
About this video

What You'll Learn

  1. Passwordless logins in Teleport 10 use WebAuthn and FIDO with platform authenticators (Touch ID, Windows Hello) or hardware keys such as a YubiKey, with no username or password.
  2. Resource access requests add just-in-time, reviewer-approved access to specific nodes, databases, and Kubernetes targets instead of whole roles.
  3. Machine ID for Kubernetes issues short-lived kubeconfigs to automated tooling; the release also adds automatic Linux user provisioning, source-IP pinning for certificates, new database integrations, and upgrade guidance.

Ben Abbott (DevRel at Teleport) walks through what's new in Teleport 10: passwordless access via WebAuthn, FIDO and YubiKeys, resource-level access requests, Machine ID for Kubernetes, new database integrations, and upgrade guidance.

Chapters


  1. 1:43 Introduction to Rawkode Live and Teleport 10
  2. 2:18 Guest Introduction: Ben Abbott (Teleport)
  3. 2:31 Teleport's Release Cycle and Maturity
  4. 4:57 Summary
  5. 5:00 Teleport 10 Headline: Passwordless Access
  6. 8:26 Passwordless Tech: WebAuthn, FIDO & Hardware Keys
  7. 11:38 Security Advantages of Passwordless
  8. 13:08 Q&A: Upgrading Teleport
  9. 13:14 How Do I Upgrade to Teleport 10
  10. 14:29 Exploring Other Features (Host reads blog while guest reconnects)
  11. 17:00 Enhanced Access Control (Just-in-Time Requests)
  12. 17:57 IP-Based Restrictions and Certificates
  13. 18:18 Automatic Linux User Provisioning
  14. 19:02 Machine ID for Kubernetes
  15. 19:42 Guest Returns & Highlights Key Features
  16. 21:21 Resource Access Requests
  17. 22:40 Machine ID for Kubernetes
  18. 23:38 Live Demos Start
  19. 23:56 Demo: Passwordless Web Login (YubiKey)
  20. 26:18 GitHub Authentication
  21. 27:26 Demo: Automatic User Provisioning with External IDP
  22. 28:26 Demo: Resource Access Requests
  23. 30:46 Q&A: Database Audit Logging vs. Session Recording
  24. 31:57 Revocation of Certificates
  25. 34:24 New Database Integrations
  26. 36:14 How Many Databases Does Teleport Support
  27. 37:46 Setup and Configuration
  28. 38:31 Upcoming Desktop Access Features (File Sharing)
  29. 40:03 Expanded Application Access
  30. 40:50 Kubernetes Operator & Secrets Management
  31. 43:28 Improving Upgrade Experience
  32. 44:18 Wrap-up and Community Info
  33. 46:54 Audit Events
Transcript


Generated from the English captions.


1:43 Introduction to Rawkode Live and Teleport 10

1:43 Hello, and welcome back to the Rawkode Academy. Today is an episode of Rawkode Live, a show where we take a look at open source projects, joined by contributors and maintainers and people that work for the companies that power the open source, to show you lots of cool and interesting things. And today we are doing a follow-up to the Teleport course, where we're taking a look to see what is new in Teleport 10. How they manage to ship so many releases so frequently, I'm not entirely sure, but we're gonna cover all of the goodness that has

2:12 come out just this week. And I'm going to be joined by a friendly face we've seen before, Ben Abbott. Hey, man. How's it going? Good. Thanks for having me, David. Always a pleasure. Happy to have you here. For anyone who hasn't seen our previous streams together, can you give us a little bit of an introduction to who Ben is? Yeah. Hi. I'm Ben Arendt. I'm a developer relations manager at Teleport. And, actually, I've been at Teleport three years. So I think I've seen it go from three to ten, on a similar trajectory. We've actually got more mature in our

2:31 Teleport's Release Cycle and Maturity

2:49 deployment cycle. And so we now launch new versions every three months. So it keeps David up to date. And I'm really excited to go over Teleport 10 and some of the changes that we have in this release, which, as we always say, each release is our biggest release ever, and it just keeps on getting bigger and bigger. Yeah. When I started my Teleport course, I'm pretty sure we were on Teleport five or six, and now we're already on to 10. Like, there's so many cool new features coming out all the time. So it's really nice that we

3:21 get to sit down together and just kinda share these with people as well. Yeah. Yeah. And I think, you know, just as a meta side point, as we've become more mature, we have a good upgrading page, but it's always important to keep your software updated with the latest patches. And we do do security patches on older ones, and we have specific documentation around how to upgrade between nine and ten and, like, the end-of-life cycle. So I think you are still fine running Teleport seven in production, because for more mature organizations, you know, it takes time to roll out

3:57 the latest ones. But I'm excited to do a deep dive into Teleport 10 and all of the interesting new additions that we have. Yeah. I'm sitting here going through my head trying to work out whether I call out the fact that you said "do do" or not, but I'm gonna leave it at just that. So you're not even laughing. That was funny. I actually didn't get it. I think it's the accent. Scottish. Scottish jokes already. Five minutes in. Alright. It's all good. Okay. So Teleport is continually shipping. I think it's important to call that out. Yeah. Like, they're

4:31 moving at a three-month velocity of releases, but, you know, for certain enterprise-sized organizations, you may not be moving at the exact same pace as Teleport. But, you know, I'm assuming all of your releases are covered for a certain amount of time. Like, people on Teleport seven, as you said, are still supported. They're still getting security patches and so forth. So that's really cool. Maybe we should start with a bit of a summary then of what Teleport 10 brings to the table. You said it's your biggest release yet. What

5:00 Teleport 10 Headline: Passwordless Access

5:05 what have we got in Teleport 10 then? Yeah. So I think our landmark feature for Teleport 10 is passwordless access. It is a new authentication method for Teleport, you know, to get into the UI and the CLI. But it also, I think, goes beyond just a new fancy authentication method, and it's really our push to try to remove passwords from infrastructure. And when we talk about passwords at Teleport, we're mainly talking about things that, one, may be passwords, but are also long-lived secrets. And so

5:49 let's say when you set up SSH, as an example, the first thing you do is turn off password-based authentication, and you add public/private key authentication. But the private key is also a secret, which is almost kinda like a password. And so it's also open to attacks like exfiltration. It's also relatively long-lived. It could be hard to cycle. And so, you know, Teleport solved that problem initially by just creating a certificate authority for your SSH certs, which you can do with OpenSSH. But if you manage your own certificate

6:31 authority, it can be difficult to do the day-two operations such as the rotation, the management, if you want to back it by an HSM or other device. All of that is on you to manage and maintain. Mhmm. And as we've strengthened the certificate authority, we've also looked to strengthen, you know, and remove the password from the end user. And so passwordless access, well, obviously, has no password. It also has no username as well. It's usernameless and passwordless. So the experience for an end developer is

7:14 during the registration process, you register your device, whether it's Touch ID with a Mac, it could be a YubiKey, which I have here, or it could be Windows Hello. And all of these passwordless devices combine some form of biometrics. So you have Touch ID on Mac, but also the Secure Enclave on Mac or a TPM on Windows. And it's that combination of passwordless access, which is also kinda hidden from you, that supports this new flow of Yeah. Accessing infrastructure. Yeah. You're right. We're in a very great age of personal computing where we do

8:04 have the Secure Enclave on our Mac, and we have TPMs, we've got YubiKeys, and all these other things that try to improve our security. And it's nice that we're kind of seeing Teleport go on a journey. Was it Teleport nine? You brought out Machine ID and the ability to kinda improve that machine-to-machine communication, and now you're removing the passwords from the human element of it as well, which is cool. I might be very naive here. Is this using WebAuthn? Is that what powers the passwordless approach

8:26 Passwordless Tech: WebAuthn, FIDO & Hardware Keys

8:33 for Teleport? Yeah. You know, we added WebAuthn in, I think, Teleport nine, and we moved off U2F. And actually we joined the FIDO Alliance, which is an industry body for, generally, moving to passwordless. And I forget, we have a blog post coming on all the technical stages that differ between, like, WebAuthn. And, actually, I'm thinking of writing one too, because a lot of the work has been done focused on clients and browsers, but not necessarily that much on developer tooling. And, you know, to support Touch ID

9:20 on the Mac in the terminal requires us to make certain changes in our build. And so, actually, if you use Touch ID on Mac, if you have the Touch Bar, you actually see the Teleport icon, because to make it work on Mac, it has to be specially notarized. So we've done a whole bunch of work behind the scenes. But for the end user experience, you just tap the thing, and it just sort of works out of the box. Very cool. Now I'm sure you're not prepared for

9:48 this question, but I feel the urge to ask it anyway. So will it work with my Apple Watch? Because I can, like, fiddle my privileges with my Apple Watch, and I'm wondering if that prompt is gonna come to it, and I could log in to my machines with my watch. That would make me very happy. We were chatting about this actually, like, the day after the release, and I think it should work. Alan, who did the development on it, has a dev build. Yeah. He doesn't have an Apple Watch. So I'm excited to try it. I mean, I've

10:16 tried. I actually have a Logitech webcam here. Well, you had one. No. I had one. This one. And what's kind of interesting with the webcam is the biometrics in it isn't on the camera. It's actually in the infrared sensor, which is why you need an extra camera. Ah, okay. So it's not just like your face. I think it has an IR array that measures depth and other details to make the biometrics more secure. I don't know if you like it, but Windows Hello is actually pretty awesome if you own the

10:51 Windows ecosystem. I'm afraid Linux and Mac is all I use, really. I do think what they've done with Windows 11 is quite cool, and I keep meaning to install it on an old machine and play with WSL 2 more, but it's just time. I just haven't had the time. Yeah. I've not tried it, but with the announcement, someone said Windows Hello did work with Windows Subsystem for Linux as well. And so support is pretty broad. Yeah. And I think before we dive too deep, you know, one of the things that this sort of fixes

11:22 is there's a whole range of attacks that go away. There's no longer any cookie to take. You're not open to phishing. You know, it just removes password reuse and all these other problems. Yeah. I think we're both fans, and the surrounding technologies and the work of the FIDO Alliance is awesome because, you know, my in-laws, my parents, my wife, my friends, none of them use password managers. They just use the same password everywhere. It's very common. At least, maybe, I don't know. It feels like in

11:38 Security Advantages of Passwordless

11:56 my life and the people I know, it's very common where they just have these crappy passwords. But they can all use the fingerprint scanner or the biometric face scanner for Apple Wallet and Google Pay and stuff. So, like, the more that we push these secure biometric devices to be the way that we identify with web services and other services, I think this is really, really important for securing all of this stuff. So Yeah. And the FIDO Alliance, or Google, Microsoft, and Apple, came out with passkeys, which is another variant on passwordless, which you'll probably be seeing more of. But

12:32 passkeys are sort of interesting because a lot of the key, it's good for, let's say, your parents, but a lot of the key material also goes into a central Apple server. And so you can use passkeys across operating systems and across browsers, which has kind of been a slow transition. But for infrastructure companies, you may not necessarily want your IDP to be one of the big three, let's say. And I think that's kind of where having YubiKeys, for example, is a great solution for it. Yeah. Alright. We do have a question in the

13:08 Q&A: Upgrading Teleport

13:08 chat from Kartik. And I think I'll probably be able to get the answer to this, but they're asking how do I upgrade to Teleport 10? Now I'm hoping that they've just added the apt repository, and they can just run an apt upgrade. Right? Is that the easiest way? Yes. We have a full upgrade procedure, so we do recommend backing up your auth server and any other logs, just as a standard practice. You know, if you have a fresh cluster, if you just do a standard apt install, you'll just get Teleport 10 out of the box.

13:14 How Do I Upgrade to Teleport 10

13:44 And actually, we have versioned it now. So you can be on nine or 10, and you can pick your streams to automatically upgrade those versions, because Sure. It used to previously pick the previous one. So it's another nice developer experience thing. But, yeah, check out the documentation, we have docs on how to upgrade it. But, generally, it's pretty much drop in and go. You should be fine. Alright. There is, like, if you look at our release notes, we have probably some deprecated things. Like, if you're using

14:16 U2F, that's deprecated in ten. But these are mainly edge cases that you're unlikely to encounter. Alright. So we've still got more stuff to talk about in Teleport 10. Before we do that, we'll just handle a couple of the hellos. Thanks for joining us. Rawkode is here too, and Eddie is interested in Apple Watches everywhere. So awesome. Hey. Eddie's trying to do my job for me now. He's like, hey, everyone should follow up this video. Yeah. You totally should. Please. I know. I mean, I think I'm going to get Eddie in the future, so I think we'll get

14:29 Exploring Other Features (Host reads blog while guest reconnects)

14:47 the Apple Watch build for Eddie. And, actually, I was trying on my iPad too, but I wasn't able to register my Face ID, but that should technically work as well. Sweet. Well, lots of things to experiment with there. Now there's more things in this release, and I do have the What's New in Teleport 10 blog here. So maybe we could scroll through this, and you can give us a bit of an introduction to the other stuff that's listed here. So we've covered passwordless. I don't know if there is anything else you wanna add or we'll skip right past this, but

15:14 there's also a nice little video there where people could check that out too. The next thing on the list, and I'll make this a little bit bigger for people, is enhanced access control. You wanna give us a little bit of information on this? Oh, you still there? I'm on my own. Ben, don't leave me, Ben. We'll get Ben back in just a moment. I hope he comes back. Alright. Well, while we wait for Ben, we have an active Discord server. If you want to come and chat technology with over 1,200 people, you can join the Academy Discord. It's

16:03 available at rawkode.chat. We have channels on Kubernetes, Cloud Native, Teleport, Pulumi, GitOps, Continuous Delivery, Rust, Contrail, one of my open source projects. We're just a group of people that love to sit and talk about technology. So feel free to pop into the Rawkode Academy Discord at rawkode.chat. And as Eddie said in the comments, remember to thumbs up the video. We're hoping that Ben will be back in just a minute because he was gonna drive the demo. However, if we need to, I will make up my own demo. I do have a single node Teleport cluster ready and waiting

16:42 for me to try and work out how to enable passwordless authentication with my Apple Watch. So how could you leave? I can't believe he left me, Ben. He's not coming back, is he? Alright. So let's see what enhanced access control is. Well, apparently, this is resource access requests, in preview. This is just-in-time access requests to allow any developer to request access to a resource or role depending on the need. Oh, nice. So this is something that I think was maybe available previously in Teleport. I'm not sure if it's just been modified in some way, but when you give a

17:00 Enhanced Access Control (Just-in-Time Requests)

17:21 user a certain amount of scope or access to your cluster, there may be occasions where maybe you don't give them production access and they have to be able to elevate their privileges. And there was a really cool system in Teleport where you can request access to the elevated privileges and someone else has to approve it, or two people have to approve it, and then you get this window, I think it's configurable, thirty minutes to one hour, where you have the production access. So I'm not sure what the change is here. And it is enterprise only, which is a

17:52 shame. It's a very cool feature. Oh, wait. Another enterprise-only feature. IP-based restrictions and certificates. I guess I can understand the urge there. You wanna make sure that only certain IP addresses have access to the Teleport cluster, because it protects all the stuff. Exactly. Well, that's a feature. I was very excited when I read about this in the blog post, and it's in Teleport Community, which is awesome. But this is automatic Linux user provisioning. So this creates a local Linux user for your Teleport user, which wasn't a thing. This was actually a really common cause of frustration for me personally, as

18:18 Automatic Linux User Provisioning

18:33 I was always like, when I was creating users or setting up users, I would always do tctl, Teleport control, users add with roles, and I'd give myself admin when that was a thing, but now it's editor and access. But I'd always forget the --logins to actually get some access to the users within the machine, and that removes that problem, which is very, very cool. So I'm looking forward to being able to play with that. We've got extended scope for features of Machine ID. Alright. Okay. So Machine ID for Kubernetes. This

19:02 Machine ID for Kubernetes

19:07 is awesome. We covered Machine ID on our Teleport nine video. So Machine ID allows us to give short-lived certificates to machine-to-machine communication-based systems. The example here is Ansible. For me, Kubernetes was always the ideal target. So it's nice to see that we've got application access in preview there too. We've got Machine ID rotation, and I hope that Ben comes back and he can describe some of this stuff, because I am absolutely winging it. So there's lots in this blog, and if Ben isn't here in the next one minute

19:42 Guest Returns & Highlights Key Features

19:42 oh, he just showed up. I was just about to call you out, Ben. I'm back. Yeah. I'm not sure what happened. I was just running through the release blog, reading the titles and pretending I knew what half the features were, but I wasn't entirely sure. So I'm very glad you're Power outage. Power outage. Well, that could be forgiven. I'm glad you're Yeah. And I'm over-provisioned with Internet, so I had to manually fail over to my second ISP. So I'm back in action. Well, I'm very glad that you're back.

20:19 So I was just basically saying that we kinda covered passwordless. I think we've given everyone a good idea of that. I figured maybe you'd be happy and excited to just give us a short description of the other major features on this release blog, and then maybe we can get hands-on and take a look at some of these features on your cluster. That sound good? Can you still hear me? Yeah. So I think yep. Can you hear me? I can. There's just a small amount of latency, I guess, on your new ISP, but

20:51 I'll deal with it. It's all good, man. Okay. Yes. Comcast. This is why it's one. Alright. So, do you wanna just talk through them, or do you want me to run through them and you can say a few words? What would you prefer? I think I would just talk about three main ones. Go for it. And I think the three other ones beyond passwordless are our resource access requests. And this really lets teams implement the principle of least privilege by creating an inventory of hosts that they need to get access to. And that sends a request to their team

21:21 Resource Access Requests

21:38 in sort of ChatOps. We have a Slack integration, and they can approve it. And that's a really powerful feature for larger teams, especially if you have a very large inventory of hosts and you wanna give access to a few. This upgrades it from our previous release, which just had role-based access requests. But sometimes within, let's say, a role of DevOps, you might only need to access two hosts, and so this lets you do that. The second one is automatic user provisioning. This is a small addition,

22:11 but it's super powerful. It lets you, you know, create the user, create sudoers. So instead of having one, like, ec2-user, you can just use your login from your IDP automatically, and so it just makes setup and configuration much easier and gives you more control on who can have sudo privileges without having to set up the PAM stack yourself. And the third one is our Machine ID for Kubernetes. I think this would probably interest you. This lets you get short-lived kubeconfigs using Machine ID. And so if you would want to

22:40 Machine ID for Kubernetes

22:53 have an automated tool run, like a security scanner in your Kubernetes cluster, and you would give it a kubeconfig, this would be an example in which you could issue those kubeconfigs without having to worry about, you know, rotation, connection, and auditing, which is also built into it. Awesome. Yeah. Though, actually, two of those features were the ones I was kinda saying I was most excited about when you were offline. The automatic Linux user provisioning, I think, just I used to make the mistake of setting up my users all the time and forgetting to provide the logins, and that would just,

23:25 like, break my experience. So I'd have to go and edit that. And, of course, Machine ID for Kubernetes is definitely right up my street. I'm looking forward to being able to kick the tires on that a little bit more. But, yeah, very cool features here. Alright. Shall I show you some? I would love that. Let's do it. Let's do it. So I'll share my screen. Alright. You're good. Okay. So let me go to this login. You can actually change this login. So this is the new addition to Teleport 10. So this is the passwordless login.

23:56 Demo: Passwordless Web Login (YubiKey)

24:07 And so let me log in. And it's a similar prompt. Actually, I don't think you can see the prompt because of the way in which the screen sharing works, but I have a pop-up that says, like, pick your identity. So I'm picking USB key. Hold on. Actually, you know what? I have the other one. Let me get my other USB keys. I don't really need to show you, but, my other USB keys. You basically tapped your key. I should get my other one because this is like the hallmark feature. One sec.

24:47 That's funny. Now this is an interesting side problem with passwordless. It's generally advised to have two YubiKeys, or you can register multiple devices. You can register Touch ID and the YubiKey. And so, let's say if I go to work and I forget my YubiKey, I can still log in with Touch ID with passwordless. And then you can also add multiple YubiKeys. So you can always have one as a backup as well, which I'd probably recommend if you move fully to this. And so I don't think you can see it, but it's asking me which account to log

25:32 in as. Nice. And then I'm logged in. And so there's actually a window where you can register multiple users to one YubiKey. And so I have a Teleport admin and my other user. This is Mike, which is one of my demo users. And so you can switch between them. And that's why I said it's usernameless. When you register them, they get registered to the resident key in the YubiKey, and that's how it is both passwordless and usernameless. And so that's the question. I've logged, yeah. Yeah.

26:09 Oh, our latency just got much better. You actually responded, like, immediately. That's awesome. Cool. Go Comcast. So if I've got, like, I like to set up GitHub authentication with my Teleport cluster so that I can log in with that. Can I still add those extra WebAuthn keys, Touch ID, etcetera, to that account, or is it just a completely separate account? For the first version in preview, it's a separate account, but we're working on solutions to work with your IDP for passwordless to combine the user. Alright. Nice. Cool. And then this is sort of just an

26:18 GitHub Authentication

26:45 example in which I have, you know, Touch ID, YubiKey, and Windows Hello all registered as different devices, as my backup. Nice. I like that. And, you know, the registration flow is kind of the same for adding new users. And then, depending upon how you configure it, the user gets to pick how they want to enroll their passwordless option. So that's kind of the flow for onboarding people. You send people links, they register, and they're onboarded on passwordless. So let's go to the next thing we're

27:21 talking about. I was actually gonna log out of Mike and log back in with GitHub. Because you might have seen this too. So when you log in with GitHub, it brings in your GitHub username, which is the internal user. Mhmm. You can configure this. It could be an email address or something from your central IDP if you have Okta. So with automatic user creation, if I just log in as Ben Arant, it creates this user for me. Because normally that Right? Yeah. Yeah. Normally, it would fail, and then

27:26 Demo: Automatic User Provisioning with External IDP

27:59 you'd be like, oh, you don't have access to this host. And so now it just works seamlessly out of the box. Yeah. That's a great feature. It's one of those really strong quality-of-life improvements that I think everyone's gonna be celebrating. Yeah. Yeah. Definitely, because it kinda trips people up to start off with. So that was the second one on my hot list. I think the third one is the access request feature. Okay. Let me log out of my user. Let me log in as Alice. And Alice, when she logs in,

28:26 Demo: Resource Access Requests

28:39 there's nothing here. So there's no servers, no applications, no clusters. But she has the ability to view the inventory of hosts that are available to her within a role. So let's say she needs to debug a few of these worker nodes and the Kubernetes cluster. The just-in-time access requests let her build an inventory of just the devices and nodes that she needs access to. And so on debug, you can also request reviewers, but I'm just gonna request this. This goes out as a request. My other user would accept it.

29:20 You assume this role, and then you can just go about your day of using Teleport normally. But, you know, we've given people the ability to see the inventory of resources, but also greatly scoped down the access. And so this is a nice check. You know, it can help with compliance, but also help with just not giving access to all of your infrastructure at one time. So it can be a nice compliance and also a good security feature. Yeah. I love that feature. That's very cool.

29:52 I didn't really understand, when you were offline, I was kinda trying to understand the enhanced role resource thing. And I didn't really pick up on it, although Russell did in the chat. But being able to individually pick those resources instead of applying an entire role with, like, the node selector and the Kubernetes selector and stuff is a very, very cool feature. There's another cool addition: if you know the host you wanna access, so let's say I would like to SSH into one of these nodes and you don't have access to it, in the command

30:28 line, it can also create the request for you. And so you can have this whole experience and flow without using the terminal, which is a very powerful addition. Yep. You know, you don't have to come into Teleport. You can just do it on the CLI. And all these features, you know, must be available on the CLI. Yeah. We have a question from Russell in the chat if you're happy to pick that one up while we log in. I'm assuming you're gonna log in and approve Alice, so I'll read the question just now. But Russell is

30:46 Q&A: Database Audit Logging vs. Session Recording

30:55 asking if there's a way to drop a session with Machine ID. So assuming we give a kubeconfig to somebody, but we then want to revoke that sooner than the expiration, is that possible? So the answer to this question, I believe, I might have to double check on this. The best practice is to really limit your time. So you can have Machine ID, I think, go down to, like, the minute, or maybe, like, five minutes. And then you can lock it. And so the idea is you'll always issue these certificates every five minutes,

31:37 but then we have tctl lock. And that will lock it from issuing any new certs. And so if you're worried about that window of attack, I would just reduce the time in which you issue it from Teleport. Yeah. That makes sense. That makes sense. I think we have looked into revocation of certificates, but I think it is a complicated problem. So we advise people to just give certificates a really short life and then use the ability to lock it if you think a certificate has been compromised. Talking of that realm of

31:57 Revocation of Certificates

32:14 certificates being compromised. We've added in IP-based, I forgot the official name of the feature. Let me look at the roles. Pin source IP in roles. And this means when someone uses tsh to get their certificates, it bakes in the source IP that requested it. So this is actually an interesting use case. I just changed ISPs. So I probably have a different IP address now. And so if I was to use the command line and issue the certificates, it wouldn't work because my IP had changed. I'd have to log in again to get

32:55 a certificate to match. Right. Right. Gotcha. Yeah. That makes a lot of sense. I think that removes a whole bunch of attack vectors. Right? Because this one was the source IP that made the initial request. So if that changes, something bad is happening, or potentially something bad is happening. Yeah. Oh, yeah. The ISP's gone down. So it's like a nice little, you know, security feature. Cool. Are you going to approve Alice? Is that what we're doing? I can approve Alice. I mean, the approval flow is nice and, you know,

33:32 you can have the reason for approving. You can have messages regarding it, and then Alice will be able to sort of go about her standard flow like you assumed. I don't need to necessarily share that since it's already, you know, kinda like the standard Teleport flow. Russell likes the IP pinning. Nice feature. Yeah. I think we're all agreed on that one. It's pretty good. Yeah. That's another one within our sort of what's new. I think that we have more information here about the time bound. And I think this is actually an enterprise only feature

34:12 since, you know, if you have your home lab, it's not, you're unlikely to have a nation state trying to get your certificates. Cool. Let me see what else we have in here. And then I think, you know, we've added a range of new databases as well. Snowflake being a pretty interesting one. I think Snowflake's interesting because, you know, it's our other protocols have gone deep. So we have to go, like, deep MySQL, deep Postgres. But, like, modern databases are just over, like, TCP, like, HTTP. And it's a sort of the same flow. You can access your Snowflake cluster,

34:25 New Databases

34:57 And all of this is done on the command line, so you just use SnowSQL as you would normally. And we also have additions to use, like, graphical tools for sort of Postgres and MySQL as well. So you can issue it to teams who don't wanna, who aren't that familiar with sort of the command line tools. Very cool. There were quite a few new databases listed on that blog there. Right? I've seen Elasticsearch, and Elasticsearch is coming. These are gonna be in 10.2. These mem, these ones, I mean, I kinda think they're

35:33 the same. Like, they're both Amazon's Redis compatibility additions, like MemoryDB and ElastiCache for Redis. So just providing more AWS cover. And then, like, I guess, Cassandra is coming in 10.3. And so, you know, we're just always adding more databases. So if you, you know, have one that you're sort of interested in, definitely search our GitHub issues to see if there's a ticket for it. Or if not, you know, create an issue. Nice. Most of these ones are also quite easy. Like, once we had our Redis integration, it's easy to add MemoryDB because it just speaks Redis, but there's just a few nuances of

36:10 how they have set up their authentication. Yeah. So how many databases does Teleport support now? I imagine that's quite a large number. I don't know the official number, but the documentation page for databases is growing. And it also, you know, we've kind of, like, gone deep on the different cloud vendors. So, like, AWS, RDS, GCP, like SQL, MySQL. Active Directory SQL, we added in audit logging as an addition, which wasn't previously available for Microsoft SQL. And, actually, we're writing a blog post. I guess it could be difficult for some people to access Microsoft SQL on Linux as well.

36:14 How Many Databases Does Teleport Support

36:59 So, also, if you do have to use it and you're Linux native, you know, it's sort of a nice tool for accessing Microsoft SQL. And then CockroachDB is another one that we added. So we're just always adding and expanding. And we also try to, so we have, like, self hosted MongoDB, but also MongoDB Atlas. And so we support sort of DBaaS as well as self-hosted databases. Yeah. MongoDB Atlas released serverless databases earlier this year. And, like, the free tier is actually really interesting. I started using it for a few things. And gotta say it's just

37:38 a pleasant experience. And I actually didn't know I could throw Teleport in front of that. So I'm even happier now that I can. Yeah. The setup and configuration is also pretty simple because, you know, they run your database. Often, the process is exporting a sort of X.509 certificate, adding it into your, like, MongoDB Atlas cluster and registering the user. And that's pretty much it. So it's pretty, if you already have a cluster set up, the configuration and setup is relatively simple. You know, you have the self managed X.509, and you create the user that

37:46 Setup and Configuration

38:15 has the certificates, and that's pretty much it. So it's, if you have a cluster already, it's a pretty nice and smooth experience. Alright. That's tomorrow's mission then. Yeah. We'll keep going down. So in the desktop access, this one is gonna be really exciting. This one's in 10.2, but I've seen a preview of it. You know, we've added Windows desktops, but this lets you share local files over the browser. And so you could have directories, and we added clipboard support. Hopefully, this works. So it's already, like, natively sort of passwordless. But if you wanted to sort of drag

38:32 Desktop Access

39:04 files into here from my Mac operating system, it's a pain. And this directory sharing is sort of a cool addition. It uses a sharing API over, like, TDP, which is sort of our RDP protocol. It's a super interesting sort of solution to the problem, but it's also all in the browser. And I've not seen much else that's sort of similar in the browser without, like, having a native client. So the guys have done a great job on this. I can just drag a file from my Mac onto a Windows machine via the browser. That's pretty cool.

39:42 Yeah. Yeah. Pretty cool. And then when it's trying to simplify setup, you know, desktop support is, may, you know, people managing their own, like, self-managed AD currently. So mainly large organizations who are worried about security, so we make configuration a little easier. Alright. And then I think also this is sort of in 10.1, like, just generic application support for sort of WebSocket connections and different protocols. So just sort of expanding application access as well. So this brings support for m p p p. Yeah. Yep. Thanks. I like that. And so this was first read through, like, an open issue. And

40:03 Expanded Application Access

40:26 so this is sort of, I guess, showing, like, Teleport's sort of open core, open source sort of nature. So, you know, if there's a certain feature that you wanna get, you know, like, this is from February, so we've worked on this, like, relatively quickly, which sort of shows the philosophy of the team is always ramping up. Yeah. I like that. And there's other, so the proxy peering just makes your cluster, like, faster. And then I think this is, we've sort of, interesting for you is our Kubernetes operator and moving away from persistent volumes.

40:50 Kubernetes Operator & Secrets Management

41:02 There's some other. So what's the operator thing? Sorry. What's it bringing here? Let me get you the docs for the operator. Oh, I don't have the docs for the operator. The operator does let you configure Teleport in a more streamlined way. Nice. For creating users and using tctl and sort of extending it without having to sort of customize YAML as much or modify our Helm charts. Yeah. Trying to pass properties and configuration into the Helm chart has proven cumbersome time and time again. So relying more on custom resources and being able to apply them to the

41:50 cluster. Yeah. Again, something else I'm gonna have to start kicking the tires on. I think that's gonna simplify my own infrastructure a good fair bit. So that's nice to see. Yeah. I think it would definitely help you a lot with Klustered. And I think this would be 10.1. So soon you'll be able to try this out. Nice. And removal of the persistent volume. So where does all the state live? That is a good question. And let me find the issue because I knew you'd ask me that question. And like everything that we do and along with

42:31 kind of being open core on GitHub, we have sort of RFDs. Ah. We sort of discuss, like, how we're implementing our features. And so, you know, it sort of describes the problem and sort of, like, tokens and the problems that we've run into and sort of how we've gone about building it. So we're just using Kubernetes native secrets. Very cool. Yeah. So if anyone's sort of really interested in it, this sort of goes through, like, our thought process, like, what it changes, how it works. We have sort of flowcharts, and as you can see, it's always

43:05 other edge cases, like dealing with, like, CA rotations, you have to take into account, and sort of other limitations of it. Sort of upgrade procedures, changes to the Helm charts. So this is also a great resource if you wanna get a head start on the feature. Yeah. I'll share that link in the description below once we finish for today. And I think that's it. You know, we're working on making upgrades easier. You know, lots of people talked about upgrades. I think we're gonna first start with nodes and less sort of a notification procedure to

43:28 Improving Upgrade Experience

43:38 know which nodes are sort of out of date and then probably move to a more automatic upgrading of clusters for people. Mhmm. Alright. But I think that is, you know, that is it. Just a small release. Just those 1,200 features. That's all that is. That's fine. And other bug fixes. So in our, like, Teleport 10, we've sort of given people more preview to ones that are coming in different minor releases. But I think we're gonna be releasing 10.1 in a couple of weeks. And so that would also mean that we'll upgrade Teleport Cloud instances as well.

44:17 Cool. Alright. Well, those are some pretty cool features. I hope people are excited by that. If you have any questions for Ben, now is a good time to drop them into the chat as we'll be finishing shortly. I see we have one from Russell. And before we tackle that, I'm gonna pop us back over to the big face mode. There we go. So Russell is asking if any of the databases support session recording. Yeah. Or sorry. It says do all databases support session recording, or is it dependent on the database thing? All of them support audit logging,

44:18 Wrap-up and Community Info

44:56 not necessarily session recording due to the nature of them. And, actually, if you look at our audit logs, what's sort of interesting is because it's sort of such a low level of the protocol, when you run, like, a get tables, it sort of shows you what's the raw input interpreted to the database. And because you can make, like, multiple requests to the database at one time, that's sort of in our audit log, but it doesn't sort of play back in the session recording mode. If you did want to get session recording for what people are doing to your

45:27 databases, probably what I'd recommend would be to create a Teleport server and then use that Teleport server with sort of MySQL or SQL tools. Then you can see both what people are doing with their sort of, like, SQL commands. You can play that back, but you also get the full audit log of what's happening on the host itself. I think that's sort of similar to what you do at Klustered, isn't it? You have one VM that people share their Kubernetes session. We have three bare metal machines and we use Teleport SSH amongst them all and people join the active sessions so we

46:08 can all type. Yes. Kind of. And then you get a kubeconfig and then, like, share that kind of kubeconfig in that regard. Yeah. The kubeconfig is available on the control plane node and we just export an environment variable so we can all share that. Yeah. Not very sophisticated. We should leverage more Teleport features there and hook it into the cluster. But the challenge with Klustered is that people break the clusters, so we can't, Teleport has to stay away from it, really. Right? Otherwise, we lose access. Yeah. So we keep

46:37 Teleport in a nice little box. The golden rule is do not break Teleport. Break everything else, so I probably can't push more of the Teleport Kubernetes features because of that reason. Would be nice, though. Okay. So Russell said, sorry. I used the wrong terminology. I meant audit events. So, yes, that is supported. Oh, yeah. Everything has audit events. And the only one that didn't have it recently was the Microsoft SQL Server, but we added that in 10. There we go. Another feature in 10 that we didn't cover. Lots of them. So alright. It looks like there aren't any more questions.

46:54 Audit Events

47:18 Russell says thank you. I'll say thank you to Ben. It's always a pleasure to have you join us. Lots of things to say here with Teleport 10. I'm gonna have to upgrade my infrastructure now as well. And as the new features drop, we'll be sure to get more content on Teleport on the channel, and I'm sure we'll be back in three months for Teleport 11. So any last words, Ben, before I let you get back to your day? Nope. That's it. Thanks for joining everyone. If you have any questions, you know, you can

47:45 join our community Slack channel. It's available at goteleport.com/slack. But I'm pretty sure most of you guys are already there, and I'm happy to answer any questions that come up. Alright. Thanks a lot. Have a good day, everyone. Thank you, Ben. I'll see you soon. Bye.
