Teleport allows you to implement industry-best practices for SSH and Kubernetes access, meet compliance requirements, and have complete visibility into access and behavior. But invariably, change happens. Teleport allows users to request elevated privileges in the middle of their command-line sessions and create fully auditable dynamic authorizations . These requests can be approved or denied via ChatOps in Slack, in PagerDuty, or anywhere else via a flexible Authorization Workflow API. -The Slack integration allows users to access role permission requests through Slack messages and approve from within the app. -The PagerDuty integration allows Teleport permission requests to function as PagerDuty incidents. They can be approved or denied through a PagerDuty special action. Link to video: https://youtu.be/onyoT8BCSe0

1. Webinar: We will be starting soon…

2. Thanks for joining.
4 Facts and a Lie.
🕵 Teleport’s Director of Product
󾓪 British
🐛 I’ve worked on Monitoring Systems,
Exception Tracker, and Databases
🏢 I love Enterprise Ticketing systems
🔐 Carefree SSH user until joining Gravitational

3. Who are you?
40% DevOps/SRE Engineers
10% Software Developers
25% Security Engineering
25% Director of Engineering / Risk
1% Future People of YouTube
Submit your questions in Q&A area

4. Photo by LYCS Architecture on Unsplash

5. Photo by Dillon Shook on Unsplash

6. Photo by CDC on Unsplash

7. Photo by Diego Fernandez on Unsplash

8. Secure Access for Developers that Doesn't Get in the Way
WE’RE OPEN SOURCE

9. SSH
Keys
SSH Certificates & Short
lived Kubeconfigsvs

10. What does Teleport a
deployment look like?

11. How Teleport Works?

12. Why ticket plugins
and
Access Workflows?

13. ChatOps

14. ChatOps
Term coined by Github for conversation-driven development
back in the Campfire days
- Code Deployments
- Git Notifications
- Security Event Response
- ( but little workflow in the tool )

15. TOOL CREEP
Keeping track of work in an ocean of tooling.
Challenge

16. INTRODUCING TELEPORT
Access Workflows

17. Demo
admin
intern
dba
travis@gravitational.com
ben@gravitational.com
Can Request
= Teleport Roles

18. kind: role
version: v3
metadata:
name: admin
spec:
# SSH options used for user sessions with default values:
options:
# max_session_ttl defines the TTL (time to live) of SSH certificates
# issued to the users with this role.
max_session_ttl: 8h
# forward_agent controls whether SSH agent forwarding is allowed
forward_agent: true
# port_forwarding controls whether TCP port forwarding is allowed
port_forwarding: true
# allow section declares a list of resource/verb combinations that are
# allowed for the users of this role. by default nothing is allowed.
allow:
# logins array defines the OS/UNIX logins a user is allowed to use.
# a few special variables are supported here (see below)
logins: [root, '{{external.logins}}']
# if kubernetes integration is enabled, this setting configures which
kubernetes_groups: ["system:masters", "{{external.trait_name}}"]]
# list of node labels a user will be allowed to connect to:
node_labels:
# a user can only connect to a node marked with 'test' label:
'environment': 'test'
# the wildcard ('*') means "any node"
'*': '*'
# labels can be specified as a list:
'environment': ['test', 'staging']
# regular expressions are also supported, for example the equivalent
# of the list example above can be expressed as:
'environment': '^test|staging$'
# defines roles that this user can can request.
request:
roles:
- dba
# list of allow-rules. see below for more information.
rules:
- resources: [role]
verbs: [list, create, read, update, delete]
https://gravitational.com/teleport/docs/enterprise/ssh-rbac/

19. Demo Time: Slack

21. Slack Summary
- Approve or deny requests from a Slack Room
- Audit log of approval and session recorded in Teleport
- Teleport Slack is a plugin that runs alongside Teleport

22. Slack Gotcha
Anyone in Slack can approve, best to limit to a private room or setup to
only notify.
Can be setup with tctl, Teleports Admin tool using `tctl requests ls`
Need an extra port open to communicate with Slack Webhooks

23. 📟
PagerDuty

24. PagerDuty

25. Demo Time: PagerDuty

27. Teleport & PagerDuty
- Approve or deny requests from within PagerDuty,
directly from mobile app using Actions
- Audit log of approval and session recorded in Teleport
- Can be set up to auto approve
- Teleport PagerDuty is a plugin that runs alongside
Teleport
- Note: Anyone in PagerDuty can approve

28. Auto
Approval
IdP Teleport PagerDuty
travis@gravitational.com
auto-approveben@gravitational.com
gus@gravitational.com
super-admin
Okta User PagerDuty User

29. [teleport]
auth_server = "ec2-18-237-27-178.us-west-2.compute.amazonaws.com:3025" # Teleport Auth Server GRPC API address
client_key = "/var/lib/teleport/auth.key" # Teleport GRPC client secret key
client_crt = "/var/lib/teleport/auth.crt" # Teleport GRPC client certificate
root_cas = "/var/lib/teleport/auth.cas" # Teleport cluster CA certs
[pagerduty]
api_key = "xxx" # PagerDuty API Key
user_email = "ben@gravitational.com" # PagerDuty bot user email (Could be admin email)
service_id = "PGUI4RH" # PagerDuty service id
auto_approve = true # Automatically approve access requests if requestor is on-call
[http]
public_addr = "https://teleport-pagerduty.asteroid.earth:8081" # URL on which callback server is accessible externally, e.g.
[https://]teleport-proxy.example.com:8081
# listen_addr = ":8081" # Network address in format [addr]:port on which callback server listens, e.g. 0.0.0.0:8081
https_key_file = "/etc/letsencrypt/live/teleport-pagerduty.asteroid.earth/privkey.pem" # TLS private key
https_cert_file = "/etc/letsencrypt/live/teleport-pagerduty.asteroid.earth/fullchain.pem" # TLS certificate
[http.tls]
verify_client_cert = true # The preferred way to authenticate webhooks on Pagerduty. See more:
https://developer.pagerduty.com/docs/webhooks/webhooks-mutual-tls
[log]
output = "stderr" # Logger output. Could be "stdout", "stderr" or "/var/lib/teleport/pagerduty.log"
severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN".

30. Mattermost JIRA

31. Open-Source: GoLang Programs as templates to build your own.
https://github.com/gravitational/teleport-plugins

32. RFD 3 - Extended Approval Workflows
https://github.com/gravitational/teleport/pull/4305/

33. RFD 3 - Extended Approval Workflows
https://github.com/gravitational/teleport/pull/4305/Extended Approval Workflows
● Being able to assign / request access to clusters vs roles.
● Access based on the ticket number
● Access to nodes
● New Flag to return access_request ID and let users poll it manually

34. Any Questions?
(Type them in the Q&A box in Zoom)

35. Recommended Next Steps
Read “Teleport Approval Workflows - Docs.”
https://gravitational.com/teleport/docs/enterprise/workflow/
Check us out on Github
https://github.com/gravitational/teleport
Download Teleport
https://gravitational.com/teleport/download

36. Thanks!