{"id":16927553,"url":"https://github.com/dirien/teleport-poc","last_synced_at":"2026-05-06T21:42:54.517Z","repository":{"id":46617754,"uuid":"413029931","full_name":"dirien/teleport-poc","owner":"dirien","description":"Teleport PoC","archived":false,"fork":false,"pushed_at":"2021-10-03T18:45:50.000Z","size":12,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-18T06:44:06.621Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dirien.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-10-03T09:18:03.000Z","updated_at":"2022-04-26T04:51:45.000Z","dependencies_parsed_at":"2022-09-16T14:50:15.359Z","dependency_job_id":null,"html_url":"https://github.com/dirien/teleport-poc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirien%2Fteleport-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirien%2Fteleport-poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirien%2Fteleport-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dirien%2Fteleport-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dirien","download_url":"https://codeload.github.com/dirien/teleport-poc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244722747,"owners_count":20499154,"icon
_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T20:34:32.948Z","updated_at":"2026-05-06T21:42:54.476Z","avatar_url":"https://github.com/dirien.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Teleport PoC\n\nIn this blog article, I would like to build a little PoC environment to try out\n`teleport`. [Teleport](https://goteleport.com/) is an open source solution from `Gravitational` that can be configured\nas a proxy for administering a Kubernetes cluster, SSH servers, databases, and web apps. The open source version\nincludes support for GitHub authentication, i.e. you can use GitHub as an identity provider for authenticating users. On\ntop of that, you can share and record interactive sessions across all environments.\n\nThe features are fascinating, especially if you are working in an enterprise environment. There you typically have\nchanging team members, different teams with different responsibilities, or even external contractors, and `teleport`\nlets you unify access to these resources.\n\nThis PoC covers only access to a Kubernetes cluster, but you can easily extend it to the other resources `teleport`\nsupports, like SSH servers, databases, and web apps.\n\n## Setup\n\n### Teleport\n\nThe PoC is very simple. We have two folders with different Terraform scripts inside. 
The `teleport` folder contains the\nTF scripts needed to build the `teleport` main server.\n\nThe `teleport` server is hosted on AWS EC2 as a `t2.micro`; you can of course use your preferred cloud or on-prem\nprovider.\n\nI use `DigitalOcean` to handle my domain registration. You can of course use any other service, in which case you need to\nremove the do.tf file. Just take care that you have the following domains pointing to your `teleport` server IP:\n\n```\n- teleport.\u003cdomain\u003e\n- *.teleport.\u003cdomain\u003e\n```\n\n### Cluster\n\nThe `cluster` folder contains the Terraform scripts for the test Kubernetes cluster we want to be managed by `teleport`. In this PoC I\nuse [Scaleway](https://www.scaleway.com/) Kapsule.\n\n### Deploy\n\nTo start the different deployments I use [Task](https://taskfile.dev/#/). Task is a task runner / build tool that aims\nto be simpler and easier to use than, for example, GNU Make.\n\nRunning `task` with no arguments runs the default task, which performs the deployment.\n\nWhen everything is up and running, you need to log into your `teleport` main server with `ssh -i \u003cssh\u003e ubuntu@\u003cip\u003e` and\nexecute the following commands:\n\n```bash\nsudo tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu\n\nTOKEN=$(sudo tctl nodes add --roles=kube --ttl=10000h --format=json | jq -r '.[0]')\necho $TOKEN\n```\n\nThe first command will create a user.\n\n```bash\nubuntu@ip-172-16-10-56:~$ sudo tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu\nUser \"teleport-admin\" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:\nhttps://teleport.ediri.online:443/web/invite/a90789faa0e64813695e51817ffb72d6\n\nNOTE: Make sure teleport.ediri.online:443 points at a Teleport proxy which users can access.\n```\n\nFollow the link to finish registering the user. 
You will also need an OTP app like `Google Authenticator`.\n\nThe second command registers a new Kubernetes node with `teleport` and displays the join token we're going to\nuse when deploying the `teleport` agent. The token is the agent's join credential, so outside a PoC give it a much\nshorter `--ttl` than the 10000h used here.\n\nTweak the Taskfile for your domain and the cluster\nname: `--set kubeClusterName=\"civo-cluster\" --set proxyAddr=\"teleport.ediri.online:443\"`\n\nThen, to deploy the teleport-agent Helm chart, just call `task cluster-teleport-agent -- \u003cTOKEN\u003e`. If everything runs\nsmoothly, you should see the Kubernetes cluster in the UI.\n\nBefore we start to log into our Kubernetes cluster via `teleport`, I just created a `teleport` role via the UI, where I map\nthe role basic-user to the Kubernetes group `system:masters`. Of course, you can create your own Kubernetes group and\nmap to this.\n\n```yaml\nkind: role\nmetadata:\n  id: 1633277652350568711\n  name: basic-user\nspec:\n  allow:\n    app_labels:\n      '*': '*'\n    db_labels:\n      '*': '*'\n    kubernetes_groups:\n      - system:authenticated\n    kubernetes_labels:\n      '*': '*'\n    logins:\n      - root\n    node_labels:\n      '*': '*'\n    rules:\n      - resources:\n          - '*'\n        verbs:\n          - '*'\n  deny:\n    logins:\n      - guest\n  options:\n    cert_format: standard\n    enhanced_recording:\n      - command\n      - network\n    forward_agent: false\n    max_session_ttl: 8h0m0s\n    port_forwarding: true\nversion: v3\n```\n\nAdd this new `teleport` role to the user we created via the CLI on the `teleport` server.\n\nNow we are ready to test the access to the cluster via `teleport`. First you need to install the `teleport` client\nlocally.\n\nI use a Mac, so I use `brew` to do this. 
But there\nare [binaries](https://goteleport.com/docs/getting-started/linux-server/#install-a-teleport-client-locally) for all\nother systems too.\n\n```bash\nbrew install teleport\n```\n\nAnd then use the `tsh login` command.\n\n```\ntsh login --proxy=teleport.ediri.online:443 --auth=local --user=teleport-admin\nEnter password for Teleport user teleport-admin:\nEnter your OTP token:\nxxx\n\u003e Profile URL:        https://teleport.ediri.online:443\n  Logged in as:       teleport-admin\n  Cluster:            teleport.ediri.online\n  Roles:              access, basic-user, editor\n  Logins:             root, ubuntu\n  Kubernetes:         enabled\n  Kubernetes cluster: \"civo-cluster\"\n  Kubernetes groups:  system:authenticated\n  Valid until:        2021-10-04 03:09:47 +0200 CEST [valid for 8h0m0s]\n  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty\n```\n\nWith `tsh kube ls` you should see all your available Kubernetes clusters:\n\n```bash\ntsh kube ls\nKube Cluster Name Selected\n----------------- --------\ncivo-cluster      \n```\n\nAnd to log into a cluster, just type\n\n```bash\ntsh kube login civo-cluster\n```\n\nThis will now issue a kubeconfig.\n\n## Audit Log and Session Recording\n\nIn the UI you can see every interaction with the managed resources.\n\nSo when I perform the following action via the kubectl CLI:\n\n```bash\nkubectl get ns\nNAME              STATUS   AGE\ndefault           Active   99m\nkube-node-lease   Active   99m\nkube-public       Active   99m\nkube-system       Active   99m\nteleport-agent    Active   78m\n```\n\nThe audit log now has the following entry:\n\n```json\n{\n  \"addr.local\": \"10.32.0.1:443\",\n  \"addr.remote\": \"18.159.225.59:3024\",\n  \"cluster_name\": \"teleport.ediri.online\",\n  \"code\": \"T3009I\",\n  \"ei\": 0,\n  \"event\": \"kube.request\",\n  \"kubernetes_cluster\": \"civo-cluster\",\n  \"kubernetes_groups\": [\n    \"system:authenticated\"\n  ],\n  
\"kubernetes_users\": [\n    \"teleport-admin\"\n  ],\n  \"login\": \"teleport-admin\",\n  \"namespace\": \"default\",\n  \"proto\": \"kube\",\n  \"request_path\": \"/api/v1/namespaces\",\n  \"resource_api_group\": \"core/v1\",\n  \"resource_kind\": \"namespaces\",\n  \"response_code\": 200,\n  \"server_id\": \"ab450031-a6ba-4aab-aa95-5078be0d4648\",\n  \"time\": \"2021-10-03T17:13:51.336Z\",\n  \"uid\": \"d5d86959-e258-4f73-8c56-b1247aa2a3af\",\n  \"user\": \"teleport-admin\",\n  \"verb\": \"GET\"\n}\n```\n\nIf I use the `kubectl exec` command, the interactive commands are recorded as regular sessions that can be stored and\nreplayed in the future. This, together with [Falco](https://falco.org/), really helps to boost your security.\n\n## Purge\n\nJust type `task purge` to tear down the whole PoC again.\n\n## TL;DR\n\nIn my opinion, based of course on this small and limited PoC, `teleport` is definitely worth considering. In terms of\nadditional functionality it is definitely better than classic bastion hosts. The session recording and audit logs\nare definitely the sweet spot of `teleport`.\n\nMy next action will be an internal pitch of `teleport` at my employer.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdirien%2Fteleport-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdirien%2Fteleport-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdirien%2Fteleport-poc/lists"}