Reissue kube certs when assuming access request #50553
Draft
+80
−18
Closes https://github.com/gravitational/customer-sensitive-requests/issues/301
Currently, assuming or dropping an access request does not affect open kube sessions. As a result, if an assumed request includes elevated permissions, the user must close the existing connection and reopen it for the changes to take effect. To address this issue, we can clear the certificates in the local proxy, allowing them to be reissued when a new request is made.
There's one downside to this approach: we can't determine which local proxies will be affected by the access request, so we must invalidate all of them. As a result, the user must then perform per-session MFA for all open kube sessions after assuming or dropping a request. Additionally, if the user has an open kube session and then assumes a request that doesn't allow access to that cluster, the connection will become unusable. But I'm not sure if this is really an issue as it seems reasonable to expect that previous access might not be retained after assuming a request.
changelog: Assuming an access request in Teleport Connect now refreshes open Kubernetes sessions
Demo:
kube.assume.request.mov
For now I'm keeping it in draft (I need to add some tests) but any feedback is welcome!
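The mechanism the description relies on (clear every cached certificate in the local proxy when a request is assumed or dropped, and let the next request to any cluster reissue one with the roles now in effect) as an added TypeScript example. This is illustrative code written for this page, not Teleport's or Teleport Connect's own implementation: `FakeIssuer`, `LocalProxyCertCache`, the role names and the role-to-cluster mapping are all assumptions. It also shows the two caveats the description calls out: each open session pays one MFA prompt after the invalidation, and a cluster the new role set does not grant becomes unreachable.

```typescript
// Added example, not Teleport code. Models a local kube proxy's certificate
// cache that is wiped whenever an access request is assumed or dropped.
// Role names, cluster names and the role->cluster map are assumptions.

type ClusterName = string;

interface KubeCert {
  cluster: ClusterName;
  roles: string[];  // roles encoded in the cert at issue time
  serial: number;   // lets the caller tell a reissued cert from a cached one
}

// Stands in for the auth server. Each successful issue() represents one
// per-session MFA prompt; access is granted only if some role allows the cluster.
class FakeIssuer {
  mfaPrompts = 0;
  private serial = 0;
  constructor(private readonly clustersByRole: Record<string, string[]>) {}

  issue(cluster: ClusterName, roles: string[]): KubeCert {
    const allowed = roles.some(r => (this.clustersByRole[r] || []).indexOf(cluster) !== -1);
    if (!allowed) {
      throw new Error('access denied to ' + cluster + ' with roles [' + roles.join(', ') + ']');
    }
    this.mfaPrompts += 1;  // simplification: MFA is counted only for certs that get issued
    this.serial += 1;
    return { cluster, roles: roles.slice(), serial: this.serial };
  }
}

class LocalProxyCertCache {
  private certs: Record<ClusterName, KubeCert> = {};
  private assumedRoles: string[] = [];

  constructor(private readonly issuer: FakeIssuer, private readonly baseRoles: string[]) {}

  // Base roles plus whatever the assumed request added (deduplicated).
  private currentRoles(): string[] {
    const roles = this.baseRoles.slice();
    for (const r of this.assumedRoles) {
      if (roles.indexOf(r) === -1) roles.push(r);
    }
    return roles;
  }

  // Serve from cache; otherwise (re)issue with the roles in effect right now.
  certFor(cluster: ClusterName): KubeCert {
    const cached = this.certs[cluster];
    if (cached) return cached;
    const cert = this.issuer.issue(cluster, this.currentRoles());
    this.certs[cluster] = cert;
    return cert;
  }

  // The proxy cannot tell which clusters a request affects, so every cached
  // cert is dropped; each open session pays one MFA prompt on its next request.
  assumeRequest(requestedRoles: string[]): void {
    this.assumedRoles = requestedRoles.slice();
    this.certs = {};
  }

  dropRequest(): void {
    this.assumedRoles = [];
    this.certs = {};
  }

  cachedClusters(): ClusterName[] {
    return Object.keys(this.certs);
  }
}

// Walks through use -> assume -> use -> drop and reports what changed at each step.
function runScenario() {
  const issuer = new FakeIssuer({ dev: ['staging'], admin: ['staging', 'prod'] });
  const cache = new LocalProxyCertCache(issuer, ['dev']);

  const first = cache.certFor('staging');
  const second = cache.certFor('staging');           // cache hit: no new MFA prompt
  const promptsBeforeAssume = issuer.mfaPrompts;

  cache.assumeRequest(['admin']);
  const clearedAfterAssume = cache.cachedClusters().length;
  const stagingAfterAssume = cache.certFor('staging'); // reissued with dev + admin
  const prodAfterAssume = cache.certFor('prod');       // now reachable

  cache.dropRequest();
  let prodAfterDrop = 'ok';
  try {
    cache.certFor('prod');                             // elevated access is gone
  } catch (e) {
    prodAfterDrop = (e as Error).message;
  }

  return {
    cacheHit: first.serial === second.serial,
    promptsBeforeAssume,
    clearedAfterAssume,
    rolesAfterAssume: stagingAfterAssume.roles,
    reissued: stagingAfterAssume.serial !== first.serial,
    prodReachableAfterAssume: prodAfterAssume.cluster === 'prod',
    prodAfterDrop,
    totalPrompts: issuer.mfaPrompts,
  };
}
```

`runScenario()` returns one MFA prompt before the request is assumed, a second and third for the reissued staging cert and the newly reachable prod cert, and an "access denied" error for prod once the request is dropped, which is the "connection becomes unusable" case from the description rather than a bug in the cache.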