
Allow kubernetes_service to serve only dynamic kube cluster resources #49332

programmerq opened this issue Nov 21, 2024 · 0 comments
Expected Behavior

Helm chart for teleport-kube-agent should support service dynamic clusters only.

Teleport itself supports this already. A valid kubernetes_service section doesn't need kube_cluster_name or kubeconfig_file if it has a labels section. The chart should be able to produce a teleport.yaml with labels only, if the user has that use case.

Current Behavior

The kube_cluster_name is always set in the teleport.yaml generated by the chart. In a case where a user has both discovery_service and kubernetes_service, the discovery service can incorporate EKS tags into the labels of the dynamic cluster. If the dynamic object has the same name as the kube_cluster_name, then the dynamic object will be skipped/ignored from the user's perspective.

Use Case

For EKS auto-discovery, this can be confusing for the end-user:

actual output:

% tsh kube ls
Kube Cluster Name  Labels                                                                                                                    Selected
------------------ -------------------------------------------------------------------------------------------------------------------------- --------
dev-eks-1          TeleportKubernetesName=dev-eks-1,account-id=000000000000,env=dev,region=eu-west-1,service=eks,terraform=true
dev-eks-2          env=dev
dev-eks-3          TeleportKubernetesName=dev-eks-3,account-id=000000000000,env=dev,region=us-east-2,terraform-aws-modules=eks,terraform=true

expected:

% tsh kube ls
Kube Cluster Name  Labels                                                                                                                    Selected
------------------ -------------------------------------------------------------------------------------------------------------------------- --------
dev-eks-1          TeleportKubernetesName=dev-eks-1,account-id=000000000000,env=dev,region=eu-west-1,service=eks,terraform=true
dev-eks-2          TeleportKubernetesName=dev-eks-2,account-id=000000000000,env=dev,region=us-west-2,terraform-aws-modules=eks,service=eks,terraform=true
dev-eks-3          TeleportKubernetesName=dev-eks-3,account-id=000000000000,env=dev,region=us-east-2,terraform-aws-modules=eks,terraform=true

In this example, dev-eks-2 is running the discovery+kube agent. It has kubeClusterName: dev-eks-2. The dynamic object for dev-eks-2 isn't loaded. If the dynamic dev-eks-2 object were loaded, it would show the AWS tag-derived labels.

Workarounds

Instead of setting kubeClusterName: dev-eks-2 in the helm values, an alternate name could be specified. Teleport RBAC could deny users from seeing the alternate name, allowing the discovered object to come through.

Manually edit the generated ConfigMap to remove kube_cluster_name from teleport.yaml. The MustMergeOverwrite helm function that the teleport-kube-agent chart uses to specify teleport.yaml overrides cannot remove the key from kubernetes_service.
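As an added example (not Teleport's or the chart's code), the following parses `tsh kube ls` output like the table above and flags clusters whose labels lack the TeleportKubernetesName label that the discovery service attaches, which is the symptom of a static kube_cluster_name hiding the discovered object. The sample text is the issue's actual output; the assumption that every discovered EKS cluster carries that label is stated in the code.

```python
"""Flag static kube clusters that may shadow discovered ones (added example,
not Teleport/chart code). Assumes every discovered EKS cluster carries the
TeleportKubernetesName label, as in the issue's output."""
from typing import Dict, List

# Constructed sample: the issue's 'actual output', header spacing compressed.
TSH_KUBE_LS = """\
Kube Cluster Name  Labels  Selected
------------------ -------------
dev-eks-1          TeleportKubernetesName=dev-eks-1,account-id=000000000000,env=dev,region=eu-west-1,service=eks,terraform=true
dev-eks-2          env=dev
dev-eks-3          TeleportKubernetesName=dev-eks-3,account-id=000000000000,env=dev,region=us-east-2,terraform-aws-modules=eks,terraform=true
"""

DISCOVERY_LABEL = "TeleportKubernetesName"


def parse_tsh_kube_ls(output: str) -> Dict[str, Dict[str, str]]:
    """Return {cluster_name: {label_key: value}} from `tsh kube ls` text.

    Header and separator rows are skipped; a row may carry only a name (no
    labels) and may end with a '*' in the Selected column.
    """
    clusters: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Kube" or parts[0].startswith("---"):
            continue
        labels: Dict[str, str] = {}
        if len(parts) > 1 and "=" in parts[1]:
            for item in parts[1].split(","):
                key, _, value = item.partition("=")
                labels[key] = value
        clusters[parts[0]] = labels
    return clusters


def shadowing_static_clusters(output: str) -> List[str]:
    """Names listed without the discovery label. With kube_cluster_name set by
    the chart these are the static entries; if discovery registered a cluster of
    the same name, the static entry hides it and its AWS-tag-derived labels."""
    return sorted(name for name, labels in parse_tsh_kube_ls(output).items()
                  if DISCOVERY_LABEL not in labels)


if __name__ == "__main__":
    for name in shadowing_static_clusters(TSH_KUBE_LS):
        print(f"{name}: static kube_cluster_name may shadow a discovered cluster")
```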
