docker.recipes

Teleport

advanced

Zero trust access platform for infrastructure.

Overview

Teleport is an open-source zero trust access platform developed by Gravitational that consolidates access to SSH servers, Kubernetes clusters, web applications, and databases through a single unified interface. Built with modern security principles in mind, Teleport eliminates the need for VPNs and traditional bastion hosts by implementing certificate-based authentication, comprehensive audit logging, and role-based access controls. The platform addresses the growing complexity of managing secure access to distributed infrastructure while maintaining compliance requirements for session recording and access auditing.

This Docker configuration deploys Teleport in a unified mode where all three core services (the authentication server, proxy server, and SSH node) run within a single container. The authentication server handles user management and certificate issuance, the proxy server provides the web interface and protocol translation, while the node service enables SSH access to the container itself. This all-in-one approach creates a complete zero trust access gateway that can authenticate users, manage certificates with short TTLs, and provide secure tunneled access to backend resources without exposing them directly to networks.

Security teams, platform engineers, and DevOps professionals managing distributed infrastructure will find this stack particularly valuable for implementing zero trust network access without the overhead of traditional VPN solutions. The configuration is ideal for organizations seeking to modernize their remote access strategy while maintaining strict audit trails and eliminating long-lived SSH keys and passwords from their infrastructure.

Key Features

  • Certificate-based authentication with automatic short-lived certificate rotation
  • Comprehensive session recording with playback capabilities for SSH and web sessions
  • Role-based access control (RBAC) with time-based access requests and approval workflows
  • Multi-factor authentication support including hardware tokens, TOTP, and WebAuthn
  • Single Sign-On (SSO) integration with popular identity providers like Okta, Auth0, and SAML
  • Protocol-aware proxy supporting SSH, HTTPS, Kubernetes API, and database connections
  • Built-in audit logging with structured events for compliance and security monitoring
  • Dynamic resource discovery and labeling for automated access policy enforcement

Common Use Cases

  • Replacing VPN infrastructure with zero trust access for remote development teams
  • Implementing privileged access management (PAM) for production server administration
  • Creating secure access gateways for contractor and vendor access to specific resources
  • Establishing compliance-ready access controls for SOC2, HIPAA, or PCI environments
  • Centralizing access management across hybrid cloud and on-premises infrastructure
  • Enabling secure database access without embedding credentials in applications
  • Setting up temporary elevated access workflows with manager approval requirements

Prerequisites

  • Minimum 2GB RAM and 2 CPU cores for production workloads with multiple concurrent sessions
  • Valid DNS domain name and TLS certificates for secure web interface access
  • Network firewall rules allowing inbound connections on ports 3023, 3024, 3025, and 443
  • Understanding of certificate-based authentication and public key cryptography concepts
  • Administrative access to systems that will be managed through Teleport proxy
  • Storage planning for audit logs and session recordings based on retention requirements

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

services:
  teleport:
    image: public.ecr.aws/gravitational/teleport:latest
    container_name: teleport
    restart: unless-stopped
    hostname: teleport.local
    # run auth, proxy and SSH node in one container (all-in-one mode)
    command: start --roles=node,proxy,auth
    volumes:
      - teleport_config:/etc/teleport      # teleport.yaml lives here
      - teleport_data:/var/lib/teleport    # CA keys, audit log, session recordings
    ports:
      - "3023:3023"   # SSH proxy
      - "3024:3024"   # reverse tunnel
      - "3025:3025"   # auth server
      - "443:443"     # web UI / HTTPS proxy

volumes:
  teleport_config:
  teleport_data:

.env Template

.env

# Create teleport.yaml in config volume
# See goteleport.com/docs for setup

Usage Notes

  1. Docs: https://goteleport.com/docs/
  2. Web UI at https://localhost:443 for SSH/K8s/DB access
  3. Create teleport.yaml config before starting
  4. Add user: docker exec teleport tctl users add admin --roles=editor,admin
  5. SSH through proxy: tsh ssh --proxy=teleport.local user@node
  6. Supports SSO, hardware keys, and session recording
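The .env template and usage note 3 both say to create teleport.yaml but do not show one. The following is an added, constructed example (not from docker.recipes or the Teleport project) for the all-in-one container above: it enables the auth, proxy and SSH node roles, keeps the hostname, ports and data directory consistent with the compose file, requires a second factor for local users, and turns on session recording. The TLS key and certificate paths under /etc/teleport are assumptions.

```yaml
# teleport.yaml (constructed example): all-in-one auth + proxy + node
version: v3
teleport:
  nodename: teleport.local
  data_dir: /var/lib/teleport          # teleport_data volume: CA keys, audit log, recordings
  log:
    output: stderr                     # shows up in `docker compose logs -f`
    severity: INFO

auth_service:
  enabled: yes
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport.local         # fixed once the cluster is first initialised
  authentication:
    type: local
    second_factor: on                  # local users must enrol TOTP or WebAuthn
    webauthn:
      rp_id: teleport.local            # must equal the hostname users browse to
  session_recording: node              # record SSH sessions; stored under data_dir

ssh_service:
  enabled: yes
  listen_addr: 0.0.0.0:3022            # reached by the proxy inside the container
  labels:
    env: docker

proxy_service:
  enabled: yes
  listen_addr: 0.0.0.0:3023            # SSH proxy, published by the compose file
  tunnel_listen_addr: 0.0.0.0:3024     # reverse tunnels from remote agents
  web_listen_addr: 0.0.0.0:443         # web UI and HTTPS proxy
  public_addr: teleport.local:443      # what tsh and browsers connect to; must be in the cert SAN
  https_keypairs:
    - key_file: /etc/teleport/tls.key  # assumption: placed in the teleport_config volume
      cert_file: /etc/teleport/tls.crt
```

Because /etc/teleport is a named volume, the file has to be put there before the first start (for example with a bind mount or `docker cp` into the created container); if teleport.yaml is absent, the container starts with Teleport's built-in defaults rather than these settings.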

Quick Start

terminal

# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  teleport:
    image: public.ecr.aws/gravitational/teleport:latest
    container_name: teleport
    restart: unless-stopped
    hostname: teleport.local
    command: start --roles=node,proxy,auth
    volumes:
      - teleport_config:/etc/teleport
      - teleport_data:/var/lib/teleport
    ports:
      - "3023:3023"
      - "3024:3024"
      - "3025:3025"
      - "443:443"

volumes:
  teleport_config:
  teleport_data:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Create teleport.yaml in config volume
# See goteleport.com/docs for setup
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal

curl -fsSL https://docker.recipes/api/recipes/teleport/run | bash

Troubleshooting

  • Certificate validation failed: Ensure system clock is synchronized and DNS resolution works correctly for the Teleport hostname
  • Web interface shows 'proxy not available': Check that all required ports are accessible and not blocked by firewall rules
  • User authentication fails with SSO: Verify SAML/OIDC connector configuration matches identity provider settings exactly
  • Session recording not working: Confirm teleport_data volume has sufficient disk space and proper write permissions
  • tsh client cannot connect: Validate proxy address matches certificate SAN and client has latest Teleport client version
  • Database connections timeout: Ensure Teleport has network connectivity to database servers and proper authentication credentials
