teleport-operator Chart Reference

The teleport-operator Helm chart deploys the Teleport Kubernetes Operator. When deployed via the chart, the operator can join Teleport clusters living in Kubernetes or remote ones (such as Teleport Cloud). See the Kubernetes Operator for remote Teleport clusters guide for more details.

You can browse the source on GitHub.

Version requirement

The teleport-operator chart was introduced in Teleport 15. Prior versions don't support running the operator separately from the teleport-cluster chart.

The teleport-operator chart requires Kubernetes 1.20+ with projected volumes support.

Version Compatibility

The chart is versioned together with the Teleport Kubernetes Operator. No compatibility guarantees are made if the operator and chart versions differ. It is strongly recommended to always align the chart and operator versions by using the --version Helm flag.

enabled

Type: bool
Default: true

enabled controls if the operator should be enabled and deployed.

  • When true, the chart creates both the CustomResourceDefinition and operator Deployment Kubernetes resources.
  • When false, the chart creates the CustomResourceDefinition resources without the operator Deployment.

installCRDs

Type: string
Default: "dynamic"

installCRDs controls if the chart should install the CRDs. There are 3 possible values: dynamic, always, never.

  • "dynamic" means the CRDs are installed if the operator is enabled or if the CRDs are already present in the cluster. The presence check exists to avoid removing all CRDs if you temporarily disable the operator. Removing CRDs triggers a cascading deletion, which removes the CRs and all the related resources in Teleport.
  • "always" means the CRDs are always installed.
  • "never" means the CRDs are never installed.

teleportAddress

Type: string
Default: ""

teleportAddress is the address of the Teleport cluster whose resources are managed by the operator. The address must contain both the domain name and the port of the Teleport cluster. It can be either the address of the Auth Service or the Proxy Service.

For example:

  • joining a Proxy: teleport.example.com:443 or teleport.example.com:3080
  • joining an Auth: teleport-auth.example.com:3025
  • joining a Cloud-hosted Teleport: example.teleport.sh:443

caPins

Type: list[string]
Default: []

caPins is a list of Teleport CA fingerprints that is used by the operator to validate the identity of the Teleport Auth Service. This is only used when joining an Auth Service directly (on port 3025) and is ignored when joining through a Proxy (port 443 or 3080).

joinMethod

Type: string
Default: "kubernetes"

joinMethod describes how the Teleport Kubernetes Operator joins the Teleport cluster. Because the operator does not store its Teleport-issued identity, it must be able to join the cluster again on each pod restart. To achieve this, it needs to use a delegated join method; kubernetes is the most common one.

teleportClusterName

Type: string
Default: ""

teleportClusterName is the name of the joined Teleport cluster. Setting this value is required when joining via the Kubernetes JWKS join method.

token

Type: string
Default: ""

token is the name of the token used by the operator to join the Teleport cluster.

teleportVersionOverride

Type: string
Default: ""

teleportVersionOverride controls the Teleport Kubernetes Operator image version deployed by the chart.

Normally, the version of the Teleport Kubernetes Operator matches the version of the chart. If you install chart version 15.0.0, you'll use Teleport Kubernetes Operator version 15.0.0. Upgrading the operator is done by upgrading the chart.

Warning

teleportVersionOverride is intended for development and MUST NOT be used to control the Teleport version in a typical deployment. This chart is designed to run a specific Teleport version. You will face compatibility issues trying to run a different Teleport version with it.

If you want to run Teleport version X.Y.Z, you should use helm install --version X.Y.Z instead.

image

Type: string
Default: "public.ecr.aws/gravitational/teleport-operator"

image sets the container image used for Teleport Kubernetes Operator pods run by the chart.

You can override this to use your own Teleport Kubernetes Operator image rather than a Teleport-published image.

annotations

annotations.deployment

Type: object
Default: {}

annotations.deployment contains the Kubernetes annotations put on the Deployment resource created by the chart.

annotations.pod

Type: object
Default: {}

annotations.pod contains the Kubernetes annotations put on the Pod resources created by the chart.

annotations.serviceAccount

Type: object
Default: {}

annotations.serviceAccount contains the Kubernetes annotations put on the Deployment resource created by the chart.

labels

labels.deployment

Type: object
Default: {}

labels.deployment contains the Kubernetes labels put on the Deployment resource created by the chart.

labels.pod

Type: object
Default: {}

labels.pod contains the Kubernetes labels put on the Pod resources created by the chart.

serviceAccount

serviceAccount.create

Type: bool
Default: true

serviceAccount.create controls if the chart should create the Kubernetes ServiceAccount resource for the operator.

  • When true, the chart creates a ServiceAccount resource for the operator.
  • When false, the chart does not create the ServiceAccount resource. The user is responsible for deploying and maintaining it separately.

This value can be set to false when deploying in constrained environments where the user deploying the operator is not allowed to edit ServiceAccount resources.

serviceAccount.name

Type: string
Default: ""

serviceAccount.name controls the name of the operator Kubernetes ServiceAccount. By default, the operator pods use a ServiceAccount named after the Helm chart release. This value overrides that behaviour, which is useful when serviceAccount.create is false and the operator must use an existing ServiceAccount.

rbac

rbac.create

Type: bool
Default: true

rbac.create controls if the chart should create RBAC Kubernetes resources.

  • When true, the chart creates both Role and RoleBinding resources for the operator.
  • When false, the chart does not create the Role and RoleBinding resources. The user is responsible for deploying and maintaining them separately.

This value can be set to false when deploying in constrained environments where the user deploying the operator is not allowed to edit RBAC resources.

imagePullPolicy

Type: string
Default: "IfNotPresent"

imagePullPolicy sets the pull policy for any pods created by the chart. See the Kubernetes documentation for more details.

resources

Type: object
Default: {}

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

priorityClassName

Type: string
Default: ""

priorityClassName sets the priority class used by any pods created by the chart. The user is responsible for creating the PriorityClass resource before deploying the chart. See the Kubernetes documentation for more details.

tolerations

Type: list
Default: []

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

nodeSelector

Type: object
Default: {}

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

affinity

Type: object
Default: {}

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.

imagePullSecrets

Type: list
Default: []

imagePullSecrets sets the image pull secrets for any pods created by the chart. See the Kubernetes documentation for more details.

highAvailability

highAvailability.replicaCount

Type: int
Default: 1

highAvailability.replicaCount controls the number of operator pod replicas deployed by the chart.

When multiple pods are running, all pods join the Teleport cluster on startup but a single pod actively reconciles resources.

The operator replicas elect a replica leader using Kubernetes leases. If the leader fails, its lease will expire and another replica will start reconciling resources.

tls

tls.existingCASecretName

Type: string
Default: ""

tls.existingCASecretName makes the operator pods trust an additional CA certificate. This is used to trust Proxy certificates when they are signed by a private CA. By default, the operator trusts the CAs that are part of Mozilla's Web PKI (the ca-certificates package).

To use this value, you must create a Kubernetes Secret containing the CA certs in the same namespace as the Teleport Kubernetes Operator using a command such as:

kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
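The following values file is an added example, not part of the chart or the Teleport docs, tying together the join settings (teleportAddress, teleportClusterName, joinMethod, token, caPins) with the tls and highAvailability values described above. The hostnames, the token name and the Secret name are placeholders you replace with your own.

```yaml
# Example values for the teleport-operator chart (added illustration, not the
# chart's own values.yaml). Assumes a self-hosted Teleport cluster whose Proxy
# certificate is signed by a private CA stored in the Secret "my-root-ca"
# (created with the kubectl command shown above).
enabled: true
installCRDs: dynamic

# Join through the Proxy Service. Because this is a Proxy address (port 443),
# caPins is ignored; it would only be consulted for a direct Auth join on :3025.
teleportAddress: teleport.example.com:443
# Required when joining with the kubernetes (JWKS) join method.
teleportClusterName: teleport.example.com
joinMethod: kubernetes
# Name of the Teleport join token the operator uses (placeholder name).
token: teleport-operator-token
caPins: []

# Trust the private CA that signed the Proxy certificate.
tls:
  existingCASecretName: my-root-ca

# Two replicas: both join the cluster, one holds the lease and reconciles.
highAvailability:
  replicaCount: 2

# Pin the image policy and keep the restricted-PSS defaults for both contexts.
imagePullPolicy: IfNotPresent
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  fsGroup: 65532
  seccompProfile:
    type: RuntimeDefault
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
```

Install it with the chart version pinned to the Teleport version you run, for example `helm install teleport-operator teleport/teleport-operator --version X.Y.Z -f values.yaml`, where X.Y.Z is your Teleport version.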

podSecurityContext

Type: object
Default: {"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value supports running under the restricted Pod Security Standard.

securityContext

Type: object
Default: {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value supports running under the restricted Pod Security Standard.