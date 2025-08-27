Deploying tbot on Kubernetes with OIDC
This guide shows you how to deploy the Machine ID daemon
tbot on a Kubernetes
cluster that supports OIDC. The Kubernetes OIDC join method is a good fit for
use inside Kubernetes clusters on a cloud platform that can be configured to
provide a public OpenID Connect (OIDC) endpoint, including EKS, AKS, and GKE.
How it works
In the setup we demonstrate in this guide,
tbot runs as a Kubernetes
deployment. It writes output credentials to a Kubernetes secret, which can then
be mounted in the pods that need to use the credentials. While
tbot can also
run as a sidecar within the same pod as the service that needs to use the
credentials it generates, we recommend running
tbot as a standalone deployment
due the limited support Kubernetes has for sidecars.
In this guide, we demonstrate the
kubernetes join method using its OIDC
support, in which
tbot proves its identity to the Teleport Auth Service by
presenting a JSON web token (JWT) signed by the platform OIDC issuer. This JWT
is projected into pods by Kubernetes, and identifies the service account, the
pod, and the namespace in which
tbot is running. The Teleport Auth Service
checks the signature of the JWT against the Kubernetes OIDC provider's published
signing keys to verify the pod identity.
Not all Kubernetes providers support Service Account Issuer Discovery, which is required for this guide. If your provider does not support this feature, refer to our Kubernetes with Static JWKS guide instead.
Using another join method
When deploying
tbot to a Teleport cluster, it is generally recommended to use
the
kubernetes join method. This will work with most Kubernetes clusters.
The guide that follows will demonstrate configuring this join method.
However, when using certain cloud Kubernetes services, it is possible to use the
join method associated with that platform rather than the
kubernetes join
method. This may be beneficial if you wish to manage the joining of
tbot
within the Kubernetes clusters and on standard VMs on the same platform with
a single join token. These services are:
- Google Kubernetes Engine: Where
GCP Workload Identity
is configured for the cluster, it is possible to use the
gcpjoin method. See the GCP Platform Guide for further information.
- Amazon Elastic Kubernetes Service: Where
IAM Roles for Service Accounts (IRSA)
is configured for the cluster, it is possible to use the
iamjoin method. See the AWS Platform Guide for further information.
It is recommended to use Kubernetes OIDC joining on Azure (AKS) whenever possible.
Prerequisites
-
-
The
tctland
tshclients.
Installing
tctland
tshclients
-
Determine the version of your Teleport cluster. The
tctland
tshclients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at
/v1/webapi/findand use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:TELEPORT_DOMAIN=teleport.example.com:443TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
-
Follow the instructions for your platform to install
tctland
tshclients:
- Mac
- Windows - Powershell
- Linux
Download the signed macOS .pkg installer for Teleport, which includes the
tctland
tshclients:curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
In Finder double-click the
pkgfile to begin installation.danger
Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
All of the Teleport binaries in Linux installations include the
tctland
tshclients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gztar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gzcd teleportsudo ./install
Teleport binaries have been copied to /usr/local/bin
-
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 19.0.0-dev
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
- A Kubernetes cluster with support for Token Request Projection (which graduated to a generally available feature in Kubernetes 1.20).
kubectlauthenticated with the ability to create resources in the cluster you wish to deploy
tbotinto.
- A Kubernetes platform that supports Service Account Issuer Discovery, which became generally available in Kubernetes 1.21
The examples in this guide will install a
tbot deployment in the
default
Namespace of the Kubernetes cluster. Adjust references to
default to the
Namespace you wish to use.
Step 1/6. Verify support for Service Account Issuer Discovery
Before continuing, verify that your Kubernetes cluster can issue tokens that Teleport will be able to verify. To do so, we'll want to perform the following steps:
- Fetch the cluster's OpenID configuration endpoint and extract the
issuerfield
- Attempt to fetch the same OpenID configuration endpoint from its public
address, derived from the
issuerfield value, and extract the public
jwks_uri
- Attempt to fetch the
jwks_urito ensure Teleport will be able to do so when your agents attempt to join
To do so, ensure you have
kubectl,
curl, and
jq available. Start by
running this command to determine the public OIDC configuration URL:
kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer + "/.well-known/openid-configuration"'https://oidc.eks.us-west-2.amazonaws.com/id/cluster-id/.well-known/openid-configuration
If this command fails, the Service Account Issuer Discovery feature is not enabled on your Kubernetes cluster.
Next, we'll attempt to fetch the configuration document returned by the previous command. Note that this should be run over the public internet, such as your home internet connection, to help ensure the endpoint will be accessible to Teleport:
curl https://oidc.eks.us-west-2.amazonaws.com/id/cluster-id/.well-known/openid-configuration | jq{ "issuer": "https://oidc.eks.us-west-2.amazonaws.com/id/cluster-id", "jwks_uri": "https://oidc.eks.us-west-2.amazonaws.com/id/cluster-id/keys", "authorization_endpoint": "urn:kubernetes:programmatic_authorization", "response_types_supported": [ "id_token" ], "subject_types_supported": [ "public" ], "claims_supported": [ "sub", "iss" ], "id_token_signing_alg_values_supported": [ "RS256" ]}
If this command succeeds, make a note of the
issuer value for future steps.
Note that the particular
issuer value will vary depending on your cloud
provider, region, individual cluster; the example here roughly matches an Amazon
EKS cluster.
As one final check, you can also attempt to fetch the
jwks_uri:
curl https://oidc.eks.us-west-2.amazonaws.com/id/cluster-id/keys{"keys":[{...snip...}]}
There's no need to record anything from this response - we just want to be certain that Teleport will be able to access this URL.
If any of these commands fail, additional steps may be needed to enable public Service Account Issuer Discovery is enabled for your Kubernetes provider.
Refer to your cloud provider documentation to enable this feature, including:
- AWS: Enabling OIDC for EKS clusters
- Azure: Enabling OIDC for AKS clusters
- GKE clusters should work out of the box
If your provider does not support this feature, consider using either Static JWKS joining or an alternative Teleport join method better suited to your cloud provider.
Step 2/6. Prepare Kubernetes RBAC
In order to prepare the Kubernetes cluster for Machine ID, several Kubernetes RBAC resources must be created.
A ServiceAccount will be created and later assigned to the Pod that will run
tbot. This creates a static identity that we can allow access to join the
Teleport Cluster and also provides an identity to which we can assign Kubernetes
privileges.
A Kubernetes Role granting the ability to read and write to secrets in the
Namespace will be created and then assigned to the ServiceAccount using a
RoleBinding. This will allow the
tbot Pod to read and write credentials to a
Secret.
Create a file called
k8s-rbac.yaml:
# This ServiceAccount will be used to give the `tbot` pods a discrete identity
# which can be validated by the Teleport Auth Service.
apiVersion: v1
kind: ServiceAccount
metadata:
name: tbot
namespace: default
---
# This role grants the ability to manage secrets within the namespace - this is
# necessary for the `kubernetes_secret` destination to work correctly.
#
# You may wish to add the `resourceNames` field to the role to further restrict
# this access in sensitive environments.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secrets-admin
namespace: default
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["*"]
---
# Bind the role to the service account created for tbot.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tbot-secrets-admin
namespace: default
subjects:
- kind: ServiceAccount
name: tbot
roleRef:
kind: Role
name: secrets-admin
apiGroup: rbac.authorization.k8s.io
Apply this file to your Kubernetes cluster:
kubectl apply -f ./k8s-rbac.yaml
Step 3/6. Create a Bot
Next, you need to create a Bot. A Bot is a Teleport identity for a machine or group of machines. Like users, bots have a set of roles and traits which define what they can access.
Create
bot.yaml:
kind: bot
version: v1
metadata:
# name is a unique identifier for the Bot in the cluster.
name: example
spec:
# roles is a list of roles to grant to the Bot. Don't worry if you don't know
# what roles you need to specify here, the Access Guides will walk you through
# creating and assigning roles to the already created Bot.
roles: []
Make sure you replace
example with a unique, descriptive name for your Bot.
Use
tctl to apply this file:
tctl create bot.yaml
Step 4/6. Create a join token
Next, a join token needs to be configured. This will be used by
tbot to join
the cluster, and will require the issuer URL determined in Step 1.
Create
bot-token.yaml, ensuring you insert the
issuer value in
spec.kubernetes.oidc.issuer:
kind: token
version: v2
metadata:
# name will be specified in the `tbot` to use this token
name: example-bot
spec:
roles: [Bot]
# bot_name should match the name of the bot created earlier in this guide.
bot_name: example
join_method: kubernetes
kubernetes:
# oidc configures the Auth Service to validate the JWT presented by `tbot`
# using the public keys published by the configured OIDC issuer.
type: oidc
oidc:
# Insert the OIDC issuer value here, it will vary depending on your
# cluster and cloud provider.
issuer: https://oidc.eks.us-west-2.amazonaws.com/id/cluster-id
# allow specifies the rules by which the Auth Service determines if `tbot`
# should be allowed to join.
allow:
- service_account: "default:tbot" # service_account
Use
tctl to apply this file:
tctl create -f bot-token.yaml
Step 5/6. Create a
tbot deployment
First, create a ConfigMap to contain the configuration file for
tbot. This
will then be mounted into the Pod.
Create
k8s-deployment-config.yaml, replacing the value of
token with the
name of the token you created earlier and the value of
proxy_server with the
address of your Teleport Proxy Service:
apiVersion: v1
kind: ConfigMap
metadata:
name: tbot-config
namespace: default
data:
tbot.yaml: |
version: v2
onboarding:
join_method: kubernetes
# ensure token is set to the name of the join token you created earlier
token: bot-kubernetes
storage:
# a memory destination is used for the bots own state since the kubernetes
# join method does not require persistence.
type: memory
# ensure this is configured to the address of your Teleport Proxy Service.
proxy_server: example.teleport.sh:443
# outputs will be filled in during the completion of an access guide.
outputs: []
Apply this file to your Kubernetes cluster:
kubectl apply -f k8s-deployment-config.yaml
With the ConfigMap created, you can now create the
tbot deployment itself.
Create
k8s-deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: tbot
namespace: default
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: tbot
template:
metadata:
labels:
app.kubernetes.io/name: tbot
spec:
containers:
- name: tbot
image: public.ecr.aws/gravitational/tbot-distroless:19.0.0-dev
args:
- start
- -c
- /config/tbot.yaml
env:
# POD_NAMESPACE is required for the `kubernetes_secret` destination
# type to work correctly.
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# KUBERNETES_TOKEN_PATH specifies the path to the service account
# JWT to use for joining.
# This path is based on the configuration of the volume and
# volumeMount.
- name: KUBERNETES_TOKEN_PATH
value: /var/run/secrets/tokens/join-sa-token
# TELEPORT_ANONYMOUS_TELEMETRY enables the submission of anonymous
# usage telemetry. This helps us shape the future development of
# `tbot`. You can disable this by omitting this.
- name: TELEPORT_ANONYMOUS_TELEMETRY
value: "1"
volumeMounts:
- mountPath: /config
name: config
- mountPath: /var/run/secrets/tokens
name: join-sa-token
serviceAccountName: tbot
volumes:
- name: config
configMap:
name: tbot-config
- name: join-sa-token
projected:
sources:
- serviceAccountToken:
path: join-sa-token
# 600 seconds is the minimum that Kubernetes supports. We
# recommend this value is used.
expirationSeconds: 600
# `example.teleport.sh` must be replaced with the name of
# your Teleport cluster.
audience: example.teleport.sh
Replace
example.teleport.sh with the name of your Teleport cluster - this is
not necessarily the public address (the port should not be included).
This is an example manifest, consider modifying it to fit within the conventions of deployments to your clusters (e.g customizing labels).
The default
tbot-distroless image does not contain the FIPS-compliant
binaries. If you operate in an environment where FIPS compliance is required,
please use the
tbot-fips-distroless image instead.
Apply this file to your Kubernetes cluster:
kubectl apply -f ./k8s-deployment.yaml
Use
kubectl to verify that the deployment is healthy:
kubectl describe deployment/tbotkubectl logs deployment/tbot
With this complete,
tbot is now successfully deployed to your cluster.
However, it is not yet producing any useful output.
Step 6/6. Configure outputs
Follow one of the access guides to configure an output that meets your access needs.
In order to adjust the access guides to work well with Kubernetes, use the Kubernetes Secret destination type. This will write the generated artifacts to a specified Kubernetes Secret, for example:
outputs:
- type: identity
destination:
type: kubernetes_secret
name: identity-output
The output can then be consumed by mounting this secret within another pod:
apiVersion: v1
kind: Pod
metadata:
name: tsh
namespace: default
spec:
containers:
- name: tsh
image: public.ecr.aws/gravitational/teleport-distroless:19.0.0-dev
command:
- tsh
args:
- -i
- /identity-output/identity
- --proxy
- example.teleport.sh:443
- ls
volumeMounts:
- name: identity-output
mountPath: /identity-output
volumes:
- name: identity-output
secret:
secretName: identity-output
Next steps
- Follow the access guides to finish configuring
tbotfor your environment.
- Read the configuration reference to explore all the available configuration options.
- More information about
