Overview

About this video

What You'll Learn

  1. Set up a Teleport auth/proxy/SSH service stack and run it safely as a Linux service with TLS.
  2. Create users and roles in Web UI, then access SSH, web apps, and Kubernetes under enforced policies.
  3. Generate and use short-lived certificates, then inspect audit logs and session recordings for each SSH or Kubernetes action.

Steven Martin walks through Teleport, the unified access plane for SSH nodes, Kubernetes clusters, and web apps. We cover short-lived certificates, session recording, and audit, then install Teleport, add a node, and connect a Kubernetes cluster via the Helm chart.

Chapters


  1. 0:00 Holding
  2. 0:20 Introductions
  3. 0:58 Introduction
  4. 1:17 What is Teleport?
  5. 1:48 Guest Introduction & Teleport Overview
  6. 2:45 What is Teleport?
  7. 3:02 Teleport Architecture: Unified Access Plane
  8. 4:31 Security Concepts: Short-Lived Certificates
  9. 6:32 Auditing and Session Recording
  10. 6:51 Live Demo: Setting up Teleport
  11. 8:00 Installing Teleport
  12. 10:13 Configuring TLS (and Troubleshooting)
  13. 17:10 Running Teleport as a Service
  14. 18:00 Accessing the Web UI
  15. 19:00 Creating our first user
  16. 19:03 Creating a Teleport User
  17. 23:53 Logging into the Web UI
  18. 26:30 SSH Recordings and Auditing
  19. 26:48 Active Sessions and Audit Log
  20. 31:30 Using Teleport locally with the CLI
  21. 31:35 Using the TSH Client
  22. 39:30 Adding an SSH Node
  23. 42:40 Node Labels and Discovery
  24. 43:51 Kubernetes Integration Attempt
  25. 44:00 Installing Teleport to Kubernetes
  26. 55:20 Troubleshooting Kubernetes Connection
  27. 1:01:42 Steven's Live Demo
  28. 1:02:00 Teleport on Kubernetes demo
  29. 1:02:51 Demo: SSO and Node Access
  30. 1:04:49 Demo: Web Application Access
  31. 1:05:46 Demo: Kubernetes Access and RBAC
  32. 1:08:51 Demo: Advanced Auditing (eBPF) and PAM
  33. 1:11:42 Adding Applications via Web UI
  34. 1:17:20 Teleport Cloud (SaaS)
  35. 1:19:19 Conclusion and Summary of Benefits
Transcript


Generated from the English captions.


0:58 Introduction

0:58 Hello, and welcome to today's episode of Rawkode Live. I'm your host, Rawkode. Before we get started, I just wanna take ten seconds to say thank you to Equinix Metal. They are my employer, and they provide the time and resources for me to put the show together and find the people to present all of these awesome cloud native technologies so that we can all learn together. Today, we're gonna be taking a look at Teleport. Teleport is an application for providing secure access to servers, Kubernetes, and applications. And to tell us more about that, I am joined by

1:17 What is Teleport?

1:29 Steven Martin, a solutions engineer for Teleport. Hey, Steven. How are you? Hi. I'm great, David. Thanks for having us. Oh, my pleasure. Do you want to kick us off by just spending a little bit of time to first introduce yourself, tell us a little bit about you, and then we'll talk about what Teleport is, the problem that it solves, and why we want it. Sure. I myself joined Teleport about a year ago. Most folks knew us as Gravitational. We just recently changed our name to Focal Fully Teleport as that's our, you know, ongoing

1:48 Guest Introduction & Teleport Overview

2:01 focus, as we've seen a lot of response in the market. And myself, I came from, you know, a mix of legacy cloud, on-prem hosted environments, all kinds of SSH, Kubernetes, Docker. And, you know, what excited me about joining Teleport was, you know, the ability to provide that kind of access and also in a secure and auditable way. And that's what really Teleport is doing: trying to provide access to resources that enterprises and individuals want, and making sure that it's, you know, easily done, though very secure. And I think as you go through this,

2:41 you'll see, you know, the checks and balances we have to make sure that that is the case. But I, yeah, I can step through a little high-level diagram of, you know, how it works and maybe make it more clear about what we're doing. Yeah. It'd be awesome. Okay. So Wait. Go ahead. Teleport, you know, we're calling it the unified access plane, and, essentially, that's, again, providing that access to multiple resources. And as you can see on the right, you know, we have these sets of, typically, your SSH nodes. Those can be, you know, bare metal

3:02 Teleport Architecture: Unified Access Plane

3:19 machines. Those can be EC2 instances, Google VMs, you know, whatever you're running, and we provide those specifically for Linux machines. Also typically popular is getting access to Kubernetes clusters. That could be micro Kubernetes. That could be EKS, AKS. And, you know, we have some of the most in-depth coverage of that, providing access to Kubernetes. And in terms of beyond writing access, we're also recording activity, both for SSH activity as well as Kubernetes. So whether a person's getting a list of pods or executing a session, you know, we can record it all. And then lastly, we just added in our

4:05 5.0, web application access. So that's the ability to, you know, provide access either to public URLs or internal URLs. And, David, you probably have a better list of, you know, those kinds of applications. But if you're exposing Grafana, Jenkins, whatever, you can now expose that through Teleport. And the way we secure that is through using short-lived certificates. So a user would authenticate through our proxy that works with the auth service, and receive a short-lived certificate, whether they're using that in the web or in the command line. And the reason we specifically went with short-lived certificates

4:31 Security Concepts: Short-Lived Certificates

4:47 instead of static keys, which some folks were using, is that the certificates allow us to designate a time, which for users is a max of twelve hours, as well as other metadata, you know, what roles and users do they have, and the other relevant information to control their access. Now when a user connects to a particular resource, they go to the proxy. The proxy is the same Go-based Teleport binary running on the proxy and the auth, as well as in, like, the node and Kubernetes cluster access. And, essentially, you know, they pass through the proxy.

5:23 The proxy confirms, going through the auth to the node, and they're allowed in. So it's a very secure environment, and it gets rid of the ways with, you know, static keys, the ways that people could potentially, you know, circumvent environments or use keys that have been lying around for years. And we think this is the best way to go for these kinds of resources. In the case of Kubernetes, you know, beyond what you typically do with SSH, we have a number of ways you can access. We can have the kubeconfig from the cluster. We can run, you know, as

6:00 I think we're gonna do today, David, is, you know, run a service within the cluster that allows access, and really try to provide multiple ways to give that access. And lastly, with the web app, you can have a Teleport agent that runs within a single deployment or outside that's connecting in and providing that web app access. And that's really, again, to allow you to connect to services that may not always be publicly available or directly available from the user's environment. And then all of this is tracked in terms of, you know, when these accesses happen,

6:32 Auditing and Session Recording

6:35 tracking an audit log. You can control the number of connections people have to the nodes. You know, there's a whole host of detailed connection configurations you can do. But often, it's, you know, the best thing is you can get this up and going, you know, very shortly. Nice. Yeah. I was actually going through the documentation, as I said earlier, and I was trying to, you know, equate it to tools that I'm familiar with from my past. You know? And the first thing when I see SSH and the server access was to go, it's like a jump box or a

6:51 Live Demo: Setting up Teleport

7:00 bastion box that gives me a way to secure and restrict access to my customers, which we all want. We all want better security. And then later it did the Kubernetes stuff and I was, oh, this is getting quite interesting. And then the web app one, that was like, wow, because so many times, just in the last three months alone, I like to build static sites from YAML files and Git and then host them as websites and, like, JavaScript things. They never come with any authentication because it's just a static site, and I do this

7:28 for loads of internal stuff within Equinix Metal, and I end up sticking NGINX in front of it with, like, this really crappy basic auth just to try and keep it a little bit secure, even though it's not really secure. And I thought this could be what I need inside of our clusters or bare metal machines to just actually secure that in a slightly better fashion. So I'm really excited to see how this is gonna work out today. Yeah. Great. Alright. Is there anything else you wanna share, or should we get over to my screen and No. Let's get into it, and

7:54 I think we'll, you know, we'll discuss more of the technical as we go. Alright. Awesome. Cool. So one of the things I really advocate a lot in this show is I don't really wanna do anything upfront, but at the same time, I also don't want people sitting watching me spin up a Kubernetes cluster. So what I have done is I've got a six-node Kubernetes cluster, three control planes, three workers. Hopefully, that should be enough for us to play around with today, and just in case we need it, or if we choose to do this first, I've also

8:00 Installing Teleport

8:24 got just a standard machine running Ubuntu as well, not a Kubernetes cluster, which we could play with. I also have access to the documentation here, and I believe today we are going through the getting started guide? Yes. Right. Okay. So quick start. The website, for anyone who wants to check us out in their own time, is goteleport.com. So let's see. Do you wanna start with the Ubuntu box, or do you wanna go straight to the Kubernetes box? Do you have that? Start with the Ubuntu, because you certainly could do it on Kubernetes. I think it's gonna be a little more

9:00 straightforward to see it from the Teleport instance. Alright. Let's just get myself on this. Alright. Easy. So the easiest way to get this installed is just gonna be the Linux tarball. Alright? Hopefully, it's nice and fast. There we go. Did that do it? It did. Yep. You've got it installed, so you do a teleport version, and let's see what we have. Well, I was messing around with my transparency earlier, and now that's really painful to read. Now we can, I would like to come back and probably make this a Linux service, as that systemd has.

9:49 But before that, we can continue with the other steps and then do the configuration. Okay. No problem. So let's just cut this and then I'll go through it. So I'm struggling to talk and type. It's so cold in Scotland today. So I think, and this is the point, when we'd want to decide what public address we wanna put here, the DNS entry. So that proxy service, that's where you put the DNS. Okay. So down here? Yeah. Alright. Is this in the docs, or am I just I think there's a if you go down a little further, I think it

10:13 Configuring TLS (and Troubleshooting)

10:32 has it. Alright. So Yeah. See that public address part? So we can use those instructions. I think I was jumping a little bit ahead Alright. Because, well, because of the TLS part. So that's why I was saying it's good for us to decide what DNS entry we wanna use for this. Okay. Well, let's get that in the right directory. Okay. Now it's telling me I wanna set up. And it's giving you, you see that the DNS, while, yeah, it's doing a wildcard cert there. Yes. Now I'll just grab Certbot.

11:19 Software on. I think Oh, there we go. Do I need to pick something here? Yeah. Command line. That's what I want. Okay. It's telling me what command line means. Oh, there we go. Snap. Do I really need to snap it? Let's just see. apt update. There we go. Maybe. Yes. There we go. Okay. So we just want to generate some certificates and use the correct DNS names. So Yep. We're just gonna use the NetBIOS service. So I just need the IP address of this machine again and format it with oh, it doesn't matter if it's dashes or

12:36 dots. Perfect. Okay. We'll do dashes so that we can do this. And then we'll do the star version. I don't know if Certbot will complain at me if I don't update this too. Did I break it? I haven't gone from rendered again. It took off the I knew that I should have just put that into a file and modified it. I sometimes do that. Yeah. Alright. Let's do that again. So I need my IP address. So where are you joining me from today, Steven? I live outside of Annapolis, Maryland. And what's the weather like for you?

13:42 We're getting into winter, so we're seeing the forties and fifties. I think today it's a little warmer. Yeah. We are just below freezing today, and this office is not good at containing heat anyway. I'm sitting here literally shivering and shaking, but unrecognized arguments. I'm gonna put this into a file. And maybe that slash there. Yep. You're correct, I think. Getting tripped up by Sherpa. Okay. Command. So that looks okay. Let's go along, make sure there's no weird new lines. Change this. Oh, there's commands here twice. Emails. I don't know if that makes a difference, but oh,

14:39 I see. Oh, it got in there twice. How weird. Yeah. Right. Okay. So, well, that is really weird. Right. So Certbot, let me just make sure I got this right. certonly before the manual. Right. We're good now. Yeah. I'm seeing this with confidence. Yeah. Okay. Okay. We don't we actually, we can do it without it, and then I can because we can go insecure. Okay. Yeah. Alright. That's annoying. That would've been good. So what does that mean then for Teleport? Is it just gonna be serving over regular HTTP?

15:41 It'll automatically generate a self-signed TLS key, and then you can still connect to it from the command line or the web. You'll simply have to confirm it. In this case, you know, I don't believe you can use the application part, but I can demo that myself and just show you some examples. Oh, yeah. That would be cool. Okay. Let's do that. Yeah. So that's the one place you do need the TLSI link. But, otherwise, we try to make it so you can still use it. We,

16:12 of course, wouldn't recommend that in production. But Okay. Alright. So I need the IP address again. Alright. Nip. Yeah. I've been bitten by that Let's Encrypt limit before. Yeah. I've never actually tried to do it before for an IP address. Just thought it would be okay. Do you wanna go in and remove those key pairs? Because it'll generate it for us. Gotcha. So if those are missing, it does a self-signed certificate. Yes. And I think we wanna line up it may not matter, but may wanna yeah. Just move yeah. It's fine.

17:02 Alright. Let's see. So we don't have a systemd service, do we? We just installed a That's where I wanted to go. If you go into the examples part of the when you extracted the tar, there'll be an example of a Teleport service. Example systemd. K. So we just copy this teleport.service here. daemon-reload and restart Teleport. Okay to go? Yeah. It should be running. You can and then we could let yeah. Let's check the status. Or you already did? You already did? Or you We can check the status explicitly, but it seems

17:10 Running Teleport as a Service

17:55 to be running. Yeah. There we go. Active and running. So why don't we see, from the web, let's see if we can access that site, and then we can create then we'll create a user. Okay. So Teleport runs a web interface? Yes. On port thirty eighty. On port thirty eighty. And it's secure. There we go. Yeah. Chrome gets a bit funny with those. Yeah. We may need we use Safari. I don't think I've ever opened Safari before. Alright. View this set. Are you sure? You're sure? Wow. There we go.

18:00 Accessing the Web UI

18:58 Alright. We made it. Okay. We don't have a user yet, so let's go back to the command line, and I can show you how to create one. Okay. So run tctl, or what we call "t cuddle". Yep. So tctl is essentially your, you know, that's your command line tool to interface with the actual settings within Teleport. And you can do things like tctl status. So in there, you'll see the CA pin. So as part of that installation, it went ahead and generated a certificate.

19:03 Creating a Teleport User

19:39 And there you can see the CA pin. So when you do things like install to a node, two things are done there. One is, if you saw on the Teleport YAML, there was a token that was listed. And so that token is gonna be used by the nodes or other services to register themselves with the auth service. Now, as you can imagine, that's just like regular SSH. Okay. Well, if I SSH in to a machine and give a password, well, then in a lot of cases, you then trust that machine.

20:19 Right? If you use the CA pin as well, if you do a teleport configure I'll show you where it's set. So if you scroll up a bit, see that CA pin? Yep. Here. Yep. So you would take that same CA pin, and you would put you can see the auth token is there. I'm pointing at a different location. You can see it has the auth token, the auth server, and then the CA pin. So that's a secure way of connecting in. And tokens can either be dynamic or static. For production, we'd recommend using that dynamic

20:59 and periodically pulling down the latest token. You can always use static as well. In this case, the thirty twenty five is the default auth service port. You can also point at the thirty eighty, the same as the web uses, and that will use a reverse tunnel. So then you don't need to expose a port on the SSH node. Okay. So just so I understand what's happened here. When we downloaded the Teleport binary, created the systemd service, and started it, Teleport is running a web interface, which I'm assuming has some admin functions. It runs an

21:35 auth service, and it runs an SSH server. Is that right? An SSH service. Yes. And that sits by default, it doesn't have it here, but that sits by default on port thirty twenty two Mhmm. Or uses the reverse tunnel approach and doesn't have to expose a port. And we use thirty twenty two because SSH is 22. So is it common practice for Teleport customers, once they have Teleport running on their infrastructure, to just uninstall OpenSSH and just remove that from existence? So some completely uninstall it. We do have clients who will have it start up briefly

22:13 on the machine and then shut down, just in case they want to keep that. So everyone has a different preference there. I think, you know, most would make Teleport their primary interaction. Now, what you've done when you've installed it this way, it's storing its configuration. And if you go into the /var/lib/teleport directory So this is using a local directory storage. So we have things like a backend directory, a cache, and then those self-signed TLS certificates, as I mentioned, those are generated here. So this is an example of

22:55 a local directory storage. If we used either etcd or DynamoDB or the Google Firestore, you would not see the backend, for example. So those would be stored off. And in this case, you have a proxy, auth, and SSH on one machine. As in the diagram I showed, you saw that it would separate out, and you would typically have a different node running each of those services. And we have, you know, we have the full details on our documentation, you know, in terms of a high availability kind of configuration. But the good thing is you can get

23:30 this up and going quickly. And then from here, we can go ahead and create a user to get you in. Alright. So users We go back to the instructions you're in. I think I had a little bit more info on that. Oh, yeah. The docs. Our friendly I'm busy going off script there. Yeah. Yeah. Alright. So okay. Let's do this. So, yeah, here it'd be good to know on your other machines what users you'd wanna go in as, whether you wanna I don't know if you have a David user or, you know, what's

23:53 Logging into the Web UI

24:04 your typical usernames you use on those other machines? So all the machines only have a root user at the moment. Okay. So I should just be doing root? You can do root. You can add other users, and I can show you how it can automatically add users. Okay. So this first parameter here to users add is my Teleport username for logging in to the admin interface, and then this is the users on the servers that I want to support? Yes. Exactly. So that user would have access to that. We'll also come back. Let's go ahead and

24:41 create this, and I'll show you in a bit how we will update it for your Kubernetes setting as well. Opened in the wrong browser. Let's get Safari back. Alright. My two factor talk? Oh, I have to scan the thing. Yeah. Okay. I just have 1Password to it then. Sure. Save it. Teleport. And that should allow me to choose a button here, right, for scanning a thing. Oh, yes. No. I tend to use my phone, but I, yeah, I thought there was a way to do that. Yeah. There I'll just do I'll use my phone.

25:57 Teleport is pretty secure by default then, if it's That you can disable that, but it's on by default. And there's other options like, you know, U2F, the YubiKey thing. We've also, if we have time, I'll show, you know, there's an option for using, like, Duo when you go into a node, in addition to this initial, you know, user authentication. I'm in. There we go. Okay. So what you're seeing now is that SSH node, the SSH service for your that is part of that one installation. Typically, when you have your full setup, you wouldn't expose the SSH on that. But

26:30 SSH Recordings and Auditing

26:43 for initial startup, that's very typical. And then if you connect, you can open up a session there. Okay. Let's I've got my choice of user. So let's just do it. Cool. What happens if I try Rawkode? Will it fail? Yeah. Okay. And on user and then, well, let's go look at the activity so we can see what's been happening. And we can see the session, then session recordings, so you can replay. Ah, k. And you can move that back and forth. You should be able to copy, and you

26:48 Active Sessions and Audit Log

27:32 should be able to select the text. Woah. Hey. Is that great? That's not a video. Yeah. Yeah. No. It plays like that. And if you have, like, a twenty minute, hour long session and it's idle, it will skip ahead in a replay, but it's still recording. Yeah. That's a big feature people I'm gonna need a minute to process this. That's wild. Yeah. If you go back in and, like, do a top and, you know, or htop, whatever colors, it'll show. Looks just like whatever you

28:06 see. Okay. Let's do that again. Yeah. Let's do In fact, I'm curious now. So hold on. Let's do two. So if I do read the what's is there not a password flag on read? I was wondering if I have to take the input of Teleport, which I know about, and I thought it was -p. It's not important. A prompt. Let's see. No. Alright. Never mind. Okay. So let's try the htop recorded session. So how is that working? Oh, that's the red one. I mean, I've seen on the documentation when I was

29:05 having a look earlier, it mentioned eBPF. Is that what's powering this, or is it That because I'm going through the terminal session. If I SSH normally, does that still get recorded as a session? So there are various options for that. By default, it's gonna record the session text you do, whether colors and everything, just all the characters. There is the option to use eBPF, and maybe we wanna go back to the documentation. We can highlight a couple things there.

29:40 Okay. And I don't know if you answered that there. I was still confused and shocked at how awesome that was. If I SSH in normally, does that get recorded as a session, or is it only going through the SSH service? Oh, it would be recorded. The difference is when you set up an OpenSSH server, which can still be recorded, there's just a little bit of a different setting. For SSH, we would have to set up if you go there is on our documentation, there is a method on how you do SSH. Alright.

30:10 Okay. So that's something I would enable afterwards then. Oh, I mean, you could do it quickly, but the difference is you have to send in you're using the certificate that's been issued locally, and, yeah, this is a good point to use your command line, but you're using a locally issued certificate to authenticate yourself. So the SSH has to also present that, which our tsh does automatically. Okay. Nice. And, yeah, the audit log is gonna I mean, it's gonna have the session, but it's also gonna have all of the, you know,

30:45 when did you start, when did you disconnect. If you enabled the eBPF, then you would see every command here as well that people are running. Wow. That's pretty cool. I'm always impressed by stuff that integrates eBPF into the technologies because it just seems so cutting edge. Well, I mean, it is cutting edge. Yeah. And people can, you know, if you obfuscate, if you're doing weird network stuff, it's gonna catch that. So it is very helpful for those kinds of environments. Okay. Should we go back to our guide then? I mean, we've only executed, like,

31:22 half of this getting started thing, haven't we? And I'm already just like, wow. So let's see what else comes. Yeah. So we did the user. We looked at the node. Okay. So this is just walking through some of the stuff. Yeah. This would be a good point to get a local client, the tsh. Okay. Do I have this command? Is that something I have to If it's on your Mac, you'd want to get, yeah, you'd wanna get the actual tsh client. macOS. I'm not sure what the difference between these is. So I just click.

31:35 Using the TSH Client

32:10 So this is just a Teleport SSH client for Yeah. My command line access. Alright. Got it. Alright. I think that's installed. Let's go. Oh, where's the docs? Copy this. And then you'd wanna do that in your own Yeah. Yeah. Oh, is that your local environment? This bottom one is now. Although I lost my paste buffer. There we go. Okay. So we need 147Dash7532. I wish I had prepared a nice DNS name in advance now. And I called my username Rawkode. And because it's running insecure, we need to pass in the command

33:12 --insecure. Does -k work like with curl? No. There's a feature request. Oh, sure. Yeah. Oh, that's kinda good. So the same password you put in wait. Yeah. You copy maybe copy it from there. Yeah. It was randomly generated. I've flashed my password enough on the stream now. So And now if you do, type tsh. Just, yeah, just tsh so we can look at the options. So this gives you and we'll come back to this for the Kubernetes part. But you can see the ssh, so then we connect to a node.

33:59 Typically, you use, like, ls to list the nodes that are available. You can join an active session. That'll be something, I think, good that we can show there, scp, navigating clusters. So a cluster, in this case, you've installed one Teleport instance. Mhmm. And then that has nodes, Kubernetes, applications that are available. In a lot of cases, there's a reason just to install another Teleport instance that has its own set of SSH nodes, apps, and Kubernetes, but then you want to be able to access that. And that other instance can trust back to your instance,

34:36 map its roles, and the user can then go through that root Teleport instance to get access to those resources. Alright. Yeah. Fun stuff. Yeah. Yeah. Definitely. And that uses reverse tunneling. Usually, it's in case of either a network issue of why they wanna do that, or regional based. You know, if you're Eastern, Western US, or Europe, you know, you don't necessarily want one instance having all thousands of the SSH nodes or something. Yeah. Yeah. Okay. So what should I be? Yeah. Let's do a tsh ls so we can see the nodes that are

35:15 available. And then just ssh, enter. We have to use the root at. I'll try dashing on there. Okay. Cool. And now if you go back to the web version of it. Yep. Oh, okay. Active sessions. You can join that session. And if you wanna overlay them, if that's possible Yes. Whatever you type, they'll see. Whatever they type, you'll see. Yeah. It's fine. See, I'm still But as you go back and forth, you'll see that, you know, it's the same

36:06 view. I'm still learning how to Mac. I'm a Linux user, like, a forced I keep giving the option to do Mac, and I've stuck with Linux PCs for now. Alright. So I think I should now be able to yeah. There we go. Okay. So There you go. And you notice that number two in the upper left? So you can hover over that on the web. Oh, yeah. Oh, okay. So that's telling you there's two people in the session. If you go back to the

36:39 sessions tab, if you look at the audit log, it'll indicate that someone else has joined. So all that's being tracked, whether or not the session's being recorded, which is something you can turn off. You don't have to have session recordings. Some of our clients decide to disable that. They're more worried about just access, and they don't necessarily wanna record the sessions. But you're still getting those events recorded. So each of those are events. You know, who's joined, where did they join from, because each of you are individual logins that are being tracked. So, you know, when,

37:15 you know, when we talk about security, like, it's normally much more something we can there's usually tell when something's been breached, but understanding and doing the detective work to work out what was compromised can be really difficult. And I can see why session recording here can actually get people they say, oh, this is, you know, they go in through here and this is all the files they accessed. When we enable the eBPF integration, do we have the ability to restrict what is audited? Like, can we just say, oh, this is the file that was opened, rather

37:44 than the actual full playback, or can we see just a list of the commands? Like, or do you need to do the recording? How does that kinda work together? So it will log to the audit log the individual commands, network, and file activity. Those are three options that you can log. It doesn't actually restrict the commands, but that can be fed in real time to, like, an Elastic or Splunk, and you could have something monitoring for that. I'd say the other option that people, and we just released this as well,

38:21 is limiting the number of connections you have. So you can restrict how many connections, like, you could just say five max connections based on their role. And that way, you're both monitoring that, but then you're being proactive and saying, well, if someone compromised you, then they can't just explode and do a hundred connections across all of your nodes and then start downloading things or, you know, altering data. So those are some of the active protections. I'd say in terms of, you know, monitoring and usage, that's where, yeah, we would have

38:52 people doing real time controls through their Splunk or Elastic and then alerting admins. And it's pretty it's one of the things I did was I set up an Elastic service that my app service sits in front of and gives me access to that Elastic. So I don't expose that. I don't I don't wanna go through all the all all the controls of Elastic, but then I run that behind it, and then my Teleport actually exposes that. Nice. Something you could do. Alright. So we got this going, and we can we can close that we can close those

39:30 Adding an SSH Node

39:30 sessions, and then maybe you wanna add one of those other nodes. Yeah. Sure. Okay. So it's just SSH into this one. Yeah. There we go. So we're just gonna install Teleport on this one the same way we did before? Yeah. We can just we can download it and just run the install. And I'll I'll show you. There's a there's a quick way to to get it up and running. Alright. So it did the downloaded thing. CD in there. And do we still run install again? Yep. Yes. Okay. And then from if you go back to

40:25 the the proxy auth, and you can do it in here or or from the SSH already had opened. Oh, alright. Okay. I gotcha. So from here. And then run that run tctl again, and we'll see the list of commands. Yep. So there's a tctl nodes add. That. Now we just wanna make sure that that's the IP that you think it can reach that, or does it we might need to change that to the the DNS entry. No. It's okay. I can go over the private network. Okay. And you're off. That's it. Go back if we go back

41:13 to the web service, it should should be available. Okay. There we go. Yeah. That's too cool. Yep. Yeah. It's I mean, that's that's the fast that's the fastest way to do it. You know, it's typically, you'd also have like, if you notice that there's a labeling for the the Teleport Linux one. So often you would have you'd use that Teleport YAML, put in the SSH service, and then you could also and then you can also put in things like our PAM control, our PAM configuration to automatically like, you can create users or other kind of things

41:51 like setting up, you know, Duo integration, things like that. So there's a you know, you start off very small, and then you can, you know, quickly do all these hoops and things that people wanna do. Alright. I like it. Mhmm. What do you wanna do next, Toby? Is there more on this quick start? Let's see. I think that's most of it. I think the you know, from here, I think for SSH, you would tip and I think they're doing the same thing there. Let me go back go up a little bit. Okay. Oh, the one thing I didn't oh,

42:27 so that's a that's a good example they have there on that Teleport start where they actually show you can put a label in. So you could've you could've put a label in there, directly as well. So that's very helpful. And those labels could be things like, what region my machine is in, what its use case is, who the owner is, what just any arbitrary key value pairs I want. Well, if if we go back to the to the TSH command line, you can use that to search for nodes. So from your Oh, from my machine. Okay.

42:40 Node Labels and Discovery

43:00 Yeah. Your your machine. Is there a search command? Oh, I'm sorry. The ls. When you do ls, tsh ls. And if you do tsh ls environment=staging, it should only return that one line. Okay. Cool. Yeah. And you can actually you you can use that to also open an SSH session. So you could say, go find me this, you know, label. Maybe maybe instead you used a you used a ID like, machine ID, you know, addition. That's usually what I do is I have machine ID, the environment, and then some any other relevant

43:42 information. Alright. Very cool. Yeah. Which one what what do we what do we do next? I think the the Kubernetes setup would be good. Alright. So let's see. So there we go. Okay. Yep. Helm repo add. We don't need these other machines anymore, do we? If I just close these tabs so I don't get too confused. Yeah. Yeah. I'm easily confused. Oh, I know. It it it adds up. That it's Oh, I'm actually wanted the in terms of the getting access to that Kubernetes, I I wanted to deploy it through one of our other charts,

44:00 Installing Teleport to Kubernetes

44:37 which if you pull if you go to our our I I think this is not yet out yet. So what unless you go go to the multiple Kubernetes clusters. I think there's on the right. Oh, yep. That's fine. That's, yeah. Let's let's do, oh, I I yeah. That that. So there's if you go to our GitHub, I'll show you the the the chart, I I mean. Is it GoTeleport? Grab so gravitational. Gravitational. Gravitational. It'll it'll change eventually. Teleport, that'll come up. First one. And then go if you go into oh, look. There I am. I just added something.

45:25 And you go to examples, chart, and then the teleport-kube-agent. So I should probably clone this down? Yes. And then the one other thing we'll have to add a kube token. Right now, we do not have a kube token. Alright. Let's grab this first. And what? Teleport examples chart. Teleport kube agent. Alright. Always goes to the wrong window. So let's get the read me which had an install command. And we need to drop a few things in here. So can these just be done through values file? Yes. Okay. So this auth token is just a join

46:44 token. Right? Yes. And in in our if you go back to our service, we'll we'll wanna add a new line of a a kube token. Right right now, it does not. It only has app proxy and node. So we need to go back to the existing Teleport that we set up? Yes. On the or via the UI? We can do either way. Oh, I'm sorry. No. From here, you'd have to open up an SSH session to do it. Yeah. Unfortunately, that's trivial now. So Yeah. If you do that you can do it remotely, but I I was

47:26 through a tctl. Oh, yep. Oh, you know what you're doing? So the yeah. The if we do a tctl if we do a tctl tokens ls, You can see we don't we don't have a kube one. So if we go into the /etc/teleport.yaml, we can add a new kube line. Alright. So is that just a new service here? Or or is that a token here? Yeah. Yeah. Just dash kube colon and then a then a token. And that's the join token from my Kubernetes cluster? Yes. For the yeah. Because you're basic you can basically give different

48:11 types of tokens. You don't you don't always want them to be the same the same. Alright. Let me just jump onto one of these machines and grab that then. Curl. There should be a join token available in the metadata. I know the user data. Oh oh, usually just make it up. It doesn't or or have it generate one through a randomizer. Oh, so it's not actually a real No. No. I'm sorry. Not not that. No. It's it's just it's a it's a random ID, like a password. Alright. Okay. Thought you actually went to the kubeadm No. No. No. That that is

48:59 good distinction. No. That that does not have to be related to that. Alright. Okay. So let's come back over here and I can enter like so. Yeah. Sure. But a b c of one two three work. Does this maybe overkill? Yeah. Alright. Let's save that. Do I need to restart Teleport? In order to tell it can be found. Yeah. It'll probably it might kick you out of the web, but let's it'll probably that's fine. Yeah. Okay. But but then then right back up. And we ran tctl tokens ls. Okay. Now we have a kube token. Yep.

49:44 Okay. So that has to go into our Helm chart here. The proxy address, is that the same IP address that we're browsing to? Yes. With with the 3080. With the 3080. And you you don't need the HTTPS part, just the Yep. DNS. A kube cluster name, could that be any name? Any name. Yep. Alright. So let's do Rawkode. And that's it. Easy. He says. So that means we don't actually need these. We can just do that. Where'd my terminal go? You seem pretty good with that Mac, David. Well, when I'm within VS Code in my

50:37 terminal, yeah, not much has to change. So that's that's alright. Alright. Right. But yeah. As a matter I have to actually do anything with a moving window, then yeah. Things get a little painful. So let's try. Yeah. That should work. My kubeconfig which is now there. Alright. So that created a namespace. We can run get pods, and we'll run a watch on that. Already almost there. Okay. Yeah. If we if we look at the logs, we should see that it it was able to connect successfully. So the logs From here, what if you go back to

51:30 the command line, the tctl. Oh, yeah. That's There you go. I got it. I understand. You can always do a get of kube_service. So that I don't think it's registered yet. Let's let's go back and see. Alright. Let's get the logs of this, see what's going on. Timed out trying to reach that IP address and port. Oh, and I think we do need to set I don't I don't think we set Insecure? Yeah. Yeah. I think we need to change that. In the in the back in the values, yeah, but you can it's there it is.

52:22 Insecure. Yep. There we go. Just quickly remove that. It might be easier. Maybe that. Upgrade. Correct. Do you think I might have trouble getting that DNS? No. It should be okay. And I don't see anything from the logs that suggests an error anymore. So let's just try it like that. Is it thinking about it? Yeah. It's saying it TCP timeout. Oh. This is the right one, isn't it? We want dash k https. I mean, that's publicly accessible. Yeah. So Do we wanna try the IP as well? See if we can get to that.

53:58 Because you insecure, it really doesn't matter. Yeah. Sure. Start with the port number? Yep. Oh, yeah. Address to the Teleport proxy web to port. Okay. Yeah. A lot some people change it to 443. I'm just gonna remove it. It should start again. Alright. Helm install. Good. From pods. I'll grab the logs again. Using insecure. It's alright. Is is that good or bad? Failed to register to the auth server invalid. I can probably get a new value. Oh, you know what it is? Where's that Helm document? Dash f. Although it shouldn't matter because No. Shouldn't matter.

55:20 Troubleshooting Kubernetes Connection

55:41 The chart. Now. Yeah. Shouldn't matter. I thought I was onto something there. Yeah. Yeah. So it seems to be I mean, that invalid character seems to be like I'm not expecting I think that's because well, it first it first checks to see if that's the auth server. If it's not, it should fall back, but it should be able to connect to that. So it's still getting the time out. Is there a way we can test that it is able to find that IP? Yeah. I mean, I'll jump on that machine. So let's do that. So

56:33 one. And then we want the IP address of this one. And 3080. And then allow the insecure. Yeah. I mean, that does work. Yeah. For and our for micro Kubernetes, I know I just I didn't had to install the DNS, but I don't know if that's I assume that's enabled. Make sure I enabled networking on this thing. It does. Yeah. It's got Calico running. Okay. Let's try it from one of these pods then. Yeah. So which one of these will actually have something I can get inside? Well, let's try that one. Sure. O dash I t

57:41 curl https. Oh, always. Yeah. I was gonna have like, if that works. Yeah. Let's see if we can get this command in before the probes kick me out and restart the container. Oh, there's no networking. Yeah. That now I think that's the issue. Well, it's not good when I give you a broken Kubernetes cluster, is it? Oh, no. No. I well, getting that in yeah. With micro, it's nice, but you always have to add like, at the app bar back, you have to add DNS. So I it doesn't happen. Alright. Then we get to play a game

58:30 of can I fix my Kubernetes cluster? So let's see. Why would that not work? Yeah. They're running. That is peculiar. I wonder if it is I'm gonna just quickly do nginx. I have had issues before where one namespace has lost networking and I don't know why. Oh, I see what you mean. So I'm gonna apply that to the cluster and the default namespace. Assume that'll be up by now. See if we can get a shell inside of it. That's got curls, so that's a good start. No. Alright. Fun. Let's try delete pod -l k8s-app.

59:40 Calico. Nope. Oh, namespace. kube-system delete pod -l. I'm just assuming they use this. No. System get pods. Describe pod. Calico. Yep. Anyone will do. Hopefully, I got something in common. I'm just gonna boot them and see if that fixes it. Mhmm. k8s-app calico. Oh, yeah. So that one's different. And call it calico-node. Okay. Let's try that. Okay. System delete pod and that was close. Alright. That one gone. And let's do calico-node, which should delete more. Alright. Fingers crossed. Let's just restart nginx just in case. No curl. What's the backup plan?

1:01:40 I mean, I I can show my environment, you know, show show how that's how that's working. Yeah. Why is my cluster got no networking? I mean, there isn't do you think there's some kind of default securities policy? Or No. This is a vanilla Kubernetes cluster I spun up this morning. Mhmm. I just threw a calico on it. There's nothing on it that would be restricting network access. Yeah. I mean, this is all very vanilla. I guess I could maybe Yeah. The other way is, yeah, my a micro Kubernetes quickly or Well, do you have a working Kubernetes setup

1:02:00 Teleport on Kubernetes demo

1:02:26 and you're happy to share your screen? I've got all that setup. Yeah. If I if I can share it. I don't think it's very interesting for people to watch me try and fix my my very broken cluster. And I really wanna see some more Teleport goodness. So let's let's let's do that. Yeah. It's a last stream with a few problems. Yeah. So I've I've I've gone ahead and this this is a Teleport instance installed in on eight FBOS with the EC2. I've got some this is the difference you would have with, you know, the community

1:02:51 Demo: SSO and Node Access

1:03:03 version you have is that one of the things is you can have multiple SSOs configured, and it can support multiple at the same time, and you're just mapping it to individual roles. What when yours was running, you you all have essentially a single role, of admin, but you do have individual, users. So when I was saying about going back, you can set into it like, remember, you added your usernames. You can set usernames. You can set Kubernetes groups, Kubernetes users. So there are traits that you can populate, and I'll show those traits as part of the, login.

1:03:42 Now I I usually choose this one because it's easy to be connected to my Google account, and I don't have enter enter passwords. And then we we have the set of nodes available as we were talking before about those labeling. So there's different different ways you can do it, but there this way, you have, you know, an ID. You can also do dynamic. Now in this case, I also have one where I've configured this to require Duo. So this requires me to, do a second factor. Where's my Duo? So I have to approve it. And the first time you come in, like,

1:04:37 you came at the Rawkode ID, it would push you to go sign that up, to make it a second factor. So every different every user would have a different second factor to confirm. Now in terms of the applications, because I have I have two configured, I have a just a Hacker News, which forwards directly to Hacker News, but it's using our, you know, our certificate. As you mentioned, having something in front of it, know, if it was an HTTP or an insecure setting, you could do that. And then you're you are using a secure connection.

1:04:49 Demo: Web Application Access

1:05:07 Otherwise, you know, in this case, I'm running an Elastic, service behind that my my machines that's not publicly available, and then you then you can connect to it directly. So this is running just like with the Kubernetes, there's another app service running that uses an app token and registers itself. You can also put labeling on these to say, well, not everyone can access this. I'm gonna label this service, and only in your role, could you have access to that particular service. Pretty cool. Yep. Now in terms of the Kubernetes, and I'll I'll because we were just in that,

1:05:46 Demo: Kubernetes Access and RBAC

1:05:47 I want to get to it. So this is the type of configuration you usually have where, you know, you have a particular group come in. In this case, I'm using external, so I can use the meta tags from my SSO to populate it, and then labeling. Now in terms of your individual user, you can put the same you can put their groups in there as well. So here, I went ahead and and logged in locally. Let me clear that because it's gonna be a little confusing. So this user maps to that dev role. And when I see the status, I can

1:06:31 see my Kubernetes. I can see what cluster I'm in, what groups do I have, and then my you know, I I can look at, you know, namespace, because that that particular group has that permission, but I I do not have exec permission. I think it just denied it. But, essentially, that's a way of, you know, giving people default access, like logging and watching as opposed to, you know, just giving them system masters or, you know you know, a lot more privilege than they probably need. So that's typically how we recommend setting it up. And then this user

1:07:22 can they can request other roles that have that kind of other namespace or other exec access. Okay. So this YAML is just configuring all of the RBAC for me on the Kubernetes side. Yeah. And it and this is what I mentioned before about the max connections, and you can say whether or not someone can port forward. So in this case, if I look at you know, my these are the nodes that are available. And because it has that tier=dev labeling, that's restricting what nodes I've accessed just like if I wanted to restrict well, they can't

1:07:54 see that elastic link, I I can do it through that. And then in this case, I do have nginx server running here, so someone can So I'm essentially saying I wanna open up an SSH connection. I don't want it to be interactive, but I wanna forward I want my local port 8080 to forward to their localhost 80 on that machine. And then I'm seeing the web server on that on that machine running locally. But that is something you can turn off. You don't have to give them access because it's great to be able to do that,

1:08:43 but you don't always wanna give someone that open access to beyond that node. Alright. Now another thing we mentioned was about, you know, I said about PAM. So each of these environments, and this is also I'll I'll show you example of that BPF we were talking about. This environment has that this machine has that enabled. So every command I'm doing is being logged here, the session command, which includes the arguments, you know, the path. And this is available in the OSS version. It's not specific to Enterprise. So any anyone can install that and the PAM as well as it's auto creating my user.

1:08:51 Demo: Advanced Auditing (eBPF) and PAM

1:09:29 So if you look at if you look at the Teleport configuration, I have PAM enabled, and I say go to this service name. And I'm saying where to where to get what what to execute when this PAM loaded. And so this enters into this environment. It will check to see if the user exists or not. If they don't exist, it it automatically creates it, including some headers like you wanna create a home, things like that. And then I have some additional checking here where this is actually adding them. It's looking in their Teleport role that come in and

1:10:10 says, okay. Based on their role, add them or or don't add them to the sysadmin group to give them that sudo rights. So that's something something you could do as well as have those kind of scripting built in. Nice. But, yeah, this this is so and then all all of these things you're seeing here, that is being fed, you know, in real time into my Elastic service. So That's part of part of why I usually have that running. It's gonna it's gonna look ugly because I haven't made it pretty yet, but, you know, all that data is coming in. So every

1:10:41 log entry is going in. Is that something you have to build custom or does Teleport support various sinks for for that stuff like that? Well, it there's it writes to you can have it two ways. One is it can write to the directory files on your on your auth service as well as writing to, like, DynamoDB. You can have it do both too. So if you have a log aggregator that you all you don't like, yeah, DynamoDB is great, but I don't wanna write a Lambda. You could just have a file a log aggregator running locally. I'm using Filebeat.

1:11:15 Alright. Okay. Pretty, yeah, pretty simple configuration. And, essentially, you know, you just you just look for the log files. They're JSON formatted as you saw here, and you just pass that through, you know, to Elastic and Kibana. The only part I didn't do a lot of security again, so that's why why I wanna hide it behind this and not necessarily, you know, have all all all that good stuff. Can you just show the add application dialogue? I mean, how easy is it to add new applications? Okay. Let's see. I'll just do it. Okay. Two. We'll just point back to itself.

1:11:42 Adding Applications via Web UI

1:12:12 So this, I would, you know, just run run on a particular machine. And one second. I'll I have a machine here I can use. Sorry. I was doing nerd stuff by myself. So I've seen when you were doing that that add application dialogue, there was the automatic which has some sort of curl scripted version of doing this and there was manual. So What's that? When you run that application, this was the automatic way. This this curl command, there was also manual steps. What's actually happening to proxy one of these applications? Is it doing something on a host? Like Yeah. I mean, it's

1:13:46 it's acting as a a proxy for it. Essentially, this is running as a separate just like the SSH service, it's running as a separate agent. And then it's it's able to then from this particular node, it's this is where you would get the access. You know, it's doing the DNS connection to that to that service. And does that work differently for Kubernetes services? Is it It's just it's just actually the same concept. I mean, the I'd say the biggest difference is when we're running inside of, you know, Kubernetes, we're you know, when Teleport is impersonating

1:14:30 a user or group within Kubernetes, it's just the difference in for the app access, it's actually connecting out to another application. So we're not running inside that application, but we're we're a lot we're essentially providing the forwarding to it. We do also send in a JWT token, a JSON web token, so that can be used for automatic authentication. Alright. Let's see. I think sorry. I didn't I didn't clear this environment previously. Sorry. I thought that was a different environment. Sorry about that. So now I've added that, and we can see that has shown up.

1:15:51 I'm just pointing back at myself, but it's not really loud. But yeah. And if we look at what it did let's let's see what that added that app service here. It added the auth token, the CA pin. We talked about that before. It's opened up a connection to the auth server, and let's make that a little more friendly. So another way I could do this is just by modifying my teleport.yaml and filling that apps array at the bottom with whatever I wanted to proxy. Right? Yeah. Yeah. Okay. I'd say the big the biggest difference why you'd wanna run that in different

1:16:37 locations is, again, you know, who has access to what? Where is it accessing? Because not every node has access to the same set of services. You know, as you said before, there may be something you wanna expose from a specific machine. So you would you would you would, add add that in. Alright. Thanks. Very cool. Yeah. Sorry sorry I didn't have that up and running already. I brought a broken Kubernetes cluster to the party. So Yep. Is there anything else you you'd like to show us before we wrap up? Oh, I keep going back to this. This is a

1:17:13 bad I mean, essentially, you know, the the other part was in terms of our our cloud interaction, and, essentially, it's the same very similar environment. In this case, I've got I've already got a cloud deployed here. I configure with Auth0. So with the cloud product, like, because it's using Auth0, that can connect to, like, my GitHub and Google authentication and all these other things. Yeah. It And it's the same version. It's five five o o. You know, we're it's we it is a, you know, software service, but we're maintaining the same version. I'd say

1:17:20 Teleport Cloud (SaaS)

1:17:56 the the one of the minor differences is that we we use reverse tunneling by default for your SSH. So instead of exposing a port as you saw, like the 3022, it would always be a reverse tunnel. That way, we don't have to worry about you opening to your network or v p you know, VPC, any of those kind of complications. And just like before, I'm I'm in this environment, and I I can open up Open up connections. Again, I use I use the PAM configuration, so it automatically created my user if it wasn't there.

1:18:40 So a lot a lot of people find that very useful. Yep. So they don't have to worry about creating users or or changing their permissions. But, yeah, we're we're just we're just, starting to bring clients on the cloud. And part of it is, you know, as, you know, we've seen, we we think this is a lot faster way to get things up and going, and it makes, you know again, you can use those add server buttons, the add application buttons, and it makes it makes it a lot faster, you know, from your environment to do those as opposed to having to install

1:19:08 the proxy and the auth. We're we're just gonna maintain that for you. Alright. Very cool. K. So I I mean, I think I've just been impressed so many times now. Like, there's a lot of really cool features. I'm I'm struggling in my head to think why I wouldn't want to be running a Teleport in my cluster now or even any of my infrastructure with the security benefits and the all the authentication and rules and groups and stuff. Like, it's a pretty solid setup. Great. Yeah. No. I appreciate that view and, Tom, I I think there then there's, you know, you have

1:19:19 Conclusion and Summary of Benefits

1:19:43 the developers that wanna use it because they're gonna be moving through environments, deploying things. You might have service users that you want to migrate migrate various resources or access them, and then, you know, tracking activity. Like, I mean, auditors usually love us because what did you do in that machine? What did you do in that Kubernetes? You know, when when were you logging in? Why did you have 10 sessions open? So all of those things really, really help. But as you see, it's, you know, you can do one or two commands and get a get a SSH node available,

1:20:15 and that's that can be really helpful, especially if you're in a, you know, production outage Yeah. You know, being able to get that access but securely. Alright. Awesome. Well, thank you for joining me today and walking me through that and the demo at the end was definitely appreciated as well. Was good to see that running in the Kubernetes context and how that works with restricting the access to namespaces and exec permissions. Like, there's just lots lots to love about this product. So thank you for joining me and taking the time to show us it today. Thank you, David. Really appreciate it. Alright.

1:20:43 Well, you have a great rest of your day. Thank you again and I'll speak to you again soon. Thank you. Okay. Bye.
