Skip to main content
Version: 15.x

Teleport AKS Auto-Discovery

AKS Auto-Discovery can automatically discover any AKS cluster and enroll it in Teleport if its tags match the configured labels.

Teleport Kubernetes auto-discovery involves two components.

The first, the Discovery Service, is responsible for watching your cloud provider and checking if there are any new clusters or if there have been any modifications to previously discovered clusters. It dynamically registers each discovered cluster as a kube_cluster resource in your Teleport cluster. The second, the Kubernetes Service, monitors the dynamic kube_cluster resources registered by the Discovery Service. It proxies communications between users and the cluster.

tip

This guide presents the Discovery Service and Kubernetes Service running in the same process, however both can run independently and on different machines.

For example, you can run an instance of the Kubernetes Service in the same private network as the clusters you want to register with your Teleport cluster, and an instance of the Discovery Service in any network you wish.

Prerequisites

  • A running Teleport cluster version 15.4.22 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    On Teleport Enterprise, you must use the Enterprise version of tctl, which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloading tctl and tsh for Teleport Community Edition.

  • An Azure identity with permissions to create and attach AD Groups.
  • One or more AKS clusters running.
  • Access to AKS clusters.
  • A host to run the Teleport Discovery and Kubernetes services.

Step 1/2. Set up Azure Identity with the required permissions

Depending on each cluster's authentication and authorization settings, Azure uses a different way to configure the necessary permissions for Teleport to forward requests to the server.

Check the authentication modes used on your clusters and choose one or more permissions scenarios. In some configurations, Teleport has the ability to automatically configure the access to the cluster if you include the necessary permissions to do so.

In this scenario, the Teleport's authentication happens through Active Directory, and the permissions required to access the Kubernetes cluster are associated with the roles assigned to its identity.

This mode allows you to grant permissions to multiple Kubernetes clusters without requiring specific settings for each one of them.

To grant access to the AKS clusters running with this setting, create an AD role with the following content and assign it to the identity that the Teleport process will use.

  {
      "Name": "AKS Teleport Discovery",
      "Description": "Required permissions for Teleport auto-discovery.",
      "Actions": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "NotActions": [],
      "DataActions": [
        "Microsoft.ContainerService/managedClusters/groups/impersonate/action",
        "Microsoft.ContainerService/managedClusters/users/impersonate/action",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/impersonate/action",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/authorization.k8s.io/selfsubjectaccessreviews/write",
        "Microsoft.ContainerService/managedClusters/authorization.k8s.io/selfsubjectrulesreviews/write",
      ],
      "NotDataActions": [],
      "assignableScopes": [
          "/subscriptions/{subscription_id}"
      ]
  }

Replace the {subscription_id} with the desired Subscription ID or a wildcard if you want to guarantee permissions on all subscriptions.

Step 2/2. Configure Teleport to discover AKS clusters

Teleport AKS Auto-Discovery requires a valid auth token for the Discovery and Kubernetes services to join the cluster. Generate one by running the following command against your Teleport Auth Service and save it in /tmp/token on the machine that will run Kubernetes Discovery:

$ tctl tokens add --type=discovery,kube

Enabling AKS Auto-Discovery requires that the discovery_service.azure section include at least one entry and that discovery_service.azure.types include aks. It also requires configuring the kubernetes_service.resources.tags to use the same labels configured at discovery_service.azure.tags or a subset of them to make the Kubernetes Service listen to the dynamic resources created by the Discovery Service.

warning

Discovery Service exposes a configuration parameter - discovery_service.discovery_group - that allows you to group discovered resources into different sets. This parameter is used to prevent Discovery Agents watching different sets of cloud resources from colliding against each other and deleting resources created by another services.

When running multiple Discovery Services, you must ensure that each service is configured with the same discovery_group value if they are watching the same cloud resources or a different value if they are watching different cloud resources.

It is possible to run a mix of configurations in the same Teleport cluster meaning that some Discovery Services can be configured to watch the same cloud resources while others watch different resources. As an example, a 4-agent high availability configuration analyzing data from two different cloud accounts would run with the following configuration.

  • 2 Discovery Services configured with discovery_group: "prod" polling data from Production account.
  • 2 Discovery Services configured with discovery_group: "staging" polling data from Staging account.
version: v3
teleport:
  join_params:
    token_name: "/tmp/token"
    method: token
  proxy_server: teleport.example.com:443    
auth_service:
  enabled: off
proxy_service:
  enabled: off
ssh_service:
  enabled: off
discovery_service:
  enabled: "yes"
  discovery_group: "aks-prod"
  azure:
  - types: ["aks"]
    regions: ["*"]
    subscriptions: ["*"]
    resource_groups: ["*"]
    tags:
      "env": "prod"
kubernetes_service:
  enabled: "yes"
  resources:
  - labels:
      "env": "prod" # Match Kubernetes Cluster labels specified earlier

Once you have added this configuration, start Teleport. AKS clusters matching the tags and regions specified in the Azure section will be added to the Teleport cluster automatically.

Troubleshooting

Discovery Service

To check if the Discovery Service is working correctly, you can check if any Kubernetes clusters have been discovered. To do this, you can use the tctl get kube_cluster command and check if the expected Kubernetes clusters have already been registered with your Teleport cluster.

If some Kubernetes clusters do not appear in the list, check if the Discovery Service selector labels match the missing Kubernetes cluster tags or look into the Discovery Service logs for permission errors.

If you are running multiple Discovery Services, you must ensure that each service is configured with the same discovery_group value if they are watching the same cloud Kubernetes clusters or a different value if they are watching different cloud Kubernetes clusters. If this is not configured correctly, a typical symptom is kube_cluster resources being intermittently deleted from your Teleport cluster's registry.

Kubernetes Service

If the tctl get kube_cluster command returns the discovered clusters, but the tctl kube ls command does not include them, check that you have set the kubernetes_service.resources section correctly.

kubernetes_service:
  enabled: "yes"
  resources:
  - labels:
      "env": "prod"

If the section is correctly configured, but clusters still do not appear or return authentication errors, please check if permissions have been correctly configured in your target cluster or that you have the correct permissions to list Kubernetes clusters in Teleport.