Teleport allows you to implement industry best practices for SSH and Kubernetes access, meet compliance requirements, and have complete visibility into access and behavior. But invariably, change happens. Teleport allows users to request elevated privileges in the middle of their command-line sessions and create fully auditable dynamic authorizations. These requests can be approved or denied via ChatOps in Slack, in PagerDuty, or anywhere else via a flexible Authorization Workflow API.
- The Slack integration allows users to receive role permission requests as Slack messages and approve them from within the app.
- The PagerDuty integration allows Teleport permission requests to function as PagerDuty incidents. They can be approved or denied through a PagerDuty special action.
Link to video:
https://youtu.be/onyoT8BCSe0
2. Thanks for joining.
4 Facts and a Lie.
🕵 Teleport’s Director of Product
British
🐛 I’ve worked on Monitoring Systems,
Exception Tracker, and Databases
🏢 I love Enterprise Ticketing systems
🔐 Carefree SSH user until joining Gravitational
3. Who are you?
40% DevOps/SRE Engineers
10% Software Developers
25% Security Engineering
25% Director of Engineering / Risk
1% Future People of YouTube
Submit your questions in the Q&A area
14. ChatOps
Term coined by GitHub for conversation-driven development back in the Campfire days
- Code Deployments
- Git Notifications
- Security Event Response
- (but little workflow in the tool)
18. kind: role
version: v3
metadata:
  name: admin
spec:
  # SSH options used for user sessions with default values:
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates
    # issued to the users with this role.
    max_session_ttl: 8h
    # forward_agent controls whether SSH agent forwarding is allowed
    forward_agent: true
    # port_forwarding controls whether TCP port forwarding is allowed
    port_forwarding: true
  # allow section declares a list of resource/verb combinations that are
  # allowed for the users of this role. by default nothing is allowed.
  allow:
    # logins array defines the OS/UNIX logins a user is allowed to use.
    # a few special variables are supported here (see below)
    logins: [root, '{{external.logins}}']
    # if kubernetes integration is enabled, this setting configures which
    # kubernetes groups the users of this role are assigned to.
    kubernetes_groups: ["system:masters", "{{external.trait_name}}"]
    # list of node labels a user will be allowed to connect to:
    node_labels:
      # a user can only connect to a node marked with 'test' label:
      'environment': 'test'
      # the wildcard ('*') means "any node"
      '*': '*'
      # labels can also be specified as a list. this is an alternative to
      # the 'environment' entry above (a YAML mapping holds each key once),
      # so it is commented out here:
      # 'environment': ['test', 'staging']
      # regular expressions are also supported, for example the equivalent
      # of the list example above can be expressed as:
      # 'environment': '^test|staging$'
    # defines roles that this user can request.
    request:
      roles:
        - dba
    # list of allow-rules. see below for more information.
    rules:
      - resources: [role]
        verbs: [list, create, read, update, delete]
https://gravitational.com/teleport/docs/enterprise/ssh-rbac/
21. Slack Summary
- Approve or deny requests from a Slack Room
- Audit log of approval and session recorded in Teleport
- Teleport Slack is a plugin that runs alongside Teleport
22. Slack Gotcha
Anyone in the Slack room can approve, so it is best to limit the integration to a private room or set it up to only notify.
Requests can also be listed and handled with tctl, Teleport's admin tool, using `tctl requests ls`.
An extra port needs to be open for the plugin to communicate with Slack webhooks.
27. Teleport & PagerDuty
- Approve or deny requests from within PagerDuty, directly from the mobile app using Actions
- Audit log of approval and session recorded in Teleport
- Can be set up to auto-approve
- Teleport PagerDuty is a plugin that runs alongside Teleport
- Note: Anyone in PagerDuty can approve
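The role YAML on slide 18 says who may request which roles (`allow.request.roles`), while the Slack and PagerDuty gotchas above say nothing limits who may approve. The Go program below is an added example, not Teleport's or either plugin's own code: it is a hypothetical approver-side gate a ChatOps plugin could run before forwarding an approve action to Teleport. The request, policy and user names are constructed for the example; it checks that the approver is on an allow-list, is not the requestor, that the request is still fresh, and that every requested role is one the requestor's own role permits them to request (mirroring `request: roles: [dba]` in the `admin` role).

```go
package main

import (
	"fmt"
	"time"
)

// AccessRequest is what an approver sees in the chat message: who asked,
// which roles, and when. Constructed shape for this example.
type AccessRequest struct {
	ID        string
	Requestor string
	Roles     []string
	Created   time.Time
}

// RoleSpec keeps the one part of a Teleport role this gate needs: the
// `allow.request.roles` list, i.e. which roles a holder may request.
type RoleSpec struct {
	RequestableRoles []string
}

// Policy is the hypothetical approver-side configuration the plugin would
// consult. None of this is Teleport's own plugin code.
type Policy struct {
	Approvers map[string]bool     // identities allowed to approve at all
	UserRoles map[string][]string // user -> roles currently held
	RoleSpecs map[string]RoleSpec // role name -> spec
	MaxAge    time.Duration       // pending requests older than this are stale
}

// Decision is the outcome plus a reason that can go into the audit trail.
type Decision struct {
	Approve bool
	Reason  string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// requestable reports whether user holds any role whose request.roles
// includes role.
func requestable(p Policy, user, role string) bool {
	for _, held := range p.UserRoles[user] {
		if contains(p.RoleSpecs[held].RequestableRoles, role) {
			return true
		}
	}
	return false
}

// Decide gates an approval click: only listed approvers, never the requestor
// themselves, only while the request is fresh, and only for roles the
// requestor is allowed to ask for.
func Decide(p Policy, req AccessRequest, approver string, now time.Time) Decision {
	if !p.Approvers[approver] {
		return Decision{false, fmt.Sprintf("%s is not an approver", approver)}
	}
	if approver == req.Requestor {
		return Decision{false, "self-approval is not allowed"}
	}
	if now.Sub(req.Created) > p.MaxAge {
		return Decision{false, fmt.Sprintf("request %s is stale", req.ID)}
	}
	if len(req.Roles) == 0 {
		return Decision{false, "request names no roles"}
	}
	for _, role := range req.Roles {
		if !requestable(p, req.Requestor, role) {
			return Decision{false, fmt.Sprintf("%s may not request role %s", req.Requestor, role)}
		}
	}
	return Decision{true, "approved by " + approver}
}

// SamplePolicy is constructed data: alice and bob hold `admin`, which may
// request `dba` (as in the role YAML); dave holds `dev`, which may request
// nothing; bob and carol are the approvers.
func SamplePolicy() Policy {
	return Policy{
		Approvers: map[string]bool{"bob": true, "carol": true},
		UserRoles: map[string][]string{"alice": {"admin"}, "bob": {"admin"}, "dave": {"dev"}},
		RoleSpecs: map[string]RoleSpec{
			"admin": {RequestableRoles: []string{"dba"}},
			"dev":   {RequestableRoles: nil},
		},
		MaxAge: time.Hour,
	}
}

func main() {
	p := SamplePolicy()
	now := time.Date(2020, 5, 1, 12, 0, 0, 0, time.UTC)
	req := AccessRequest{ID: "req-1", Requestor: "alice", Roles: []string{"dba"}, Created: now.Add(-5 * time.Minute)}
	for _, approver := range []string{"carol", "alice", "mallory"} {
		d := Decide(p, req, approver, now)
		fmt.Printf("approver=%s approve=%v reason=%q\n", approver, d.Approve, d.Reason)
	}
}
```

Teleport already enforces `request.roles` when the request is created; the point of re-checking it here is that the approver gate then refuses anything it cannot explain, and every denial reason is something worth logging next to the Teleport audit event for the request.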
33. RFD 3 - Extended Approval Workflows
https://github.com/gravitational/teleport/pull/4305 (Extended Approval Workflows)
● Being able to assign / request access to clusters vs roles.
● Access based on the ticket number
● Access to nodes
● New Flag to return access_request ID and let users poll it manually
35. Recommended Next Steps
Read “Teleport Approval Workflows - Docs.”
https://gravitational.com/teleport/docs/enterprise/workflow/
Check us out on GitHub
https://github.com/gravitational/teleport
Download Teleport
https://gravitational.com/teleport/download