teleport-kube-agent Chart Reference

The teleport-kube-agent Helm chart is used to configure a Teleport agent that runs in a remote Kubernetes cluster to provide access to resources in your infrastructure.

You can browse the source on GitHub.

This reference details available values for the teleport-kube-agent chart.

Warning

Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed.

What the chart deploys

Teleport services

The teleport-kube-agent chart can run any or all of three Teleport services:

Teleport service	Name for roles and tctl tokens add	Purpose
kubernetes_service	kube	Uses Teleport to handle authentication with and proxy access to a Kubernetes cluster
application_service	app	Uses Teleport to handle authentication with and proxy access to web-based applications
database_service	db	Uses Teleport to handle authentication with and proxy access to databases

Legacy releases

Releases of this chart installed before version 11 are considered legacy releases, which launch the Teleport pod as a Deployment if no storage was configured.

In version 11 and above, the chart launches the Teleport pod as a StatefulSet even when the chart is configured not to use external storage, and the Teleport pod reads its state from a Kubernetes Secret.

While the Teleport pod does not require external storage, you can still use the storage.enabled field to configure the way the Teleport pod reads data from a persistent volume.

To learn how upgrading from a legacy release to version 11 will affect resources launched by this chart, see the resource list.

Kubernetes resources

The teleport-kube-agent chart deploys the following Kubernetes resources:

Kind	Default Name	Description	When Deployed
StatefulSet	The release name	Running a user-configured Teleport pod.	Always.
Secret	joinTokenSecret.name (default: teleport-kube-agent-join-token)	Used for managing the state of the Teleport pod.	joinTokenSecret.secret is true.
Deployment	The release name	Runs a user-configured Teleport pod.	storage.enabled is false and the chart is being upgraded. Fresh installs will deploy a StatefulSet instead.
Role	The roleName option, if given, or the release name.	Used to manage the state of the Teleport pod via Kubernetes secrets.	Always.
ClusterRole	clusterRoleName, if given, or the release name.	Allows impersonating users, groups, and service accounts, getting pods, and creating SelfSubjectAccessReviews so the Teleport pod can manage access to resources in its Kubernetes cluster.	Always.
ClusterRoleBinding	clusterRoleBindingName, if provided, or the release name	Enables the Teleport pod to manage access to resources in the Kubernetes cluster.	Always.
RoleBinding	roleBindingName, if given, or the release name	Enables the Teleport pod to manage access to resources in the Kubernetes cluster.	Always.
ServiceAccount	serviceAccount.name, if given, or the release name	Enables the Teleport pod to manage access to resources in the Kubernetes cluster.	serviceAccount.create is true
PodDisruptionBudget	The release name	Ensure high availability for the Teleport pod.	highAvailability.podDisruptionBudget.enabled is true.
ServiceAccount	The release name, suffixed by -hook	Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.	If the teleport-kube-agent release contains a legacy Deployment resource.
Role	The release name, suffixed by -hook	Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.	If the teleport-kube-agent release contains a legacy Deployment resource.
RoleBinding	The release name, suffixed by -hook	Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.	If the teleport-kube-agent release contains a legacy Deployment resource.
Job	The release name, suffixed by -hook	Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete.	If the teleport-kube-agent release contains a legacy Deployment resource.
ConfigMap	The release name	Contains the configuration for the Teleport pod.	Always.
PodSecurityPolicy	The release name	Enforces security requirements for pods deployed by teleport-kube-agent.	podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.
Role	The release name, suffixed by -psp	Enforces security requirements for pods deployed by teleport-kube-agent.	podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.
RoleBinding	The release name, suffixed by -psp	Enforces security requirements for pods deployed by teleport-kube-agent.	podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23.

roles

This parameter is not mandatory to preserve backwards compatibility with older chart versions, but we recommend it is set.

Type	Default value
string	kube

roles is a comma-separated list of services which should be enabled when running the teleport-kube-agent chart.

Services	Value for roles	Mandatory additional settings for this role
Teleport Kubernetes service	kube	kubeClusterName
Teleport Application service	app	apps
Teleport Database service	db	databases

values.yaml example:

roles: kube,app,db

enterprise

Type	Default value
bool	false

When enterprise is set to true, the container image used for Teleport agent pods run by the teleport-kube-agent chart will be the enterprise version. This should be set to true for connecting to Teleport Cloud and self-hosted Teleport Enterprise clusters to use enterprise features within the Kube Agent.

values.yaml example:

enterprise: true

updater

updater controls whether the Kube Agent Updater should be deployed alongside the teleport-kube-agent. The updater fetches the target version, validates the image signature, and updates the teleport deployment. The enterprise value should have been set to true.

All Kubernetes-specific fields such as tolerations, affinity, nodeSelector, ... default to the agent values. However, they can be overridden from the updater object. For example:

# the agent pod requests 1cpu and 2 GiB of memory. It also has a memory limit.
resources:
  requests:
    cpu: "1"
    memory: "2Gi"
  limits:
    memory: "2Gi"

# the updater pod requests 0.5 cpu and 512MiB of memory. The memory limit has also been unset.
updater:
  resources:
    requests:
      cpu: "0.5"
      memory: "512Mi"
    limits: ~

Other updater-specific values that can be defined in updater are described below:

updater.enabled

Type	Default value	Required?
bool	false	No

Enables the Kube Agent Updater and deploys it alongside the Teleport Agent. You can enable this when:

• using Teleport Cloud and your tenant is enrolled into automatic updates. (You can check this through the web UI, choose Add Kubernetes and Enroll New Resource of type Kubernetes, and check if the value is turned on.)
• using self-hosted Teleport and you maintain your own version server.

You must not enable this if:

• you are a Teleport Cloud customer not enrolled in automatic updates.
• you are a self-hosted Teleport user and have not set up your Teleport cluster to support automatic updates.

updater.versionServer

Type	Default value	Required?
string	"https://updates.releases.teleport.dev/v1/"	Yes if not using Teleport Cloud

updater.versionServer is the URL of the version server the agent fetches the target version from. The complete version endpoint is built by concatenating versionServer and releaseChannel.

You must set this if the updater is enabled, and you are not a Teleport Cloud user.

You must not change the default values if you are a Teleport Cloud user.

updater.releaseChannel

Type	Default value	Required?
string	"stable/cloud"	No

updater.releaseChannel is the release channel the updater subscribes to. The complete version endpoint is built by concatenating versionServer and releaseChannel. You must not change the default value if you are a Teleport Cloud user unless instructed by Teleport support.

You can change this value if the updater is enabled, you are not a Teleport Cloud user, and manage your own version server.

updater.image

Type	Default value	Required?
string	"public.ecr.aws/gravitational/teleport-kube-agent-updater"	No

image sets the container image used for Teleport updater pods run when updater.enabled is true.

You can override this to use your own Teleport Kube Agent Updater image rather than a Teleport-published image.

updater.extraArgs

Type	Default value	Required?
list	[]	No

extraArgs contains additional arguments to pass to the updater binary.

updater.extraVolumes

Type	Default
list	[]

updater.extraVolumes contains extra volumes to mount into the Updater pods. See the Kubernetes volume documentation for more details.

For example:

updater:
  extraVolumes:
  - name: myvolume
    secret:
      secretName: testSecret

updater.extraVolumeMounts

Type	Default
list	[]

updater.extraVolumeMounts contains extra volumes mounts for the updater. See the Kubernetes volume documentation for more details.

For example:

updater:
  extraVolumesMounts:
  - name: myvolume
    mountPath: /path/on/host

roleBindingName

Type	Default value	Required?
string	""	No

roleBindingName provides a custom name for the RoleBinding resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the RoleBinding has the name of the Helm release.

You should set this value if there is a RoleBinding resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

values.yaml example:

roleBindingName: myrolebinding

roleName

Type	Default value	Required?
string	""	No

roleName provides a custom name for the Role resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the Role has the name of the Helm release.

You should set this value if there is a Role resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

values.yaml example:

roleName: myrole

serviceAccountName

This field is deprecated and will be removed in a future version. Use serviceAccount.name instead.

authToken

Type	Default value	Required?
string	nil	No

authToken provides a Teleport join token which will be used to join the Teleport instance to a Teleport cluster.

The value joinParams supports more methods to join the Teleport cluster and takes precedence if both authToken and joinParams are set.

A token must be specified for the agent to join the Teleport cluster, either though authToken, joinParams, or an existing Kubernetes Secret.

Services	Service Name	tctl tokens add example	teleport.yaml static token example
Kubernetes	kube	tctl tokens add --type=kube	"kube:<replace-with-actual-token>"
Kubernetes, Application	kube,app	tctl tokens add --type=kube,app	"kube,app:<replace-with-actual-token>"
Kubernetes, Application, Database	kube,app,db	tctl tokens add --type=kube,app,db	"kube,app,db:<replace-with-actual-token>"

note

When you use a token, all of the services that it provides must be used.

For example, you cannot use a token of type app,db to only join a Teleport app service by itself. It must join both app and db services at once.

Also, each static token you configure must be unique, as the token itself is used to define which services will be supported.

You cannot reuse the same static token and specify a different set of services.

If you do not have the correct services (Teleport refers to these internally as Roles) assigned to your join token, the Teleport instance will fail to join the Teleport cluster.

values.yaml example:

authToken: <replace-with-actual-token>

joinParams

joinParams controls how the Teleport agent joins the Teleport cluster. These sub-values must be configured for the agent to connect to a cluster.

joinParams.method

Type	Default value	Required?
string	token	Yes

joinParams.method defines which join method will be used to join the Teleport cluster. Possible values are token, iam and ec2.

• For iam, see Joining Nodes Via AWS IAM Role.
• For ec2, see Joining Nodes Via AWS EC2 Identity Document.
• For token (default value), the token must be provided through joinParams.tokenName or through an existing Kubernetes Secret.

IAM joining requirements

Using the IAM joining method requires either the pods to have access to instance metadata, or IAM roles for service accounts to be set up on the pods's service account. For access to instance metadata (the quickest solution), see AWS's examples on how to restrict instance metadata access to a few pods.

values.yaml example:

joinParams:
  method: "token"|"ec2"|"iam"

joinParams.tokenName

Type	Default value	Required?
string	nil	Yes

When joinParams.method is iam or ec2, joinParams.tokenName contains the name of the token that will be used to join the cluster. In this case, the value is not sensitive as authorization is checked through AWS IAM or EC2.

When joinParams.method is token (by default), joinParams.tokenName contains the join token itself. In this case, the value is sensitive and is automatically stored in a Kubernetes Secret instead of being directly included in the agent's configuration.

If method is token, joinParams.tokenName can be empty if the token is provided through an existing Kubernetes Secret, see joinTokenSecret for more details and instructions.

values.yaml example:

joinParams:
  tokenName: "my-token"

proxyAddr

Type	Default value	Required?
string	nil	Yes

proxyAddr provides the public-facing Teleport proxy endpoint which should be used to join the cluster. This is the same URL that is used to access the web UI of your Teleport cluster. It is the same as the value configured for proxy_service.public_addr in a traditional Teleport cluster. The port used is usually either 3080 or 443.

Here are a few examples:

Deployment method	Example proxy_service.public_addr
On-prem Teleport cluster	teleport.example.com:3080
Teleport Cloud cluster	example.teleport.sh:443
teleport-cluster Helm chart	teleport.example.com:443

kubeClusterName

Type	Default value	Required?
string	nil	When kube chart role is used

kubeClusterName sets the name used for the Kubernetes cluster proxied by the Teleport agent. This name will be shown to Teleport users connecting to the cluster.

values.yaml example:

kubeClusterName: my-gke-cluster

kubernetesDiscovery

Type	Required?
list	No

kubernetesDiscovery is a YAML list object detailing the Kubernetes App Discovery Configuration

You can specify multiple discovery configurations by adding additional list elements.

values.yaml example:

kubernetesDiscovery:
- types: ["app"]
  namespaces: [ "toronto", "porto" ]
  labels:
    env: staging
- types: ["app"]
  namespaces: [ "seattle", "oakland" ]
  labels:
    env: testing

kubernetesDiscovery.types

Type	Required?
list	Yes

kubernetesDiscovery.types is a list of Teleport resource types to be created from the discovered Kubernetes Services. Currently only supports app.

kubernetesDiscovery.namespaces

Type	Default	Required?
list	All Namespaces	No

kubernetesDiscovery.namespaces is a list of Kubernetes namespaces to be scanned for resources.

kubernetesDiscovery.labels

Type	Default	Required?
map	{"*":"*"}	No

kubernetesDiscovery.labels is a map of labels to be matched against the Kubernetes Services. Only Services with matching labels will be imported to Teleport.

apps

Type	Default value	Required?
list	[]	When app chart role is used at least one of apps and appResources is required.

apps is a YAML list object detailing the applications that should be proxied by Teleport Application access.

You can specify multiple apps by adding additional list elements.

values.yaml example:

apps:
- name: grafana
  uri: http://localhost:3000
  labels:
    purpose: monitoring
- name: jenkins
  uri: http://jenkins:8080
  labels:
    purpose: ci

Supported values

You can see a list of all the supported values which can be used in a Teleport application access configuration here.

appResources

Type	Default value	Required?
list	[]	When app chart role is used at least one of apps and appResources is required.

appResources is a YAML list object detailing the resource selectors of the applications that should be proxied by the Teleport Application Service.

You can specify multiple selectors by including additional list elements.

values.yaml example:

appResources:
- labels:
    "env": "prod"
- labels:
    "env": "test"

Example

Once appResources is set, you can dynamically register application with tsh by following this guide.

clusterDomain

Type	Default
string	"cluster.local"

clusterDomain sets the domain name used by the Kubernetes cluster. This value is used to build the FQDN application URIs. For example, if the cluster domain is anything.local, the agent will proxy the application my-app running in the default namespace at http://my-app.default.svc.anything.local. You must manually set this value to match your cluster domain if it is different from the default value cluster.local.

awsDatabases

AWS database auto-discovery

This section configures AWS database auto-discovery. You can configure databases for other platforms using the azureDatabases or databases sections.

IAM roles

For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the database documentation.

After configuring a role, you can use an eks.amazonaws.com/role-arn annotation with the annotations.serviceAccount value to associate it with the service account and grant permissions:

annotations:
  serviceAccount:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role

Type	Default value	Required?
list	[]	When the db chart role is used at least one of databases, awsDatabases, azureDatabases, databaseResources is required.

awsDatabases is a YAML list object detailing the filters for the AWS databases that should be discovered and proxied by Teleport Database access.

You can specify multiple database filters by adding additional list elements.

• types is a list containing the types of AWS databases that should be discovered.
• regions is a list of AWS regions which should be scanned for databases.
• tags can be used to set AWS tags that must be matched for databases to be discovered.

values.yaml example:

roles: db
awsDatabases:
  - types: ["rds"]
    regions: ["us-east-1", "us-west-2"]
    tags:
      "environment": "production"
  - types: ["rds"]
    regions: ["us-east-1"]
    tags:
      "environment": "dev"
  - types: ["rds"]
    regions: ["eu-west-1"]
    tags:
      "*": "*"
annotations:
  serviceAccount:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role

azureDatabases

Azure database auto-discovery

This section configures Azure database auto-discovery. You can configure databases for other platforms using the awsDatabases or databases sections.

Azure IAM

For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the database documentation.

After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods. The easiest way is to use an Azure client secret.

First, create in the chart installation namespace a Kubernetes Secret containing the azure client secret:

$ kubectl create secret generic teleport-azure-client-secret --from-literal=client_secret=<your-azure-client-secret>
secret/teleport-azure-client-secret created

Then, use the extraEnv value to set the pods environment variables:

extraEnv:
- name: AZURE_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
    name: teleport-azure-client-secret
    key: client_secret
    optional: false
- name: AZURE_TENANT_ID
  value: "11111111-2222-3333-4444-555555555555"
- name: AZURE_CLIENT_ID
  value: "11111111-2222-3333-4444-555555555555"

Type	Default value	Required?
list	[]	When the db chart role is used at least one of databases, awsDatabases, azureDatabases, databaseResources is required.

azureDatabases is a YAML list object detailing the filters for the Azure databases that should be discovered and proxied by Teleport Database access.

You can specify multiple database filters by adding additional list elements.

Required fields for each filter:

• types is a list containing the types of Azure databases that should be discovered.
• tags can be used to set Azure resource tags that must be matched for databases to be discovered.

Optional fields for each filter:

• regions is a list of Azure regions which should be scanned for databases.
• subscriptions can be used to discover databases within matching Azure subscriptions.
• resource_groups can be used to discover databases within matching Azure resource groups.

The default for each of these optional settings is *, which will auto-discover in all subscriptions, regions, or resource groups accessible by the Teleport service principal in Azure.

values.yaml example:

roles: db
azureDatabases:
- types: ["mysql", "postgres"]
  tags:
    "*": "*"
- types: ["mysql"]
  tags:
    "env": ["dev", "staging"]
    "origin": "alice"
  regions: ["eastus", "centralus"]
  subscriptions: ["subID1", "subID2"]
  resource_groups: ["group1", "group2"]
extraEnv:
- name: AZURE_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
    name: teleport-azure-client-secret
    key: client_secret
    optional: false
- name: AZURE_TENANT_ID
  value: "11111111-2222-3333-4444-555555555555"
- name: AZURE_CLIENT_ID
  value: "11111111-2222-3333-4444-555555555555"

databases

Type	Default value	Required?
list	[]	When the db chart role is used at least one of databases, awsDatabases, azureDatabases, databaseResources is required.

databases is a YAML list object detailing the databases that should be proxied by Teleport Database access.

You can specify multiple databases by adding additional list elements.

values.yaml example:

databases:
- name: aurora-postgres
  uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432
  protocol: postgres
  aws:
    region: us-east-1
  static_labels:
    env: staging
- name: mysql
  uri: mysql-instance-1.xxx.us-east-1.rds.amazonaws.com:3306
  protocol: mysql
  aws:
    region: us-east-1
  static_labels:
    env: staging

Supported values

You can see a list of all the supported values which can be used in a Teleport database service configuration here.

Trusting Database CA

Database CAs can be trusted on a per-database basis. You must create a secret containing the database CA certificate in the same namespace as Teleport using a command like:

$ kubectl create secret generic my-postgres-ca --from-file=ca.pem=/path/to/database-ca.pem

Then, deploy the Helm chart with the following values:

databases:
- name: my-postgres
  uri: postgres.example.com:5432
  protocol: postgres
  tls:
    ca_cert_file: "/etc/teleport-tls-db/my-postgres/ca.pem"
extraVolumes:
  - name: my-postgres-ca
    secret:
      secretName: my-postgres-ca
extraVolumeMounts:
  - name: my-postgres-ca
    mountPath: /etc/teleport-tls-db/my-postgres
    readOnly: true

databaseResources

Type	Default value	Required?
list	[]	When the db chart role is used at least one of databases, awsDatabases, azureDatabases, databaseResources is required.

databaseResources is a YAML list object detailing the resource selectors of the databases that should be proxied by the Teleport Database Service.

You can specify multiple selectors by adding elements to the list.

values.yaml example:

databaseResources:
- labels:
    "env": "prod"
    "engine": "postgres"
- labels:
    "env": "test"
    "engine": "mysql"

Example

Once databaseResources is set, you can dynamically register database with tsh by following this guide.

teleportVersionOverride

Type	Default value
string	nil

Normally the version of Teleport being used will match the version of the chart being installed. If you install chart version 10.0.0, you'll be using Teleport 10.0.0. Upgrading the Helm chart will use the latest version from the repo.

You can optionally override this to use a different published Teleport Docker image tag like 10.1.2 or 11.

danger

teleportVersionOverride is intended for development and MUST NOT be used to control the Teleport version in a typical deployment. This chart is designed to run a specific Teleport version. You will face compatibility issues trying to run a different Teleport version with it.

If you want to run Teleport version X.Y.Z, you should use helm --version X.Y.Z instead.

values.yaml example:

teleportVersionOverride: "11"

caPin

Type	Default value
list	[]

When caPin is set, the Teleport pod will use its values to check the Auth Service's identity when first joining a cluster. This enables a more secure way of adding new Teleport instances to a cluster. See "Adding Nodes to the Cluster".

Each list element can be the pin itself (recommended, works out of the box), or a path to a file containing the pin. For the latter it is your responsibility to mount the file using extraVolumes.

values.yaml example:

caPin: ["sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1"]

insecureSkipProxyTLSVerify

Type	Default value
bool	false

When insecureSkipProxyTLSVerify is set to true, the Teleport instance will skip the verification of the TLS certificate presented by the Teleport Proxy Service specified using proxyAddr.

This can be used for joining a Teleport instance to a Teleport cluster which does not have valid TLS certificates for testing.

values.yaml example:

insecureSkipProxyTLSVerify: false

warning

Using a self-signed TLS certificate and disabling TLS verification is OK for testing, but is not viable when running a production Teleport cluster as it will drastically reduce security. You must configure valid TLS certificates on your Teleport cluster for production workloads.

One option might be to use Teleport's built-in ACME support or enable cert-manager support.

teleportConfig

teleportConfig contains YAML teleport configuration to pass to the Teleport pods. The configuration will be merged with the chart-generated configuration and will take precedence in case of conflict.

See the Teleport Configuration Reference for the list of supported fields.

teleportConfig:
  app_service:
    debug_app: true
  discovery_service:
    enabled: true
    azure:
    - types: ["aks"]
      tags:
        "*":"*"

tls

existingCASecretName

Type	Default value
string	""

tls.existingCASecretName sets the SSL_CERT_FILE environment variable to load a trusted CA or bundle in PEM format into Teleport pods. This can be set to inject a root and/or intermediate CA so that Teleport can build a full trust chain on startup. The injected CA will be used to validate TLS communications, with the Proxy Service, with upstream applications or databases.

note

The recommended way to trust a database CA is to do it per-database instead of adding the CA to the global Teleport trust store. It allows to trust multiple CAs while limiting the trust scope to their specific databases. See the databases section.

You must create a secret containing the CA certs in the same namespace as Teleport using a command like:

$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem

Root CA filename

The key containing the root CA in the secret must be ca.pem.

values.yaml example:

tls:
  existingCASecretName: my-root-ca

existingDataVolume

Type	Default value
string	""

When existingDataVolume is set to the name of an existing volume, the /var/lib/teleport mount will use this volume instead of creating a new emptyDir volume.

values.yaml example:

existingDataVolume: my-volume

podSecurityPolicy

podSecurityPolicy.enabled

Type	Default value
bool	true for < 1.23 false for >= 1.23

By default, Teleport charts used to install a podSecurityPolicy.

PodSecurityPolicy resources (PSP) have been removed in Kubernetes 1.25 and replaced since 1.23 by PodSecurityAdmission (PSA). If you are running on Kubernetes 1.23 or later, it is recommended to disable PSPs and use PSAs. The steps are documented in the PSP removal guide.

To disable PSP creation, you can set enabled to false.

Kubernetes reference

values.yaml example:

podSecurityPolicy:
  enabled: false

labels

Type	Default value
object	{}

labels can be used to add a map of key-value pairs for the kubernetes_service which is deployed using the teleport-kube-agent chart. These labels can then be used with Teleport's RBAC policies to define access rules for the cluster.

note

These are Teleport-specific RBAC labels, not Kubernetes labels.

note

For historical/backwards compatibility reasons, these labels will only be applied to the Kubernetes cluster being joined via the Teleport Kubernetes service.

To set labels for applications, add a labels element to the apps section. To set labels for databases, add a static_labels element to the databases section.

For more information on how to set static/dynamic labels for Teleport services, see labelling nodes and applications.

values.yaml example:

labels:
  environment: production
  region: us-east

storage

storage.enabled

Type	Default value
bool	false

Enables the creation of a Kubernetes persistent volume to hold Teleport instance state.

Kubernetes reference

Chart upgrades for legacy releases

If you are upgrading a legacy teleport-kube-agent release (pre-v11), the way the teleport-kube-agent chart handles upgrades differs depending on the value of storage.enabled. Prior to v11, the chart ran the Teleport pod as a Deployment if storage.enabled was false and a StatefulSet if it was true. In v11 and after, the chart always runs the Teleport pod as a StatefulSet.

During an upgrade, if storage.enabled is false, the chart installs a StatefulSet resource to run the Teleport pod alongside the existing Deployment. Once the StatefulSet joins the cluster and becomes healthy, the chart deletes the Deployment using a Helm hook, and the upgrade finishes.

If storage.enabled is true, then during the upgrade, the teleport-kube-agent chart will use the existing StatefulSet resource to run the Teleport pod. The chart will import the pod's identify from the previously configured external storage into a Kubernetes Secret.

New chart installations

New installations of teleport-kube-agent always launch the Teleport pod as a StatefulSet, and the pod reads its state from a Kubernetes Secret. Setting storage.enabled to true is not required for the Teleport pod to maintain its state.

If storage.enabled is true, the chart creates a volume mount for the Teleport pod that persists across the lifetimes of all Teleport pods deployed on a particular node. The Teleport pod uses this volume mount to manage its data, which is useful for storing session recordings locally.

You can configure this persistent storage using storage.storageClassName and storage.requests.

If storage.enabled is false, the chart configures the Teleport pod to manage its data with a temporary directory that exists until the Teleport pod stops running.

values.yaml example:

storage:
  enabled: true

storage.storageClassName

Type	Default value
string	nil

The storage class name the persistent volume should use when creating persistent volume claims. The provided storage class name needs to exist on the Kubernetes cluster for Teleport to use.

Kubernetes reference

values.yaml example:

storage:
  storageClassName: teleport-storage-class

storage.requests

Type	Default value
string	128Mi

The size of persistent volume to create.

values.yaml example:

storage:
  requests: 128Mi

image

Type	Default value
string	public.ecr.aws/gravitational/teleport

image sets the container image used for Teleport agent pods run by the teleport-kube-agent chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

Interaction with Teleport Kube Agent Updater

When using the Teleport Kube Agent Updater you must ensure the image is available before the updater version target gets updated and Kubernetes tries to pull the image.

For this reason, it is strongly discouraged to set a custom image when connecting to a Teleport Cloud instance enrolled in automatic updates.

values.yaml example:

image: my.docker.registry/teleport-image-name

imagePullSecrets

Type	Default value
list	[]

Kubernetes reference

A list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.

values.yaml example:

imagePullSecrets:
- name: my-docker-registry-key

highAvailability

highAvailability.replicaCount

Type	Default value
int	1

highAvailability.replicaCount can be used to set the number of replicas used in the deployment.

Set to a number higher than 1 for a high availability mode where multiple Teleport pods will be deployed.

Sizing guidelines

As a rough guide, we recommend configuring one replica per distinct availability zone where your cluster has worker nodes.

2 replicas/availability zones will be fine for smaller workloads. 3-5 replicas/availability zones will be more appropriate for bigger clusters with more traffic.

values.yaml example:

highAvailability:
  replicaCount: 3

highAvailability.requireAntiAffinity

Type	Default value
bool	false

Kubernetes reference

Setting highAvailability.requireAntiAffinity to true will use requiredDuringSchedulingIgnoredDuringExecution to require that multiple Teleport pods must not be scheduled on the same physical host.

warning

This can result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.

Setting highAvailability.requireAntiAffinity to false (the default) uses preferredDuringSchedulingIgnoredDuringExecution to make node anti-affinity a soft requirement.

note

This setting only has any effect when highAvailability.replicaCount is greater than 1.

values.yaml example:

highAvailability:
  requireAntiAffinity: true

highAvailability.podDisruptionBudget

highAvailability.podDisruptionBudget.enabled

Type	Default value
bool	false

Kubernetes reference

Enable a Pod Disruption Budget for the Teleport Pod to ensure HA during voluntary disruptions.

values.yaml example:

highAvailability:
  podDisruptionBudget:
    enabled: true

highAvailability.podDisruptionBudget.minAvailable

Type	Default value
int	1

Kubernetes reference

Ensures that this number of replicas is available during voluntary disruptions, can be a number of replicas or a percentage.

values.yaml example:

highAvailability:
  podDisruptionBudget:
    minAvailable: 1

podMonitor

podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1) that monitors the workload (Auth and Proxy Services) deployed by the chart. This custom resource configures Prometheus and makes it scrape Teleport metrics.

The CRD is deployed by the prometheus-operator and allows workload to get monitored. You need to deploy the prometheus-operator in the cluster prior to configuring the podMonitor section of the chart. See the prometheus-operator documentation for setup instructions.

podMonitor.enabled

Type	Default value
bool	false

Whether the chart should deploy a PodMonitor resource. This is disabled by default as it requires the PodMonitor CRD to be installed in the cluster.

podMonitor.additionalLabels

Type	Default value
object[string]string	{"prometheus":"default"}

Additional labels to put on the created PodMonitor Resource. Those labels are used to be selected by a specific Prometheus instance.

podMonitor.interval

Type	Default value
string	30s

interval is the interval between two metrics scrapes by Prometheus.

clusterRoleName

Type	Default value
string	nil

clusterRoleName can be optionally used to override the name of the Kubernetes ClusterRole used by the teleport-kube-agent chart's ServiceAccount.

note

Most users will not need to change this.

values.yaml example:

clusterRoleName: kubernetes-clusterrole

clusterRoleBindingName

note

Most users will not need to change this.

Type	Default value
string	nil

clusterRoleBindingName can be optionally used to override the name of the Kubernetes ClusterRoleBinding used by the teleport-kube-agent chart's ServiceAccount.

values.yaml example:

clusterRoleBindingName: kubernetes-clusterrolebinding

priorityClassName

Type	Default value
string	nil

priorityClassName allows to specify a priority class for the teleport-kube-agent deployment/statefulset.

values.yaml example:

priorityClassName: "teleport-kube-agent"

serviceAccount.create

Type	Default value	Required?
boolean	true	No

Kubernetes reference

Boolean value to control whether Helm Chart should create the ServiceAccount. When off, the serviceAccount.name parameter should be set to the existing ServiceAccount name.

values.yaml example:

serviceAccount:
  create: false
  name: kubernetes-serviceaccount

serviceAccount.name

Type	Default value	Required?
string	""	No

serviceAccount.name provides a custom name for the ServiceAccount resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the ServiceAccount has the name of the Helm release.

You should set this value if there is a ServiceAccount resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

values.yaml example:

serviceAccount:
  name: kubernetes-serviceaccount

joinTokenSecret

joinTokenSecret.create

Type	Default value
bool	true

Boolean value to control whether Helm Chart should create the Secret. When off, the joinTokenSecret.name parameter should be set to the existing Secret name.

joinTokenSecret.name

Type	Default value
string	teleport-kube-agent-join-token

name is the name of the Kubernetes Secret containing the Teleport join token used by the chart.

If joinTokenSecret.create is false, the chart will not attempt to create the secret itself. Instead, it will read the value from an existing secret. joinTokenSecret.name configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext join token stored in your Teleport chart values.

To create your own join token secret, you can use a command like this:

$ kubectl --namespace teleport create secret generic teleport-kube-agent-join-token --from-literal=auth-token=<replace-with-actual-token>

note

The key used for the auth token inside the secret must be auth-token, as in the command above.

values.yaml example:

joinTokenSecret:
  create: false
  name: "secret-i-created-before"

joinParams:
  method: "token"
  tokenName: ""

log

log.level

note

This field used to be called logLevel. For backwards compatibility this name can still be used, but we recommend changing your values file to use log.level.

Type	Default value
string	INFO

log.level sets the log level used for the Teleport process.

Available log levels (in order of most to least verbose) are: DEBUG, INFO, WARNING, ERROR.

The default is INFO, which is recommended in production.

DEBUG is useful during first-time setup or to see more detailed logs for debugging.

values.yaml example:

log:
  level: DEBUG

log.output

Type	Default value	teleport.yaml equivalent
string	stderr	teleport.log.output

log.output sets the output destination for the Teleport process.

This can be set to any of the built-in values: stdout, stderr or syslog to use that destination.

The value can also be set to a file path (such as /var/log/teleport.log) to write logs to a file. Bear in mind that a few service startup messages will still go to stderr for resilience.

values.yaml example:

log:
  output: stderr

log.format

Type	Default value	teleport.yaml equivalent
string	text	teleport.log.format.output

log.format sets the output type for the Teleport process.

Possible values are text (default) or json.

values.yaml example:

log:
  format: json

log.extraFields

Type	Default value	teleport.yaml equivalent
list	["timestamp", "level", "component", "caller"]	teleport.log.format.extra_fields

log.extraFields sets the fields used in logging for the Teleport process.

See the Teleport config file reference for more details on possible values for extra_fields.

values.yaml example:

log:
  extraFields: ["timestamp", "level"]

affinity

Type	Default value
object	{}

Kubernetes reference

Kubernetes affinity to set for pod assignments.

note

You cannot set both affinity and highAvailability.requireAntiAffinity as they conflict with each other.

values.yaml example:

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: gravitational.io/dedicated
          operator: In
          values:
          - teleport

dnsConfig

Type	Default value
object	{}

Kubernetes reference

Kubernetes pod DNS configuration. This value can reduce the DNS load by setting ndots to 0.

dnsConfig:
  nameservers:
    - 1.2.3.4
  searches:
    - ns1.svc.cluster-domain.example
    - my.dns.search.suffix
  options:
    - name: ndots
      value: "2"

dnsPolicy

Type	Default value
string	""

Kubernetes reference

Kubernetes pod DNS policy.

dnsPolicy: "Default"

nodeSelector

Type	Default value
object	{}

nodeSelector can be used to add a map of key-value pairs to constrain the nodes that Teleport pods will run on.

Kubernetes reference

values.yaml example:

nodeSelector:
  role: node
  region: us-east

extraLabels.clusterRole

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the ClusterRole created by the chart.

values.yaml example:

extraLabels:
  clusterRole:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.clusterRoleBinding

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the ClusterRoleBinding created by the chart.

values.yaml example:

extraLabels:
  clusterRoleBinding:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.role

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the Role created by the chart for the Teleport pod.

values.yaml example:

extraLabels:
  role:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.roleBinding

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the RoleBinding created by the chart for the Teleport pod.

values.yaml example:

extraLabels:
  roleBinding:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.config

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the ConfigMap created by the chart.

values.yaml example:

extraLabels:
  config:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.deployment

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the Deployment or StatefulSet created by the chart.

values.yaml example:

extraLabels:
  deployment:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.job

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the post-delete hook Job created by the chart.

values.yaml example:

extraLabels:
  job:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.pod

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to every Pod in the Deployment or StatefulSet created by the chart.

values.yaml example:

extraLabels:
  pod:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.podDisruptionBudget

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the PodDisruptionBudget created by the chart (if enabled).

values.yaml example:

extraLabels:
  podDisruptionBudget:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.podSecurityPolicy

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the PodSecurityPolicy created by the chart (if enabled).

values.yaml example:

extraLabels:
  podSecurityPolicy:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.secret

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the Secret created by the chart (if enabled).

values.yaml example:

extraLabels:
  secret:
    app.kubernetes.io/name: teleport-kube-agent

extraLabels.serviceAccount

Type	Default value
object	{}

Kubernetes reference

Kubernetes labels that should be applied to the ServiceAccount created by the chart for the Teleport pod.

values.yaml example:

extraLabels:
  serviceAccount:
    app.kubernetes.io/name: teleport-kube-agent

annotations.config

Type	Default value	teleport.yaml equivalent
object	{}	None

Kubernetes reference

Kubernetes annotations which should be applied to the ConfigMap created by the chart.

values.yaml example:

annotations:
  config:
    kubernetes.io/annotation: value

annotations.deployment

Type	Default value
object	{}

Kubernetes reference

Kubernetes annotations which should be applied to the Deployment created by the chart.

values.yaml example:

annotations:
  deployment:
    kubernetes.io/annotation: value

annotations.pod

Type	Default value
object	{}

Kubernetes reference

Kubernetes annotations which should be applied to each Pod created by the chart.

values.yaml example:

annotations:
  pod:
    kubernetes.io/annotation: value

annotations.secret

Type	Default value
object	{}

Kubernetes reference

Kubernetes annotations which should be applied to the Secret created by the chart.

values.yaml example:

annotations:
  secret:
    kubernetes.io/annotation: value

annotations.serviceAccount

Type	Default value
object	{}

Kubernetes reference

Kubernetes annotations which should be applied to the ServiceAccount created by the chart.

values.yaml example:

annotations:
  serviceAccount:
    kubernetes.io/annotation: value

extraVolumes

Type	Default value
list	[]

Kubernetes reference

A list of extra Kubernetes Volumes which should be available to any Pod created by the chart. These volumes will also be available to any initContainers configured by the chart.

values.yaml example:

extraVolumes:
- name: myvolume
  secret:
    secretName: mysecret

extraArgs

Type	Default value
list	[]

A list of extra arguments to pass to the teleport start command when running a Teleport Pod.

values.yaml example:

extraArgs:
- "--debug"

extraEnv

Type	Default value
list	[]

Kubernetes reference

A list of extra environment variables to be set on the main Teleport container.

values.yaml example:

extraEnv:
- name: HTTPS_PROXY
  value: "http://username:[email protected]:3128"

extraVolumeMounts

Type	Default value
list	[]

Kubernetes reference

A list of extra Kubernetes volume mounts which should be mounted into any Pod created by the chart. These volume mounts will also be mounted into any initContainers configured by the chart.

values.yaml example:

extraVolumeMounts:
- name: myvolume
  mountPath: /path/to/mount/volume

hostAliases

Type	Default value
list	[]

Configure aliases in the pod's /etc/hosts. This can be used to have the agent join the Teleport cluster through a different non-public route, or to allow the agent to access applications or databases that are not resolvable. See the Kubernetes documentation for more details.

hostAliases:
  - ip: "127.0.0.1"
    hostnames:
      - "foo.local"
      - "bar.local"
  - ip: "10.1.2.3"
    hostnames:
      - "foo.remote"
      - "bar.remote"

imagePullPolicy

Type	Default value
string	IfNotPresent

Kubernetes reference

Allows the imagePullPolicy for any pods created by the chart to be overridden.

values.yaml example:

imagePullPolicy: Always

initContainers

Type	Default value
list	[]

Kubernetes reference

A list of initContainers which will be run before the main Teleport container in any pod created by the chart.

values.yaml example:

initContainers:
- name: teleport-init
  image: alpine
  args: ['echo test']

resources

Type	Default value
object	{}

Kubernetes reference

Resource requests/limits which should be configured for each container inside the pod. These resource limits will also be applied to initContainers.

values.yaml example:

resources:
  requests:
    cpu: 1
    memory: 2Gi

initSecurityContext

Container security context to set for the initContainer. Defaults to:

initSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - all
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 9807

To unset the security context, set it to null or ~.

securityContext

Container security context to set for the main Teleport container. Defaults to:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - all
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 9807

To unset the security context, set it to null or ~.

podSecurityContext

Pod security context to set for the main Teleport container. Defaults to:

podSecurityContext:
  fsGroup: 9807

To unset the security context, set it to null or ~.

tolerations

Type	Default value
list	[]

Kubernetes reference

Kubernetes Tolerations to set for pod assignment.

values.yaml example:

tolerations:
- key: "dedicated"
  operator: "Equal"
  value: "teleport"
  effect: "NoSchedule"

probeTimeoutSeconds

Type	Default value
integer	1

Kubernetes reference

Kubernetes timeouts for the liveness and readiness probes.

values.yaml example:

probeTimeoutSeconds: 5