| title | description |
|---|---|
| Get started with Teleport on DigitalOcean Kubernetes | How to get started with Teleport on DigitalOcean Kubernetes |
This guide will show you how to get started with Teleport on DigitalOcean Kubernetes.
If you are already running Teleport on another platform, you can use your existing Teleport deployment to access your Kubernetes cluster. Follow our guide to connect your Kubernetes cluster to Teleport.
(!docs/pages/includes/cloud/call-to-action.mdx!)
- A DigitalOcean account.
- Your workstation configured with kubectl, Helm, doctl, and the Teleport tsh client.
Create a new DigitalOcean Kubernetes Cluster
While the Kubernetes cluster is being provisioned, follow the "Getting Started" guide as shown below:
(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)
Install Teleport in your Kubernetes cluster using the teleport-cluster Helm chart:

```code
$ CLUSTERNAME=tele.example.com # replace with your preferred domain name
$ EMAIL_ADDR=you@example.com # replace with your email
$ helm install teleport-cluster teleport/teleport-cluster \
  --create-namespace \
  --namespace=teleport-cluster \
  --set clusterName=$CLUSTERNAME \
  --set acme=true \
  --set acmeEmail=$EMAIL_ADDR \
  --version (=teleport.version=)
NAME: teleport-cluster
LAST DEPLOYED: Tue Oct 26 17:01:21 2021
NAMESPACE: teleport-cluster
STATUS: deployed
REVISION: 1
TEST SUITE: None
```
Create a namespace for your Teleport cluster resources and configure Pod Security Admission for it:

```code
$ kubectl create namespace teleport-cluster
namespace/teleport-cluster created
$ kubectl label namespace teleport-cluster 'pod-security.kubernetes.io/enforce=baseline'
namespace/teleport-cluster labeled
```
(!docs/pages/includes//enterprise/obtainlicense.mdx!)
Create a secret called "license" in the namespace you created:

```code
$ kubectl -n teleport-cluster create secret generic license --from-file=license.pem
```
Install Teleport:

```code
$ CLUSTERNAME=tele.example.com # replace with your preferred domain name
$ EMAIL_ADDR=you@example.com # replace with your email
$ helm install teleport-cluster teleport/teleport-cluster \
  --namespace=teleport-cluster \
  --set clusterName=$CLUSTERNAME \
  --set acme=true \
  --set acmeEmail=$EMAIL_ADDR \
  --set enterprise=true \
  --version (=teleport.version=)
NAME: teleport-cluster
LAST DEPLOYED: Tue Oct 26 17:01:21 2021
NAMESPACE: teleport-cluster
STATUS: deployed
REVISION: 1
TEST SUITE: None
```
First, get the external IP (the EXTERNAL-IP field) of the teleport-cluster load balancer service:

```code
$ kubectl --namespace=teleport-cluster get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
teleport-cluster LoadBalancer 10.245.163.12 192.168.200.200 443:31959/TCP,3023:30525/TCP,3026:30079/TCP,3024:32437/TCP 19m
teleport-cluster-auth ClusterIP 10.245.164.28 <none> 3025/TCP,3026/TCP 19m
```
Once the external IP is available (it may take a few minutes for this field to be populated), update your DNS so that the A record for your clusterName points to this IP address. In the example above, the external IP is 192.168.200.200.
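As an added example that is not part of the original guide: a POSIX shell helper that parses the service table above, treats a still-pending EXTERNAL-IP as the failure mode to wait on rather than a value to use, and, when run against a live cluster, checks that the clusterName A record already points at the load balancer before Let's Encrypt (acme=true) tries to validate the domain. The sample tables and the function names are constructed for this example.

```shell
# Added example, not from the Teleport docs. Parses the `kubectl get services`
# table, refuses to continue while EXTERNAL-IP is still <pending>, and checks that
# the clusterName A record already points at the load balancer address.

# Print the EXTERNAL-IP of LoadBalancer service $1 from `kubectl get services`
# output read on stdin. Returns 1 while the address is still <pending>/<none>
# or the service is missing, so callers can poll instead of using a bad value.
external_ip_of() {
  ip=$(awk -v svc="$1" '$1 == svc && $2 == "LoadBalancer" { print $4 }')
  case "$ip" in
    ""|"<pending>"|"<none>") return 1 ;;
  esac
  printf '%s\n' "$ip"
}

# Does the space-separated list of resolved A records ($1) contain IP $2?
# Pure string check so it can be verified offline.
records_contain() {
  for rec in $1; do
    [ "$rec" = "$2" ] && return 0
  done
  return 1
}

# Live check (needs kubectl, getent and a DNS record already created): wait for
# the load balancer address, then compare it with what the cluster name resolves to.
check_cluster_dns() {
  cluster="$1"; ns="${2:-teleport-cluster}"
  until lb=$(kubectl --namespace="$ns" get services | external_ip_of teleport-cluster); do
    echo "EXTERNAL-IP still pending, retrying in 15s" >&2
    sleep 15
  done
  resolved=$(getent ahostsv4 "$cluster" | awk '{ print $1 }' | sort -u | tr '\n' ' ')
  if records_contain "$resolved" "$lb"; then
    echo "OK: $cluster resolves to $lb"
  else
    echo "DNS mismatch: $cluster resolves to [$resolved] but the load balancer is $lb" >&2
    return 1
  fi
}

# Constructed samples in the shape of the output above: one ready, one still provisioning.
SAMPLE_READY='NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
teleport-cluster LoadBalancer 10.245.163.12 192.168.200.200 443:31959/TCP,3023:30525/TCP 19m
teleport-cluster-auth ClusterIP 10.245.164.28 <none> 3025/TCP,3026/TCP 19m'
SAMPLE_PENDING='NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
teleport-cluster LoadBalancer 10.245.163.12 <pending> 443:31959/TCP 1m'
```

Run `check_cluster_dns tele.example.com` after creating the A record; it exits non-zero until DNS and the load balancer agree.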
Now we create a Teleport user by running the tctl command through kubectl.

```code
User "tadmin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h: https://tele.example.com:443/web/invite/
NOTE: Make sure tele.example.com:443 points at a Teleport proxy which users can access.
```
</TabItem>
<TabItem scope={["enterprise", "cloud"]} label="Commercial">
```code
$ kubectl --namespace teleport-cluster exec deployment/teleport-cluster-auth -- tctl users add tadmin --roles=access,editor,reviewer --logins=ubuntu
User "tadmin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://tele.example.com:443/web/invite/<invite-token>
NOTE: Make sure tele.example.com:443 points at a Teleport proxy which users can access.
```
Copy the link shown after executing the above command and open it in a web browser to complete the user registration process (the link is https://tele.example.com:443/web/invite/<invite-token> in the above case).
After you complete the registration process by setting up a password and enrolling in multi-factor authentication, you will be logged in to the Teleport Web UI.
In this step, we created a user tadmin with the roles access and editor. These are default roles available in Teleport. However, to allow this user to access the Kubernetes cluster, we need to assign tadmin a role that is authorized to access it. So first, let's create a role named member that grants the Kubernetes privilege system:masters.
Create a file named member.yaml with the following spec:
(!docs/pages/includes/kubernetes-access/member-role.mdx!)
<Admonition type="warning" title="Warning">
system:masters is a built-in Kubernetes group with cluster-admin privileges, similar to sudo permissions on Linux systems. It is used here for demonstration purposes and should be used in production only when necessary.
</Admonition>
Next, create this role in Teleport with the command:

```code
$ kubectl --namespace=teleport-cluster exec -i deployment/teleport-cluster-auth -- tctl create -f < member.yaml
```
Now we will assign the member role to the Teleport user tadmin. The example below shows the process in the Teleport Web UI. First, open the edit menu for the user:
Second, update the roles of the tadmin user to add the member role:
We've updated the user tadmin to have the member role, which is allowed to access a Kubernetes cluster with the privilege system:masters.
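As an added example (not from the original guide or from Teleport), a least-privilege counterpart to the member role for the cases the warning above has in mind: the Teleport role grants a custom Kubernetes group (teleport-viewers, an assumed name) instead of system:masters, and a RoleBinding gives that group only the built-in read-only view ClusterRole in the teleport-cluster namespace. The manifest field names follow Teleport's role spec and Kubernetes RBAC; the function names and the k8s-viewer role name are assumptions for this example.

```shell
# Added example, not from the Teleport docs: a least-privilege counterpart to the
# member role. The Teleport role maps the user to a custom Kubernetes group (assumed
# name: teleport-viewers); a RoleBinding grants that group only `view` in one namespace.

# Teleport role manifest. $1 = role name, $2 = Kubernetes group the user will act as.
# kubernetes_groups and kubernetes_labels are Teleport role spec fields (version v5 shown).
render_teleport_role() {
  cat <<EOF
kind: role
version: v5
metadata:
  name: $1
spec:
  allow:
    kubernetes_labels:
      '*': '*'
    kubernetes_groups:
      - $2
EOF
}

# Kubernetes RoleBinding. $1 = group, $2 = namespace, $3 = ClusterRole (default: view).
render_rolebinding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $1
  namespace: $2
subjects:
  - kind: Group
    name: $1
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${3:-view}
  apiGroup: rbac.authorization.k8s.io
EOF
}
# Guard: succeeds if a manifest hands out the sudo-like group from the warning above.
grants_system_masters() { printf '%s\n' "$1" | grep -q 'system:masters'; }
# Create both objects with the same tctl-through-kubectl pattern the guide uses
# (needs a live cluster; the offline checks only exercise the renderers and the guard).
apply_least_privilege_role() {
  role=$(render_teleport_role k8s-viewer teleport-viewers)
  grants_system_masters "$role" && { echo "refusing: role grants system:masters" >&2; return 1; }
  printf '%s\n' "$role" | kubectl --namespace=teleport-cluster exec -i deployment/teleport-cluster-auth -- tctl create -f
  render_rolebinding teleport-viewers teleport-cluster | kubectl apply -f -
}
```

Assign k8s-viewer instead of member to users who only need to inspect workloads; tadmin keeps member only where system:masters is genuinely required.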
The following steps show how to access the Kubernetes cluster using tsh.
First, authenticate to Teleport using tsh as the tadmin user we created earlier in this guide.
<Admonition type="note" title="Note">
The following process will override your global kubectl configuration file. To write your kubectl configuration to a separate file instead of modifying your global kubectl configuration, run the following command first:

```code
$ export KUBECONFIG=${HOME?}/teleport-kubeconfig.yaml
```
</Admonition>

```code
$ tsh kube login tele.example.com
Logged into kubernetes cluster "tele.example.com". Try 'kubectl version' to test the connection.
$ kubectl --namespace=teleport-cluster get pods
NAME READY STATUS RESTARTS AGE
teleport-cluster-6cc679b6f6-7xr5h 1/1 Running 0 14h
```
Voila! User tadmin was able to list the pods in their DigitalOcean Kubernetes cluster.
Teleport keeps an audit log of access to a Kubernetes cluster. In the screenshot below, the Teleport audit log shows that the user tadmin has logged into the cluster.
To see all of the options you can set in the values file for the teleport-cluster Helm chart, consult our reference guide.
Read our guides to additional ways you can protect a Kubernetes cluster with Teleport:
- Connect another Kubernetes cluster to Teleport by deploying the Teleport Kubernetes Service
- Set up Machine ID with Kubernetes
- Single-Sign On and RBAC for Kubernetes Clusters