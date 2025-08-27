Version: 17.x

warning This document describes Managed Updates for Agents (v1), which is currently supported but may be removed in future versions of Teleport. For Managed Updates v2 instructions, see Managed Updates for Agents (v2).

Managed Updates v1 uses a script called teleport-upgrade that is provided by the teleport-ent-updater package and configured by the cluster_maintenance_config Teleport resource. Managed Updates v2 uses a binary called teleport-update that is provided by the teleport package and configured by the autoupdate_version and autoupdate_config resources. The original updater and resource are described in this document.

Only Enterprise versions of Teleport can use Managed Updates v1.

Please consider using Managed Updates for Agents (v2), as it provides a safer, simpler, more flexible, compatible, and reliable update experience compared to Managed Updates v1.

Compatibility between Managed Updates v1 and v2 The Managed Updates v2 teleport-update binary is backwards-compatible with the cluster_maintenance_config resource. The Managed Updates v1 teleport-upgrade script is forwards-compatible with the autoupdate_config and autoupdate_version resources. Agents connected to the same cluster will all update to the same version. If the autoupdate_config resource is configured, it takes precedence over cluster_maintenance_config . This allows for a safe, non-breaking, incremental migration between Managed Updates v1 and v2. If autoupdate_config is not present and autoupdate_version is present, the autoupdate_config settings are implicitly derived from cluster_maintenance_config . Users of cloud-hosted Teleport Enterprise will be migrated to Managed Updates v2 in the first half of 2025 and should plan to migrate their agents to teleport-update .

On cloud-hosted Teleport Enterprise accounts, users must set up Managed Updates for Teleport Agents to ensure that the version of Teleport running on agents remains compatible with the version running on the Auth Service and Proxy Service. If an agent does not maintain version compatibility with your Teleport cluster, connections to those agents will become degraded or lost.

Cloud-hosted Teleport clusters are updated on a weekly basis. Major version updates are performed every 4 months. You can monitor and subscribe to the Teleport Status page to be notified of scheduled updates.

Teleport supports managed agent updates for SystemD-based Linux distributions using apt , yum , and zypper package managers, as well as Kubernetes clusters.

This guide explains how to enable Managed Updates v1 for Teleport Agents on Teleport Enterprise clusters, including both self-hosted and cloud-hosted clusters.

When Managed Updates are enabled, a Teleport updater is installed alongside each Teleport Agent. The updater communicates with the Teleport Proxy Service to determine when an update is available. When an update is available, the updater will update the Teleport Agent during the next maintenance window. However, if a critical update is available, the Teleport Agent will be updated outside the regular maintenance window.

Familiarity with the Upgrading Compatibility Overview guide, which describes the sequence in which to upgrade components in your cluster.

Teleport Agents that are not yet enrolled in Managed Updates.

A running Teleport Enterprise cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment. The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

If you are running a cloud-hosted Teleport Enterprise cluster, skip to Step 2.

Before enabling managed upgrades in your self-hosted Teleport cluster, you must enable a version server. This section shows you how to enable a version server in your cluster.

To enable Managed Updates in your cluster, you must create a cluster maintenance configuration. This configures a maintenance schedule for the Teleport cluster that agents use to determine when to check for upgrades.

Create a Teleport role that can manage cluster maintenance configurations through the cluster_maintenance_config dynamic resource. No preset Teleport roles provide this ability, so you will need to create one. Create a file called cmc-editor.yaml with the following content: kind: role version: v7 metadata: name: cmc-editor spec: allow: rules: - resources: [ 'cluster_maintenance_config' ] verbs: [ 'create' , 'read' , 'update' , 'delete' ] Create the role resource: tctl create cmc-editor.yaml tip You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit. Add the role to your Teleport user: Assign the cmc-editor role to your Teleport user by running the appropriate commands for your authentication provider: Local User

GitHub

SAML

OIDC Retrieve your local user's roles as a comma-separated list: ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")') Edit your local user to add the new role: tctl users update $(tsh status -f json | jq -r '.active.username') \ --set-roles "${ROLES?},cmc-editor" Sign out of the Teleport cluster and sign in again to assume the new role. Open your github authentication connector in a text editor: tctl edit github/github Edit the github connector, adding cmc-editor to the teams_to_roles section. The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization. Here is an example: teams_to_roles: - organization: octocats team: admins roles: - access + - cmc-editor Apply your changes by saving closing the file in your editor. Sign out of the Teleport cluster and sign in again to assume the new role. Retrieve your saml configuration resource: tctl get --with-secrets saml/mysaml > saml.yaml Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the saml.yaml file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource. Edit saml.yaml , adding cmc-editor to the attributes_to_roles section. The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization. Here is an example: attributes_to_roles: - name: "groups" value: "my-group" roles: - access + - cmc-editor Apply your changes: tctl create -f saml.yaml Sign out of the Teleport cluster and sign in again to assume the new role. Retrieve your oidc configuration resource: tctl get oidc/myoidc --with-secrets > oidc.yaml Note that the --with-secrets flag adds the value of spec.signing_key_pair.private_key to the oidc.yaml file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource. Edit oidc.yaml , adding cmc-editor to the claims_to_roles section. The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization. Here is an example: claims_to_roles: - name: "groups" value: "my-group" roles: - access + - cmc-editor Apply your changes: tctl create -f oidc.yaml Sign out of the Teleport cluster and sign in again to assume the new role. Create a cluster maintenance config in a file called cmc.yaml . The following example allows maintenance on Monday, Wednesday and Friday between 02:00 and 03:00 UTC: kind: cluster_maintenance_config spec: agent_upgrades: utc_start_hour: 2 weekdays: - Mon - Wed - Fri Apply the manifest using tctl : tctl create cmc.yaml maintenance window has been updated

By default, the version server has a single default channel, serving the version of the Teleport Proxy Service. If you want to override the default version or add other channels you can use the automatic_upgrades_channels field in the Proxy Service configuration file:

proxy_service: enabled: true automatic_upgrades_channels: teleport.example.com:443 default: static_version: v14.2.1 teleport.example.com:443 my-static-channel: static_version: v14.2.0 my-remote-channel: forward_url: https://updates.releases.teleport.dev/v1/stable/cloud

You must ensure that all Proxy Service instances share the same automatic_upgrades_channels configuration. If some Proxy Service instances are configured differently, you will experience agents flickering between versions as the version served is not consistent across instances.

If your Proxy Service public address is teleport.example.com:443 , you can query the version server with the following command:

curl "https:// teleport.example.com:443 /v1/webapi/automaticupgrades/channel/default/version" 17.7.2

Use the tctl inventory ls command to list connected agents along with their current version. Use the --upgrader=none flag to list agents that are not enrolled in Managed Updates.

tctl inventory ls --upgrader=none Server ID Hostname Services Version Upgrader ------------------------------------ ------------- -------- ------- -------- 00000000-0000-0000-0000-000000000000 ip-10-1-6-130 Node v14.4.5 none ...

For each agent ID returned by the tctl inventory ls command, copy the ID and run the following tctl command to access the host via tsh : HOST=00000000-0000-0000-0000-000000000000 USER=root tsh ssh "${USER?}@${HOST?}" Determine the Teleport version to install by querying the Teleport Proxy Service. This way, the Teleport installation has the same major version as the automatic updater. Replace stable/cloud with the name of your automatic update channel. For cloud-hosted Teleport Enterprise accounts, this is always stable/cloud : TELEPORT_VERSION="$(curl https:// teleport.example.com:443 /v1/webapi/automaticupgrades/channel/ stable/cloud /version | sed 's/v//')" Ensure that the Teleport repository is properly configured to use the stable/cloud channel, and install the teleport-ent-updater package. You must install teleport-ent-updater on each agent you would like to enroll into Managed Updates: Managed Teleport Enterprise

Self-Hosted Teleport Enterprise curl https://cdn.teleport.dev/install.sh | bash -s ${TELEPORT_VERSION?} cloud Follow the instructions in the Teleport installation guide to install the teleport binary on your Linux server for your package manager. Using your package manager, install teleport-ent-updater on the server where you installed teleport . For example: apt-get install -y teleport-ent-updater The installation script detects the package manager on your Linux server and uses it to install Teleport binaries. To customize your installation, learn about the Teleport package repositories in the installation guide. Confirm that the version of the teleport binary is the one you expect: teleport version Running the agent as a non-root user If you changed the agent user to run as non-root, create /etc/teleport-upgrade.d/schedule and grant ownership to your Teleport user: sudo mkdir -p /etc/teleport-upgrade.d/ sudo touch /etc/teleport-upgrade.d/schedule sudo chown your-teleport-user /etc/teleport-upgrade.d/schedule Verify that the upgrader can see your version endpoint by checking for upgrades: sudo teleport-upgrade dry-run You should see one of the following messages, depending on the target version you are currently serving: no upgrades available (1.2.3 == 1.2.3) an upgrade is available (1.2.3 -> 2.3.4) teleport-upgrade may display warnings about not having a valid upgrade schedule. This is expected immediately after install as the maintenance schedule might not be exported yet.

This section assumes that the name of your teleport-kube-agent release is teleport-agent , and that you have installed it in the teleport namespace.

Confirm that you are using the Teleport Enterprise edition of the teleport-kube-agent chart. You should see the following when you query your teleport-kube-agent release: helm -n `teleport` get values `teleport-agent` -o json | jq '.enterprise' true If another value such as null is returned, update your existing agent values.yaml to use the Enterprise version: enterprise: true Add the following chart values to the values file for the teleport-kube-agent chart: updater: enabled: true Update the Teleport Helm repository to include any new versions of the teleport-kube-agent chart: helm repo update teleport Update the Helm chart release with the new values: Cloud-Hosted

Self-Hosted helm -n teleport upgrade teleport-agent teleport/teleport-kube-agent \ --values=values.yaml \ --version="17.5.6" helm -n teleport upgrade teleport-agent teleport/teleport-kube-agent \ --values=values.yaml \ --version="17.7.2" You can validate the updater is running properly by checking if its pod is ready: kubectl -n teleport-agent get pods NAME READY STATUS RESTARTS AGE <your-agent-release>-0 1/1 Running 0 14m <your-agent-release>-1 1/1 Running 0 14m <your-agent-release>-2 1/1 Running 0 14m <your-agent-release>-updater-d9f97f5dd-v57g9 1/1 Running 0 16m Check for any deployment issues by checking the updater logs: kubectl -n teleport logs deployment/ teleport-agent -updater 2023-04-28T13:13:30Z INFO StatefulSet is already up-to-date, not updating. {"controller": "statefulset", "controllerGroup": "apps", "controllerKind": "StatefulSet", "StatefulSet": {"name":"my-agent","namespace":"agent"}, "namespace": "agent", "name": "my-agent", "reconcileID": "10419f20-a4c9-45d4-a16f-406866b7fc05", "namespacedname": "agent/my-agent", "kind": "StatefulSet", "err": "no new version (current: \"v12.2.3\", next: \"v12.2.3\")"}

Teleport Agents are not updated immediately when a new version of Teleport is released, and agent updates can lag behind the cluster by a few days.

If the Teleport Agent has not been automatically updating for several weeks, you can consult the updater logs to help troubleshoot the problem:

journalctl -u teleport-upgrade

The updater is a controller that periodically reconciles expected Kubernetes resources with those in the cluster. The updater executes a reconciliation loop every 30 minutes or in response to a Kubernetes event. If you don't want to wait until the next reconciliation, you can trigger an event.

Any deployment update will send an event, so you can trigger the upgrader by annotating the resource: kubectl -n teleport annotate statefulset/ teleport-agent 'debug.teleport.dev/trigger-event=1' To suspend Managed Updates for an agent, annotate the agent deployment with teleport.dev/skipreconcile: "true" , either by setting the annotations.deployment value in Helm, or by patching the deployment directly with kubectl .