Teleport 15 Unveiled: Elevating Access and Security Across Infrastructure
Join us for an exclusive first look at Teleport 15, the latest version of the Teleport Platform. In this webinar, we’ll review the latest additions to Teleport and will cover tips for upgrading.
Highlights of Teleport 15 include:
- Enhanced Desktop Access: Experience the new, more performant RDP engine, offering a smoother desktop access experience. With significant performance improvements, accessing remote desktops has never been more efficient.
- Advanced Database Access: Discover the ease of RDS auto-discovery in our Access Management UI. We've streamlined the process of enrolling RDS databases, making setup and management simpler and more intuitive.
- Expanded Windows Access: Teleport 15 leverages its improved RDP engine to provide an unmatched Windows access experience, ensuring seamless integration and enhanced performance.
- Device Trust Extensions: Now supporting Linux devices with TPM 2.0, Teleport Device Trust extends its reach. Additionally, access applications securely with device enforcement via tsh proxy app.
- Kubernetes Integration: Introducing EKS integration, Teleport 15 allows users to easily enroll EKS clusters through the Access Management UI, enhancing Kubernetes access and management.
- Simplified SAML IdP Configuration: The improved SAML application configuration flow in the Access Management UI now includes automatic entity descriptor fetching and attribute mapping, streamlining the identity provider setup.
- MFA for Administrative Actions: With the introduction of MFA for sensitive administrative cluster actions, Teleport 15 ensures an even higher level of security for your systems.
This webinar is targeted at people who are already familiar with Teleport; new users should watch one of our new Introduction to Teleport webinars.
Transcript - Teleport 15 Unveiled: Elevating Access and Security Across Infrastructure
Ben: Welcome to today's webinar. We're just getting things set up here. All right. We have Dave here. Hi everyone. Welcome. Let me just set everything up here. See if this kind of has been shared. All right. We have my screen set up. Just as everyone comes in, just let us know where you're from. Please leave a message in the chat. Myself, Ben, I'm in Oakland, California, but from England. And we have Dave. Dave, you want to give a little quick hello to everybody?
Dave: Yeah. Hi, I'm Dave Sudia. I'm a Senior Product Engineer here at Teleport. I'm in Denver, Colorado.
Ben: All right. And then I think we have like 10 people coming in now. Dave, can you see my screen okay?
Dave: Yes, I can.
Ben: All right. Okay, everybody. We'll give people a couple of minutes to begin. We'll probably start in two minutes or so just past the hour or just for everyone to set up their configuration. And we'll start in two minutes. But yeah, like I said, feel free to familiarize yourself with the platform. Let us know where you're from. Also, Kat was joining us today. She's the silent guest. She's posted the Code of Conduct. So please follow that. Just be nice to everybody today. And so let's give people one more minute. Hi, Nick from Longmont, Colorado. I don't know if you know where that is, Dave.
Dave: Yeah, that's about 45 minutes north of me.
Ben: Oh, there we are. Any other Californians here today or any English people? I know it's kind of late for the European crowd. Oh, we have Katarina, Santa Clara. Sunny, although I think it's been slightly rainy yesterday. This week has been a very wet one. So let me just give it one more minute and we will kick things off. Clinton, Ann Arbor, Michigan, beautiful part of the world. All right. Okay, let me get this started. Oh, Cologne, Germany. Okay. So we have a few Europeans here too. And two minutes past the hour, I'm going to kick things off.
Welcome Words & Poll
Ben: So hi, everybody, and welcome to today's webinar, Teleport 15: Elevating Access and Security Across Infrastructure. Today's webinar is going to be an overview of Teleport. This webinar is probably going to be primarily a quick introduction. We have many other videos which are good overviews and introductions to Teleport. I'd recommend checking them out on our YouTube channel, which is youtube.com/goteleport. But I will give a little deep dive into some of the changes that we've made on the Teleport platform and then deep dive into Teleport 15. So I'm going to give an overview of the platform updates, Teleport Access, and Teleport Identity. And Dave is going to deep-dive into the Teleport 15 Kubernetes Operator demo and cover our breaking changes, and we'll have time for Q&A. I'll also keep an eye on the Q&A chat as we go throughout this. So feel free to ask any questions as they come up. And Dave, if I missed one, feel free to interrupt me and let me know. So I've already introduced myself, but I'm Ben Arent. I'm the Director of Product here at Teleport. And I've been at Teleport just coming up for my fifth year, so I've seen Teleport from 4 to 15. So I've seen lots of the different variants over time. And so I'm really excited to have one of our newest members, Dave Sudia, join us, and this is his first release. So Dave, do you want to give a little quick intro?
Dave: Yeah. So yeah, I'm Dave Sudia. As I said, I'm a Senior Product Engineer here. I have been here since the beginning of January, and this is my first release. And so for anybody who's joining the webinar who is a beginner, I'm in your shoes and having as much fun learning this as you.
Ben: Yeah, it's great to have some fresh eyes on the product and how things get started. So it's always great to have you here today. And so talking of where people are on their journey, let's do a quick poll. I'm going to open the poll now, and you have to go to the polls tab. I think I should be sharing it now. Are you currently a Teleport user? I have a few options here from using it at production at scale, you doing a proof of concept, or if you don't know your home lab — a range of things. So this will help me give a little indicator of sort of how to tailor the content for people, especially people within proof of concepts. I'll get a little bit more into the introduction of Teleport or if you're using Teleport at scale. I think that's great for Dave to learn more about how the Kubernetes Operator can assist people. So it's looking like we have kind of an interesting spread of people, no big winners, two at production at scale, one in staging, two doing a proof of concept right now. One person, no, but thinks the organization needs something, and one home lab user. It's always great to see a home lab user as well. So I'm going to stop sharing the poll. And so it's kind of a nice blend of users. So let me just come back to my sharing window.
Teleport Overview – Quick Introduction
Ben: So what do we do? Teleport provides on-demand, least privileged access to infrastructure on a foundation of identity security and Zero Trust with built-in identity and policy governance. To sort of explain many of these concepts, I like to go into what we see as how we approach access. And our solution is based upon these four tenets, starting at the bottom with cryptographic identity, provisioning identity to all users, devices, and machines that resources are connected to, eliminating the need for credentials and making phishing and credential theft resilient, and also being able to identify not only the network, the devices, machines, everything that's talking to each other. And this goes into our concept of Zero Trust Networking Plus, the ability to take Zero Trust concepts beyond just the network, but also extend them to applications and workloads to provide identity and protocol-aware access. So enabling you to access any part of your infrastructure securely from anywhere and no longer relying upon IP whitelists or VPN or any other tools which are sort of pre-Zero Trust.
Ben: Next up, we go into our secretless authentication and ephemeral privileges. This lets us provide authorization engine enforcing the principle of least privilege, eliminating standing privileges with each authentication. And authorization is tracked to the identity and the protocol level, making it very easy to provide audits and make them tamperproof. A specific example of this I like to give is if you're using a EC2 where you have multiple team members logging in as EC2 user and you're sharing that one login. It can be difficult to audit, say, which user logged in to which VM. Everything with Teleport is tied back to the identity of the user. And so even if you're using a shared login, you know which user is assuming which role. And then lastly, it's all around governance and security intelligence and the ability to provide built-in identity and security governance and policy governance, delivering unified capabilities across your traditional PAM, IGA and CIM categories. I'm going to give a little overview of Access Graph later on and then also some of our more advanced privileged access monitoring, which is in an earlier release, but since we have new people today, I'll give a little demo of that as well.
Three Key Teleport Products: Teleport Access, Teleport Identity, Teleport Policy
Ben: So our platform has three main products. We have Teleport Access, which is the foundation, which provides on-demand, least privileged access on a foundation of cryptographic identity and Zero Trust. Next up, we have Teleport Identity. This lets you harden your infrastructure with identity, governance, and security. And lastly, as I mentioned before, we have Teleport Policy, which also helps with governance, providing visibility such as Access Graph and policy enforcement. And that brings the core platform. And what this sort of looks like as far as architecture, there's a lot happening in this diagram. But if you go in the bottom left-hand side, you can see that we have a range of engineers and machines which are connecting using multiple tools to the Teleport Access platform. This is providing everything such as the authorization and policy engine to issue ephemeral access and policy to give access to all your resources. And all these resources can live anywhere. So they can be EC2 hosts. They can be databases. They can be Azure EKS clusters. They can be AKS clusters.
Ben: And one of the great things about Teleport is by using one central access plane — you get to consolidate all of your access. So if you have multiple clouds or multiple vendors, you can standardize and unify access to all of those using one policy engine. And we believe by consolidating everything and having one central area, it makes it much easier to also provide such things as just-in-time access, enforce device trust, issue enhanced policy about who has access to which resources when. And since everything comes through Teleport, everything is audited with both session recordings and audit logs to make people obtaining compliance also a breeze. So that sort of ends my introduction to Teleport. I see we have some messages in the chat here. Oh, no, just some home lab banter. So if anyone has any questions about sort of the introduction to Teleport, I'm happy to ask any questions, but I'm going to go on to the platform updates.
Teleport 15 – Platform Updates
Ben: So the platform is sort of the core foundation. We have the updated user interface in Teleport 15. We've improved our session playback. We have made some improvements to Teleport Connect. MFA for administrative actions — this is an important core platform feature to enforce using hardware tokens for key administrative actions, which is just improving our security. We've added support for AWS KMS. This lets you store any secret material in Key Management Store. So even if your auth server was compromised, it is also stored within the Key Management System. We have a standard Kubernetes Operator now, which Dave's going to give a demo of. And then lastly, for people running Graviton and ARM servers, we provide ARM 64 bits for FIPS, and we also have ARM APIs for all of our services. So I'm going to do some quick overview of our platform and Teleport Access. Let me change my window. Okay. So I was inviting someone in my cluster before this. Okay.
Ben: So most people are greeted with this window when they start Teleport. Let me just make it — I'm sorry. I just have some Windows issues here. Let me come back and share again. All right, here we are. Okay. So you see I have “Sign in to Teleport” here, and if I log in, I'm using GitHub as my identity provider. GitHub is available in our open source community edition, but most enterprises are using Okta, AD Workspaces or Google Workspaces to log in. And you see I'm greeted with all of my resources in a centralized view. I have a mixture of my servers, my applications, my databases, my Kubernetes clusters, and my Windows desktops all in one centralized place. And so this makes it very easy for me to both view an inventory of hosts, but also immediately jump into a specific server. And so I opened a new tab. I switched back to this one. And so if I exit and come back to this tab, this is sort of the flow for accessing servers. Same for databases. We provide CLI tools, which makes it easy to connect to those instances. We have a range of applications that makes it very easy. You'll see it will boot in. This can provide access to Grafana. And so this is what we mean by extending the concept of Zero Trust networking to all of your applications. In my case, I've logged in, I've passed the JWT token, so it's also my same user that I had but within my main cluster.
Ben: So for people who were on Teleport 14 and below, you notice a few changes here. We've moved our left navigation to make our UI a little bit more condensed. We've split out our resources and access management tabs to make it — oh, sorry. I was sharing the wrong tab again. We have our Resources view and our Access Management tab, which has consolidated the difference between giving access to resources and then also access management. We've elevated access requests to make it very easy for when people are requesting access requests and creating them. And then lastly, you can see active sessions. So these are the two sessions which I currently have active. Lastly, this little sparkle tab, this is Teleport Assist, which is our AI assistant, which can help do various things in your clusters. We have a new notifications tab, and there's sort of an overview of our core platform.
Ben: Another addition, which I think Dave might touch on in a bit, is we've added the requirement for hardware key or token. You actually can't see this, but this is requesting me to tap my YubiKey before I get this token. This requires people to set up an additional multi-factor authentication token that you can add here. And we've also done a lot of work refining both adding multi-factor authentication hardware keys and also passkeys as well for passwordless login. So I think that's kind of a good overview of the core platform updates, and I don't know if — Dave, did I miss any core platform updates that I should demo here?
Dave: I think you got it all.
Teleport Access
Ben: All right. Okay. So I'm going to come back to this tab and just rearrange my Windows. So Teleport Access. What's been some improvements? For SSO, we've improved provisioning for Okta. This is actually coming in 15.1, but this will make it much easier for teams to sync users and groups in a real-time fashion to make it easier when you're onboarding and offboarding people. For our resources, we have made significant improvements to our Windows Desktop Access by rewriting our engine. For SSH, we've improved connection resumption. So if you're updating the proxy or you have multiple users, we make it very easy to reconnect on those clusters. For Kubernetes, we have gone — along with adding our Kubernetes Operator, we've also added EKS integration, which makes it much easier to both discover and add EKS clusters. And then same for databases, we've made it very easy to auto-discover RDS databases into your cluster. And lastly, for applications, we have an improved SAML IDP configuration flow if you want to use Teleport as an IDP.
Ben: So if I come back to my cluster here, you can — I'm going to start off with my Windows hosts, so pick my desktops. And so you can see here I have two Windows hosts which are connected. I'm going to log in. It can be hard to sort of show off performance improvements necessarily, but we can say like hello, world. So I can type. For people who use the previous ones, this flow, you're unlikely to be playing some games, but you can actually see some animation and the flow is much easier. You can likely even play some CAD services as well. Everything is sort of much snappier than it was previously. And then for people who are new to Teleport Desktop Access, there's a few other features we have, so you can enable desktop sharing or clipboard and then we have notifications here as well. So this is a huge improvement to both AD and non-AD access for Windows hosts.
Dave: Yeah, I'll say the main thing people might notice is that there's a desktop background in the new one where it used to just be solid black because it was a performance hit to show you the background, and now it's just completely smooth.
Ben: Yeah, you're right. And so I'm going to actually show — we talked about the session improvements as well. If I come into my audit log, we can see the session that I just played. Along with having the ability to sort of speed up what happened during the session, you can now scrub as well, which makes it much easier to figure out what happened at which parts of the session. So that was the session that I just — oh, I just realized that I wasn't sharing my session. Okay, let me come back and replay the session. So we have the ability to sort of change the speed, and you can see the session that I just completed. And so this is the overview of Teleport session recording. Everything also has an audit log. I think another feature that I was going to demo at this point was our additions to our various resources, which we've added. So we have the ability to connect and add EKS clusters, and so with our AWS integration. And this is the same for RDS. It has the same discovery. And so this makes it much easier to also have a guided experience that requires less setup on end users' ends to enroll databases and deploy the services and set up all of the IAM policy required.
Ben: And if I come back, I think the last one I want to talk about was for Application Access. We've added the ability to improve SAML IDP connections. So if I come to my SAML app — this was previously only available through YAML, but we now have a common standard of flow for getting the identity ID, the SSA flow for all the metadata to configure an IDP service. And along with this, we also make it very easy to have attribute mapping to map user values from your IDP into which apps you want to provide. So this definitely makes it much easier if you want to protect any other apps using our SAML IDP as well. Lastly, connection resumption. I probably won't demo this since this is a little bit harder to demo, but I think I kind of did an overview of accessing the cluster. So let me come back to my tab. So updated Windows Performance. I think I did a little overview of that. I'm going to pause to actually see if there's any chats. Cameron, the resource onboarding changes are nice. Yes, thank you. Yeah. But we've had some good feedback about that as well. So anything else, if anyone has any feedback or improvements, we are an open source company. You can either create a GitHub issue or join our community Slack.
Teleport Identity
Ben: Next up, I'm going to talk about Teleport Identity. For Teleport Identity, in Teleport 15, we didn't have a huge amount of additions. We have added the ability to add Device Trust for Linux and access monitoring and response. If I come into my access management, you can also enroll your — so you have your users in yours and under your IDP. You can add an extra layer of security by registering trusted devices. In Teleport 15, we support both Mac and Linux, and so you can enroll your Linux workstations. We have an overview here of using `tctl` to get started with this. If you want to do this at scale, we'd recommend using MDM services such as Jamf. Makes it much easier. And then for access monitoring, this was in Teleport 14, but we now have the ability to have Athena-based logs, which you can have an overview, so such as create a query, which is for the protocol `ssh`, which people aren't using MFA, and they don't have Device Trust. And so this makes it very easy to figure out what's happening with their infrastructure, up to people who use long-lived tokens. I used this the other day with a customer, and they were trying to remove people Kube Exec’ing into pods. And so this is a prebuilt report, but the query editor is open. It's Athena-based. And if you come into our query editor, you can just run your own queries on all of the information. And this is a great tool if you want to figure out what's happening in your cluster without having to sort of deep-dive into your SAML or Splunk or other tool.
Teleport Policy
Ben: And then lastly for Teleport Policy, which I covered, we now have the ability to provide visibility using Access Graph. Access Graph, there's a great talk here from our CTO, Sasha, which we can probably put in the chat. I'm going to give a quick overview of what Teleport Policy and visibility looks like on my host. And so we now have the addition of an Access Graph. And this is going to take all of my resources that I have in my cluster and figure out what's the key access flows for which user. So I just added `roman` to my cluster. I'm going to show his access path, and you can see that I have added `roman` to the group access, which has access to all of these resources. And so this makes it very easy if you're trying to follow the Principle of Least Privilege, or you can work with an auditor — which groups have access to which resources. Access Graph is a very useful tool for this. This only sort of scratches the surface of what's possible with Teleport Access Graph. And if you're interested, I'd recommend going to our policy page, and we're giving demos and working with people right now to expand this feature. So let me come back here. And I believe that's the end of my presentation. So I think I'm going to hand it off to Dave now for the standalone Kubernetes Operator. All right. Off to you, Dave.
Dave: Yeah, sorry. Thank you. I was just typing a response in the chat.
Ben: Yeah, did I miss anything? Oh, you got some good notes there. Yeah, do we just look through the chat right now?
Dave: Yeah, we can do that right before I get started. You can correct anything that I may have gotten wrong.
Ben: So I think we had a question around Teleport Cloud users before February 29th. I think this one we'll probably touch at the end. With our breaking changes, it's probably best to address. And we'll come back to that. And then we have one for Teleport Policy. It was noted that it will be limited in the future. Is there going to be a separate license fee, or is it limited to Enterprise? I believe it will be in addition to your current Enterprise plan as sort of an add-on. But I'd recommend talking to your sort of account rep to give a full overview of what your options are. So probably working with your AE. And since we're in the early stages, I believe that they're giving heavy discounts for Teleport Identity Access Launch. So Dave, you want to kick it off for the standalone Kubernetes Operator?
Teleport 15 – Kubernetes Operator Demo
Dave: Yeah, I'm really excited about this feature. Before kind of stepping into this role, I was a platform engineer, a DevOps engineer for a long time. And so just a natural instinct for me to keep everything in code and use GitOps for pretty much everything that I can. So the K8s operator — that's right up my alley. And I had not really used it prior to this. I was coming in pretty new to the product and the open source, because this is as well in the open source version of the Teleport. And so I'm very excited about this. So to provide a contrast, in version 14 and previous, it was not — the kind of question I think here is: Why is the name the Standalone Kubernetes Operator? And it's really because prior to this, the operator was built into Teleport. And there were issues with that that we had customers report and users report, which is that performance issues in one could affect the other. If you were trying to sync a ton of resources, that could actually chew up the CPU that was being used by the Authorization Service, and then the Authorization Service would slow down, and then all of Teleport would slow down. And vice versa, you might have extra heavy traffic on the Authorization Service and run into an issue syncing your resources. It had to go through the co-located Authentication Service. And the main problem with that is now it only works if your Teleport cluster is in the Kubernetes cluster with the operator. So you're basically limited if you weren't deploying Teleport into a Kubernetes cluster, and that's where your Teleport cluster was running. The word “cluster” is starting to get as overloaded as the word “service” in the Kubernetes space now. You couldn't use the operator. Basically, it was only for people who were running Teleport in the Kubernetes cluster.
Dave: So here's the big difference. It's now independent, and it just speaks through the proxy service like any other kind of client. So rather than having to speak through an internal load balancer or directly to those Authentication Service pods, you can now have it running in the cluster. It just speaks through the public load balancer, through the proxy service and talks directly to your cluster that way. So there's a couple of major benefits to that. One is you can manage your Teleport resources declaratively using GitOps now from whatever Kubernetes cluster you want to any kind of Teleport cluster. So whether you're running it — my personal Teleport cluster just runs on a DigitalOcean droplet, but I can manage this in a cluster outside of that now. If you're using Teleport Cloud, you can now use the Operator with that, which again, that just speaks directly to me as a platform and DevOps person — is I don't want to have to run things sometimes. I'd prefer to just use the SaaS, but I still want to use a GitOps workflow and keep everything in code. So that is very exciting to me. That's a typo. That should say “earth”, not “earch”. I will fix that in a second here, and I'll post this in the chat later for people to access. But I've got a repo that you're going to see the code of in a second, that you can go. It's a template repository. So if you want to get started using this new standalone operator and installing it via Terraform, you can go fork this repository. It won't be a fork because it's a template, so it'll just go right into being your repository, and you can start playing around with it.
Breaking Changes
Dave: Before I get into the demo, I do want to talk about some breaking changes because you're going to see some of them in my demo. I'll kind of call them out as we go. One of them is in 15, if you have WebAuthn as the required MFA mode — and I'll show what that looks like in the Teleport config in a moment so you can go check and see if you do — that might break some automation workflows and mainly because now for any kind of admin action like creating or deleting resources like this, if it's not coming in from a machine ID, then you're going to be required to use that MFA. So I'll show what that looks like because I'm going to do some actions outside of machine ID here. Another thing in 15 here — and this is actually true whether or not you're using WebAuthn — is that there's a recommended — the guide we have for using Terraform has you create a user. It has you create a Terraform user and a role called Terraform Impersonator. And if you try to run that now, it's going to say impersonation is not allowed. And so we're really recommending that people move to machine ID for running things like Terraform, and I'll show what that also looks like here in a moment to do it both just locally and to do it in a more kind of recommended production scale way when we look at the code. And pretty soon here, we're going to have an updated guide in the docs because right now the docs still walk you through the Terraform Impersonator flow, and we're going to need to update that to show how you should do it with machine ID. So that's coming soon.
Dave: The other big breaking change I want to call out for folks — and this is unrelated to the demo — is that fantastic new performance Windows RDP engine that Ben was showing off earlier requires remote effects to be enabled on the Windows machine. And I'm calling this out because it's a hard requirement. If you don't have remote effects enabled, it just doesn't. You just can't do Windows RDP. It just won't start. So we have really good clear instructions for how to do that in the changelog. There's a couple other things in the changelog that are worth looking through in terms of breaking changes. We've hardened our AMIs. So if you have an automation flow that requires using curl or something, that won't be there. We do have debug versions of those AMIs that have everything installed that you can use, but we just don't recommend those for production, and the production ones now have been shrunk down to bare essentials. So always worth looking through the changelog to see what's there. But those are the big things I wanted to call out. I'm just going to look and see. Okay, cool. Nothing else in the chat yet.
Dave: So with that, I'm going to stop sharing this screen and start sharing another. So as I was just calling out a moment ago, if you have that MFA breaking change, it's going to look like this in your Teleport config. If you have authentication, second factor WebAuthn, some other things you might see for this are like optional, but if it is `webauthn`, then that is what's going to cause you to have these mandatory MFA actions that I'm about to show off in a moment. So this repository, again, is up in GitHub. You can check it out. You can fork it, clone it down, whatever you would like to do to try it out if you want. I'm going to walk through the — and what I'm going to do here is install the operator using Terraform so we can also show what it looks like to use Machine ID for Terraform. There's always another layer of [inaudible], right? And the [inaudible] here that I want to call out in terms of things I've already done, right, is — I have a Teleport cluster, and in that cluster, I have a user that is me that is the admin user. And me as the admin user, I have created this role for Terraform, and this role is the same that's in our online documentation, so nothing new or different about this. You can go look through it. But I have added this role into my Terraform cluster so that I can create a bot that uses it.
Dave: So here's a script that I'm about to run. And basically, what we're doing is we're adding a bot using the CLI, and it's going to take on that role Terraform. And then the output of that is a token that the bot can use. And so then I'm going to pipe that into — or not pipe it, but pull it into `tbot start`. And I'm setting a destination of where it's going to set its identity in `/opt/machine-id`. I'm using that token. I'm joining my home lab Teleport using `--join-method=token`. The thing I want to call out at this workflow is that it's a little wonky because you have to create this bot, then you have to start it, and then it's just going to run in your terminal in the background. And really, doing this is not the way that we recommend using machine ID. This is mainly just because I'm running it on my local laptop, right? The ideal way you'd do this would be on a CI server, right? And in this repository pushed up, I have an example of what it looks like to run this from GitHub. You would create a token that allows a specific repository from GitHub to run an action, and then you'd create the bot using that token and the Terraform role. And then code pushed up from your Terraform repository would be able to run in actions and make changes. And I have an example GitHub Actions workflow here that has both the jobs you need for Teleport, for authenticating, and the ones you would need for Terraform to run. So just want to call that out. What I'm showing is not necessarily a production workflow here, but it's one that'll work. And we've got some examples of more of a production workflow as well.
Dave: All right. So in this terminal, I'm going to run this script that creates and starts my bot. Here, you see this is an admin action, and so it's waiting for me to tap my security key. So I'm going to do that. And I've got my bot created. The token is passed to it, and this is now running. So if I now just open up a new — for those of you who are unfamiliar with Machine ID or haven't worked with it before, basically this is going to drop all of the identity files that you need to do Teleport work into the directory that you point it to. And that's going to be important in a moment as I talk about the Terraform code. So a really quick overview of the Terraform code for this is I've got my Teleport provider pointing at my path or my cluster. And then here I've got an `identity_file_path` as a variable that I can pass in. When I run this, it's going to be pointing to that `/opt/machine-id`. I've got a Kubernetes provider that is pointing just — I've got a local k3s cluster running for the purposes of this demo, and I've got a Helm provider that's going to also speak right into that cluster to install it.
Dave: Let's look at what it takes to install the operator. We're going to create a role. That role — basically anything you want the operator to be able to do. So in this case, I'm basically giving it permission to do all the things on all the resources, but you can obviously shrink that down if there are certain things you don't want the operator to be able to do. Oh, and thank you, Ben, for calling that out. Yeah, the support that we have, since GitHub is just one example. Yeah. We're going to create a token. Now, this is one thing that I really love as an implementer — is that for the authentication with this cluster, we actually just pull the JSON Web Key Set out of the API server in Kubernetes and pass that as the authentication with the Teleport cluster so that we know that it's a trusted location. And we're going to allow a specific service account within that cluster as the thing that can use that JSON Web Key Set to speak to the cluster. We're going to create a bot using that token that we created just above there, and then we're going to create a namespace and a Helm release. And if you are currently, just to call this out, installing the — if you're using the operator at all and you're installing Teleport via a Helm chart, there is a change here in that the operator has been moved to a sub-chart. So you'd now use `operator.` as a prefix for any variables you were passing to it before. But you can also just now install the Teleport operator as its own chart, and you're not installing all of Teleport just to get the operator. So I'm just telling it what cluster to talk to and what token to use for talking.
Dave: So with that, just give it a second to see if there are any questions that come up with the things I just went over. And there are not. So I've just got a little script here that's going to apply. I'm going to pass in that context in my kubeconfig. I'm going to talk to my Teleport thing, and then this is basically just going to grab that JSON Web Key Set dynamically at the time I run this from the cluster and pass that in as the JWKS into the Terraform so that I don't have to run that. But obviously, again, in a more production-level setting, this might be in a secrets manager somewhere that you could grab to run that. So, run apply. And I'm just going to double-check that what it's creating is what I want it to create. And we're looking good. Okay. Okay. Everything's there. So now what I'm going to do is just get my pods in the `teleport-iac` namespace. And I'm just going to wait for this to be up and running. But you can see it's super lightweight now. Again, prior to this, you had to install Teleport in total, right, just to get this. And now I'm just running one single pod. Obviously, this can be running — you can make this HA, but for here, we're just running as lightweight as possible.
Dave: So the next thing I want to do is just show off this thing working, if you haven't seen it before. So here is my “Users” in my Teleport cluster, and you can see it's just me, but I want to add someone new. So I have this `user.yaml`. Again, this is going to be really familiar to anyone who's gone through any of our demos or labs or anything. I'm going to create a user, `alice`, and `alice` is an auditor. And so all I have to do for that is `apply -f user.yaml`. And let's come back to my cluster UI. And there's Alice, as well as my bots that we created a few moments ago. And so it's a very fast sync. It picks up resources very quickly. Again, I'm a relative newbie here, and I'm really impressed with the things that our engineering team is building. So I've seen Git workflows that are much slower than this in terms of operators that sync things up. So yeah. So that's the overview, and I'm going to stop sharing.
Ben: And then Dave, what kind of resources can you control with the operator? You showed the user. What else can you manage?
Dave: Pretty much everything, so users, roles, tokens. I don't think resources.
Ben: That's the majority of things that you need to manage here.
Dave: Yeah. I mean, again, if we come and look at the — here, where we should really look at, here is the role I made for it. So users, auth connectors, login rules, tokens, Okta rules, access lists. The majority of resources that you'd want to create and manage, you can do with the operator.
Ben: Yeah, I think it's basically everything that `tctl` can, but you just need to make sure that you add the same rules for the RBAC so the Kubernetes operator does it on your behalf.
Dave: Yeah. Yeah, for sure.
Poll - Teleport 15 Features
Ben: Okay, awesome. Well, thank you, Dave. I think there were some questions that I answered. If there are any ones that weren't answered, let me know. And then I think we kind of covered all of these. I covered the changes. I think we did this. Let me just keep going. Okay. So we have another quick poll before we go to Q&A. Let me open the poll. And so you should see it in the Polls tab. Let me share this poll. Which Teleport 15 features are you excited to try? We have the Windows Performance Improvements, AWS KMS Support, Device Trust for Linux, the SSO - Improved Provisioning for Okta, Kubernetes Operator, or Other, since we have a lot more features in this release. Each release we do — we're always like, "This is the biggest release yet," but there are always more things. So looks like the Windows performance. Oh, there you are, Dave. You convinced two people for the Kubernetes Operator, so it's winning out.
Dave: Nice.
Ben: My webcam's having some issues here, so let me just come back. Okay, there we are. Device Trust for Linux. All right, it looks like we have a good overview. Interesting. I'm surprised Device Trust for Linux is so popular. Maybe this is the year of the Linux desktop.
Dave: Ben, we do have one question, which is: what is the deadline? When are we upgrading folks on Cloud to this?
Upcoming Releases
Ben: Yeah, that's a good segue into my next couple of slides. So I'll come back. So Teleport Team and Teleport Cloud will be updated to 15.1 on — March 4th is the current date that we have on our docs. This also does depend upon the scale at which you're deploying it. Often, we have a maintenance period. The upgrade also normally relies upon you using automatic agent upgrades. So if you have a large cluster on Teleport Cloud which has older agents and you're not using automatic agent upgrades, which I'd highly recommend, that would also be a thing that would sort of slow down the release. So I'd likely say if there's a specific window or there's concern, probably best to reach out to Support or your rep to sort of choreograph that. Often, the most holding change is which version your agents are talking to Teleport Cloud with. Hopefully, that answers the sort of question. And 15.1 is also the same time. Feb 29th is the release of 15.1, and so I think March 4th. But keep an eye on this Upcoming Releases page. It's a good place.
Next Steps and Q&A
Ben: So recommended next steps. So if you want to try Teleport, our Cloud cluster — like I said — it's not going to be up until March, but you can just try Teleport if you're new. Try Teleport 14. If you're using Open Source or a home lab, you can just go ahead and upgrade your cluster now, like the ones I've been demoing. And then lastly, we've added a new edition this time around, which is that engineers have done a deeper dive into all of the other features. So let's say you want to see the SSH session resumption. There's a video now available on YouTube that will deep-dive into this as well. I will post this in the chat since that link is exceptionally small. And so now I think it's time for the Q&A. I think most people have found it. So you can either add it in Q&A. Okay, I think we talked about the changes. So I might as well just address this one since this is very fair feedback. What's the communication sent out to clients on these infrastructure breaking changes? This seems to be a good chunk of change. For Teleport Cloud users, you generally will be better set up. I think the majority of people will already have WebAuthn, but the change of MFA — I would definitely sync with the Teleport Cloud team and CS to make sure that any deployment of the updated software has as few breaking changes as possible. But I will make sure that they're aware of those changes. But we have more than sort of eight days to address those.
Ben: And then we have a question about, can you provide an estimate of the Enterprise license for on-prem Teleport? If anyone has any questions about how Teleport fits in their organization or the cost, I would recommend going to our Contact Us page. We have a few options, so you can sort of try Teleport for free, or you can contact our Sales team. Oh, I'm in this very small tab here. But that's probably a good place to get started, so you can contact our Sales team. I think my tab has gone a bit crazy. So let's come back into the chat, see which questions we have open. Okay. Any other questions? I think we have like 10 minutes left. Dave, anything that you found interesting or surprising in this release?
Dave: Well, I mean, yeah. So everything's still interesting to me. But no, I mean, like I said, the operator is a huge thing for me, just because of my background. I was very excited just to see the difference. As someone who has to interact with Windows stuff sometimes, I think any kind of improvements to that ecosystem and how people interact with that because there's not many good RDP clients out there — so just seeing how much we're able to get out of that was really cool.
Ben: Yeah. Okay. It doesn't look like we have any more questions or Q&A. Oh, there's one in the chat. So this one's question is: Would it be wise to have an on-prem edition in addition to Cloud as a backup option so we don't control — so we don't have control on Cloud M4 upgrades? We are likely moving to a more rolling SaaS release for both our Cloud and our on-prem software. The changes will be — there'll be more changes, but they'll be less dramatic. I would recommend, if you are new to Teleport, really checking out the Teleport Cloud edition. There are many things Teleport Cloud does under the hood, such as we have multiple proxy peerings and nodes. So performance and scalability is something you don't have to worry about. You also get to pick when your maintenance window is. And if you are using our automatic agent upgrades, the maintenance and upgrades are much smoother. And so I would recommend working with our SE team. They can make it a very smooth experience for people who have sort of deployed Teleport Cloud at scale. And we can also have some reference customers talk about their experiences as well. So happy to answer any of those questions. All right. Any other last closing thoughts? We have nine minutes left, so I'd like to thank everybody from all around the world for coming and joining us today. Thanks, Dave, on completing your first webinar.
Dave: Thanks.
Ben: Dave, you have any last closing words?
Dave: No, just thanks. Thanks for everyone for showing up. Always great to be here.
Ben: All right. Everybody have a great week.
Dave: Bye.