Secretless Kubernetes Access
The easiest and most secure way to access all Kubernetes clusters
Consolidate identity-based access to Kubernetes clusters across all environments, self-hosted or in the Cloud. Meet compliance requirements, and have complete visibility into kubectl access and behavior.
Get Started
Certificate-based MFA, RBAC, and SSO
Implement industry best practices for Kubernetes access with minimal configuration. Easily enforce MFA, RBAC, and SSO using identity-based short-lived X.509 certificates for engineers and service accounts.
Prevent phishing attacks
Move away from vulnerable keys and passwords towards auto-expiring certificates for users and service accounts to access Kubernetes clusters.
Meet compliance requirements
Continuously maintain compliance and pass audits with minimal effort. The supported standards include SOC 2, FedRAMP, HIPAA, ISO 27001, PCI and more.
Enhanced Visibility and Accountability
Track real-time activities and identify responsible actors through live session view, historical replays, and consolidated audit logs across all Kubernetes clusters.
Free yourself from network boundaries
You can access Kubernetes clusters running anywhere. From clouds and data centers to third party private networks behind NAT and firewalls.
Access that doesn't get in the way
Login once and easily switch between environments. No need to juggle passwords or hop between VPNs. Seamlessly use kubectl and other Kubernetes tools without compromises.
Scale without the overhead
Auto-discover and enroll cloud hosted Kubernetes clusters for efficient and secure infrastructure scaling operations.
Features
SSO for all Kubernetes clusters
A single login provides engineers with frustration-free access to Kubernetes clusters across all environments.
Granular RBAC
With seamless integration of Kubernetes RBAC authorization resources, control access down to individual Kubernetes API groups, resources, and verbs.
Per-session MFA
Render credential exfiltration attacks useless by implementing hardware based multi-factor authorization for privileged operations like `kubectl exec`. Support for Apple TouchID, YubiKeys, or any PIV compatible device.
Access requests
Move away from the default admin and cluster-admin roles with just-in-time Kubernetes privilege escalation for administrative and sensitive tasks. Build access approval workflows with Slack, PagerDuty, Jira, and more.
Session controls
Implement moderated sessions, enforce concurrent session restrictions, proactive session termination and identity locking across your entire infrastructure footprint.
Session recording
Every interactive kubectl session by an engineer or service account is recorded for future replay and can be audited and analyzed by other tools for behavior anomalies.
Auto discovery
Eliminate provisioning headaches with Kubernetes Auto-Discovery for cloud hosted clusters.
Cloud & Self-hosted
Support for cloud Kubernetes clusters on AWS, Azure or GCP, as well as self-hosted clusters.
Maintain Existing Workflows
Seamless integration with existing workflows and tools like kubectl, Helm, Terraform, and more.
Works with everything you have
Kubernetes
Amazon EKS
Google GKE
Azure AKS
Rancher
OpenShift
Tanzu
MiniKube
Helm
Traefik
Istio
Envoy
Linkerd
Consul
Fluentd
etcd
...and many more
How it works
Teleport is a certificate authority and identity-aware, multi-protocol access proxy which implements protocols such as SSH, RDP, HTTPS, Kubernetes API, and a variety of SQL and NoSQL databases. It is completely transparent to client-side tools and designed to work with everything in today's DevSecOps ecosystem.
Teleport Components
- Teleport Auth Service: The certificate authority of the cluster. It issues certificates to clients and maintains the audit log.
- Teleport Proxy Service: The proxy allows access to cluster resources from the outside. Typically it is the only service available from the public network.
- Teleport Agents: A Teleport agent runs in the same network as a target resource and speaks its native protocol, such as the SSH, Kubernetes API, HTTPS, PostgreSQL, and MySQL wire protocols. Think of a "smart sidecar" that routes user requests to its target resource.
Kubernetes Demo
