tbot-spiffe-daemon-set Chart Reference
This chart deploys a daemon set of the Machine & Workload Identity agent, tbot, into your Kubernetes cluster to provide SPIFFE identities to workloads in the cluster. This is the recommended way of deploying MWI for SPIFFE into Kubernetes clusters.
To use it, you will need to know:
- The address of your Teleport Proxy Service or Auth Service
- The name of your Teleport cluster
- The name of a join token configured for Machine & Workload Identity and your Kubernetes cluster as described in the Machine & Workload Identity on Kubernetes guide
- A configured WorkloadIdentity resource for your cluster
By default, this chart is designed to use the kubernetes join method but it
can be customized to use any delegated join method. We do not recommend that
you use the token join method with this chart. Visit the
join method reference for more information
about alternatives to the kubernetes join method.
Minimal configuration
Follow steps 1 and 2 from the
Deploying tbot on Kubernetes guide
to create a Bot and Join Token for your tbot daemon set to use for
authentication.
You must have also created a WorkloadIdentity resource to be used when issuing a SPIFFE SVID. For example, the following configuration would produce a SPIFFE ID including the namespace and service account of the pod:
```yaml
kind: workload_identity
version: v1
metadata:
  name: example-workload-identity
spec:
  spiffe:
    id: /k8s/{{ workload.kubernetes.namespace }}/{{ workload.kubernetes.service_account }}
```
Ensure that your Bot has been granted access to issue this WorkloadIdentity via a role. See the WorkloadIdentity reference to learn more about customizing the structure of the SPIFFE IDs issued to your workloads.
The following are the minimal values you must set on the chart for it to function correctly:
```yaml
# Set to the name of your Teleport cluster.
clusterName: example.teleport.sh
# Set to the name of the token you created.
token: example-token
# Set to the address of your Teleport Proxy Service.
teleportProxyAddress: example.teleport.sh:443
workloadIdentitySelector:
  # Set to the name of the WorkloadIdentity resource you'd like to use when
  # issuing SVIDs.
  name: example-workload-identity
```
After deploying the chart, you will need to make the SPIFFE Workload API available to your workloads. You can manually mount the SPIFFE Workload API into your pods via hostPath, or you can deploy the SPIFFE CSI Driver to simplify this process.
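As an added example (not part of the chart or the original page), the following Pod manifest consumes the Workload API exposed by the daemon set through a hostPath mount. The host socket directory `/run/spiffe/workload` and the socket file name `workload.sock` are assumptions; check the DaemonSet rendered by the chart for the real path before using it.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: spiffe-consumer
  namespace: default
spec:
  # With the WorkloadIdentity template above, this pod is issued the SPIFFE ID
  # spiffe://<trust-domain>/k8s/default/example-sa based on its namespace and service account.
  serviceAccountName: example-sa
  containers:
    - name: app
      image: registry.example.com/app:1.0.0   # constructed placeholder image
      env:
        # Standard SPIFFE environment variable read by Workload API client libraries.
        - name: SPIFFE_ENDPOINT_SOCKET
          value: unix:///spiffe-workload-api/workload.sock
      volumeMounts:
        - name: spiffe-workload-api
          mountPath: /spiffe-workload-api
          # A read-only mount is sufficient to connect to the socket and keeps the
          # workload from tampering with the agent's directory.
          readOnly: true
  volumes:
    - name: spiffe-workload-api
      hostPath:
        # ASSUMPTION: directory on the node where the tbot daemon set writes its socket.
        path: /run/spiffe/workload
        type: Directory
```

Because the SPIFFE ID is derived from the pod's namespace and service account, the same manifest deployed under a different service account receives a different identity without any change to the chart values.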
Full reference
image
| Type | Default |
|---|---|
| string | "public.ecr.aws/gravitational/tbot-distroless" |
image sets the container image used for tbot pods created by this
chart.
You can override this to use your own tbot image rather than a Teleport-published image.
clusterName
| Type | Default |
|---|---|
| string | "" |
clusterName should be the name of the Teleport cluster that your
Bot will join. You can retrieve it by running tctl status.
For example: clusterName: "test.teleport.sh"
teleportProxyAddress
| Type | Default |
|---|---|
| string | "" |
teleportProxyAddress is the Teleport Proxy Service address the bot will connect to.
This must contain the port number, usually 443 or 3080 for the Proxy Service.
Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
This is mandatory to connect to Teleport Enterprise (Cloud).
This setting is mutually exclusive with configuring an Auth Service address directly, and is ignored if tbotConfig is set.
For example:
```yaml
teleportProxyAddress: "test.teleport.sh:443"
```
workloadIdentitySelector
| Type | Default |
|---|---|
| object | {"labels":{},"name":""} |
workloadIdentitySelector controls which WorkloadIdentity resources
will be used when issuing SVIDs via the SPIFFE Workload API. You must set
either name or labels.
workloadIdentitySelector.name
| Type | Default |
|---|---|
| string | "" |
workloadIdentitySelector.name selects the WorkloadIdentity resource by name.
workloadIdentitySelector.labels
| Type | Default |
|---|---|
| object | {} |
workloadIdentitySelector.labels selects the WorkloadIdentity resource by labels.
tbotConfig
| Type | Default |
|---|---|
| object | {} |
tbotConfig contains YAML tbot configuration to pass to the
tbot pods. The configuration will be merged with the chart-generated
configuration and will take precedence in case of conflict. Prefer the more
specific configuration values elsewhere in this chart where they cover your need.
joinMethod
| Type | Default |
|---|---|
| string | "kubernetes" |
joinMethod describes how tbot joins the Teleport cluster.
See the join method reference for a list of supported values and detailed explanations.
Ignored if tbotConfig is set.
token
| Type | Default |
|---|---|
| string | "" |
token is the name of the token used by tbot to join the Teleport cluster.
This value is not sensitive unless the joinMethod is set to "token".
Ignored if tbotConfig is set.
teleportVersionOverride
| Type | Default |
|---|---|
| string | "" |
teleportVersionOverride controls the tbot image version deployed by
the chart.
Normally, the version of tbot matches the version of the chart. If you install chart version 15.0.0, you'll use tbot version 15.0.0. Upgrading tbot is done by upgrading the chart.
teleportVersionOverride is intended for development and MUST NOT be
used to control the Teleport version in a typical deployment. This
chart is designed to run a specific Teleport version. You will face
compatibility issues trying to run a different Teleport version with it.
If you want to run Teleport version X.Y.Z, you should use
helm install --version X.Y.Z instead.
anonymousTelemetry
| Type | Default |
|---|---|
| bool | false |
anonymousTelemetry controls whether anonymous telemetry is enabled.
debug
| Type | Default |
|---|---|
| bool | false |
debug controls whether the tbot agent runs in debug mode.
serviceAccount
serviceAccount controls the Kubernetes ServiceAccounts deployed and used by
the chart.
serviceAccount.create
| Type | Default |
|---|---|
| bool | true |
serviceAccount.create controls whether the Helm chart creates the
Kubernetes ServiceAccount resources for the agent.
When off, you are responsible for creating the appropriate ServiceAccount
resources.
serviceAccount.name
| Type | Default |
|---|---|
| string | "" |
serviceAccount.name sets the name of the ServiceAccount resource
used by the chart. By default, the ServiceAccount has the name of the
Helm release.
rbac
rbac controls the creation of the Kubernetes Role and RoleBinding
used by the serviceAccount.
rbac.create
| Type | Default |
|---|---|
| bool | true |
rbac.create controls whether the Helm chart creates the
Kubernetes Role and RoleBinding resources for the Kubernetes ServiceAccount.
When off, you are responsible for creating the appropriate resources.
imagePullPolicy
| Type | Default |
|---|---|
| string | "IfNotPresent" |
imagePullPolicy sets the pull policy for any pods created by the chart.
See the Kubernetes documentation
for more details.
extraLabels
extraLabels contains additional Kubernetes labels to apply on the resources
created by the chart.
See the Kubernetes label documentation
for more information.
extraLabels.role
| Type | Default |
|---|---|
| object | {} |
extraLabels.role are labels to set on the Role.
extraLabels.roleBinding
| Type | Default |
|---|---|
| object | {} |
extraLabels.roleBinding are labels to set on the RoleBinding.
extraLabels.config
| Type | Default |
|---|---|
| object | {} |
extraLabels.config are labels to set on the ConfigMap.
extraLabels.daemonSet
| Type | Default |
|---|---|
| object | {} |
extraLabels.daemonSet are labels to set on the DaemonSet.
extraLabels.pod
| Type | Default |
|---|---|
| object | {} |
extraLabels.pod are labels to set on the Pods created by the
Deployment or StatefulSet.
extraLabels.serviceAccount
| Type | Default |
|---|---|
| object | {} |
extraLabels.serviceAccount are labels to set on the ServiceAccount.
extraLabels.clusterRole
| Type | Default |
|---|---|
| object | {} |
extraLabels.clusterRole are labels to set on the ClusterRole.
extraLabels.clusterRoleBinding
| Type | Default |
|---|---|
| object | {} |
extraLabels.clusterRoleBinding are labels to set on the
ClusterRoleBinding.
annotations
annotations contains annotations to apply to the different Kubernetes
objects created by the chart. See the Kubernetes annotation
documentation
for more details.
annotations.role
| Type | Default |
|---|---|
| object | {} |
annotations.role are annotations to set on the Role.
annotations.roleBinding
| Type | Default |
|---|---|
| object | {} |
annotations.roleBinding are annotations to set on the RoleBinding.
annotations.config
| Type | Default |
|---|---|
| object | {} |
annotations.config contains the Kubernetes annotations
put on the ConfigMap resource created by the chart.
annotations.daemonSet
| Type | Default |
|---|---|
| object | {} |
annotations.daemonSet contains the Kubernetes annotations
put on the DaemonSet resource created by the chart.
annotations.pod
| Type | Default |
|---|---|
| object | {} |
annotations.pod contains the Kubernetes annotations
put on the Pod resources created by the chart.
annotations.serviceAccount
| Type | Default |
|---|---|
| object | {} |
annotations.serviceAccount contains the Kubernetes annotations
put on the ServiceAccount resource created by the chart.
extraLabels.clusterRole
| Type | Default |
|---|---|
| object | {} |
extraLabels.clusterRole are annotations to set on the ClusterRole.
extraLabels.clusterRoleBinding
| Type | Default |
|---|---|
| object | {} |
extraLabels.clusterRoleBinding are annotations to set on the
ClusterRoleBinding.
resources
| Type | Default |
|---|---|
| object | {} |
resources sets the resource requests/limits for any pods created by the chart.
See the Kubernetes documentation
for more details.
affinity
| Type | Default |
|---|---|
| object | {} |
affinity sets the affinities for any pods created by the chart.
See the Kubernetes documentation
for more details.
tolerations
| Type | Default |
|---|---|
| list | [] |
tolerations sets the tolerations for any pods created by the chart.
See the Kubernetes documentation
for more details.
nodeSelector
| Type | Default |
|---|---|
| object | {} |
nodeSelector sets the node selector for any pods created by the chart.
See the Kubernetes documentation
for more details.
imagePullSecrets
| Type | Default |
|---|---|
| list | [] |
imagePullSecrets sets the image pull secrets for any pods created by the chart.
See the Kubernetes documentation
for more details.
extraVolumes
| Type | Default |
|---|---|
| list | [] |
extraVolumes contains extra volumes to mount into the Teleport pods.
See the Kubernetes volume documentation
for more details.
For example:
```yaml
extraVolumes:
  - name: myvolume
    secret:
      secretName: testSecret
```
extraVolumeMounts
| Type | Default |
|---|---|
| list | [] |
extraVolumeMounts contains extra volume mounts for the main Teleport container.
See the Kubernetes volume documentation
for more details.
For example:
```yaml
extraVolumeMounts:
  - name: myvolume
    mountPath: /path/on/host
```
extraArgs
| Type | Default |
|---|---|
| list | [] |
extraArgs contains extra arguments to pass to tbot start for
the main tbot pod.
extraEnv
| Type | Default |
|---|---|
| list | [] |
extraEnv contains extra environment variables to set in the main
tbot pod.
For example:
```yaml
extraEnv:
  - name: HTTPS_PROXY
    value: "http://username:password@my.proxy.host:3128"
```
securityContext
| Type | Default |
|---|---|
| object | {"privileged":true} |
securityContext sets the container security context for any pods created by the chart.
The default high level of privilege is necessary to support the workload attestation feature of tbot, as this
requires the ability to read sensitive information about other processes running on the system.
See the Kubernetes documentation
for more details.
podSecurityContext
| Type | Default |
|---|---|
| object | {"runAsGroup":0,"runAsUser":0} |
podSecurityContext sets the pod security context for any pods created by the chart.
The default high level of privilege is necessary to support the workload attestation feature of tbot, as this
requires the ability to read sensitive information about other processes running on the system.
See the Kubernetes documentation
for more details.