| title | description |
|---|---|
teleport-kube-agent Chart Reference |
Values that can be set using the teleport-kube-agent Helm chart |
The teleport-kube-agent Helm chart is used to configure a Teleport Agent that
runs in a remote Kubernetes cluster to provide access to resources in your
infrastructure.
You can browse the source on GitHub.
This reference details available values for the teleport-kube-agent chart.
(!docs/pages/includes/backup-warning.mdx!)
The teleport-kube-agent chart can run any or all of three Teleport services:
| Teleport service | Name for roles and tctl tokens add |
Purpose |
|---|---|---|
kubernetes_service |
kube |
Uses Teleport to handle authentication with and proxy access to a Kubernetes cluster |
application_service |
app |
Uses Teleport to handle authentication with and proxy access to web-based applications |
database_service |
db |
Uses Teleport to handle authentication with and proxy access to databases |
discovery_service |
discovery |
Uses Teleport to discover new resources and dynamically add them to the cluster |
jamf_service |
jamf |
Uses Teleport to integrate with Jamf Pro and sync devices with Device Trust inventory |
Releases of this chart installed before version 11 are considered legacy
releases, which launch the Teleport pod as a Deployment if no storage was
configured.
In version 11 and above, the chart launches the Teleport pod as a StatefulSet
even when the chart is configured not to use external storage, and the Teleport pod
reads its state from a Kubernetes Secret.
While the Teleport pod does not require external storage, you can still use the
storage.enabled field to configure the way the Teleport pod
reads data from a persistent volume.
To learn how upgrading from a legacy release to version 11 will affect resources launched by this chart, see the resource list.
The teleport-kube-agent chart deploys the following Kubernetes resources:
| Kind | Default Name | Description | When Deployed |
|---|---|---|---|
StatefulSet |
The release name | Running a user-configured Teleport pod. | Always. |
Secret |
joinTokenSecret.name (default: teleport-kube-agent-join-token) |
Used for managing the state of the Teleport pod. | joinTokenSecret.secret is true. |
Secret |
jamfCredentialsSecret.name (default: teleport-jamf-api-credentials) |
Used for integrating Jamf Prod with Teleport (jamf_service). |
jamfCredentialsSecret.create is true |
Deployment |
The release name | Runs a user-configured Teleport pod. | storage.enabled is false and the chart is being upgraded. Fresh installs will deploy a StatefulSet instead. |
Role |
The roleName option, if given, or the release name. |
Used to manage the state of the Teleport pod via Kubernetes secrets. | Always. |
ClusterRole |
clusterRoleName, if given, or the release name. |
Allows impersonating users, groups, and service accounts, getting pods, and creating SelfSubjectAccessReviews so the Teleport pod can manage access to resources in its Kubernetes cluster. |
Always. |
ClusterRoleBinding |
clusterRoleBindingName, if provided, or the release name |
Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | Always. |
RoleBinding |
roleBindingName, if given, or the release name |
Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | Always. |
ServiceAccount |
serviceAccount.name, if given, or the release name |
Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | serviceAccount.create is true |
PodDisruptionBudget |
The release name | Ensure high availability for the Teleport pod. | highAvailability.podDisruptionBudget.enabled is true. |
ServiceAccount |
The release name, suffixed by -hook |
Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete. |
If the teleport-kube-agent release contains a legacy Deployment resource. |
Role |
The release name, suffixed by -hook |
Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete. |
If the teleport-kube-agent release contains a legacy Deployment resource. |
RoleBinding |
The release name, suffixed by -hook |
Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete. |
If the teleport-kube-agent release contains a legacy Deployment resource. |
Job |
The release name, suffixed by -hook |
Used to delete legacy Deployments in order to deploy a StatefulSet instead. Removed once the upgrade is complete. |
If the teleport-kube-agent release contains a legacy Deployment resource. |
ConfigMap |
The release name | Contains the configuration for the Teleport pod. | Always. |
PodSecurityPolicy |
The release name | Enforces security requirements for pods deployed by teleport-kube-agent. |
podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23. |
Role |
The release name, suffixed by -psp |
Enforces security requirements for pods deployed by teleport-kube-agent. |
podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23. |
RoleBinding |
The release name, suffixed by -psp |
Enforces security requirements for pods deployed by teleport-kube-agent. |
podSecurityPolicy.enabled is true and the Kubernetes cluster version is < 1.23. |
(!docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx!)