Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

teleport-kube-agent Chart Reference

The teleport-kube-agent Helm chart is used to configure a Teleport agent that runs in a remote Kubernetes cluster to provide access to resources in your infrastructure.

You can browse the source on GitHub.

This reference details available values for the teleport-kube-agent chart.

Warning

Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed.

What the chart deploys

Teleport services

The teleport-kube-agent chart can run any or all of three Teleport services:

Teleport serviceName for roles and tctl tokens addPurpose
kubernetes_servicekubeUses Teleport to handle authentication
with and proxy access to a Kubernetes cluster
application_serviceappUses Teleport to handle authentication
with and proxy access to web-based applications
database_servicedbUses Teleport to handle authentication
with and proxy access to databases
discovery_servicediscoveryUses Teleport to discover new resources
and dynamically add them to the cluster
jamf_servicejamfUses Teleport to integrate with Jamf Pro
and sync devices with Device Trust inventory

Legacy releases

Releases of this chart installed before version 11 are considered legacy releases, which launch the Teleport pod as a Deployment if no storage was configured.

In version 11 and above, the chart launches the Teleport pod as a StatefulSet even when the chart is configured not to use external storage, and the Teleport pod reads its state from a Kubernetes Secret.

While the Teleport pod does not require external storage, you can still use the storage.enabled field to configure the way the Teleport pod reads data from a persistent volume.

To learn how upgrading from a legacy release to version 11 will affect resources launched by this chart, see the resource list.

Kubernetes resources

The teleport-kube-agent chart deploys the following Kubernetes resources:

KindDefault NameDescriptionWhen Deployed
StatefulSetThe release nameRunning a user-configured Teleport pod.Always.
SecretjoinTokenSecret.name (default: teleport-kube-agent-join-token)Used for managing the state of the Teleport pod.joinTokenSecret.secret is true.
SecretjamfCredentialsSecret.name (default: teleport-jamf-api-credentials)Used for integrating Jamf Prod with Teleport (jamf_service).jamfCredentialsSecret.create is true
DeploymentThe release nameRuns a user-configured Teleport pod.storage.enabled is false and the chart is being upgraded. Fresh installs will deploy a StatefulSet instead.
RoleThe roleName option, if given, or the release name.Used to manage the state of the Teleport pod via Kubernetes secrets.Always.
ClusterRoleclusterRoleName, if given, or the release name.Allows impersonating users, groups, and service accounts, getting pods, and creating SelfSubjectAccessReviews so the Teleport pod can manage access to resources in its Kubernetes cluster.Always.
ClusterRoleBindingclusterRoleBindingName, if provided, or the release nameEnables the Teleport pod to manage access to resources in the Kubernetes cluster.Always.
RoleBindingroleBindingName, if given, or the release nameEnables the Teleport pod to manage access to resources in the Kubernetes cluster.Always.
ServiceAccountserviceAccount.name, if given, or the release nameEnables the Teleport pod to manage access to resources in the Kubernetes cluster.serviceAccount.create is true
PodDisruptionBudgetThe release nameEnsure high availability for the Teleport pod.highAvailability.podDisruptionBudget.enabled is true.
ServiceAccountThe release name, suffixed by -hookUsed to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.If the teleport-kube-agent release contains a legacy Deployment resource.
RoleThe release name, suffixed by -hookUsed to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.If the teleport-kube-agent release contains a legacy Deployment resource.
RoleBindingThe release name, suffixed by -hookUsed to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.If the teleport-kube-agent release contains a legacy Deployment resource.
JobThe release name, suffixed by -hookUsed to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.If the teleport-kube-agent release contains a legacy Deployment resource.
ConfigMapThe release nameContains the configuration for the Teleport pod.Always.
PodSecurityPolicyThe release nameEnforces security requirements for pods deployed by teleport-kube-agent.podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.
RoleThe release name, suffixed by -pspEnforces security requirements for pods deployed by teleport-kube-agent.podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.
RoleBindingThe release name, suffixed by -pspEnforces security requirements for pods deployed by teleport-kube-agent.podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.

roles

TypeDefault
string"kube"

roles is a comma-separated list of services which will be enabled when running the teleport-kube-agent chart.

ServicesValue for rolesMandatory additional settings for this role
Teleport Kubernetes servicekubekubeClusterName
Teleport Application serviceappapps or appResources
Teleport Database servicedbdatabases or databaseResources
Teleport Discovery servicediscoverykubeClusterName
Teleport Jamf servicejamfjamfApiEndpoint, jamfClientId

For example:

roles: kube,app,discovery

proxyAddr

TypeDefault
string""

proxyAddr provides the public-facing Teleport Proxy Service endpoint which should be used to join the cluster. This is the same URL used to access the web UI of your Teleport cluster. The port used is usually either 3080 or 443.

Here are a few examples:

Deployment methodExample proxy_service.public_addr
On-prem Teleport clusterteleport.example.com:3080
Teleport Cloud clusterexample.teleport.sh:443
teleport-cluster Helm chartteleport.example.com:443

enterprise

TypeDefault
boolfalse

enterprise controls if the teleport-kube-agent chart should deploy the OSS version or the enterprise version of the container image. This must be set to true when connecting to Teleport Cloud or self-hosted Teleport Enterprise clusters to allow the agent to leverage enterprise features.

authToken

TypeDefault
string""

authToken provides a Teleport join token which will be used to join the Teleport instance to a Teleport cluster. authToken only supports the token join method.

For other methods such as kubernetes, iam or gcp, the value joinParams should be used as it supports more methods to join the Teleport cluster. joinParams takes precedence if both authToken and joinParams are set.

A token must be specified for the agent to join the Teleport cluster, either via authToken, joinParams, or an existing Kubernetes Secret.

The token used must at least grant the required system roles. For example, if the chart roles is kube,app, the token should allow the system roles App and Kube.

joinParams

joinParams controls how the Teleport Agent joins the Teleport cluster. These sub-values must be configured for the agent to connect to a cluster.

This value serves the same purpose as authToken but supports all join methods. When set, it takes precedence over authToken. Its usage should be preferred.

joinParams.method

TypeDefault
string"token"

joinParams.method controls which join method will be used by the instance to join the Teleport cluster.

See the join method reference for the list of possible values, the implications of each join method, and guides to set up each method.

Common join-methods for the teleport-kube-agent are:

  • token: the most basic one, with regular ephemeral secret tokens
  • kubernetes: either the in-cluster variant (if the agent runs in the same Kubernetes cluster as the teleport-cluster chart) or the JWKS variant (works in every Kubernetes cluster, regardless of the Teleport Auth Service location).

joinParams.tokenName

TypeDefault
string""

joinParams.tokenName controls which token is used by the agent to join the Teleport cluster.

When joinParams.method is a delegated join method, the value is not sensitive.

When joinParams.method is token (by default), joinParams.tokenName contains the secret token itself. In this case, the value is sensitive and is automatically stored in a Kubernetes Secret instead of being directly included in the agent's configuration.

If method is token, joinParams.tokenName can be empty if the token is provided through an existing Kubernetes Secret, see joinTokenSecret for more details and instructions.

kubeClusterName

TypeDefault
string""

kubeClusterName sets the name used for the Kubernetes cluster proxied by the Teleport Agent. This name will be shown to Teleport users connecting to the cluster.

This setting is required if the chart roles contains kube.

apps

TypeDefault
list[]

apps is a static list of applications that should be proxied by the agent. See the Teleport Application access documentation for more details.

Proxied applications can be defined statically (through this value) or dynamically (through the appResources value). One of apps and appResources is required if the chart roles contains app.

You can specify multiple apps by adding elements to the list. For example:

apps:
  - name: grafana
    uri: http://localhost:3000
    labels:
      purpose: monitoring
  - name: jenkins
    uri: http://jenkins:8080
    labels:
      purpose: ci
Supported values

You can see a list of all the supported values that can be used in a Teleport Application Service configuration in the Application Service Configuration Reference.

appResources

TypeDefault
list[]

appResources is a set of labels the agent will monitor. Any application matching those labels will be proxied by the agent. See the Teleport Application access documentation for more details.

Proxied applications can be defined statically (through apps) or dynamically (through this value). One of apps and appResources is required if the chart roles contains app.

You can specify multiple selectors by including additional list elements. For example:

appResources:
  - labels:
      "env": "prod"
  - labels:
      "env": "test"
Example

Once appResources is set, you can dynamically register application with tsh by following the Dynamic App Registration guide.

clusterDomain

TypeDefault
string"cluster.local"

clusterDomain sets the domain name used by the Kubernetes cluster. This value is used to build the FQDN application URIs. For example, if the cluster domain is anything.local, the agent will proxy the application myapp running in the default namespace at http://myapp.default.svc.anything.local. You must manually set this value to match your cluster domain if it is different from the default value cluster.local.

awsDatabases

TypeDefault
list[]

awsDatabases configures AWS database auto-discovery.

IAM roles

For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the database documentation. After configuring a role, you can use an eks.amazonaws.com/role-arn annotation with the annotations.serviceAccount value to associate it with the service account and grant permissions:

annotations:
  serviceAccount:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role

You can specify multiple database filters by adding elements to the list.

  • types is a list containing the types of AWS databases that should be discovered.
  • regions is a list of AWS regions which should be scanned for databases.
  • tags can be used to set AWS tags that must be matched for databases to be discovered.

For example:

roles: db
awsDatabases:
  - types: ["rds"]
    regions: ["us-east-1", "us-west-2"]
    tags:
      "environment": "production"
  - types: ["rds"]
    regions: ["us-east-1"]
    tags:
      "environment": "dev"
  - types: ["rds"]
    regions: ["eu-west-1"]
    tags:
      "*": "*"
annotations:
  serviceAccount:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role

azureDatabases

TypeDefault
list[]

azureDatabases configures Azure database auto-discovery.

Azure IAM

For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the database documentation.

After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods. The easiest way is to use an Azure client secret.

First, create in the chart installation namespace a Kubernetes Secret containing the azure client secret:

kubectl create secret generic teleport-azure-client-secret --from-literal=client_secret=<your-azure-client-secret>
secret/teleport-azure-client-secret created

Then, use the extraEnv value to set the pods environment variables:

extraEnv:
- name: AZURE_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
    name: teleport-azure-client-secret
    key: client_secret
    optional: false
- name: AZURE_TENANT_ID
  value: "11111111-2222-3333-4444-555555555555"
- name: AZURE_CLIENT_ID
  value: "11111111-2222-3333-4444-555555555555"

You can specify multiple database filters by adding elements to the list.

Required fields for each filter:

  • types is a list containing the types of Azure databases that should be discovered.
  • tags can be used to set Azure resource tags that must be matched for databases to be discovered.

Optional fields for each filter:

  • regions is a list of Azure regions which should be scanned for databases.
  • subscriptions can be used to discover databases within matching Azure subscriptions.
  • resource_groups can be used to discover databases within matching Azure resource groups.

The default for each of these optional settings is *, which will auto-discover in all subscriptions, regions, or resource groups accessible by the Teleport service principal in Azure.

For example:

roles: db
azureDatabases:
  - types: ["mysql", "postgres"]
    tags:
      "*": "*"
  - types: ["mysql"]
    tags:
      "env": ["dev", "staging"]
      "origin": "alice"
    regions: ["eastus", "centralus"]
    subscriptions: ["subID1", "subID2"]
    resource_groups: ["group1", "group2"]
extraEnv:
  - name: AZURE_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
      name: teleport-azure-client-secret
      key: client_secret
      optional: false
  - name: AZURE_TENANT_ID
    value: "11111111-2222-3333-4444-555555555555"
  - name: AZURE_CLIENT_ID
    value: "11111111-2222-3333-4444-555555555555"

databases

TypeDefault
list[]

databases is a static list of databases that should be proxied by the agent. See the Teleport Database access documentation for more details.

Proxied applications can be defined statically (through this value) or dynamically (through the databaseResources value).

You can specify multiple databases by adding additional list elements.

values.yaml example:

databases:
  - name: aurora-postgres
    uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432
    protocol: postgres
    aws:
      region: us-east-1
    static_labels:
      env: staging
  - name: mysql
    uri: mysql-instance-1.xxx.us-east-1.rds.amazonaws.com:3306
    protocol: mysql
    aws:
      region: us-east-1
    static_labels:
      env: staging
Supported values
Trusting Database CA

Database CAs can be trusted on a per-database basis. You must create a secret containing the database CA certificate in the same namespace as Teleport using a command like:

kubectl create secret generic my-postgres-ca --from-file=ca.pem=/path/to/database-ca.pem

Then, deploy the Helm chart with the following values:

databases:
  - name: my-postgres
    uri: postgres.example.com:5432
    protocol: postgres
    tls:
      ca_cert_file: "/etc/teleport-tls-db/my-postgres/ca.pem"
extraVolumes:
  - name: my-postgres-ca
    secret:
      secretName: my-postgres-ca
extraVolumeMounts:
  - name: my-postgres-ca
    mountPath: /etc/teleport-tls-db/my-postgres
    readOnly: true

databaseResources

TypeDefault
list[]

databaseResources is a set of labels the agent will monitor. Any database matching those labels will be proxied by the agent. See the Teleport Database access documentation for more details.

Proxied databases can be defined statically (through databases) or dynamically (through this value).

You can specify multiple selectors by including additional list elements. For example:

databaseResources:
  - labels:
      "env": "prod"
      "engine": "postgres"
  - labels:
      "env": "test"
      "engine": "mysql"
Example

Once databaseResources is set, you can dynamically register database with tsh by following this guide.

kubernetesDiscovery

TypeDefault
list[{"labels":{"*":"*"},"namespaces":["*"],"types":["app"]}]

kubernetesDiscovery controls the Discovery Service configuration if it's enabled.

The Discovery Service is enabled when the agent roles contains "discovery". The Discovery service automatically detects Kubernetes Services and configures the agent to provide access to them. See the Kubernetes App Discovery documentation for more details.

Note

The Discovery mechanism ignores Kubernetes services running in the kube-system and kube-public namespaces.

The default value will try to discover all apps running in Kubernetes. The discovery can be restricted through this value. For example:

kubernetesDiscovery:
- types: ["app"]
  namespaces: [ "toronto", "porto" ]
  labels:
    env: staging
- types: ["app"]
  namespaces: [ "seattle", "oakland" ]
  labels:
    env: testing

jamfApiEndpoint

TypeDefault
string""

jamfApiEndpoint sets the Jamf Pro API endpoint used for Jamf service. Example: "https://yourtenant.jamfcloud.com/api".

This setting is required if the chart roles contains jamf.

jamfClientId

TypeDefault
string""

jamfClientId sets the Jamf Pro API Client ID used for Jamf service.

This setting is required if the chart roles contains jamf.

jamfClientSecret

TypeDefault
string""

jamfClientSecret sets the Jamf Pro API client secret used for Jamf service.

This setting is required if the chart roles contains jamf and jamfCredentialsSecret.create is set to true. If you provide your own Kubernetes Secret, this setting can remain unset.

jamfCredentialsSecret

jamfCredentialsSecret manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password).

jamfCredentialsSecret.create

TypeDefault
booltrue

jamfCredentialsSecret.create controls whether the chart creates the Kubernetes Secret containing the Jamf Pro API Client Secret. If false, you must create a Kubernetes Secret with the configured name in the Helm release namespace.

jamfCredentialsSecret.name

TypeDefault
string"teleport-jamf-api-credentials"

jamfCredentialsSecret.name is the name of the Kubernetes Secret containing the Jamf Pro API Client Secret used by the chart.

If jamfCredentialsSecret.create is false, the chart will not attempt to create the secret itself. Instead, it will read the value from an existing Kubernetes Secret. jamfCredentialsSecret.name configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext Jamf Pro API Client Secret stored in your Teleport chart values.

To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command:

kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential=<replace-with-actual-secret>
Note

The key used for the Jamf Pro API Client Secret inside the secret must be credential, as in the command above.

For example:

jamfCredentialsSecret:
  create: false
  name: my-jamf-secret

teleportVersionOverride

TypeDefault
string""

teleportVersionOverride controls the Teleport Kubernetes Operator image version deployed by the chart.

Normally, the version of the Teleport Kubernetes Operator matches the version of the chart. If you install chart version 15.0.0, you'll use Teleport version 15.0.0. Upgrading the agent is done by upgrading the chart.

Warning

teleportVersionOverride is intended for development and MUST NOT be used to control the Teleport version in a typical deployment. This chart is designed to run a specific Teleport version. You will face compatibility issues trying to run a different Teleport version with it.

If you want to run Teleport version X.Y.Z, you should use helm install --version X.Y.Z instead.

caPin

TypeDefault
list[]

caPin is a list of CA pins the agent must validate when joining the Teleport cluster to ensure it is connecting to the correct Auth Service.

This is only used when joining the Auth Service directly. When joining through a Proxy Service, authenticity is guaranteed by the x509 certificate used for the TLS connection.

Each list element can be the pin itself (recommended), or a path to a file containing the pin. For the latter, it is your responsibility to mount the file, using extraVolumes.

insecureSkipProxyTLSVerify

TypeDefault
boolfalse

insecureSkipProxyTLSVerify disables TLS verification of the TLS certificate presented by the Proxy Service.

This can be used for joining a Teleport instance to a Teleport cluster which does not have valid TLS certificates for testing.

Warning

Using a self-signed TLS certificate and disabling TLS verification is OK for testing, but is not viable when running a production Teleport cluster as it will drastically reduce security. You must configure valid TLS certificates on your Teleport cluster for production workloads.

One option might be to use Teleport's built-in ACME support or enable cert-manager support.

teleportConfig

TypeDefault
object{}

teleportConfig contains YAML teleport configuration to pass to the Teleport pods. The configuration will be merged with the chart-generated configuration and will take precedence in case of conflict.

See the Teleport Configuration Reference for the list of supported fields.

teleportConfig:
  app_service:
    debug_app: true
  discovery_service:
    enabled: true
    azure:
    - types: ["aks"]
      tags:
        "*":"*"

tls

tls contains settings for mounting your own TLS material in the agent pod. The agent does not expose a TLS server, so this is only used to trust CAs.

tls.existingCASecretName

TypeDefault
string""

tls.existingCASecretName sets the SSL_CERT_FILE environment variable to load a trusted CA or bundle in PEM format into Teleport pods. The injected CA will be used to validate TLS communications, with the Proxy Service, with upstream applications or databases.

Note

The recommended way to trust a database CA is to do it per-database instead of adding the CA to the global Teleport trust store. It allows to trust multiple CAs while limiting the trust scope to their specific databases. See the databases section.

You must create a secret containing the CA certs in the same namespace as Teleport using a command like:

kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem

The key containing the root CA in the secret must be ca.pem.

updater

updater controls whether the Kube Agent Updater should be deployed alongside the teleport-kube-agent. The updater fetches the target version, validates the image signature, and updates the teleport deployment. The enterprise value should have been set to true.

All Kubernetes-specific fields such as tolerations, affinity, nodeSelector, ... default to the agent values. However, they can be overridden from the updater object. For example:

# the agent pod requests 1cpu and 2 GiB of memory. It also has a memory limit.
resources:
  requests:
    cpu: "1"
    memory: "2Gi"
  limits:
    memory: "2Gi"

# the updater pod requests 0.5 cpu and 512MiB of memory. The memory limit has also been unset.
updater:
  resources:
    requests:
      cpu: "0.5"
      memory: "512Mi"
    limits: ~

Other updater-specific values that can be defined in updater are described below.

updater.enabled

TypeDefault
boolfalse

updater.enabled Enables the Kube Agent Updater and deploys it alongside the Teleport Agent. You can enable this when:

  • using Teleport Cloud and your tenant is enrolled into automatic updates. (You can check this through the web UI, choose Add Kubernetes and Enroll New Resource of type Kubernetes, and check if the value is turned on.)
  • using self-hosted Teleport and you maintain your own version server.

You must not enable this when:

  • you are a Teleport Cloud customer not enrolled in automatic updates.
  • you are a self-hosted Teleport user and have not set up your Teleport cluster to support automatic updates.

updater.versionServer

TypeDefault
string"https://{{ .Values.proxyAddr }}/v1/webapi/automaticupgrades/channel"

updater.versionServer is the URL of the version server the agent fetches the target version from. The complete version endpoint is built by concatenating versionServer and releaseChannel . This field supports gotemplate.

You must set this if the updater is enabled, and you are not a Teleport Cloud user.

You must not change the default values if you are a Teleport Cloud user.

updater.releaseChannel

TypeDefault
string"stable/cloud"

updater.releaseChannel is the release channel the updater subscribes to.

The complete version endpoint is built by concatenating versionServer and releaseChannel. You must not change the default value if you are a Teleport Cloud user unless instructed by Teleport support.

You can change this value if the updater is enabled, you are not a Teleport Cloud user, and manage your own version server.

updater.image

TypeDefault
string"public.ecr.aws/gravitational/teleport-kube-agent-updater"

updater.image sets the container image used for Teleport updater pods run when updater.enabled is true.

You can override this to use your own Teleport Kube Agent Updater image rather than a Teleport-published image.

updater.serviceAccount

updater.serviceAccount.name

TypeDefault
string""

updater.serviceAccount.name is the updater Kubernetes Service Account name. When unset, it defaults to <kube agent sa name>-updater

updater.pullCredentials

TypeDefault
string""

updater.pullCredentials configures how the updater attempts to get the image pull credentials used to validate the image signature.

This is not required when pulling images from official public Teleport registries (chart's default).

Supported values are amazon, google, docker and none.

updater.extraArgs

TypeDefault
list[]

updater.extraArgs contains additional arguments to pass to the updater binary.

updater.extraVolumes

TypeDefault
list[]

updater.extraVolumes contains extra volumes to mount into the Updater pods. See the Kubernetes volume documentation for more details.

For example:

updater:
  extraVolumes:
  - name: myvolume
    secret:
      secretName: testSecret

updater.extraVolumeMounts

TypeDefault
list[]

updater.extraVolumeMounts contains extra volumes mounts for the updater. See the Kubernetes volume documentation for more details.

For example:

updater:
  extraVolumesMounts:
  - name: myvolume
    mountPath: /path/on/host

existingDataVolume

TypeDefault
string""

existingDataVolume is the name of an existing Kubernetes Persistent Volume that should be mounted at /var/lib/teleport.

This is only useful if you had a previous agent running with persistence enabled and want for a new agent to reuse the volume.

podSecurityPolicy

podSecurityPolicy.enabled

TypeDefault
booltrue

podSecurityPolicy.enabled controls if the chart should deploy a Kubernetes PodSecurityPolicy.

By default, Teleport charts used to install a podSecurityPolicy.

PodSecurityPolicy resources (PSP) have been removed in Kubernetes 1.25 and replaced since 1.23 by PodSecurityAdmission (PSA). If you are running on Kubernetes 1.23 or later, it is recommended to disable PSPs and use PSAs. The steps are documented in the PSP removal guide.

This value will be removed in a future chart version.

labels

TypeDefault
object{}

labels is the map of key-value pairs that will be applied on the Teleport resource representing the Kubernetes cluster. These labels can then be used with Teleport's RBAC policies to define access rules for the cluster. This is only used when the roles contains kube.

Note

These are Teleport-specific RBAC labels, not Kubernetes labels.

Note

For historical/backwards compatibility reasons, these labels will only be applied to the Kubernetes cluster being joined via the Teleport Kubernetes service.

To set labels for applications, add a labels element to the apps section. To set labels for databases, add a static_labels element to the databases section.

For more information on how to set static/dynamic labels for Teleport services, see labelling nodes and applications.

For example:

labels:
  environment: production
  region: us-east

highAvailability

highAvailability contains settings controlling the availability of the Teleport Agent deployed by the chart.

The availability can be increased by:

  • running more replicas with replicaCount
  • requiring that the Pods are not scheduled on the same Kubernetes Node with requireAntiAffinity
  • by asking Kubernetes not to delete all pods at the same time with podDisruptionBudget.

Even with highAvailability settings Restarting/rolling-out pods can still cause disruption for established long-lived sessions, like kubectl exec or database shells.

highAvailability.replicaCount

TypeDefault
int1

highAvailability.replicaCount is the number of agent replicas deployed by the Chart.

Set to a number higher than 1 for a high availability mode where multiple Teleport pods will be deployed.

Sizing guidelines

As a rough guide, we recommend configuring one replica per distinct availability zone where your cluster has worker nodes.

2 replicas/availability zones will be fine for smaller workloads. 3-5 replicas/availability zones will be more appropriate for bigger clusters with more traffic.

When adding new replicas to an existing agent, you must ensure the provided token (via authToken, joinParams, or joinTokenSecret) is still valid. Each replica has its own identity and needs to join the Teleport cluster on its first startup.

highAvailability.requireAntiAffinity

TypeDefault
boolfalse

highAvailability.requireAntiAffinity configures Kubernetes requiredDuringSchedulingIgnoredDuringExecution to require that multiple Teleport pods must not be scheduled on the same physical host.

Warning

This can result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.

Setting highAvailability.requireAntiAffinity to false (the default) uses preferredDuringSchedulingIgnoredDuringExecution to make node anti-affinity a soft requirement.

Note

This setting only has any effect when highAvailability.replicaCount is greater than 1.

highAvailability.podDisruptionBudget

highAvailability.podDisruptionBudget controls how the chart creates and configures a Kubernetes PodDisruptionBudget to ensure Kubernetes does not delete all agent replicas at the same time.

highAvailability.podDisruptionBudget.enabled

TypeDefault
boolfalse

highAvailability.podDisruptionBudget.enabled makes the chart create a Kubernetes PodDisruptionBudget for the agent pods.

highAvailability.podDisruptionBudget.minAvailable

TypeDefault
int1

highAvailability.podDisruptionBudget.minAvailable is the minimum available pod specified on the PodDisruptionBudget.

podMonitor

podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1) This CRD is managed by the prometheus-operator and allows workload to get monitored. To use this value, you need to run a prometheus-operator in the cluster for this value to take effect. See https://prometheus-operator.dev/docs/prologue/introduction/

podMonitor.enabled

TypeDefault
boolfalse

podMonitor.enabled controls if the chart deploys a PodMonitor. This is disabled by default as it requires the PodMonitor CRD to be installed.

podMonitor.additionalLabels

TypeDefault
object{}

podMonitor.additionalLabels adds labels on the PodMonitor. This is used to be selected by a specific prometheus instance.

For example:

podMonitor:
  additionalLabels:
    prometheus: default

podMonitor.interval

TypeDefault
string"30s"

podMonitor.interval is the interval between two metrics scrapes.

storage

storage controls how the agent stores data in a Kubernetes Persistent Volume.

Since Teleport 12, the agent does not need PV storage to keep its identity across restarts: it stores it in a Kubernetes Secret. This means the teleport-kubernetes-agent can use one-time and short-lived join tokens, it will retain its identity and secrets even after a restart.

The main benefit of enabling storage is to persist not-yet-uploaded session recordings after Pod termination, when the Teleport session recording mode is not synchronous.

storage.enabled

TypeDefault
boolfalse

storage.enabled enables the creation of a Kubernetes persistent volume to hold Teleport instance state.

storage.storageClassName

TypeDefault
string""

storage.storageClassName controls which Kubernetes StorageClass the chart uses when creating Persistent Volume Claims. A StorageClass with the provided name must exist on the Kubernetes cluster.

storage.requests

TypeDefault
string"128Mi"

storage.requests is the size of the persistent volume to create.

adminClusterRoleBinding

adminClusterRoleBinding optionally creates a cluster admin role binding. This is useful for granting cluster admin permissions to a Kubernetes Group other than the default system:masters group.

GKE Autopilot clusters forbid using the system:masters group for impersonation and require a custom group to be used instead.

adminClusterRoleBinding.create

TypeDefault
boolfalse

adminClusterRoleBinding.create controls if the chart should create an additional admin cluster role binding.

adminClusterRoleBinding.name

TypeDefault
string"cluster-admin"

adminClusterRoleBinding.name is the name of the created admin cluster role binding.

image

TypeDefault
string"public.ecr.aws/gravitational/teleport-distroless"

image sets the container image used for Teleport Community Edition Agent pods created by the chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

Interaction with Teleport Kube Agent Updater

When using the Teleport Kube Agent Updater, you must ensure the image is available before the updater version target gets updated and Kubernetes tries to pull the image.

For this reason, it is strongly discouraged to set a custom image when using automatic updates. Teleport Cloud uses automatic updates by default.

Since version 13, hardened distroless images are used by default. You can use the deprecated debian-based images by setting the value to public.ecr.aws/gravitational/teleport. Those images will be removed with teleport 15.

This setting only takes effect when enterprise is false. When running an enterprise version, you must use enterpriseImage instead.

enterpriseImage

TypeDefault
string"public.ecr.aws/gravitational/teleport-ent-distroless"

enterpriseImage sets the container image used for Teleport Enterprise agent pods created by the chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

Interaction with Teleport Kube Agent Updater

When using the Teleport Kube Agent Updater you must ensure the image is available before the updater version target gets updated and Kubernetes tries to pull the image.

For this reason, it is strongly discouraged to set a custom image when using automatic updates. Teleport Cloud uses automatic updates by default.

Since version 13, hardened distroless images are used by default. You can use the deprecated debian-based images by setting the value to public.ecr.aws/gravitational/teleport-ent. Those images will be removed with teleport 15.

This setting only takes effect when enterprise is true. When running an enterprise version, you must use image instead.

imagePullSecrets

TypeDefault
list[]

imagePullSecrets is a list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.

See the Kubernetes reference for more details.

clusterRoleName

TypeDefault
string""

clusterRoleName can be optionally used to override the name of the Kubernetes ClusterRole used by the agent's ServiceAccount.

Note

Most users will not need to change this.

clusterRoleBindingName

TypeDefault
string""

clusterRoleBindingName can be optionally used to override the name of the Kubernetes ClusterRoleBinding used by the agent's ServiceAccount.

Note

Most users will not need to change this.

roleName

TypeDefault
string""

roleName provides a custom name for the Role resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the Role has the name of the Helm release.

You should set this value if there is a Role resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

roleBindingName

TypeDefault
string""

roleBindingName provides a custom name for the RoleBinding resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the RoleBinding has the name of the Helm release.

You should set this value if there is a RoleBinding resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

serviceAccountName

TypeDefault
string""

serviceAccountName is deprecated and will be removed in a future version. Use serviceAccount.name instead.

serviceAccount

serviceAccount controls the Kubernetes ServiceAccounts deployed and used by the chart.

serviceAccount.create

TypeDefault
booltrue

serviceAccount.create controls whether Helm Chart creates the Kubernetes ServiceAccount resources for the agent and optionally for the updater. When off, you are responsible for creating the appropriate ServiceAccount resources.

serviceAccount.name

TypeDefault
string""

serviceAccount.name sets the name of the ServiceAccount resource used by the chart. By default, the ServiceAccount has the name of the Helm release.

rbac

rbac.create

TypeDefault
booltrue

rbac.create controls if the chart should create RBAC Kubernetes resources.

  • When true, the chart creates both ClusterRole and ClusterRoleBinding resources for the agent, and Role/RoleBinding for the updater if enabled.
  • When false, the chart does not create the Role and RoleBinding resources. The user is responsible for deploying and maintaining them separately.

This value can be set to false when deploying in constrained environments where the user deploying the operator is not allowed to edit RBAC resources.

joinTokenSecret

joinTokenSecret manages the join token secret creation and its name. See the joinParams section for more details.

joinTokenSecret.create

TypeDefault
booltrue

joinTokenSecret.create controls whether the chart creates the Kubernetes Secret containing the Teleport join token. If false, you must create a Kubernetes Secret with the configured name in the Helm release namespace.

joinTokenSecret.name

TypeDefault
string"teleport-kube-agent-join-token"

joinTokenSecret.name is the name of the Kubernetes Secret containing the Teleport join token used by the chart.

If joinTokenSecret.create is false, the chart will not attempt to create the secret itself. Instead, it will read the value from an existing secret. joinTokenSecret.name configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext join token stored in your Teleport chart values.

To create your own join token secret, you can use a command like this:

kubectl --namespace teleport create secret generic my-token-secret --from-literal=auth-token=<replace-with-actual-token>
Note

The key used for the auth token inside the secret must be auth-token, as in the command above.

For example:

joinTokenSecret:
  create: false
  name: my-token-secret

joinParams:
  method: "token"
  tokenName: ""

log

log controls the agent logging.

log.level

TypeDefault
string"INFO"

log.level is the log level for the Teleport process. Available log levels are: DEBUG, INFO, WARNING, ERROR.

The default is INFO, which is recommended in production. DEBUG is useful during first-time setup or to see more detailed logs for debugging.

log.output

TypeDefault
string"stderr"

log.output sets the output destination for the Teleport process. This can be set to any of the built-in values: stdout, stderr or syslog to use that destination.

The value can also be set to a file path (such as /var/log/teleport.log) to write logs to a file. Bear in mind that a few service startup messages will still go to stderr for resilience.

log.format

TypeDefault
string"text"

log.format sets the log output format for the Teleport process. Possible values are text (default) or json.

log.extraFields

TypeDefault
list["timestamp","level","component","caller"]

log.extraFields sets the fields used in logging for the Teleport process.

See the Teleport config file reference for more details on possible values for extra_fields.

affinity

TypeDefault
object{}

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.

dnsConfig

TypeDefault
object{}

dnsConfig contains custom Pod DNS Configuration for the agent pods. This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs to refer to applications and databases.

See the Kubernetes pod DNS documentation for more information.

For example:

 nameservers:
   - 1.2.3.4
 searches:
   - ns1.svc.cluster-domain.example
   - my.dns.search.suffix
 options:
   - name: ndots
     value: "2"

dnsPolicy

TypeDefault
string""

dnsPolicy sets the Pod's DNS Policy

See the Kubernetes pod DNS documentation for more information.

nodeSelector

TypeDefault
object{}

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

extraLabels

extraLabels contains additional Kubernetes labels to apply on the resources created by the chart. See the Kubernetes label documentation for more information.

extraLabels.clusterRole

TypeDefault
object{}

extraLabels.clusterRole are labels to set on the ClusterRole.

extraLabels.clusterRoleBinding

TypeDefault
object{}

extraLabels.clusterRoleBinding are labels to set on the ClusterRoleBinding.

extraLabels.role

TypeDefault
object{}

extraLabels.role are labels to set on the Role.

extraLabels.roleBinding

TypeDefault
object{}

extraLabels.roleBinding are labels to set on the RoleBinding.

extraLabels.config

TypeDefault
object{}

extraLabels.config are labels to set on the ConfigMap.

extraLabels.deployment

TypeDefault
object{}

extraLabels.deployment are labels to set on the Deployment or StatefulSet.

extraLabels.job

TypeDefault
object{}

extraLabels.job are labels to set on the post-delete Job created by the chart.

extraLabels.pod

TypeDefault
object{}

extraLabels.pod are labels to set on the Pods created by the Deployment, StatefulSet, or Job.

extraLabels.podDisruptionBudget

TypeDefault
object{}

extraLabels.podDisruptionBudget are labels to set on the podDisruptionBudget.

extraLabels.podSecurityPolicy

TypeDefault
object{}

extraLabels.podSecurityPolicy are labels to set on the podSecurityPolicy.

extraLabels.secret

TypeDefault
object{}

extraLabels.secret are labels to set on the Secret.

extraLabels.serviceAccount

TypeDefault
object{}

extraLabels.serviceAccount are labels to set on the ServiceAccount.

annotations

annotations contains annotations to apply to the different Kubernetes objects created by the chart. See the Kubernetes annotation documentation for more details.

annotations.config

TypeDefault
object{}

annotations.config contains the Kubernetes annotations put on the ConfigMap resource created by the chart.

annotations.deployment

TypeDefault
object{}

annotations.deployment contains the Kubernetes annotations put on the Deployment or StatefulSet resource created by the chart.

annotations.pod

TypeDefault
object{}

annotations.pod contains the Kubernetes annotations put on the Pod resources created by the chart.

annotations.secret

TypeDefault
object{}

annotations.secret contains the Kubernetes annotations put on the Secret resource created by the chart. This has no effect when joinTokenSecret.create is false.

annotations.serviceAccount

TypeDefault
object{}

annotations.serviceAccount contains the Kubernetes annotations put on the ServiceAccount resource created by the chart.

extraArgs

TypeDefault
list[]

extraArgs contains extra arguments to pass to teleport start for the main Teleport pod

extraEnv

TypeDefault
list[]

extraEnv contains extra environment variables to set in the main Teleport pod.

For example:

extraEnv:
  - name: HTTPS_PROXY
    value: "http://username:[email protected]:3128"

extraContainers

TypeDefault
list[]

extraContainers contains extra containers to add in the main Teleport pod.

For example:

extraContainers:
- name: debug-sidecar
  command:
    - busybox
    - sh
    - -c
    - "echo waiting && sleep infinity"
  image: busybox:latest
  imagePullPolicy: IfNotPresent
  securityContext:
    privileged: true
    runAsNonRoot: false

extraVolumes

TypeDefault
list[]

extraVolumes contains extra volumes to mount into the Teleport pods. See the Kubernetes volume documentation for more details.

For example:

extraVolumes:
- name: myvolume
  secret:
    secretName: testSecret

extraVolumeMounts

TypeDefault
list[]

extraVolumeMounts contains extra volumes mounts for the main Teleport container. See the Kubernetes volume documentation for more details.

For example:

extraVolumesMounts:
- name: myvolume
  mountPath: /path/on/host

hostAliases

hostAliases sets Host aliases in the Teleport Pod. See the Kubernetes hosts file documentation for more details.

For example:

hostAliases:
  - ip: "127.0.0.1"
    hostnames:
      - "foo.local"
      - "bar.local"
  - ip: "10.1.2.3"
    hostnames:
      - "foo.remote"
      - "bar.remote"

imagePullPolicy

TypeDefault
string"IfNotPresent"

imagePullPolicy sets the pull policy for any pods created by the chart. See the Kubernetes documentation for more details.

initContainers

TypeDefault
list[]

initContainers sets the Teleport Pod's init-containers. See the Kubernetes init-container documentation for more details.

For example:

initContainers:
- name: "teleport-init"
  image: "alpine"
  args: ["echo test"]

resources

TypeDefault
object{}

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

initSecurityContext

TypeDefault
object{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":9807,"seccompProfile":{"type":"RuntimeDefault"}}

initSecurityContext sets the init container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value is compatible with the restricted PSS.

To unset the security context, set it to null or ~.

securityContext

TypeDefault
object{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":9807,"seccompProfile":{"type":"RuntimeDefault"}}

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value is compatible with the restricted PSS.

To unset the security context, set it to null or ~.

podSecurityContext

TypeDefault
object{"fsGroup":9807}

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

To unset the security context, set it to null or ~.

priorityClassName

TypeDefault
string""

priorityClassName sets the priority class used by any pods created by the chart. The user is responsible for creating the PriorityClass resource before deploying the chart. See the Kubernetes documentation for more details.

tolerations

TypeDefault
list[]

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

probeTimeoutSeconds

TypeDefault
int1

probeTimeoutSeconds sets the timeout for the readiness and liveness probes https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/