint sets the Jamf Pro API endpoint used for Jamf service. Example: "https://yourtenant.jamfcloud.com/api".

This setting is required if the chart roles contains jamf.

jamfClientId

Type	Default
string	""

jamfClientId sets the Jamf Pro API Client ID used for Jamf service.

This setting is required if the chart roles contains jamf.

jamfClientSecret

Type	Default
string	""

jamfClientSecret sets the Jamf Pro API client secret used for Jamf service.

This setting is required if the chart roles contains jamf and jamfCredentialsSecret.create is set to true. If you provide your own Kubernetes Secret, this setting can remain unset.

jamfCredentialsSecret

jamfCredentialsSecret manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password).

jamfCredentialsSecret.create

Type	Default
bool	true

jamfCredentialsSecret.create controls whether the chart creates the Kubernetes Secret containing the Jamf Pro API Client Secret. If false, you must create a Kubernetes Secret with the configured name in the Helm release namespace.

jamfCredentialsSecret.name

Type	Default
string	"teleport-jamf-api-credentials"

jamfCredentialsSecret.name is the name of the Kubernetes Secret containing the Jamf Pro API Client Secret used by the chart.

If jamfCredentialsSecret.create is false, the chart will not attempt to create the secret itself. Instead, it will read the value from an existing Kubernetes Secret. jamfCredentialsSecret.name configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext Jamf Pro API Client Secret stored in your Teleport chart values.

To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command:

kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential=<replace-with-actual-secret>

note

The key used for the Jamf Pro API Client Secret inside the secret must be credential, as in the command above.

For example:

jamfCredentialsSecret:
  create: false
  name: my-jamf-secret

teleportVersionOverride

Type	Default
string	""

teleportVersionOverride controls the Teleport Kubernetes Operator image version deployed by the chart.

Normally, the version of the Teleport Kubernetes Operator matches the version of the chart. If you install chart version 15.0.0, you'll use Teleport version 15.0.0. Upgrading the agent is done by upgrading the chart.

warning

teleportVersionOverride is intended for development and MUST NOT be used to control the Teleport version in a typical deployment. This chart is designed to run a specific Teleport version. You will face compatibility issues trying to run a different Teleport version with it.

If you want to run Teleport version X.Y.Z, you should use helm install --version X.Y.Z instead.

caPin

Type	Default
list	[]

caPin is a list of CA pins the agent must validate when joining the Teleport cluster to ensure it is connecting to the correct Auth Service.

This is only used when joining the Auth Service directly. When joining through a Proxy Service, authenticity is guaranteed by the x509 certificate used for the TLS connection.

Each list element can be the pin itself (recommended), or a path to a file containing the pin. For the latter, it is your responsibility to mount the file, using extraVolumes.

insecureSkipProxyTLSVerify

Type	Default
bool	false

insecureSkipProxyTLSVerify disables TLS verification of the TLS certificate presented by the Proxy Service.

This can be used for joining a Teleport instance to a Teleport cluster which does not have valid TLS certificates for testing.

warning

Using a self-signed TLS certificate and disabling TLS verification is OK for testing, but is not viable when running a production Teleport cluster as it will drastically reduce security. You must configure valid TLS certificates on your Teleport cluster for production workloads.

One option might be to use Teleport's built-in ACME support or enable cert-manager support.

teleportConfig

Type	Default
object	{}

teleportConfig contains YAML teleport configuration to pass to the Teleport pods. The configuration will be merged with the chart-generated configuration and will take precedence in case of conflict.

See the Teleport Configuration Reference for the list of supported fields.

teleportConfig:
  app_service:
    debug_app: true
  discovery_service:
    enabled: true
    azure:
    - types: ["aks"]
      tags:
        "*":"*"

terminationGracePeriodSeconds

Type	Default
integer	30

terminationGracePeriodSeconds is the time the pod has to do a graceful shutdown. If teleport has not existed after this delay, the process gets killed. Teleport will wait until every connection backed by the agent is over before exiting. If you want to reduce the disruption of rolling out agents at the price of a slower rollout, you can increase this value to an hour.

See the Kubernetes Pod Lifecycle docs for more details.

tls

tls contains settings for mounting your own TLS material in the agent pod. The agent does not expose a TLS server, so this is only used to trust CAs.

tls.existingCASecretName

Type	Default
string	""

tls.existingCASecretName sets the SSL_CERT_FILE environment variable to load a trusted CA or bundle in PEM format into Teleport pods. The injected CA will be used to validate TLS communications, with the Proxy Service, with upstream applications or databases.

note

The recommended way to trust a database CA is to do it per-database instead of adding the CA to the global Teleport trust store. It allows to trust multiple CAs while limiting the trust scope to their specific databases. See the databases section.

You must create a secret containing the CA certs in the same namespace as Teleport using a command like:

kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem

Root CA filename

The key containing the root CA in the secret must be ca.pem.

updater

updater controls whether the Kube Agent Updater should be deployed alongside the teleport-kube-agent. The updater fetches the target version, validates the image signature, and updates the teleport deployment.

The updater can fetch the update information using two protocols:

• the webapi update protocol (in this case the Teleport Proxy Service is the one driving the version rollout)
• the version server protocol (this is an HTTP server serving static files specifying the version and if the update is critical).

The webapi protocol takes precedence over the version server one if the Teleport Proxy Service supports it. The version server protocol failover can be disabled by unsetting updater.versionServer. The webapi protocol can be disabled by setting updater.proxyAddr to "". For backward compatibility reasons, the webapi protocol is not enabled if a custom updater.versionServer is set.

All Kubernetes-specific fields such as tolerations, affinity, nodeSelector, ... default to the agent values. However, they can be overridden from the updater object. For example:

# the agent pod requests 1cpu and 2 GiB of memory. It also has a memory limit.
resources:
  requests:
    cpu: "1"
    memory: "2Gi"
  limits:
    memory: "2Gi"

# the updater pod requests 0.5 cpu and 512MiB of memory. The memory limit has also been unset.
updater:
  resources:
    requests:
      cpu: "0.5"
      memory: "512Mi"
    limits: ~

Other updater-specific values that can be defined in updater are described below.

updater.enabled

Type	Default
bool	false

updater.enabled Enables the Kube Agent Updater and deploys it alongside the Teleport Agent. You can enable this when:

• using Teleport Cloud and your tenant is enrolled into automatic updates. (You can check this through the web UI, choose Add Kubernetes and Enroll New Resource of type Kubernetes, and check if the value is turned on.)
• using self-hosted Teleport and you maintain your own version server.

You must not enable this when:

• you are a Teleport Cloud customer not enrolled in automatic updates.
• you are a self-hosted Teleport user and have not set up your Teleport cluster to support automatic updates.

updater.versionServer

Type	Default
string	"https://{{ .Values.proxyAddr }}/v1/webapi/automaticupgrades/channel"

updater.versionServer is the URL of the version server the agent fetches the target version from. The complete version endpoint is built by concatenating versionServer and releaseChannel . This field supports gotemplate.

Setting this field makes the updater fetch the version using the version server protocol. Setting this field to a custom value disables the webapi update protocol to ensure backward compatibility.

updater.releaseChannel

Type	Default
string	"stable/cloud"

updater.releaseChannel is the release channel the updater subscribes to.

The complete version endpoint is built by concatenating versionServer and releaseChannel. You must not change the default value if you are a Teleport Cloud user unless instructed by Teleport support.

This value is used when the updater is fetching the version using the version server protocol. It is also used as a failover when fetching the version using the webapi protocol if updater.group is unset.

updater.group

Type	Default
string	""

updater.group is the update group used when fetching the version using the webapi protocol. When unset, the group defaults to update.releaseChannel.

updater.image

Type	Default
string	"public.ecr.aws/gravitational/teleport-kube-agent-updater"

updater.image sets the container image used for Teleport updater pods run when updater.enabled is true.

You can override this to use your own Teleport Kube Agent Updater image rather than a Teleport-published image.

updater.serviceAccount

updater.serviceAccount.name

Type	Default
string	""

updater.serviceAccount.name is the updater Kubernetes Service Account name. When unset, it defaults to <kube agent sa name>-updater

updater.pullCredentials

Type	Default
string	""

updater.pullCredentials configures how the updater attempts to get the image pull credentials used to validate the image signature.

This is not required when pulling images from official public Teleport registries (chart's default).

Supported values are amazon, google, docker and none.

updater.extraArgs

Type	Default
list	[]

updater.extraArgs contains additional arguments to pass to the updater binary.

updater.extraVolumes

Type	Default
list	[]

updater.extraVolumes contains extra volumes to mount into the Updater pods. See the Kubernetes volume documentation for more details.

For example:

updater:
  extraVolumes:
  - name: myvolume
    secret:
      secretName: testSecret

updater.extraVolumeMounts

Type	Default
list	[]

updater.extraVolumeMounts contains extra volumes mounts for the updater. See the Kubernetes volume documentation for more details.

For example:

updater:
  extraVolumesMounts:
  - name: myvolume
    mountPath: /path/on/host

existingDataVolume

Type	Default
string	""

existingDataVolume is the name of an existing Kubernetes Persistent Volume that should be mounted at /var/lib/teleport.

This is only useful if you had a previous agent running with persistence enabled and want for a new agent to reuse the volume.

podSecurityPolicy

podSecurityPolicy.enabled

Type	Default
bool	true

podSecurityPolicy.enabled controls if the chart should deploy a Kubernetes PodSecurityPolicy.

By default, Teleport charts used to install a podSecurityPolicy.

PodSecurityPolicy resources (PSP) have been removed in Kubernetes 1.25 and replaced since 1.23 by PodSecurityAdmission (PSA). If you are running on Kubernetes 1.23 or later, it is recommended to disable PSPs and use PSAs. The steps are documented in the PSP removal guide.

This value will be removed in a future chart version.

labels

Type	Default
object	{}

labels is the map of key-value pairs that will be applied on the Teleport resource representing the Kubernetes cluster. These labels can then be used with Teleport's RBAC policies to define access rules for the cluster. This is only used when the roles contains kube.

note

These are Teleport-specific RBAC labels, not Kubernetes labels.

note

For historical/backwards compatibility reasons, these labels will only be applied to the Kubernetes cluster being joined via the Teleport Kubernetes service.

To set labels for applications, add a labels element to the apps section. To set labels for databases, add a static_labels element to the databases section.

For more information on how to set static/dynamic labels for Teleport services, see labelling nodes and applications.

For example:

labels:
  environment: production
  region: us-east

highAvailability

highAvailability contains settings controlling the availability of the Teleport Agent deployed by the chart.

The availability can be increased by:

• running more replicas with replicaCount
• requiring that the Pods are not scheduled on the same Kubernetes Node with requireAntiAffinity
• by asking Kubernetes not to delete all pods at the same time with podDisruptionBudget.

Even with highAvailability settings Restarting/rolling-out pods can still cause disruption for established long-lived sessions, like kubectl exec or database shells.

highAvailability.replicaCount

Type	Default
int	1

highAvailability.replicaCount is the number of agent replicas deployed by the Chart.

Set to a number higher than 1 for a high availability mode where multiple Teleport pods will be deployed.

Sizing guidelines

As a rough guide, we recommend configuring one replica per distinct availability zone where your cluster has worker nodes.

2 replicas/availability zones will be fine for smaller workloads. 3-5 replicas/availability zones will be more appropriate for bigger clusters with more traffic.

When adding new replicas to an existing agent, you must ensure the provided token (via authToken, joinParams, or joinTokenSecret) is still valid. Each replica has its own identity and needs to join the Teleport cluster on its first startup.

highAvailability.requireAntiAffinity

Type	Default
bool	false

highAvailability.requireAntiAffinity configures Kubernetes requiredDuringSchedulingIgnoredDuringExecution to require that multiple Teleport pods must not be scheduled on the same physical host.

warning

This can result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.

Setting highAvailability.requireAntiAffinity to false (the default) uses preferredDuringSchedulingIgnoredDuringExecution to make node anti-affinity a soft requirement.

note

This setting only has any effect when highAvailability.replicaCount is greater than 1.

highAvailability.podDisruptionBudget

highAvailability.podDisruptionBudget controls how the chart creates and configures a Kubernetes PodDisruptionBudget to ensure Kubernetes does not delete all agent replicas at the same time.

highAvailability.podDisruptionBudget.enabled

Type	Default
bool	false

highAvailability.podDisruptionBudget.enabled makes the chart create a Kubernetes PodDisruptionBudget for the agent pods.

highAvailability.podDisruptionBudget.minAvailable

Type	Default
int	1

highAvailability.podDisruptionBudget.minAvailable is the minimum available pod specified on the PodDisruptionBudget.

podMonitor

podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1) This CRD is managed by the prometheus-operator and allows workload to get monitored. To use this value, you need to run a prometheus-operator in the cluster for this value to take effect. See https://prometheus-operator.dev/docs/getting-started/introduction/

podMonitor.enabled

Type	Default
bool	false

podMonitor.enabled controls if the chart deploys a PodMonitor. This is disabled by default as it requires the PodMonitor CRD to be installed.

podMonitor.additionalLabels

Type	Default
object	{}

podMonitor.additionalLabels adds labels on the PodMonitor. This is used to be selected by a specific prometheus instance.

For example:

podMonitor:
  additionalLabels:
    prometheus: default

podMonitor.interval

Type	Default
string	"30s"

podMonitor.interval is the interval between two metrics scrapes.

storage

storage controls how the agent stores data in a Kubernetes Persistent Volume.

Since Teleport 12, the agent does not need PV storage to keep its identity across restarts: it stores it in a Kubernetes Secret. This means the teleport-kubernetes-agent can use one-time and short-lived join tokens, it will retain its identity and secrets even after a restart.

The main benefit of enabling storage is to persist not-yet-uploaded session recordings after Pod termination, when the Teleport session recording mode is not synchronous.

storage.enabled

Type	Default
bool	false

storage.enabled enables the creation of a Kubernetes persistent volume to hold Teleport instance state.

storage.storageClassName

Type	Default
string	""

storage.storageClassName controls which Kubernetes StorageClass the chart uses when creating Persistent Volume Claims. A StorageClass with the provided name must exist on the Kubernetes cluster.

storage.requests

Type	Default
string	"128Mi"

storage.requests is the size of the persistent volume to create.

adminClusterRoleBinding

adminClusterRoleBinding optionally creates a cluster admin role binding. This is useful for granting cluster admin permissions to a Kubernetes Group other than the default system:masters group.

GKE Autopilot clusters forbid using the system:masters group for impersonation and require a custom group to be used instead.

adminClusterRoleBinding.create

Type	Default
bool	false

adminClusterRoleBinding.create controls if the chart should create an additional admin cluster role binding.

adminClusterRoleBinding.name

Type	Default
string	"cluster-admin"

adminClusterRoleBinding.name is the name of the created admin cluster role binding.

image

Type	Default
string	"public.ecr.aws/gravitational/teleport-distroless"

image sets the container image used for Teleport Community Edition Agent pods created by the chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

Interaction with Teleport Kube Agent Updater

When using the Teleport Kube Agent Updater, you must ensure the image is available before the updater version target gets updated and Kubernetes tries to pull the image.

For this reason, it is strongly discouraged to set a custom image when using automatic updates. Teleport Cloud uses automatic updates by default.

By default, the image contains only the Teleport application and its runtime dependencies, and does not contain a shell. This setting only takes effect when enterprise is false. When running an enterprise version, you must use enterpriseImage instead.

enterpriseImage

Type	Default
string	"public.ecr.aws/gravitational/teleport-ent-distroless"

enterpriseImage sets the container image used for Teleport Enterprise agent pods created by the chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

Interaction with Teleport Kube Agent Updater

When using the Teleport Kube Agent Updater you must ensure the image is available before the updater version target gets updated and Kubernetes tries to pull the image.

For this reason, it is strongly discouraged to set a custom image when using automatic updates. Teleport Cloud uses automatic updates by default.

By default, the image contains only the Teleport application and its runtime dependencies, and does not contain a shell. This setting only takes effect when enterprise is true. When running an enterprise version, you must use image instead.

imagePullSecrets

Type	Default
list	[]

imagePullSecrets is a list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.

See the Kubernetes reference for more details.

clusterRoleName

Type	Default
string	""

clusterRoleName can be optionally used to override the name of the Kubernetes ClusterRole used by the agent's ServiceAccount.

note

Most users will not need to change this.

clusterRoleBindingName

Type	Default
string	""

clusterRoleBindingName can be optionally used to override the name of the Kubernetes ClusterRoleBinding used by the agent's ServiceAccount.

note

Most users will not need to change this.

roleName

Type	Default
string	""

roleName provides a custom name for the Role resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the Role has the name of the Helm release.

You should set this value if there is a Role resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

roleBindingName

Type	Default
string	""

roleBindingName provides a custom name for the RoleBinding resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the RoleBinding has the name of the Helm release.

You should set this value if there is a RoleBinding resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

serviceAccountName

Type	Default
string	""

serviceAccountName is deprecated and will be removed in a future version. Use serviceAccount.name instead.

serviceAccount

serviceAccount controls the Kubernetes ServiceAccounts deployed and used by the chart.

serviceAccount.create

Type	Default
bool	true

serviceAccount.create controls whether Helm Chart creates the Kubernetes ServiceAccount resources for the agent and optionally for the updater. When off, you are responsible for creating the appropriate ServiceAccount resources.

serviceAccount.name

Type	Default
string	""

serviceAccount.name sets the name of the ServiceAccount resource used by the chart. By default, the ServiceAccount has the name of the Helm release.

rbac

rbac.create

Type	Default
bool	true

rbac.create controls if the chart should create RBAC Kubernetes resources.

• When true, the chart creates both ClusterRole and ClusterRoleBinding resources for the agent, and Role/RoleBinding for the updater if enabled.
• When false, the chart does not create the Role and RoleBinding resources. The user is responsible for deploying and maintaining them separately.

This value can be set to false when deploying in constrained environments where the user deploying the operator is not allowed to edit RBAC resources.

joinTokenSecret

joinTokenSecret manages the join token secret creation and its name. See the joinParams section for more details.

joinTokenSecret.create

Type	Default
bool	true

joinTokenSecret.create controls whether the chart creates the Kubernetes Secret containing the Teleport join token. If false, you must create a Kubernetes Secret with the configured name in the Helm release namespace.

joinTokenSecret.name

Type	Default
string	"teleport-kube-agent-join-token"

joinTokenSecret.name is the name of the Kubernetes Secret containing the Teleport join token used by the chart.

If joinTokenSecret.create is false, the chart will not attempt to create the secret itself. Instead, it will read the value from an existing secret. joinTokenSecret.name configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext join token stored in your Teleport chart values.

To create your own join token secret, you can use a command like this:

kubectl --namespace teleport create secret generic my-token-secret --from-literal=auth-token=<replace-with-actual-token>

note

The key used for the auth token inside the secret must be auth-token, as in the command above.

For example:

joinTokenSecret:
  create: false
  name: my-token-secret

joinParams:
  method: "token"
  tokenName: ""

log

log controls the agent logging.

log.level

Type	Default
string	"INFO"

log.level is the log level for the Teleport process. Available log levels are: DEBUG, INFO, WARNING, ERROR.

The default is INFO, which is recommended in production. DEBUG is useful during first-time setup or to see more detailed logs for debugging.

log.output

Type	Default
string	"stderr"

log.output sets the output destination for the Teleport process. This can be set to any of the built-in values: stdout, stderr or syslog to use that destination.

The value can also be set to a file path (such as /var/log/teleport.log) to write logs to a file. Bear in mind that a few service startup messages will still go to stderr for resilience.

log.format

Type	Default
string	"text"

log.format sets the log output format for the Teleport process. Possible values are text (default) or json.

log.extraFields

Type	Default
list	["timestamp","level","component","caller"]

log.extraFields sets the fields used in logging for the Teleport process.

See the Teleport config file reference for more details on possible values for extra_fields.

affinity

Type	Default
object	{}

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.

dnsConfig

Type	Default
object	{}

dnsConfig contains custom Pod DNS Configuration for the agent pods. This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs to refer to applications and databases.

See the Kubernetes pod DNS documentation for more information.

For example:

 nameservers:
   - 1.2.3.4
 searches:
   - ns1.svc.cluster-domain.example
   - my.dns.search.suffix
 options:
   - name: ndots
     value: "2"

dnsPolicy

Type	Default
string	""

dnsPolicy sets the Pod's DNS Policy

See the Kubernetes pod DNS documentation for more information.

nodeSelector

Type	Default
object	{}

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

extraLabels

extraLabels contains additional Kubernetes labels to apply on the resources created by the chart. See the Kubernetes label documentation for more information.

extraLabels.clusterRole

Type	Default
object	{}

extraLabels.clusterRole are labels to set on the ClusterRole.

extraLabels.clusterRoleBinding

Type	Default
object	{}

extraLabels.clusterRoleBinding are labels to set on the ClusterRoleBinding.

extraLabels.role

Type	Default
object	{}

extraLabels.role are labels to set on the Role.

extraLabels.roleBinding

Type	Default
object	{}

extraLabels.roleBinding are labels to set on the RoleBinding.

extraLabels.config

Type	Default
object	{}

extraLabels.config are labels to set on the ConfigMap.

extraLabels.deployment

Type	Default
object	{}

extraLabels.deployment are labels to set on the Deployment or StatefulSet.

extraLabels.job

Type	Default
object	{}

extraLabels.job are labels to set on the post-delete Job created by the chart.

extraLabels.pod

Type	Default
object	{}

extraLabels.pod are labels to set on the Pods created by the Deployment, StatefulSet, or Job.

extraLabels.podDisruptionBudget

Type	Default
object	{}

extraLabels.podDisruptionBudget are labels to set on the podDisruptionBudget.

extraLabels.podSecurityPolicy

Type	Default
object	{}

extraLabels.podSecurityPolicy are labels to set on the podSecurityPolicy.

extraLabels.secret

Type	Default
object	{}

extraLabels.secret are labels to set on the Secret.

extraLabels.serviceAccount

Type	Default
object	{}

extraLabels.serviceAccount are labels to set on the ServiceAccount.

annotations

annotations contains annotations to apply to the different Kubernetes objects created by the chart. See the Kubernetes annotation documentation for more details.

annotations.config

Type	Default
object	{}

annotations.config contains the Kubernetes annotations put on the ConfigMap resource created by the chart.

annotations.deployment

Type	Default
object	{}

annotations.deployment contains the Kubernetes annotations put on the Deployment or StatefulSet resource created by the chart.

annotations.pod

Type	Default
object	{}

annotations.pod contains the Kubernetes annotations put on the Pod resources created by the chart.

annotations.secret

Type	Default
object	{}

annotations.secret contains the Kubernetes annotations put on the Secret resource created by the chart. This has no effect when joinTokenSecret.create is false.

annotations.serviceAccount

Type	Default
object	{}

annotations.serviceAccount contains the Kubernetes annotations put on the ServiceAccount resource created by the chart.

extraArgs

Type	Default
list	[]

extraArgs contains extra arguments to pass to teleport start for the main Teleport pod

extraEnv

Type	Default
list	[]

extraEnv contains extra environment variables to set in the main Teleport pod.

For example:

extraEnv:
  - name: HTTPS_PROXY
    value: "http://username:[email protected]:3128"

extraContainers

Type	Default
list	[]

extraContainers contains extra containers to add in the main Teleport pod.

For example:

extraContainers:
- name: debug-sidecar
  command:
    - busybox
    - sh
    - -c
    - "echo waiting && sleep infinity"
  image: busybox:latest
  imagePullPolicy: IfNotPresent
  securityContext:
    privileged: true
    runAsNonRoot: false

extraVolumes

Type	Default
list	[]

extraVolumes contains extra volumes to mount into the Teleport pods. See the Kubernetes volume documentation for more details.

For example:

extraVolumes:
- name: myvolume
  secret:
    secretName: testSecret

extraVolumeMounts

Type	Default
list	[]

extraVolumeMounts contains extra volumes mounts for the main Teleport container. See the Kubernetes volume documentation for more details.

For example:

extraVolumesMounts:
- name: myvolume
  mountPath: /path/on/host

hostAliases

hostAliases sets Host aliases in the Teleport Pod. See the Kubernetes hosts file documentation for more details.

For example:

hostAliases:
  - ip: "127.0.0.1"
    hostnames:
      - "foo.local"
      - "bar.local"
  - ip: "10.1.2.3"
    hostnames:
      - "foo.remote"
      - "bar.remote"

imagePullPolicy

Type	Default
string	"IfNotPresent"

imagePullPolicy sets the pull policy for any pods created by the chart. See the Kubernetes documentation for more details.

initContainers

Type	Default
list	[]

initContainers sets the Teleport Pod's init-containers. See the Kubernetes init-container documentation for more details.

For example:

initContainers:
- name: "teleport-init"
  image: "alpine"
  args: ["echo test"]

resources

Type	Default
object	{}

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

initSecurityContext

Type	Default
object	{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":9807,"seccompProfile":{"type":"RuntimeDefault"}}

initSecurityContext sets the init container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value is compatible with the restricted PSS.

To unset the security context, set it to null or ~.

securityContext

Type	Default
object	{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":9807,"seccompProfile":{"type":"RuntimeDefault"}}

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value is compatible with the restricted PSS.

To unset the security context, set it to null or ~.

podSecurityContext

Type	Default
object	{"fsGroup":9807}

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

To unset the security context, set it to null or ~.

priorityClassName

Type	Default
string	""

priorityClassName sets the priority class used by any pods created by the chart. The user is responsible for creating the PriorityClass resource before deploying the chart. See the Kubernetes documentation for more details.

tolerations

Type	Default
list	[]

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

probeTimeoutSeconds

Type	Default
int	1

probeTimeoutSeconds sets the timeout for the readiness and liveness probes https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/