I’m getting close to getting the Kubernetes integration working (I can kubectl get nodes from my machine), but now I’m trying to understand and apply Kubernetes impersonation.
First question: when the doc says “Teleport is running inside the cluster”, does it mean as a Kubernetes pod, or on a Kubernetes cluster node?
Reading the doc, it looks clear for all cases other than “If Teleport is running outside of the Kubernetes cluster”, but for this case there is a very short line and you’re done. So I’m honestly lost on what I should do here.
I’m assuming “running outside of the Kubernetes cluster” means not as a pod within Kubernetes, and as I’ve deployed the Teleport proxy on a node of my k8s cluster, I consider myself to be in the outside case.
So here is the documentation for my case:
If Teleport is running outside of the Kubernetes cluster, you will need to ensure that the principal used to connect to Kubernetes via the kubeconfig file has the same impersonation permissions as are described in the
Question 1: Is there a missing word in “the principal used to connect”? I don’t really get whether it’s the principal account/cluster/…?
Question 2: I guess I should use the same file as the Helm chart to create the service account and then re-use the same name in the
Question 3: How can I check that my config is working fine?
I think the main point of my topic is that the Kubernetes documentation needs some more love.
(There are some “old” links, like the one in the Kubernetes Integration section of the Admin guide which says to take a look at the Kubernetes Integration with SSH section in the Architecture chapter; that seems to actually be the current chapter, as this chapter doesn’t exist in the Architecture chapter.)
Thank you in advance.
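For the “outside the cluster” case the quoted doc boils down to one Kubernetes RBAC requirement: whatever identity the kubeconfig authenticates as must be allowed to use the `impersonate` verb on users, groups and serviceaccounts, because Teleport acts as the Teleport user’s Kubernetes identity rather than as its own account. The manifest below is an added example, not taken from the post or from Teleport’s documentation or Helm chart; the namespace `teleport`, the ServiceAccount name `teleport` and the ClusterRole name `teleport-impersonation` are assumptions, and the rule set should be compared against the ClusterRole shipped in the Helm chart for your Teleport version.

```yaml
# Added example (not Teleport's own manifests). Assumed names:
# namespace "teleport", ServiceAccount "teleport",
# ClusterRole/ClusterRoleBinding "teleport-impersonation".
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: teleport
  namespace: teleport
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: teleport-impersonation
rules:
  # The "impersonate" verb is what lets the principal send
  # Impersonate-User / Impersonate-Group headers and have the API
  # server evaluate RBAC as that user or group instead of as the
  # service account itself. Without all three resources, requests
  # that set a user, a group or a service account identity are
  # rejected with 403.
  - apiGroups: [""]
    resources: ["users", "groups", "serviceaccounts"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: teleport-impersonation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: teleport-impersonation
subjects:
  # This must be the identity the kubeconfig used by Teleport
  # actually authenticates as. For a service-account token that is
  # the ServiceAccount below; for a client certificate it would be
  # a "kind: User" subject whose name is the certificate's CN.
  - kind: ServiceAccount
    name: teleport
    namespace: teleport
```

To check the permission before involving Teleport at all (the Question 3 part), ask the API server directly with `kubectl auth can-i impersonate users --as=system:serviceaccount:teleport:teleport`, and repeat for `groups` and `serviceaccounts`; each should answer `yes`. If any answers `no`, the subject in the ClusterRoleBinding does not match the identity in the kubeconfig, which is the most common reason this setup silently fails once Teleport starts forwarding requests.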