Closed
Open
Issue created Oct 08, 2020 by Devin Sylva (@devin, Maintainer)

Re-evaluate Gravitational Teleport for rails console access and auditing

Several years ago, we evaluated the Teleport solution from Gravitational for SSH and Kubernetes access and auditing. The result of that investigation was that it was too immature for production at the time. Given that it has been a few years and it continues to be suggested as a solution, we should give it another look to see if it has matured enough for our use.

This is motivated by the access control epic: &337

Architecture diagram: https://goteleport.com/teleport/docs/architecture/overview/

Previous findings

  • All users can view all session logs. There is no way to restrict session playback to admins, which means everything you do via Teleport is shared with all other users.

  • Teleport does not update utmp or wtmp and logins do not appear in syslog or auth.log. The only records of a system login are kept in Teleport itself. This means we have to write custom Teleport audit log rules to monitor access with ELK and you cannot easily see who is logged into a host via Teleport from inside the host itself. I had no luck with the Teleport syslog output option.

  • I had a problem with session data being dropped in playback. Even simple commands will be missing portions of their output. Frequently the command prompt is missing or you only see the first 100 bytes of command output.

  • I was unable to get Chef knife to work via Teleport. Chef allows specifying a gateway and Teleport has the ability to act as a custom SSH agent for authentication, however I would always receive an error saying it couldn't determine a valid username on the remote host.
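The second finding above notes that Teleport logins leave no utmp/wtmp or syslog trace, so any "who is on this host" or "who logged in as root" view has to be rebuilt from Teleport's own audit log. The following is an added example, not the issue author's code and not GitLab's ELK rules or any Teleport tooling: it parses a constructed sample of Teleport-style newline-delimited JSON audit events, reconstructs the still-open sessions per host (the view utmp would normally give), and flags privileged OS logins and failed Teleport logins. The event and field names (`session.start`, `session.end`, `user.login`, `user`, `login`, `server_hostname`, `sid`, `addr.remote`) are assumptions based on the events.log format and should be checked against a real auth server before the logic is wired into ELK.

```python
"""Rebuild host login state and flag privileged access from Teleport-style audit events.

Illustrative example written for this issue. The sample events below are
constructed, and the field names are assumptions about Teleport's events.log
format; verify them against your own auth server before relying on them.
"""
import json
from collections import defaultdict

# Constructed sample: three sessions on two hosts, one session closed,
# one privileged (root) login, and one failed Teleport login.
SAMPLE_EVENTS = """\
{"event":"session.start","time":"2020-10-08T10:00:00Z","user":"alice","login":"alice","server_hostname":"web-01","sid":"s-1","addr.remote":"10.0.0.5:40001"}
{"event":"session.start","time":"2020-10-08T10:01:00Z","user":"bob","login":"root","server_hostname":"web-01","sid":"s-2","addr.remote":"10.0.0.6:40002"}
{"event":"session.end","time":"2020-10-08T10:05:00Z","user":"alice","login":"alice","server_hostname":"web-01","sid":"s-1"}
{"event":"session.start","time":"2020-10-08T10:06:00Z","user":"carol","login":"rails","server_hostname":"console-01","sid":"s-3","addr.remote":"10.0.0.7:40003"}
{"event":"user.login","time":"2020-10-08T10:07:00Z","user":"dave","success":false,"error":"invalid credentials"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines.

    A single bad line must not discard the rest of the audit trail.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def active_sessions(events):
    """Return {hostname: {sid: (teleport_user, os_login)}} for sessions still open.

    This stands in for the utmp/wtmp view a host would normally give, since a
    Teleport session is recorded only in Teleport's audit log. Events are
    processed in time order so a session.end always follows its session.start.
    """
    active = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e.get("time", "")):
        kind = ev.get("event")
        host = ev.get("server_hostname")
        sid = ev.get("sid")
        if kind == "session.start":
            active[host][sid] = (ev.get("user"), ev.get("login"))
        elif kind == "session.end":
            # .get() rather than [] so an unknown host does not create an entry
            active.get(host, {}).pop(sid, None)
    return {host: sessions for host, sessions in active.items() if sessions}


def privileged_logins(events, privileged=("root",)):
    """Sessions whose OS login is a privileged account: (teleport_user, host, sid)."""
    return [
        (ev["user"], ev["server_hostname"], ev["sid"])
        for ev in events
        if ev.get("event") == "session.start" and ev.get("login") in privileged
    ]


def failed_logins(events):
    """Failed Teleport authentications: (teleport_user, error)."""
    return [
        (ev.get("user"), ev.get("error"))
        for ev in events
        if ev.get("event") == "user.login" and ev.get("success") is False
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, sessions in sorted(active_sessions(evs).items()):
        for sid, (user, login) in sessions.items():
            print(f"{host}: {user} logged in as {login} (session {sid})")
    for user, host, sid in privileged_logins(evs):
        print(f"ALERT privileged login: {user} as root on {host} (session {sid})")
    for user, err in failed_logins(evs):
        print(f"ALERT failed login: {user}: {err}")
```

The same three functions can be run over the real events.log shipped to ELK; the privileged-login and failed-login lists are the candidates for alert rules, and the active-session map is what an on-call engineer would otherwise try to get from `who` on the host.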

Questions

  • Can this be used to allow restricted and controlled access to run kubectl and helm commands (&263 (closed))?
  • Will the auditing be sufficient for our current and upcoming compliance requirements?
  • Is this an option for running knife commands, and how can that improve our current situation?
  • How will this solution cooperate or conflict with Okta, GCP credentials, K8s credentials, etc.?

Criteria

We will use the criteria established here: https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/11729

  • Infra group or security group can approve access without much friction
  • Full session audit record with session playback
  • Time-based access: no developer entitlements by role
  • No Chef data bags
Edited Feb 12, 2021 by Devin Sylva