Provide a guide on how to use teleport k8s with external proxy #2746

Open
klizhentas opened this issue May 28, 2019 · 1 comment

@klizhentas klizhentas commented May 28, 2019

Description

The documentation on how to use a Teleport Proxy that is external to the Kubernetes cluster:

  • Should explain that this feature won't work with EKS out of the box.
  • For other clusters, should use the gen-cert.sh example and show the cluster role binding for the Teleport proxy's user.
  • This should be a step-by-step guide, I think, that works with GKE/kops clusters.

@webvictim webvictim commented Jun 14, 2019

This should be fairly simple:

  1. Install UUID: yum -y install uuid / apt-get -y install uuid
  2. Install cfssl: go get -u github.com/cloudflare/cfssl/cmd/cfssl
  3. Install cfssljson: go get -u github.com/cloudflare/cfssl/cmd/cfssljson
  4. Download https://raw.githubusercontent.com/gravitational/teleport/master/examples/gke-auth/get-kubeconfig.sh
  5. chmod +x ./get-kubeconfig.sh
  6. ./get-kubeconfig.sh (must be run on a machine that has a working ~/.kube/config and access to the cluster)
  7. Copy build/kubeconfig to your Teleport proxy instance (for example to /var/lib/teleport/kubeconfig)
  8. Edit /etc/teleport.yaml to add kubeconfig:

     proxy_service:
       kubernetes:
         kubeconfig_file: /var/lib/teleport/kubeconfig

  9. Restart Teleport proxy
  10. Log into Teleport proxy from your client machine (tsh login --proxy=proxy.tld:3080)
  11. Run kubectl get nodes and you should get a list of nodes

There's a missing part here with the Role and RoleBinding for impersonation, but the process I wrote above worked fine on the test kops cluster that I built.

@klizhentas klizhentas assigned benarent and unassigned benarent Jun 25, 2019
@benarent benarent added the kubernetes label Jul 30, 2019
@benarent benarent modified the milestones: 4.1 "Seattle", 4.2 "Alameda" Sep 16, 2019
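
The impersonation RBAC that the Jun 14 comment describes as missing could look like the manifest below. This is an added example, not part of the original thread and not the Teleport project's own manifest. The object names and the subject user name are placeholders, and it assumes the kubeconfig produced by get-kubeconfig.sh authenticates with a client certificate whose CN is the Kubernetes user name.

```yaml
# Added example (not from the issue thread). Names marked "placeholder" are
# illustrative and must be replaced with values from your own cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: teleport-proxy-impersonation        # placeholder name
rules:
  # Impersonation targets (users, groups) are cluster-scoped, so this is a
  # ClusterRole rather than a namespaced Role.
  - apiGroups: [""]
    resources: ["users", "groups", "serviceaccounts"]
    verbs: ["impersonate"]
    # Without resourceNames this allows impersonating ANY user or group,
    # including system:masters. To narrow it, split the rule per resource
    # and list the allowed identities, for example:
    #   resources: ["groups"]
    #   resourceNames: ["developers", "viewers"]   # placeholder group names
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: teleport-proxy-impersonation        # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: teleport-proxy-impersonation
subjects:
  # Must match the identity the proxy's kubeconfig authenticates as
  # (assumed here to be the CN of its client certificate).
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: REPLACE_WITH_PROXY_CERT_CN        # placeholder user name
```

Because the proxy's credential can act as any identity this role permits, the kubeconfig file copied to the proxy host should be readable only by the Teleport service account on that machine.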