
Reissue kube certs when assuming access request #50553

Draft
wants to merge 1 commit into base: master

Conversation

gzdunek (Contributor) commented Dec 23, 2024

Closes https://github.com/gravitational/customer-sensitive-requests/issues/301

Currently, assuming or dropping an access request does not affect open kube sessions. As a result, if an assumed request includes elevated permissions, the user must close the existing connection and reopen it for the changes to take effect. To address this issue, we can clear the certificates in the local proxy, allowing them to be reissued when a new request is made.

There's one downside to this approach: we can't determine which local proxies will be affected by the access request, so we must invalidate all of them. As a result, the user must then perform per-session MFA for all open kube sessions after assuming or dropping a request. Additionally, if the user has an open kube session and then assumes a request that doesn't allow access to that cluster, the connection will become unusable. But I'm not sure if this is really an issue as it seems reasonable to expect that previous access might not be retained after assuming a request.

changelog: Assuming an access request in Teleport Connect now refreshes open Kubernetes sessions

Demo:

kube.assume.request.mov

For now I'm keeping it in draft (I need to add some tests) but any feedback is welcome!
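The mechanism the description sketches, as an added model (not Teleport's code and not part of this PR): a local proxy holds one cert per (teleport cluster, kube cluster) pair, hands the cached cert to every connection, and on an assume/drop event clears the whole cache because it cannot tell which clusters a request touched, so the next connection to any cluster goes back to the issuer (where per-session MFA would be prompted). The SNI layout `<hex-encoded-kube-cluster>.<teleport-cluster>` and the names `ParseKubeLocalProxySNI`, `LocalProxyCerts`, `CountingIssuer` and `OnAccessRequestChange` are assumptions made for this example; the three malformed-SNI cases it rejects mirror the checks in the hunk below.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// CertKey identifies the cert a kube local proxy presents for one cluster pair.
type CertKey struct {
	TeleportCluster string
	KubeCluster     string
}

// Cert stands in for a reissued client certificate; Serial counts issuances so
// a reissue after invalidation is observable.
type Cert struct {
	Key    CertKey
	Serial int
}

// Issuer models the round trip that mints a new cert (the point at which
// per-session MFA would be prompted). Hypothetical type for this example.
type Issuer func(key CertKey) (Cert, error)

// CountingIssuer returns an issuer whose certs carry increasing serials.
func CountingIssuer() Issuer {
	serial := 0
	return func(key CertKey) (Cert, error) {
		serial++
		return Cert{Key: key, Serial: serial}, nil
	}
}

// LocalProxyCerts is a minimal per-cluster cert cache held by a local proxy.
type LocalProxyCerts struct {
	mu     sync.Mutex
	certs  map[CertKey]Cert
	issuer Issuer
	issued int
}

func NewLocalProxyCerts(issuer Issuer) *LocalProxyCerts {
	return &LocalProxyCerts{certs: map[CertKey]Cert{}, issuer: issuer}
}

// ParseKubeLocalProxySNI splits the assumed "<hex-kube-cluster>.<teleport-cluster>"
// layout and rejects an empty teleport cluster, an undecodable kube cluster name
// and an empty kube cluster.
func ParseKubeLocalProxySNI(serverName string) (CertKey, error) {
	encodedKube, teleportCluster, _ := strings.Cut(serverName, ".")
	if teleportCluster == "" {
		return CertKey{}, errors.New("can't reissue proxy certificate - teleport cluster is empty")
	}
	raw, err := hex.DecodeString(encodedKube)
	if err != nil {
		return CertKey{}, fmt.Errorf("can't reissue proxy certificate - kube cluster name is invalid: %w", err)
	}
	if len(raw) == 0 {
		return CertKey{}, errors.New("can't reissue proxy certificate - kube cluster is empty")
	}
	return CertKey{TeleportCluster: teleportCluster, KubeCluster: string(raw)}, nil
}

// CertForSNI returns the cached cert for a connection's SNI, issuing a new one
// only when none is cached (first use, or after an invalidation).
func (p *LocalProxyCerts) CertForSNI(serverName string) (Cert, error) {
	key, err := ParseKubeLocalProxySNI(serverName)
	if err != nil {
		return Cert{}, err
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	if cert, ok := p.certs[key]; ok {
		return cert, nil
	}
	cert, err := p.issuer(key)
	if err != nil {
		return Cert{}, err
	}
	p.certs[key] = cert
	p.issued++
	return cert, nil
}

// OnAccessRequestChange is what assuming or dropping a request triggers: every
// cached cert is dropped, so each open cluster reissues (and re-prompts MFA) on
// its next connection. Returns how many certs were cleared.
func (p *LocalProxyCerts) OnAccessRequestChange() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	n := len(p.certs)
	p.certs = map[CertKey]Cert{}
	return n
}

// Issued reports how many certs have been minted so far.
func (p *LocalProxyCerts) Issued() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	return p.issued
}

func main() {
	proxy := NewLocalProxyCerts(CountingIssuer())
	sni := hex.EncodeToString([]byte("prod-kube")) + ".leaf.example.com" // constructed SNI
	c, _ := proxy.CertForSNI(sni)
	fmt.Printf("first use: cluster=%s serial=%d\n", c.Key.KubeCluster, c.Serial)
	c, _ = proxy.CertForSNI(sni)
	fmt.Printf("cached: serial=%d\n", c.Serial)
	fmt.Printf("cleared on assume/drop: %d\n", proxy.OnAccessRequestChange())
	c, _ = proxy.CertForSNI(sni)
	fmt.Printf("reissued: serial=%d, issued total=%d\n", c.Serial, proxy.Issued())
}
```

The model makes the trade-off in the description concrete: a second cluster cached in the same proxy would also lose its cert on `OnAccessRequestChange`, which is exactly the "all open kube sessions need MFA again" cost, and a cluster the new request no longer grants would fail at the issuer rather than in the cache.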

Comment on lines +252 to +261
teleportCluster := common.TeleportClusterFromKubeLocalProxySNI(serverName)
if teleportCluster == "" {
return trace.BadParameter("can't reissue proxy certificate - teleport cluster is empty")
}
kubeCluster, err := common.KubeClusterFromKubeLocalProxySNI(serverName)
if err != nil {
return trace.Wrap(err)
return trace.Wrap(err, "can't reissue proxy certificate - kube cluster name is invalid")
}
if kubeCluster == "" {
return trace.BadParameter("can't reissue proxy certificate - kube cluster is empty")
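Review bot: the two consecutive `return trace.Wrap(err)` and `return trace.Wrap(err, "can't reissue proxy certificate - kube cluster name is invalid")` lines inside `if err != nil` look like the removed and added lines of the diff with their markers lost; if both really exist in the source, the second is unreachable and only the one carrying the message should stay. While here, consider including the offending `serverName` in the three `BadParameter`/`Wrap` messages, since an SNI that fails these checks (e.g. from a stale kubeconfig) is otherwise hard to diagnose from the error alone.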
Contributor Author

@gzdunek gzdunek Dec 23, 2024


I tested this in my local setup for a leaf kube cluster and it seemed to work fine. I don't know if there are cases where I'd need to check identity.RouteToCluster.

@gzdunek gzdunek requested review from tigrato and ravicious December 23, 2024 16:12