Teleport Access Plane and Teleport Application Access - Overview
Many engineering systems are difficult to access because they are buried behind firewalls and VPCs, and users must be connected via LANs or by VPN to be able to use them. Even with all these measures, however, they do not meet security requirements of standards such as SOC2, PCI, or FedRAMP, because they may lack authentication, authorization, logging and auditability. The complexity of setup and administration further intensifies the problem, leading to technical users taking shortcuts such as exposing an application through a direct endpoint, relying on secrecy or simple credentials, and bypassing enterprise security standards.
Teleport 5.0 solves this problem by providing:
- Simple access to web applications for engineers
- Better security for applications
- Easy setup and administration of application security
Learn More About Teleport 5.0
Slides for Teleport Access Plane | Application Access
The slides for the webinar are on slide share.
Introduction - Teleport 5.0: Unified Access for Web Applications
Key Topics on Teleport 5.0: Unified Access for Web Applications
- Gravitational has changed its name to Teleport.
- Teleport 5.0 has been released with several long-awaited features.
- Unified Access Plane (UAP) unifies secure access to servers, Kubernetes clusters, applications, and databases.
- New features also include application access and enhanced Kubernetes access.
- Teleport 5.0 provides engineers with an improved user experience.
- Teleport Cloud is in Preview.
(The transcript of the session)
Greg: All right, let’s go ahead and get this going. Hi, everybody. My name is Greg Chase. I am the director of product marketing here at Teleport. Would like to thank you all for coming to join today’s webinar. I’ll be talking to you today about high points of our product release announcements today. We will be taking questions mostly towards the end, but I would like to invite you to enter your questions into the Q&A tool. And we will get to them as we are able. With me is my colleague, Ben Arent, director of product for Teleport. Would you like to say hi, Ben?
Ben: Yeah. Thanks, Greg. Hi, everyone. Thanks for coming today. You know that Teleport 5 is a really big release for us. We only really do one major version a year. And so for existing customers, I know there’s lots of features in here that you’ve been keenly waiting. And for people who are new to the Teleport ecosystem, now is a great time to get on board and use Teleport.
Gravitational Now Called Teleport
Greg: All right. So lots of announcements today for us. So if you didn’t catch this news, we changed our name. The gist is, as our open-source product, Teleport, has become more and more popular with engineers, its fame has actually increased beyond that of our company’s old brand, Gravitational. Because it has such a — because it’s such a great product with a great name, we basically became known as, “Oh, you’re the people who make Teleport.” So we chose to go with the flow and communicate our company’s focus on continuing to make Teleport even better, growing the community, and evangelizing its adoption. So we are now Teleport. And you can find us at goteleport.com. So now, on to product.
Greg: Let’s take a quick review about Teleport for those of you who might be new to Teleport. We created Teleport to help engineers deal with gaining access to disparate systems in the cloud. In today’s cloud-native environments, engineers have many different endpoints they need to be able to log into, often spread across many networks, both in data centers and in various VPCs on cloud providers. Despite all these security obstacles, these systems don’t comply with security standards such as SOC2, PCI, or FedRAMP. This is because there’s usually no way to ensure consistent identity of users between all of them. And that’s assuming if the system has security at all. Often, we end up issuing long-lasting security keys and username and password credentials for different systems that can be leaked or compromised. And there’s no consistent way to ensure visibility about what users are doing between these different systems as they log in. So this is why we created Teleport, to provide easier access to systems, to delight our engineers. At the same time, providing security that’s compliant with standards for our security operators, and to automate as much as possible the management of access control and security for our IT operators.
How Teleport Works for Your End Users
Greg: So here’s what makes Teleport simple for engineers to access their systems. In this case, we have a developer who has a variety of systems they want to be able to log into. So for example, maybe they have a Linux server or a Grafana dashboard on their company network as well as their developer infrastructure, like their Git repository, Jira, and their CI/CD system. And then at the same time, they have an AWS VPC where maybe they need to be able to access Linux instances and Kubernetes clusters where they’re deploying or administering their applications. And then they want to get into the applications themselves. So we bring in Teleport to provide a Unified Access Plane to proxy authorized secure connections to these systems.
Greg: Teleport provides a number of ways to log into the systems. Teleport has its own command-line tool, tsh, that acts like the familiar SSH CLI, but with some additional features. It also supports SSH and supports kubectl for when you need to log into Kubernetes clusters. And we provide a web client if you don’t want to log in with — if you want to be able to log in without installing software on your system. Incidentally, this web client does provide a terminal interface. And it turns out to be really popular with users that are working in web-based applications, such as Jupyter. This way they can just stay in the same browser. So the developer logs into the Teleport proxy service. If it’s their first time, they will be authenticated by their SSO’s identity provider, such as GitHub or Okta. After which Teleport returns a short-lived certificate so that the end user will be able to continue to log into systems for which they have access privileges, according to the role and for as long as this certificate is valid. The lifespan of the certificate is set by your policy. So maybe, for example, it would be sufficient for a day. Now, suppose your engineer needs additional privileges, such as they want root access as admin or maybe they are joining a customer team and need to be able to reach a managed system for the customer. The engineer can request temporary elevation to additional roles. And operators will be notified in an automated workflow of this request, allowing them to approve or deny. These workflows plug into popular platforms such as Slack, PagerDuty, or Jira. And there is an API to make your own integrations as well. Once this authentication and authorization is complete, Teleport then proxies an encrypted connection to the end systems. It’s easy peasy. That’s why engineers love Teleport.
Announcing Teleport 5 Unified Access Plane
Greg: So now let’s move on to today’s product announcement. We’d like to announce the forthcoming availability of Teleport 5. If this were a movie, I suppose we’d call it The Rise of the Unified Access Plane. Specifically, we have released candidate two, available on the GitHub for download and for testing. And we expect GA to be available day to day as we complete our testing. So up till now, Teleport has made it easier for engineers to securely connect to servers in Kubernetes. What is it that our engineers are doing when they connect to these systems? Well, they are deploying, running, testing, and administering their applications, of course. So a next obvious evolution for Teleport is to help our customers connect to their applications. When we talked to the Teleport community about what kinds of problems they would like to solve with this application access, they shared the following. For many, accessing their developer infrastructure is a frustrating experience because they can only get to it via VPN. At the same time, there is security compliance issues with tracking who’s doing what in these systems. Many of our users need to secure access to their operational control panels. Every company has their home-built ones. And there’s a lot of open-source infrastructure like Kubernetes dashboards and phpMyAdmin, which are famous for not having very strong security. And then there’s compliance issues for applications that hold customer data. This might be your own internal operational applications or this could be the customer’s infrastructure such as a managed service or a dedicated tenant. In such a case, your customer will be imposing any compliance requirements they have onto your company by contract. So better be ready for that. So yeah. Otherwise, pretty much the same kind of pain points we talked about before, just extended to our applications.
What’s New in Teleport 5?
Greg: So why might you want to check out these new capabilities of Teleport 5? Well, first of all, you’ll make your engineers happy with an improved user experience in accessing their applications. You can further automate your platform operations around access control. You can meet your customer requirements for compliance. This means you’re handling more use cases. And your salespeople can drive more revenue. You’ll be able to avoid potential liability from data breaches. And you’ll be able to better protect the reputation of your company’s brand. We all remember that recent Twitter hack that had Barack Obama and Elon Musk hawking Bitcoin. Let me just be clear. So far as I know, Barack Obama does not give out bitcoin. So as you can see, Teleport 5 is a huge release for us as we begin to deliver on our vision of Teleport becoming a Unified Access Plane. With Teleport, now you can centralize access control for remote Linux servers, Kubernetes clusters, and web applications. And we’re even going to reveal some cool stuff we’re doing for databases very soon. So top-line capabilities for Teleport 5 include the new access management for web applications. We’ve also significantly revamped our Kubernetes access capabilities. And there’s a whole truckload of additional feature improvements which Ben will be touring us through in a moment.
New Teleport Application Access
Greg: So let’s deep-dive into the new application access capability. Now your users can quickly find and connect to their applications. This involves a number of features, including providing a single log-in for all the applications that’s authenticated by SSO, and knowing what your user’s access authorizations are, while at the same time we dynamically maintain a catalog of applications the end user can access. We allow you to control user access by role across your applications. So this is where RBAC truly shows its power when the role description transcends multiple applications. What role your engineer has should dictate whether and what kind of access they should have to these applications. This also allows your company to practice least privilege access policies for your internal applications. Having a Unified Access Plane that provides role-based access privileges allows you to actually control across different types. So maybe your engineer, who’s working on a customer problem, not only gets application access to the customer’s control panel, but they also get access privileges to the servers or Kubernetes clusters that serve that customer.
Greg: We make it possible to add security to your legacy apps without modification. Every one of our companies has applications with no security controls whatsoever. And even more with very simplistic, unintegrated password credentials. Teleport’s ability to proxy authorize access into these applications means you can essentially wrap compliance security around each of these user sessions without having to modify the third-party application. You can restrict access to just the users who need these privileges and capture what it is they’re doing for a future auditability. This also means you can eliminate the management of a lot of shared secrets. Finally, we allow you to easily support role-based features in your custom applications. So this is a case where your engineers are developing an internal application and they use Teleport to easily integrate with SSO and then implement the role-based authorization. Teleport will send a JWT token and new HDTVS session header, which then the application can read and use this to determine what the inside app access capabilities and customization should be.
Greg: So what can you do with this amazing new capability? Use cases include being able to provide easier access for your self-hosted developer infrastructure. So make it easier for your developers to reach their Git repositories, issue trackers, portals, bug databases, and CI/CD infrastructure. At the same time, you’re getting unified access control and visibility about what your users are doing with their logins. We make it possible to improve your security operations infrastructure. So you can get these control panels integrated with your SSO. It allows you to authorize access by role. And you get auditable history of what these users are doing. And as we mentioned before, you can wrap the security via user access sessions, but you won’t have to necessarily modify these applications themselves.
Greg: You get compliance security for your sensitive data in test and sandbox environments. Let me unpack this a little bit. But it’s actually something we heard from a number of customers. Many engineers actually use live customer data when they’re building their next version of their software. And this could be data that includes PII data or, say, sensitive health data. And you might be wondering, “Well, why don’t they create dummy data?” Or, “Why don’t they do anonymization and obfuscation?” The simple answer is it takes a lot of work to do that. And it has limited value in testing because you don’t necessarily get all the proper data. And it definitely increases the friction of the R&D and testing process. It turns out for many of these customers it’s sufficient to meet standards of SOC2, HIPAA, PCI, and FedRAMP if there’s authentication, authorization, and login of user’s actions. And then finally, you can provide access control for your customer-managed systems. So this is similar to the operational infrastructure use case. Basically, we’re talking about managing the customer’s control panels and the customer’s infrastructure. So of course, your customer wants to ensure that only authorized folks from your company can access their systems and data. And they want what’s being done logged. And as I said before, if your customer has to comply with security standards themselves, such as maybe they provide services to the federal governments, they will pass on requirements for you to be compliant with FedRAMP, for example.
Enhanced Kubernetes Access
Greg: So next up, we have also made substantial improvements to our Kubernetes access. It’s now much easier to handle a higher scale of Kubernetes deployments. And first of those is — we’ve made it much more efficient to manage access control for multiple Kubernetes clusters using a single Teleport Unified Access Plane. We’ve also improved our native integration with Kubernetes with better event logging, bringing sort of their credentials to the kubeconfig, and providing advanced RBAC mapping to Kubernetes groups and users for when you are working with kubectl. But wait, there’s still more. I think this is a good point, Ben, for you to take on and continue the tour of what we’re providing here.
New Release Tour
Ben: Yeah. Thanks, Greg for the great intro so far. Hi, everyone. So I’m going to be just going through what else is new and giving you a product tour. And so to digest everything that Greg has gone — it’s a lot. I’m going to pile in more things, but I’ll dive into the product right afterwards. So two new features we’ve added is cluster labels for Trusted Clusters and a Waiting Room. These can be combined with our access workflows. It can be a little hard to tell you as a bullet point, but I will do a demo afterwards to show you how you can use Teleport to really lock down access in your organization and provide it using our administrative tctl. We have created two new Auto-Installers for service and applications. This helps you get up and running really quickly in order to detect the OS. And it’s a great way to get started before you sort of TerraForm out all of your infrastructure. Other improvements are a UI user management. So we have some basic user crowd. And this is going to be also helpful in combination with our audit log to figure out who’s logging into the system. And with all our releases — we’re an open-core company. You can probably follow along on our GitHub. But we have many customers who have over 10,000 nodes connecting to Teleport. And we’re always making cache improvements and helping our customers run at scale. And this also includes such things as making continuous backups with DynamoDB much easier.
Teleport 5.0 Demo
Ben: So the release tour. So for existing customers, this will be sort of familiar. This is kind of our Teleport login for our proxy. But since we have about half developers and some people are new, I’m going to go through our command line interface. This is the proxy that I have here. And I’m going to just log in using a GitHub auth. So it just goes to Teleport itself. I have now logged in. And you can see my terminal here. I’m logged in is myself. I have an admin role. I have these logins. And these logins are what you’d think of as Unix principles. When you use Amazon Web Services, for example, often you log in as — EC2 user is the default user. And this is one of the real powerful things of Teleport — that it lets multiple people log in as this sort of shared Unix user. But you also know who logged in when. We have Kubernetes enabled. I’ll go through this afterwards. And you can also see here — so this is valid until 11:00 at night. So 12 hours. And what this means is once I’ve logged in, in the background I have received a SSH certificate. And after that 12-hour period, I will need to authenticate again. And so this is one of sort of the foundational building blocks of Teleport — the concept of short-lived certificates. And this also extends to applications and our Kubernetes support. So I’m just going do a list, list out my servers. And so you can see this is our sort of foundational server product. Looking at tsh. Oh, I need to log in. And so I’m going to just log in as root. And sort of now I’m in the server. And so that shows you the quick sort of experience that we have, this very developer-focused, this sort of get out of your way, compared to setting up very complicated SSH config bastion option, so. Get out. Okay. So I’m going to exit this.
Ben: And so now I’m going to come in and log in in the UI. And so one of our hallmark things for this release is applications. And so because these are web applications, having a web launcher is a great way to get started. So as Greg mentioned, we have a range of applications, and so the Kubernetes dashboard is very tricky to put on the public internet. And many people have kind of got hacked once that has been exposed. Because when you’re in here, you’re sort of as an escalated user. And so within this one click, a lot happened in the background. I’m going to just kind of go to this diagram to help explain things a bit better. So my instance is running in AWS cloud. And actually, this Kubernetes cluster is Micro Kubernetes and is actually running in an Intel box in my cupboard. And so I have a small Teleport app process here that is dialing back to my root cluster. And then this is proxying these other dashboards. And so a range of these are on my home network, which you can think as sort of a privileged network. And so when we were talking to customers, one thing that we kind of know from 2020 is during a pandemic, everyone’s working from home. There’s certain parts of applications that would be on a VPN. And so you can think of Teleport Application Access as a possible alternative for providing secure access to these applications that you might have put — that might have only been available over a VPN. And it makes access easier.
Ben: And so some examples of some sort of more legacy applications. This is my home router, which is super unsophisticated. It’s advanced password, CGI-bin. But what we’ve done here is — so we’re just proxying all of this traffic through a reverse tunnel and really upgrade those applications that you may not be able to change. But if you can have the capability to upgrade sort of internal apps — many of our customers have their own internal dashboards. Here’s just a demo one that I’ve created. And you can see this is Chrome. I’m logged in. But I’m also logged into this demo app. And this is because this application takes advantage of JSON Web Tokens. And so provided with application access, we provide you JWT assertions. So if I come in here. And so this is a great service from our friends, Auth0. And it does let you decode these headers. And so in these headers, you can see we send along the cluster name, any rows, and the user. And so when you’re building and extending your applications, you can use this to provide more logic within your application itself.
Ben: Okay. Next up we sort of have some developer tools. Grafana is relatively a standard tool. This version — you still need to log into Grafana again. But we’re actively working on a range of native integrations. So we’ll take these JWT assertions and automatically log you in. And so you will have the identity of users in those applications as well. Another favorite old kind of more legacy dashboard. This is phpMyAdmin. Nothing else is too exciting here. But because all of this is sort of built in the foundation of Teleport, you also get the advantage of audit log. And if I come in here, you can see that we’ve had a new session start event on Grafana. And this audit log, we launched this in 4.3. And this is sort of a great way to get to learn about these JSON events. Many of our customers then pipe this into Splunk or whatever SIM solution that they have to perform alerting. And so then you could create logically, okay, well, why am I accessing Grafana at 3:00 in the morning? Is something kind of fishy happening? Okay, I think that comes to the end of applications.
Ben: This is the new [inaudible] icon that I mentioned which makes it very easy to add new apps. We have instructions here on how you log in. You can create an app token. And when you start Teleport itself, once it’s installed, all you need to do is run this one command with the app-name and app-uri. And this will proxy the application to the Teleport root server. And actually I can show you the file config here. So Wellington is the name of my host in my cupboard. And so you could think of all of these apps — so along with having one app, we can support multiple applications within one Teleport config. And this IP address, 10.0.1, is sort of my internal IP range. And so this could be like the VPC IP range or whatever, because of the network structure that you have. And these are all the various ports that we have in place. Oh, another thing I’ve not mentioned yet is the concept of labels. And so exit this. You can use labels in combination with Teleport’s RBAC to really limit who has access to which applications. So in my example — so I’ve been testing this out. I’ve had more of my colleagues coming in, and I’m like, “Okay, probably don’t want all of my colleagues to be accessing all of my applications.”
Ben: And so just to show you sort of a cool demo of our new waiting room feature, I’m going to show a user logging in to try and request access to some of my apps. And so we have this. Remember the username and password for Elliott. Okay. And so this is also an example of a local user. We support many SSA providers. And we have some of SAML and OIDC connectors. But we have sort of instructions if you want to integrate with Active Directory or OneLogin. Okay. Right. Okay. So now Elliott has this message. He was like, “Okay, I need to request access to the system.” So “view k8s dashboard”. And so this new request message are less freeform text messages. Or we also have customers who get their teammates to send in general ticket number, and then they use our API to match if that ticket matches in the [inaudible]. So this is sort of a very powerful feature for customers who are working within multiple service providers to provide access. So that’s going to just get running in the background in this incognito tab. And this server here is actually also my auth server. So request a list. A list there. As you can see, Elliot has requested access. I’m not going to actually help. Okay. So I’m going to actually deny. And so, this is sort of more of a manual workflow. We’re also going to be extending this into Teleport itself in the near future. Reason, “not today”. Okay. Yeah, you can see he’s been denied. And it’s sort of the same workflow. You can approve it, or you can provide a message, like, “Can I talk to your manager?” or sort of integrate this into your sort of application or API. Okay. And exit this window.
Ben: So sort of next up on our sort of product tour, I’m going to go over our Kubernetes enhancements. And so for a long time, you’d only connect one Kubernetes cluster to one proxy. With the addition of Teleport 5, we support the connection of multiple clusters with one root cluster. And so you can see here I have two clusters. I have Google Cloud and MicroK8s running. So I’m going to just log in just to get the certificate, make everything’s set up. And I have a pod running here just to show a demo. Me making a group. So before Teleport 5, we only captured execs. But in this version, we capture nearly all of the commands that you run against the Kubernetes API. And so you can see it here. This is another kind like JSON log. We get a lot of information about what’s the end user is doing when they sort of interact with Kubernetes. But I’m going to also just exec into this pod. So kubectl exec, for people that aren’t in this sort of Kubernetes world, is sort of very similar to sort of using SSH. And so sort of now I’m in this pod. Now I can see what’s running. I have NginX running on this host. And so there’s a general movement of humans shouldn’t touch machines. You make things immutable. But there’s always a chance that you might want to run some debug program. And then sort of what we enable is the very user friendliness of getting access to the system but also having the audit log of what happened during that session. So you can see a few other requests here I started. And here we have sort of recordings. This is sort of like a DVR for your terminal. So in combination with this sort of raw JSON, sometimes it’s helpful to see the output of what people were doing during that session. And you can see this is the same for SSH sessions as well.
Ben: Okay. I think this brings me to a good halting point for the product tour. So next up, I was going to give a quick overview of our roadmap. This is the 5 release, but just going back one release, 4.4, we were heavily focused on session streaming, which enabled us to also rework a lot of our audit log. And also, for some customers, we can stream session events directly to the Teleport auth server, in combination with concurrent session control. And this was a lot of feedback for people who are in more heavily regulated environments. And if your current session control is one less control. And so that helps people who are on the FedRAMP journey. Now as we’ve gone over, we have Teleport Application Access and our Kubernetes enhancements. Coming in 5.1, we are going to be rolling out Teleport Database Access. I have an exciting preview for you as well. And in 5.2, we’re going to be combining our sort of SSO in combination with hardware tokens. And so well, SSO and essential identity provider is good, in combinations with hardware tokens, we have really helped strengthen the security of Teleport itself. This is going to be initially using YubiKeys. And one of the benefits of this is the hardware token will also store your private key material. And so this sort of stops the vulnerability of your private key getting exfiltrated from your laptop. And so if your company’s in device management, about keeping it up to date, this sort of lets you feel more secure that it’s less likely that private key material, even from that short 12-hour period, is less likely to get exfiltrated. And as I’ve sort of gone through this access workflow improvements, we’re going to be writing a user interface and more examples for API about how you can integrate into your workflow.
Ben: And lastly, we have Teleport Cloud now. We are in early access. And we’ll sort of go more GA in January. I’ll go over this in a sec. And so Database Access. And so as Greg mentioned, we have this Teleport Access Plane. We have applications, servers, Kubernetes. The next thing, talking to our customers about like, “Oh, this would be great if we could have this same control and visibility but also user experience for providing database access.” And so we currently have a preview for PostgreSQL. And this works for sort of dedicated on on-metal instances. And we fully support IM roles and PostgreSQL on Aurora and RDS. And so we have a link here that you can preview some of the information about this service. Teleport Cloud — we have many customers who are just sort of cloud native that didn’t necessarily want to run another bit of infrastructure. And we’ve taken our best-in-class team of security and DevOps engineers in-house internally. And we can run Teleport in the best configuration that’s secure. And so you don’t have to. And another sort of pro, of just the Teleport ecosystem — also if you were an on-prem customer, you can use Trusted Cluster feature to fully integrate all of these resources and sort of plug everything into this one Teleport Cloud instance.
Ben: So to learn more, for Teleport Cloud, we recommend goteleport.com, get started. There’s three options there. For people who are sort of new to Teleport, I would recommend starting with our community edition. Everything here, apart from the access workflow, is included. So this is a great way to get started and to try it out. If you think this would be something that will be useful to your organization, you can talk to our sales team, and they can help roll it out. And the third option is you can sign up for our early access. We’re looking for customers to try out Teleport Cloud and give us early access. If you’re interested in a more technical overview of what’s happening, you can check out our changelog here. And it goes more in-depth with file configs and what you need to do to update your infrastructure. And it’s the same with our documentation. For this version today, we’ve released candidate two. It’s not our production release. So for existing customers, we would recommend this is a good time to try it in staging environments. But I would highly recommend waiting for the GA release. Just keep a watch on our Downloads page for when that should drop. Should be early next week. All right, Greg. It’s time to sprinkle me with some questions.
Greg: Just a reminder, we are taking questions in the Q&A tool. I’ve got a few good ones here already. Let’s try to take this from easy to hard. So Lewis is asking, “Which of these features are available on the open-source edition versus the commercial enterprise edition?”
Ben: Yeah, that’s a great question. So application access and database access will all be in the open-source edition. The one feature that I sort of demo today is more around these access workflows and other organizations. The GitHub integration is in our community edition. And so that’s the one SSO provided you can use in community without having to upgrade.
Greg: All right. And are version for 4.x clients compatible with Teleport 5?
Ben: We have a good Docs page around upgrade procedures. As a rule, we recommend starting with upgrading your auth server, then your proxy, then your nodes. There shouldn’t be anything that stops it, but I’d highly recommend people who are going through the upgrade tree to not skip a step, especially because in 4.4 we made lots of changes to our auditing subsystem. And so for clients and nodes, I’d recommend just going one upgrade each time.
Greg: All right. And Tony is asking, “Can we reveal any plans for raw port access or a service like RDP?”
Ben: We are always, you know, interested in talking to customers for RDP interest. You could just send me an email. I’m [email protected]. And we can collect your requirements and see what sort of problems you’re currently having around RDP access.
Greg: All right. Okay. Which Kubernetes distros and services does Teleport support?
Ben: We go back a long way in the Kubernetes ecosystem. I believe our current changes — you need a 1.10 cluster. This GKE cluster that I demoed here I think is 1.17. But it’s pretty backwards compatible. We’ve tested it with not only bare-metal Kubernetes but also AWS EKS, Google’s container service, and IBM’s container service as well. And so one of the kind of good benefits, Greg, is you can use Teleport as this sort of one central management. So if I do Kubeless [a Kubernetes-native serverless framework] — I only have two here. So if you have multiple clusters, instead of having to do with sort of complicated IEM each time, you can just use Teleport to quickly switch if you happen to be in a multicloud ecosystem.
Greg: And this is a perfect segue to yet another question, which is, “For multiple case clusters, would one be required to provide for each cluster the kubeconfig, or can you still run as sort of a KH proxy maybe without full proxy auth server?”
Ben: Yeah. We have a range of different matrices that you can run. Whoever asked that question, also if you send me an email, we can probably get back to you about the best way to run it. Or say, for customers who are going through the upgrade migration procedure, that’s sort of a few steps. And these aren’t currently documented, but I’m actually working on the documentation today with our developer.
Greg: Okay. Let’s see. Question about Teleport YAML files. “If you’re putting a lot of stuff into Teleport, the YAML file can get pretty unwieldy. Do we have any plans to add includes or set Teleport that deep?”
Ben: We don’t right now. But probably, my best recommendation would be to create a ticket on our open-source issue. You can see here this is our sort of changelog. Because we’re sort of an open core company. I would think it’s sort of open source, you can see us putting the last few pull requests in. You can come in here, create an issue. I would search first, but would definitely be open for sort of improvements. When we launched our plugins, we tried TOML as a different alternative. But I mean, yeah, we definitely feel the YAML pain. So if there’s a large push in the community, we’ll consider another option as well.
Greg: Next question is, “What can we do in terms of session recordings with application access? Or is it just the audits of access control and log in?”
Ben: If I come in here, we currently have this session data chunk. And this is a more raw output of the HTML that is passed. It’s not like a DVR kind of playback. Similar thing, we kind of just try to capture as much information as possible. And then we’ll look at visualization and putting it into how we would allow or what would be helpful for people. So if that customer wants to get back to me, we’re also in the early stages to try and improve and sort of give useful information of all of this kind like raw data. If you record every event, it’s a lot. So would be very interested to learn what would be the key things. Maybe it’s paths or maybe it’s certain actions.
Greg: All right. And then we have a question: “Can applications be exposed via an external URL that points to the proxy, or must they be accessed via the proxy user UI?”
Ben: Yeah, it’s a great question. So we have built it — let me see here. You see, all of these ones have kind of more of a public out of that set. This doesn’t have to be this domain name. If I actually come in here, I can show you an example of — so this one, BizLand, isn’t set. And so BizLand goes on a subdomain. But the one thing you need to do is, when setting this up, you need basically to also get the one certificate for asteroid.earth. And then this is also a wildcard certificate. But Teleport proxy uses SNI to sort of cleverly route things. And so this can be helpful — if I go to one of these URLs, it will kind of route me in. Hopefully, that answers the question.
Greg: Excellent. All right. And last question is changes to our pricing model. It’s fair to say that really, the changes to our pricing model for — if you want supported is really related to the new features. So now that we have application access, that is a new kind of metric you can also add to your commercial license. And then we also now provide pricing for cloud. So those would be really the additions to what you might already be familiar with.
Greg: For more information, I’d encourage you to talk with our sales team. All right. And that concludes all the questions we have. Ben, thank you so much. Everybody, thank you for joining us. This video and the slides will be available, posted for the beginning of next week. You will get an email when they are available. Once again, thank you for your time.
Ben: Thanks, everyone.