tigrato

Events

Add gRPC Kubernetes Service

This PR introduces a gRPC service to retrieve the pods available using the search_as_roles configured in the user's roles.

This gRPC service receives a TLS identity and manipulates it to access the Teleport Kubernetes Proxy and retrieve the pods available for a hypothetical user that has the search_as_roles defined for its roles. The response does not leak the certificate or any pod details other than name, namespace and labels.

```mermaid
sequenceDiagram
    participant User as User
    participant gRPC as grpc Server
    participant Auth as Auth Server
    participant KubeProxy as Kube Proxy
    participant KubeSVC as Kube Service
    User->>+gRPC: ListKubeResources(cluster,namespace)
    Note left of gRPC: Includes search_as_roles <br/> and preview_as_roles <br/>into identity!
    gRPC-->>+Auth: Sign cert with ProcessKubeCSR
    Auth-->>-gRPC: Signed certificate
    gRPC->>+KubeProxy: list pods "v1.../namespaces/{namespace}/pods"
    KubeProxy-->>+KubeSVC: list pods "v1.../namespaces/{namespace}/pods"
    KubeSVC-->>-KubeProxy: filtered response
    Note left of KubeSVC: Applies Pod RBAC filtering!
    KubeProxy-->>-gRPC: response
    gRPC->>-User: Return name, namespace and labels
```

Part of #21107 and #19573

fix comment

add tsh request search pod

Created at 21 seconds ago

fix comment

Created at 15 minutes ago

add unit tests

Created at 18 minutes ago

add tsh request search pod

Created at 46 minutes ago

pull request opened
Add `tsh request search --kind=pod` support
Created at 14 hours ago

Attempt to reconnect a closed LDAP connection (#20991)

When desktop discovery via LDAP is enabled, there is enough traffic on the connection for it to remain open for long periods of time. If discovery is disabled and there are not frequent connections to desktops, the LDAP server may close the connection.

In this case, future connection attempts will fail when making an LDAP query for the user's SID. Now we detect closed connections in this code path and attempt to open a new LDAP connection.

The first connection attempt after the connection is closed will incur some extra latency, as we obtain a new cert when refreshing the LDAP connection.

Additionally, increase the heartbeat period for static hosts from 5s to 5m. These hosts are infrequently changing, so heartbeating every 5 seconds is an inefficient use of resources.

Fixes #20904

Batched Dependabot updates (#21043)

  • Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

Bumps go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.37.0 to 0.38.0.


updated-dependencies:

  • dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency-type: direct:production update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

  • Bump github.com/aws/aws-sdk-go from 1.44.189 to 1.44.191

Bumps github.com/aws/aws-sdk-go from 1.44.189 to 1.44.191.


updated-dependencies:

  • dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

  • Bump sigs.k8s.io/controller-tools from 0.11.1 to 0.11.2

Bumps sigs.k8s.io/controller-tools from 0.11.1 to 0.11.2.


updated-dependencies:

  • dependency-name: sigs.k8s.io/controller-tools dependency-type: direct:production update-type: version-update:semver-patch ...

Signed-off-by: dependabot[bot] support@github.com

  • Bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.80.1 to 1.83.0

Bumps github.com/aws/aws-sdk-go-v2/service/ec2 from 1.80.1 to 1.83.0.


updated-dependencies:

  • dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-type: direct:production update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

  • Bump go.opentelemetry.io/otel/sdk from 1.11.2 to 1.12.0 in /api

Bumps go.opentelemetry.io/otel/sdk from 1.11.2 to 1.12.0.


updated-dependencies:

  • dependency-name: go.opentelemetry.io/otel/sdk dependency-type: direct:production update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

  • Bump cloud.google.com/go/container from 1.10.0 to 1.13.0

Bumps cloud.google.com/go/container from 1.10.0 to 1.13.0.


updated-dependencies:

  • dependency-name: cloud.google.com/go/container dependency-type: direct:production update-type: version-update:semver-minor ...

Signed-off-by: dependabot[bot] support@github.com

  • Revert "Bump cloud.google.com/go/container from 1.10.0 to 1.13.0"

This reverts commit 8987cba9a0aa8bd26743dabee99f8336637e35be.

  • go mod tidy

  • bring back coreos/pkg

  • add container to ignore deps

  • Bumps go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.37.0 to 0.38.0

  • Bumps go.opentelemetry.io/otel/exporters/otlp/otlptrace from 1.11.2 to 1.12.0

  • Bumps go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc from 1.11.2 to 1.12.0

  • Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.11.2 to 1.12.0

  • Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc


Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tobiasz Heller tobiasz.heller@goteleport.com

Add IdP options to role and auth preferences. (#20999)

  • Add IdP options to role and auth preferences.

Both role and auth preferences have IdP options added to them. At the auth preferences level, if the SAML IdP option is set to false, the IdP will be disabled globally. At the role level, it will control which roles allow access to the IdP.

  • Make SAML access by default.

  • Fix tests.

  • Fix config test.

add grpc server

add tsh request search pod

Created at 14 hours ago

add grpc server

Created at 15 hours ago
pull request opened
Add gRPC Kubernetes Service
```mermaid
sequenceDiagram
    participant User as User
    participant gRPC as grpc Server
    participant Auth as Auth Server
    participant KubeProxy as Kube Proxy
    participant KubeSVC as Kube Service
    User->>+gRPC: ListKubeResources(cluster,namespace)
    Note left of gRPC: Includes search_as_roles <br/> and preview_as_roles <br/>into identity!
    gRPC-->>+Auth: Sign cert with ProcessKubeCSR
    Auth-->>-gRPC: Signed certificate
    gRPC->>+KubeProxy: list pods "v1.../namespaces/{namespace}/pods"
    KubeProxy-->>+KubeSVC: list pods "v1.../namespaces/{namespace}/pods"
    KubeSVC-->>-KubeProxy: filtered response
    KubeProxy-->>-gRPC: response
    gRPC->>-User: Return name, namespace and labels
```

Created at 15 hours ago

Fix forwarding of impersonated headers for kubectl exec/portforward

This PR fixes the impersonation headers propagation when using the SPDY roundtrip. SPDY roundtrip creates a new HTTP request and loses the impersonation headers received from the client. When this happens for users that define multiple kubernetes_groups, the requests are denied because Teleport forces you to select a user.

With the changes introduced we conserve the headers received from the client.

Fixes #21088

Created at 15 hours ago
pull request opened
Fix forwarding of impersonated headers for `kubectl exec/portforward`

This PR fixes the impersonation headers propagation when using the SPDY roundtrip. SPDY roundtrip creates a new HTTP request and loses the impersonation headers received from the client. When this happens for users that define multiple kubernetes_groups, the requests are denied because Teleport forces you to select a user.

With the changes introduced, we keep the headers received from the client.

Fixes #21088

Created at 15 hours ago
create branch
tigrato create branch tigrato/fix-header-forward-kube
Created at 15 hours ago

add grpc server

add tsh request search pod

Created at 16 hours ago

add grpc server

Created at 16 hours ago

add grpc server

Created at 18 hours ago
create branch
tigrato create branch tigrato/add-grpc-client-tsh-search-pod
Created at 18 hours ago

add

add

add

add

add

add

add

add

Created at 20 hours ago

Update grpc-generated files (#21056)

In a previous PR some grpc-generated files were not included in the commit. This PR is the result of running make grpc.

add

add

add

add

add

add

add

Created at 23 hours ago