Teleport Workload Identity with SPIFFE: Achieving Zero Trust in Modern Infrastructure
May 23
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Fork me on GitHub

Teleport

Telemetry

Version 15.x

This document explains what telemetry is collected by the Machine ID tbot agent, why we want to collect this telemetry and, how to opt in or out.

Why?

Machine ID is an emerging part of the Teleport product and it's helpful for us to be able to identify the kinds of use-cases people have. This allows us to prioritise more common usages. Whilst we try to collect this sort of information by talking to users directly, having a more general overview of the product in the wild helps us make even more informed decisions and avoid our decisions being solely influenced by a select few users.

Anonymous telemetry

Anonymous telemetry is currently the only mode supported by tbot. This means that the collected data does not include anything which identifies:

  • the specific machine tbot is running on
  • the cluster tbot is connecting to
  • the hosts, applications, databases and Kubernetes clusters tbot connects to
  • the user that has configured tbot

If we introduce further events to Machine ID's anonymous telemetry in future, we will abide by the above guidelines and ensure that changes are explicitly included in changelogs where new information is gathered.

Whilst we do not collect data which uniquely identifies the specific machine tbot is running on, we may collect general information about the architecture and operating system installed on the machine.

We do not assign a unique ID that identifies your tbot installation across multiple starts. This means it is not possible for us to determine how long tbot has been installed on a machine or track changes made to a tbot configuration on a specific host over time.

We do assign a unique ID that identifies events that originate from a single tbot start (you may hear this be referred to as a "session"). This allows us to tie together multiple events and determine how long they occur after tbot has started.

Opt-out/opt-in

Anonymous telemetry in tbot is strictly opt-in.

To opt in to this telemetry, set the opt-in environment variable to 1:

export TELEPORT_ANONYMOUS_TELEMETRY=1
tbot start ...

You can use the same environment variable to explicitly opt-out of this telemetry by setting the value to 0:

export TELEPORT_ANONYMOUS_TELEMETRY=0
tbot start ...

If this environment variable is not configured, tbot defaults to not collecting anonymous telemetry.

Events

Anonymous telemetry currently submits a single event on the start of tbot.

This event is called tbot.start and contains the following attributes:

  • tbot.run_mode: one of [one-shot, daemon] depending on if tbot has been invoked with --oneshot
  • tbot.version: the running version of tbot
  • tbot.join_type: the join method type that has been configured (such as token or github)
  • tbot.helper: the name of the helper that has started tbot if one has been used. For example: gha:teleport-actions/auth
  • tbot.helper_version: the version of the helper that has started tbot if one has been used
  • tbot.destinations_other: a count of destinations configured that are not associated with the Database Service, Kubernetes Service or Application Service
  • tbot.destinations_database: a count of Database Service destinations configured
  • tbot.destinations_kubernetes: a count of Kubernetes Service destinations configured
  • tbot.destinations_application: a count of Application Service destinations configured