jonny/charts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
a9c37f9a2e
charts/teleport-kube-agent/templates/NOTES.txt
Jonny Ervine b76e232ac2 Add teleport agent update
2024-08-15 22:45:43 +08:00

54 lines
2.2 KiB
Plaintext
Raw Blame History

{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }}
SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm
doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12
the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older.
Instead, we recommend you to configure Pod Security AdmissionControllers for
the namespace "{{.Release.Namespace}}" by adding the label
`pod-security.kubernetes.io/enforce: baseline` on the namespace resource.
See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
To remove this warning, explicitly set "podSecurityPolicy.enabled=false".
{{- end }}
{{- if .Values.teleportVersionOverride }}
DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
This chart is designed to run Teleport version {{ .Chart.AppVersion }}.
You will face compatibility issues trying to run a different Teleport version with it.
If you want to run Teleport version {{.Values.teleportVersionOverride}},
you should use `helm --version {{.Values.teleportVersionOverride}}` instead.
{{- end }}
{{- if contains "-gke." .Capabilities.KubeVersion.Version -}}
{{- $groupName := (coalesce .Values.adminClusterRoleBinding.name "cluster-admin") }}
WARNING: GKE Autopilot clusters forbid users from impersonating system-wide identities.
This means you won't be able to use the `system:masters` Kubernetes Group in
the Teleport Roles for GKE Autopilot clusters.
Given that you installed Teleport on a GKE cluster, we recommend you use the
Kubernetes Group `{{ $groupName }}` instead of `system:masters` in the Teleport Roles
for GKE Autopilot clusters.
To do so, you can use the following Teleport Role resource:
kind: role
metadata:
name: gke-kube-access
version: v7
spec:
allow:
kubernetes_labels:
'*': '*'
kubernetes_groups:
- "{{ $groupName }}"
This chart automatically created the `{{ $groupName }}` Kubernetes Group for you and
assigned it admin privileges on the Kubernetes cluster.
Consult the built-in security features that GKE Autopilot enforces:
https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-security#built-in-security
{{- end }}
Reference in New Issue View Git Blame Copy Permalink