Access Kubernetes Using teleport
Guide to access kubernetes via kubectl using teleport
Introduction
This guide will help you access the kargo Kubernetes cluster using teleport as an authentication proxy.
Prerequisites
- Installed tsh. tsh is the teleport CLI client
- Installed kubectl
- Your GitHub account is a member of the engineering team on the kargotech org (for accessing non-prod Kubernetes cluster)
- Your GitHub account is a member of the production-access team on the kargotech org (for accessing prod Kubernetes cluster)
Step 1 - Login to teleport using GitHub
Log in to kargo’s internal teleport at https://teleport.helios.kargo.tech
tsh login --proxy=teleport.helios.kargo.tech:443
Step 2 - List Kubernetes clusters
List all Kubernetes clusters available in teleport
tsh kube ls
Step 3 - Login to Kubernetes cluster
Login to the desired kubernetes cluster
tsh kube login {cluster-name}
After this command is executed, teleport automatically generates Kubernetes credentials for the cluster and sets the current kubectl context to that cluster.
Step 4 - Test the connection
Use the kubectl command to test teleport authentication
kubectl version
# The output should look like this
## Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-04T02:28:17Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}
## Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.15-gke.3400", GitCommit:"750002971a60d8a06e0a403c52724257f0f68481", GitTreeState:"clean", BuildDate:"2022-03-08T09:33:43Z", GoVersion:"go1.15.15b5", Compiler:"gc", Platform:"linux/amd64"}
# Or execute
kubectl get pod
Example
Access app-dev cluster using teleport
# Login to teleport
tsh login --proxy=teleport.helios.kargo.tech:443
# Connect to app-dev cluster
tsh kube login app-dev
# Check pod in `dev` namespace
kubectl get pod -n dev
FAQ
How can I access production cluster?
To access the production cluster via teleport you need to be invited to the production-access GitHub team. Please contact the maintainer for the team to request access to the production cluster.
I was already invited to the production GitHub team but I still can’t access the cluster
Teleport renews the certificate used for authorization every 30 minutes. To renew it immediately, log out and log in to teleport again.
tsh logout
tsh login --proxy=teleport.helios.kargo.tech:443
Protip
- Use the ohmyzsh kubectl plugin to add useful aliases. You can shorten kubectl to k, change namespace using kcn {namespace name}, etc.
# .zshrc
plugins=(... kubectl ...)
Last modified July 18, 2022: Add one page sample (#4) (a68293a)