# Teleport Installation ## Introduction Teleport enables secure, role-based access to Kubernetes clusters and individual nodes for debugging, monitoring, and management operations. It is a solution for: * **Secure Remote Access**: SSH and web-based access to cluster resources * **Role-Based Access Control**: Granular permissions for different user roles * **Audit and Compliance**: Full logging and session recording * **Cross-Platform Access**: Unified access to multiple environments ### Prerequisites * Self-hosted Private cloude Directer is installed and configured * kubectl access to the **Management cluster** * Valid Teleport join token from Platform9 Support #### Installation Options #### Option 1: Kubernetes Agent Installation Install Teleport agent into a Kubernetes namespace for namespace-scoped access. ```bash ./install-teleport.sh --token \ --namespace \ --proxy-addr \ --cluster-name \ --version \ --access-namespace \ --access-level \ --resource kube ``` **Parameters:** * `--token`: Join token (required) * `--namespace`: Target namespace where the Teleport agent pod runs (default: `teleport`) * `--proxy-addr`: Teleport proxy address (default: `platform9.teleport.sh:443`) * `--cluster-name`: name for identification in Teleport interface(default: `example-k8s-cluster`) * `--version`: Teleport version (default: `18.1.4`) * `--access-namespace`: Namespace(s) to grant access (comma-separated) * `--access-level`: Access level - `admin` or `readonly` (default: `admin`) * `--resource`: Resource type - `kube` (default) **Examples:** ```bash # Basic installation with admin access to teleport namespace ./install-teleport.sh --token abc123 --namespace my-app --access-level admin # Cluster-wide admin access ./install-teleport.sh --token abc123 --access-level admin # Read-only access to specific namespaces ./install-teleport.sh --token abc123 --access-namespace app1,app2 --access-level readonly # Custom namespace and cluster name ./install-teleport.sh --token abc123 --namespace production --cluster-name prod-k8s-cluster ``` #### Option 2: Node Installation Install Teleport node agent on individual Kubernetes nodes for node-level access. ```bash ./install-teleport.sh --token \ --proxy-addr \ --version \ --resource node ``` **Parameters:** * `--token`: Join token (required) * `--proxy-addr`: Teleport proxy address (default: `platform9.teleport.sh:443`) * `--version`: Teleport version (default: `18.1.4`) * `--resource`: Resource type - `node` (required) **Example:** ```bash # Install Teleport on a worker node ./install-teleport.sh --token abc123 --resource node ``` ### Access Levels #### Admin Access * **Cluster Role**: `cluster-admin` (full cluster access) * **Namespace Role**: `admin` (full namespace access) * **Capabilities**: Create, read, update, delete resources #### Read-Only Access * **Cluster Role**: `teleport-view-only` (cluster-wide read-only) * **Namespace Role**: `teleport-namespace-view` (namespace read-only) * **Capabilities**: Get, list, watch resources only ### What Gets Installed #### Kubernetes Agent * **Helm Release**: `teleport-agent` in specified namespace * **RBAC**: ClusterRole and RoleBindings for specified access level * **Service Account**: Teleport service account with appropriate permissions * **Proxy Configuration**: Automatic connection to Platform9 Teleport proxy #### Node Agent * **System Service**: Teleport node service installed and started * **Configuration**: Node configured with join token and proxy settings * **System Integration**: Integrated with systemd for automatic startup ### Proxy Configuration The script automatically configures connection to Platform9's Teleport proxy: * **Default Proxy**: `platform9.teleport.sh:443` * **Custom Proxy**: Use `--proxy-addr` for alternative proxy * **Environment Variables**: HTTP\_PROXY, HTTPS\_PROXY, NO\_PROXY automatically configured ### Security Considerations #### Token Security * Join tokens are single-use and expire after first use * Store tokens securely and never commit to version control * Obtain fresh tokens for each installation #### Access Control * **Principle of Least Privilege**: Use read-only access when possible * **Namespace Scoping**: Limit access to specific namespaces when no cluster-wide access is needed #### Network Security * **Proxy Only**: All Teleport connections go through Platform9 proxy * **TLS Encryption**: All communications encrypted via TLS * **Firewall Rules**: Ensure outbound connections to proxy are allowed ### Troubleshooting #### Common Issues **Token Issues:** ```bash # Verify token format echo $JOIN_TOKEN | wc -c # Should be reasonable length # Check token expiration # Contact Platform9 Support if token fails ``` **Connection Issues:** ```bash # Test proxy connectivity curl -I https://platform9.teleport.sh:443 # Check network connectivity ping platform9.teleport.sh ``` #### Log Locations * **Kubernetes Agent**: Check pod logs: `kubectl logs -n teleport-agent-xxx` * **Node Agent**: Check system logs: `sudo journalctl -u teleport -f` * **Installation Logs**: Script outputs detailed progress and error messages #### Cleanup **Remove Kubernetes Agent:** ```bash helm uninstall teleport-agent -n kubectl delete rolebinding,role -n -l app.kubernetes.io/name=teleport ``` **Remove Node Agent:** ```bash sudo systemctl stop teleport sudo systemctl disable teleport sudo rm -f /etc/teleport.yaml ``` ### Advanced Configuration #### Multiple Namespace Access Grant access to multiple namespaces with comma-separated list: ```bash ./install-teleport.sh --token abc123 \ --access-namespace dev,staging,production \ --access-level readonly ``` This creates RoleBindings in each specified namespace with read-only permissions. ### Support For issues or questions: * Contact Platform9 Support * Verify network connectivity to Teleport proxy --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.platform9.com/private-cloud-director/getting-started/self-hosted/teleport-installation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.