Scaling Privileged Access for Modern Infrastructure: Real-World Insights
Apr 25
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Fork me on GitHub

Teleport

Teleport Kubernetes Operator

Version 15.x

The Teleport Kubernetes Operator provides a way for Kubernetes users to manage some Teleport resources through Kubernetes, following the Operator Pattern.

The Teleport Kubernetes Operator is deployed alongside its custom resource definitions. Once deployed, users can use a Kubernetes client like kubectl or their existing CI/CD Kubernetes pipelines to create Teleport custom resources. The Teleport Kubernetes Operator watches for those resources and does API calls to Teleport to reach the desired state.

Since Teleport version 15, the operator can be deployed both:

  • alongside self-hosted Teleport clusters deployed with the teleport-cluster Helm chart. This deployment method differs from version 14. In version 15 and above, the operator is no longer deployed as a sidecar. An operator outage cannot affect Teleport's availability.
  • against a remote Teleport instance (such as Teleport Cloud or deployed with Terraform)

The operator supports multiple replicas within a single cluster by electing a leader with a Kubernetes lease.

Warning

Only one operator deployment should run against a Teleport cluster. Else, different operators could cause instability and non-deterministic behaviour.

Currently supported Teleport resources are:

  • users (TeleportUser)
  • roles
    • TeleportRole creates role v5
    • TeleportRoleV6 creates role v6
    • TeleportRoleV7 creates role v7
  • OIDC connectors (TeleportOIDCConnector)
  • SAML connectors (TeleportSAMLConnector)
  • GitHub connectors (TeleportGithubConnector)
  • provision tokens (TeleportProvisionToken)
  • Login Rules (TeleportLoginRules)

Setting up the operator

If you are self-hosting Teleport using the teleport-cluster Helm chart, follow the guide for Helm-deployed clusters.

If you are hosting Teleport out of Kubernetes (Teleport Cloud, Terraform, ...), follow the standalone operator guide.

Troubleshooting

The CustomResources (CRs) are not reconciled

The Teleport Operator watches for new resources or changes in Kubernetes. When a change happens, it triggers the reconciliation loop. This loop is in charge of validating the resource, checking if it already exists in Teleport and making calls to the Teleport API to create/update/delete the resource. The reconciliation loop also adds a status field on the Kubernetes resource.

If an error happens and the reconciliation loop is not successful, an item in status.conditions will describe what went wrong. This allows users to diagnose errors by inspecting Kubernetes resources with kubectl:

kubectl describe teleportusers myuser

For example, if a user has been granted a nonexistent role the status will look like:

apiVersion: resources.teleport.dev/v2
kind: TeleportUser
# [...]
status:
  conditions:
  - lastTransitionTime: "2022-07-25T16:15:52Z"
    message: Teleport resource has the Kubernetes origin label.
    reason: OriginLabelMatching
    status: "True"
    type: TeleportResourceOwned
  - lastTransitionTime: "2022-07-25T17:08:58Z"
    message: 'Teleport returned the error: role my-non-existing-role is not found'
    reason: TeleportError
    status: "False"
    type: SuccessfullyReconciled

Here SuccessfullyReconciled is False and the error is role my-non-existing-role is not found.

If the status is not present or does not give sufficient information to solve the issue, check the operator logs:

The CR doesn't have a status

  1. Check if the CR is in the same namespace as the operator. The operator only watches for resource in its own namespace.

  2. Check if the operator pods are running and healthy:

    kubectl get pods -n "$OPERATOR_NAMESPACE"`

  3. Check the operator logs:

    kubectl logs deploy/<OPERATOR_DEPLOYMENT_NAME> -n "$OPERATOR_NAMESPACE"
    Note

    In case of multi-replica deployments, only one operator instance is running the reconciliation loop. This operator is called the leader and is the only one producing reconciliation logs. The other operator instances are waiting with the following log:

    leaderelection.go:248] attempting to acquire leader lease teleport/431e83f4.teleport.dev...

    To diagnose reconciliation issues, you will have to inspect all pods to find the one reconciling the resources.

I cannot delete the Kubernetes CR

The operator protects Kubernetes CRs from deletion with a finalizer. It will not allow the CR to be deleted until the Teleport resource is deleted as well, this is a safety to avoid leaving dangling resources and potentially grant unintentional access.

There might be some reasons causing Teleport to refuse a resource deletion, the most frequent one is if another resource depends on it. For example: you cannot delete a role if it is still assigned to a user.

If this happens, the operator will report the error sent by Teleport in its log.

To resolve this lock, you can either:

  • resolve the dependency issue so the resource gets successfully deleted in Teleport. In the role example, this would imply removing any mention of the role from the various users who had it.

  • patch the Kubernetes CR to remove the finalizers. This will tell Kubernetes to stop waiting for the operator deletion and remove the CR. If you do this, the CR will be removed but the Teleport resource will remain. The operator will never attempt to remove it again.

    For example, if the role is named my-role:

    kubectl patch TeleportRole my-role -p '{"metadata":{"finalizers":null}}' --type=merge

Next steps