Add gRPC Kubernetes Service
This PR introduces a gRPC service to retrieve the pods available using the search_as_roles configured in the user's roles.
This gRPC service receives a TLS identity and manipulates it to access the Teleport Kubernetes Proxy and retrieve the pods available for a hypothetical user that has the search_as_roles defined for its roles.
The response does not leak the certificate or any pod details other than name, namespace and labels.
sequenceDiagram
participant User as User
participant gRPC as grpc Server
participant Auth as Auth Server
participant KubeProxy as Kube Proxy
participant KubeSVC as Kube Service
User->>+gRPC: ListKubeResources(cluster,namespace)
Note left of gRPC: Includes search_as_roles <br/> and preview_as_roles <br/>into identity!
gRPC-->>+Auth: Sign cert with ProcessKubeCSR
Auth-->>-gRPC: Signed certificate
gRPC->>+KubeProxy: list pods "v1.../namespaces/{namespace}/pods"
KubeProxy-->>+KubeSVC: list pods "v1.../namespaces/{namespace}/pods"
KubeSVC-->>-KubeProxy: filtered response
Note left of KubeSVC: Applies Pod RBAC filtering!
KubeProxy-->>-gRPC: response
gRPC->>-User:Return name, namespace and labels
Part of #21107 and #19573
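The two security-relevant steps in the flow above are the identity manipulation (the user's roles plus their search_as_roles go into the certificate that is signed, without touching the caller's own identity) and the projection of the Kube API response down to name, namespace and labels. The following is an added example, not code from this PR or from Teleport: `Identity`, `WithSearchAsRoles`, `SummarizePods` and the `SamplePodList` response are all constructed here as a simplified model of those two steps, and only the PodList JSON shape is the real Kubernetes v1 one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Identity is a simplified stand-in for the parts of a Teleport TLS identity
// this example needs; it is not Teleport's real identity type.
type Identity struct {
	Username      string
	Roles         []string
	SearchAsRoles []string // roles the user's own roles allow them to search as
}

// WithSearchAsRoles returns a new identity whose role set is the union of the
// user's roles and their search_as_roles. The caller's identity is not modified:
// the elevated set exists only in the short-lived certificate the service asks
// the Auth server to sign for the "hypothetical user".
func WithSearchAsRoles(id Identity) Identity {
	seen := make(map[string]bool)
	var roles []string
	for _, r := range append(append([]string{}, id.Roles...), id.SearchAsRoles...) {
		if !seen[r] {
			seen[r] = true
			roles = append(roles, r)
		}
	}
	sort.Strings(roles)
	return Identity{Username: id.Username, Roles: roles}
}

// PodSummary is the only thing returned to the user: name, namespace and labels.
type PodSummary struct {
	Name      string            `json:"name"`
	Namespace string            `json:"namespace"`
	Labels    map[string]string `json:"labels,omitempty"`
}

// podList decodes just the metadata we keep from a Kubernetes v1 PodList;
// spec, status and annotations are never unmarshalled, so they cannot be
// forwarded by mistake.
type podList struct {
	Items []struct {
		Metadata struct {
			Name      string            `json:"name"`
			Namespace string            `json:"namespace"`
			Labels    map[string]string `json:"labels"`
		} `json:"metadata"`
	} `json:"items"`
}

// SummarizePods projects the (already RBAC-filtered) Kube API response down to
// PodSummary values.
func SummarizePods(raw []byte) ([]PodSummary, error) {
	var list podList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("decoding pod list: %w", err)
	}
	out := make([]PodSummary, 0, len(list.Items))
	for _, it := range list.Items {
		out = append(out, PodSummary{Name: it.Metadata.Name, Namespace: it.Metadata.Namespace, Labels: it.Metadata.Labels})
	}
	return out, nil
}

// SamplePodList is a constructed API response, not captured from a real cluster.
const SamplePodList = `{"kind":"PodList","apiVersion":"v1","items":[
 {"metadata":{"name":"web-0","namespace":"prod","labels":{"app":"web"},
   "annotations":{"internal/note":"do-not-leak"}},
  "spec":{"containers":[{"name":"web","image":"example/web:1.0",
   "env":[{"name":"DB_PASSWORD","value":"hunter2"}]}]},
  "status":{"podIP":"10.0.0.5"}},
 {"metadata":{"name":"db-0","namespace":"prod"},"spec":{"containers":[]},"status":{}}
]}`

func main() {
	caller := Identity{Username: "alice", Roles: []string{"dev"}, SearchAsRoles: []string{"k8s-viewer", "dev"}}
	fmt.Println("roles in signed cert:", WithSearchAsRoles(caller).Roles)

	pods, err := SummarizePods([]byte(SamplePodList))
	if err != nil {
		panic(err)
	}
	b, _ := json.Marshal(pods)
	fmt.Println("returned to user:", string(b))
}
```

Decoding only the metadata fields, rather than decoding the full object and deleting fields afterwards, is the design choice worth copying: anything the service never reads cannot end up in its response.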
fix comment
add tsh request search pod
Attempt to reconnect a closed LDAP connection (#20991)
When desktop discovery via LDAP is enabled, there is enough traffic on the connection for it to remain open for long periods of time. If discovery is disabled and there are not frequent connections to desktops, the LDAP server may close the connection.
In this case, future connection attempts will fail when making an LDAP query for the user's SID. Now we detect closed connections in this code path and attempt to open a new LDAP connection.
The first connection attempt after the connection is closed will incur some extra latency, as we obtain a new cert when refreshing the LDAP connection.
Additionally, increase the heartbeat period for static hosts from 5s to 5m. These hosts are infrequently changing, so heartbeating every 5 seconds is an inefficient use of resources.
Fixes #20904
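The reconnect behaviour described above, as an added example rather than the commit's own code: a client that holds one long-lived LDAP connection, detects the "connection closed" error on the SID lookup path, dials a fresh connection once and retries. The `ldapConn` interface, `errClosed`, the `fakeConn` that drops the connection after two queries and the SID values are all constructed for this example; a real LDAP client library and its error type are not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// errClosed stands in for the error a real LDAP client returns once the server
// has dropped an idle connection (assumption: the name and value are ours).
var errClosed = errors.New("ldap: connection closed")

// ldapConn is the minimal surface the SID lookup needs.
type ldapConn interface {
	LookupSID(username string) (string, error)
	Close() error
}

// Client keeps one long-lived connection and knows how to replace it.
type Client struct {
	mu      sync.Mutex
	conn    ldapConn
	dial    func() (ldapConn, error) // obtains a fresh cert and opens a new connection
	Redials int                      // how many times dial ran (for observability)
}

// LookupSID queries the current connection and, only if the server closed it,
// dials a new connection and retries the query once. Any other error is returned
// unchanged so that a genuine lookup failure never turns into a reconnect loop.
func (c *Client) LookupSID(username string) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.conn == nil {
		if err := c.redialLocked(); err != nil {
			return "", err
		}
	}
	sid, err := c.conn.LookupSID(username)
	if !errors.Is(err, errClosed) {
		return sid, err
	}
	// The extra latency of this path is the cost of obtaining a new cert and
	// connection; it is paid once per closed connection, not per query.
	if err := c.redialLocked(); err != nil {
		return "", fmt.Errorf("reconnecting after closed LDAP connection: %w", err)
	}
	return c.conn.LookupSID(username)
}

func (c *Client) redialLocked() error {
	if c.conn != nil {
		_ = c.conn.Close()
	}
	conn, err := c.dial()
	if err != nil {
		return err
	}
	c.conn = conn
	c.Redials++
	return nil
}

// fakeConn simulates a server that closes the connection after two queries.
type fakeConn struct{ queries int }

func (f *fakeConn) LookupSID(username string) (string, error) {
	f.queries++
	if f.queries > 2 {
		return "", errClosed
	}
	// Constructed SID, not derived from a real directory.
	return fmt.Sprintf("S-1-5-21-1-2-3-%d", 1000+len(username)), nil
}

func (f *fakeConn) Close() error { return nil }

// NewFakeClient wires Client to the simulated connection.
func NewFakeClient() *Client {
	return &Client{dial: func() (ldapConn, error) { return &fakeConn{}, nil }}
}

func main() {
	c := NewFakeClient()
	for _, u := range []string{"alice", "bob", "carol"} {
		sid, err := c.LookupSID(u)
		fmt.Println(u, sid, err)
	}
	fmt.Println("redials:", c.Redials)
}
```

With three lookups against a server that drops the connection after two queries, the first lookup dials (nothing was open yet), the second reuses the connection, and the third hits the closed connection, redials and still returns a SID, so the caller never sees the transient failure.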
Batched Dependabot updates (#21043)
Bumps go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.37.0 to 0.38.0.
updated-dependencies:
Signed-off-by: dependabot[bot] support@github.com
Bumps github.com/aws/aws-sdk-go from 1.44.189 to 1.44.191.
updated-dependencies:
Signed-off-by: dependabot[bot] support@github.com
Bumps sigs.k8s.io/controller-tools from 0.11.1 to 0.11.2.
updated-dependencies:
Signed-off-by: dependabot[bot] support@github.com
Bumps github.com/aws/aws-sdk-go-v2/service/ec2 from 1.80.1 to 1.83.0.
updated-dependencies:
Signed-off-by: dependabot[bot] support@github.com
Bumps go.opentelemetry.io/otel/sdk from 1.11.2 to 1.12.0.
updated-dependencies:
Signed-off-by: dependabot[bot] support@github.com
Bumps cloud.google.com/go/container from 1.10.0 to 1.13.0.
updated-dependencies:
Signed-off-by: dependabot[bot] support@github.com
This reverts commit 8987cba9a0aa8bd26743dabee99f8336637e35be.
go mod tidy
bring back coreos/pkg
add container to ignores deps
Bumps go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.37.0 to 0.38.0
Bumps go.opentelemetry.io/otel/exporters/otlp/otlptrace from 1.11.2 to 1.12.0
Bumps go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc from 1.11.2 to 1.12.0
Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.11.2 to 1.12.0
Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tobiasz Heller tobiasz.heller@goteleport.com
Add IdP options to role and auth preferences. (#20999)
Both role and auth preferences have IdP options added to them. At the auth preferences level, if the SAML IdP option is set to false, the IdP will be disabled globally. At the role level, it will control which roles allow access to the IdP.
Make SAML access by default.
Fix tests.
Fix config test.
add grpc server
Fix forwarding of impersonated headers for kubectl exec/portforward
This PR fixes the impersonation headers propagation when using the SPDY roundtrip. SPDY roundtrip creates a new HTTP request and loses the impersonation headers received from the client. When this happens for users that define multiple kubernetes_groups, the requests are denied because Teleport forces you to select a user.
With the changes introduced, we keep the headers received from the client.
Fixes #21088
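The failure mode above, shown as an added example rather than the commit's own code: an upgrade round trip that builds a brand-new request drops the client's `Impersonate-User` / `Impersonate-Group` / `Impersonate-Extra-*` headers, and a proxy that needs the client to pick one of several Kubernetes users then rejects the request. `UpgradeRequest`, `ResolveImpersonatedUser` and `NewExecRequest` are constructed here as a simplified model; only the header names are the real Kubernetes ones, and the selection rule is a stand-in for Teleport's, not its actual code.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Kubernetes impersonation headers as understood by the API server.
const (
	HeaderImpersonateUser  = "Impersonate-User"
	HeaderImpersonateGroup = "Impersonate-Group"
	HeaderImpersonateExtra = "Impersonate-Extra-" // prefix, e.g. Impersonate-Extra-Scopes
)

// CopyImpersonationHeaders copies every impersonation header from src to dst,
// keeping repeated Impersonate-Group values and all Impersonate-Extra-* keys,
// and nothing else (Authorization and friends stay behind).
func CopyImpersonationHeaders(dst, src http.Header) {
	for key, values := range src {
		k := http.CanonicalHeaderKey(key)
		if k == HeaderImpersonateUser || k == HeaderImpersonateGroup || strings.HasPrefix(k, HeaderImpersonateExtra) {
			dst[k] = append([]string(nil), values...)
		}
	}
}

// UpgradeRequest mimics what an SPDY round trip does for exec/port-forward: it
// builds a brand-new request for the protocol upgrade. With preserve=false it
// carries only the upgrade headers (the bug); with preserve=true the client's
// impersonation headers are carried over (the fix).
func UpgradeRequest(original *http.Request, preserve bool) *http.Request {
	req := &http.Request{Method: http.MethodPost, URL: original.URL, Header: http.Header{}}
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "SPDY/3.1")
	if preserve {
		CopyImpersonationHeaders(req.Header, original.Header)
	}
	return req
}

// ErrUserSelectionRequired is returned when several Kubernetes users are
// available and the client did not say which one to impersonate.
var ErrUserSelectionRequired = errors.New("multiple kubernetes users available; Impersonate-User header required")

// ResolveImpersonatedUser is a simplified model (not Teleport's code) of the
// selection rule: when the user's roles yield more than one candidate, the
// client must pick one with Impersonate-User, and the pick must be a candidate.
func ResolveImpersonatedUser(h http.Header, candidates []string) (string, error) {
	if want := h.Get(HeaderImpersonateUser); want != "" {
		for _, c := range candidates {
			if c == want {
				return c, nil
			}
		}
		return "", fmt.Errorf("impersonating %q is not allowed", want)
	}
	if len(candidates) == 1 {
		return candidates[0], nil
	}
	return "", ErrUserSelectionRequired
}

// NewExecRequest builds a constructed client request carrying impersonation
// headers plus an unrelated Authorization header that must not be copied.
func NewExecRequest() *http.Request {
	u, _ := url.Parse("https://kube-proxy.example.internal/api/v1/namespaces/prod/pods/web-0/exec?command=sh")
	req := &http.Request{Method: http.MethodPost, URL: u, Header: http.Header{}}
	req.Header.Set(HeaderImpersonateUser, "alice")
	req.Header.Add(HeaderImpersonateGroup, "dev")
	req.Header.Add(HeaderImpersonateGroup, "ops")
	req.Header.Set(HeaderImpersonateExtra+"Scopes", "exec")
	req.Header.Set("Authorization", "Bearer not-to-be-copied")
	return req
}

func main() {
	candidates := []string{"alice", "svc-deploy"}
	orig := NewExecRequest()
	for _, preserve := range []bool{false, true} {
		user, err := ResolveImpersonatedUser(UpgradeRequest(orig, preserve).Header, candidates)
		fmt.Printf("preserve=%v user=%q err=%v\n", preserve, user, err)
	}
}
```

Copying by an explicit allow-list of header names, rather than cloning the whole header map, keeps the upgrade request from also carrying credentials or hop-by-hop headers that belong to the original connection.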
Update grpc-generated files (#21056)
In a previous PR some grpc-generated files were not included in the
commit.
This PR is the result of running make grpc.