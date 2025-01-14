Version: 15.x

On this page

Kubernetes Clusters Discovery

Kubernetes Clusters Discovery allows Kubernetes clusters hosted on cloud providers to be discovered and enrolled automatically.

While discovering a new Kubernetes cluster, Teleport does not install any component on the cluster. Instead, it requires direct access to the cluster's API and minimal access permissions.

AWS: Discovery for AWS EKS clusters.

Azure: Discovery for Azure AKS clusters.

Google Cloud: Discovery for Google Kubernetes Engine clusters.

Kubernetes Clusters Discovery consists of two steps:

The Teleport Discovery Service is responsible for scanning the configured cloud providers and identifying if any Kubernetes clusters match a set of filtering labels. When the process identifies a new Kubernetes cluster, it creates a dynamic resource within Teleport. This resource includes information imported from the cloud provider such as:

Name: Cluster name

Labels Cluster tags. Cluster location. Identification of which cloud account the cluster belongs to — AWS Account ID / Azure Subscription ID.



tip You can import the cluster under a different name into Teleport's registry. To achieve this, you must attach the following tag to the resources — EKS, AKS, GKE — in your cloud provider: key : TeleportKubernetesName

: value: desired name The Discovery Service will check if the cluster includes the tag and use its value as the resource name in Teleport. You should use this feature whenever there are clusters in different regions/cloud providers with the same name to prevent them from colliding in Teleport.

In addition to detecting new Kubernetes clusters, the Discovery Service also removes — from Teleport's registry — the Kubernetes clusters that have been deleted or whose tags no longer meet the filtering labels.

warning Discovery Service exposes a configuration parameter - discovery_service.discovery_group - that allows you to group discovered resources into different sets. This parameter is used to prevent Discovery Agents watching different sets of cloud resources from colliding against each other and deleting resources created by another services. When running multiple Discovery Services, you must ensure that each service is configured with the same discovery_group value if they are watching the same cloud resources or a different value if they are watching different cloud resources. It is possible to run a mix of configurations in the same Teleport cluster meaning that some Discovery Services can be configured to watch the same cloud resources while others watch different resources. As an example, a 4-agent high availability configuration analyzing data from two different cloud accounts would run with the following configuration. 2 Discovery Services configured with discovery_group: "prod" polling data from Production account.

polling data from Production account. 2 Discovery Services configured with discovery_group: "staging" polling data from Staging account.

The following snippet describes the different configuration options for the Discovery Service and their default values.

discovery_service: enabled: "yes" discovery_group: "prod" aws: - types: [ "eks" ] regions: [ "us-east-1" , "us-west-1" ] tags: "env": "prod" assume_role_arn: arn:aws:iam::123456789012:role/iam-discovery-role external_id: "example-external-id" setup_access_for_arn: arn:aws:iam::123456789012:role/kube-service-role azure: - types: [ "aks" ] regions: [ "*" ] subscriptions: [ "*" ] resource_groups: [ "*" ] tags: "env": "prod" gcp: - types: [ "gke" ] locations: [ "*" ] project_ids: [ "myproject" ] tags: "*" : "*"

The Teleport Kubernetes Service is responsible for monitoring the dynamic resources created or updated by the Discovery Service and forwarding requests to the Kubernetes clusters they represent. To work correctly, it requires direct access to the target Kubernetes clusters and permissions to forward requests.

To turn on dynamic resource monitoring in the Kubernetes Service, you must configure the kubernetes_service.resources section as shown in the following snippet:

kubernetes_service: enabled: "yes" resources: - labels: "*" : "*" aws: assume_role_arn: arn:aws:iam::123456789012:role/iam-discovery-role external_id: "example-external-id"

When configuring the kubernetes_service.resources parameter, the Teleport Kubernetes Service is set to monitor EKS clusters that are discovered by the Teleport Discovery Service. The monitoring process involves a label matching mechanism to identify and manage the EKS clusters.

Discovery and Label Matching: The Discovery Service identifies available EKS clusters within the AWS environment. The Teleport Kubernetes Service checks the labels of these clusters against the labels specified in the kubernetes_service.resources[].labels configuration, which is the selector array. Role Selection: The first selector in the array that matches the labels of an EKS cluster determines the role that the Kubernetes Service will assume. This role is essential for the Teleport Kubernetes Service to retrieve necessary cluster details from the AWS API. If no match is found, the Kubernetes Service defaults to its own identity. Interaction with AWS and Kubernetes APIs: Once a match is found and a role is assumed, the Teleport Kubernetes Service uses this role to access the AWS API. It retrieves information about the EKS cluster, such as configuration and status. Subsequently, the Teleport Kubernetes Service forwards requests to the Kubernetes API, enabling interaction with the cluster.

Both services — Discovery and Kubernetes — can be configured in the same Teleport process or separate processes.