Getting Started with Teleport for Kubernetes Access

Captions
Hi, I'm Ben with Teleport, and today I'm going to be walking you through our Getting Started with Kubernetes Access. Okay, let's dive straight in. So throughout this tutorial we're going to set up Teleport; it's going to be deployed within the Kubernetes cluster and it will provide SSO access using GitHub, and I'll show you how Teleport can be used to record all kubectl commands of your developers. So to get started, we're going to install Teleport on the Kubernetes cluster, set up single sign-on using GitHub, and I'll give a quick demo of how you can sort of capture and play back Kubernetes commands.

A few prerequisites before I get started: you'll need a Kubernetes cluster. You can set this up on minikube locally; I'm going to be using EKS, which is Amazon's hosted Kubernetes service. There's a few options for setting this up; I found eksctl to be the most reliable for creating and destroying instances quickly. So since this takes about 20 minutes to run, I'm gonna kick this off now. So I'm choosing eksctl create (you might need to install eksctl on your local machine), create the cluster; it's just a simple name, it's one node and it's in the us-west region. Okay, so as that fires off I'll go through a few other prerequisites. Something else you'll also need: Helm installed on the local machine. On my machine I already have Helm installed, version 3.5.3. For people who aren't familiar, Helm is a package manager for Kubernetes. We provide pre-built Helm charts that let you get up and running very quickly. These are available on charts.releases.teleport.dev; they are also available in our GitHub repo, so if you want to modify them and integrate them into your application, or if you have your own flow, you can check out our GitHub repo, and it's under examples/chart, and these are all of the charts that are also publicly available on charts.releases. So yeah, we have at least 3.5.1. And you need kubectl installed. kubectl is a command line tool which most people should be familiar with if you've used Kubernetes before. So `version` is trying to get the version of my cluster, which I'll be setting up next.

Okay, so the first step is we're going to install Teleport. To install Teleport we're going to add the Helm chart and then we're going to install it, but we need to wait for our cluster to finish provisioning. It looks like we're still waiting for this stack to complete, so I'm going to come back in about 20 minutes and pick this up then.

Okay, we're back; everything has been set up. One of the benefits of eksctl is it does a few things: you can see it saved a kubeconfig. This kubeconfig is going to give me access to the EKS cluster it just created. It's added all of the IAM roles and permissions, and you can see here it should work: if I do kubectl get nodes, it's getting this us-west-2, these two hosts, just been up 68 seconds, and it's deployed on version 1.18.9.

Okay, so let's dive into this part of the tutorial. So first up we're going to add this Helm repo; this is going to add it locally, and then I'm going to run these commands with kubectl. It's already installed as I've already run this, so it's going to skip this. The next thing we need to do is we're going to install a single-node Teleport cluster, provisioning an ACME certificate with this flag, but there's a few things we need to change here. All of this is fine: we're going to install the teleport-cluster chart, namespace teleport-cluster, plus the name. This is important because this is going to be the public endpoint, an IP address, and we're going to later set this up for DNS. So in my case I'm going to set this up as k8s-demo dot ..., which is the custom domain name I have for most of my demos, and acme email is needed because we're using Let's Encrypt. Okay, so just give this a second, and it has been deployed.

All right, next steps. So the next thing we're going to do is we're going to use an external load balancer and create a public IP that we're going to access. So first I'm going to set the context to teleport plus the namespace, and then get the service, and if I just extend this a bit you can see that we have teleport-cluster: this load balancer cluster IP has this really long external IP address, and then we have these ports that have been opened. Okay, let me resize this. So the next thing we need to do is, you know, we have instructions here on getting the IP address; this might be if you're using like minikube or something, but it can be helpful. If I actually run this command I won't get anything, but if I change it to hostname, then maybe it's external IP hostname, and then I echo my key: it's going to be my IP address is the hostname. So I'm going to go to my DNS provider, which is Google Domains, and update my... create a DNS record for this URL. We have instructions here which say how you can create this with, let's say, GCP Cloud DNS or Route 53; this is very helpful, you know, quickly do this in the command line. In my case I'm going to have the simple demo; I'm just going to be sort of click-opsing it. So if I go back, if you remember, I created the Helm chart with k8s-demo, and it's a CNAME. Copy this. Okay, so I've updated this record that I previously had; this is going to take 48 hours to propagate, but I found it takes less time. So we have this option here: the first request will take a bit longer also because it gets Let's Encrypt, so we have this webapi ping endpoint. I come here, k8s-demo, let me just check and make sure I'm using the right URL, and you'll see that nothing is connecting. So let me just check... so this is kind of where it comes in helpful to use this curl webapi endpoint, and it is a webapi thing, and so I can't resolve it, so no need to worry; most of this is either waiting for DNS to propagate or it's waiting to get the certificates. So I have found the easiest way to just double check things is coming here; it's going to hit this URL and you see now it's kind of thinking a bit more. Again, this may take a little bit. Okay, it's great, so now you can see that it has returned that everything has been set up. So now if I go here I have Sign in with Teleport. Okay, great.

So now we can move on to the next step. So we're going to create a local admin. Just close this window. So local admin is going to be a local user, which is sort of a fallback in case the SSO provider is down. In my case I have this example of alice; he's going to be a system:masters. So the first thing we need to do is create a member.yaml. Okay, let me just create a new... So here we just have created a new YAML file which is a member; you also need to keep this SSH value for login, sort of a non-empty random value, and we're going to add the groups kubernetes masters. Okay, so we created the role. The next thing we do is we need to run our tool, tctl, against the pod. So first off we need to find out which pod is running Teleport, so we use kubectl get pod, and let's see, if we do echo $POD you can see this is the pod that we have, and now we can create the role. So what we're doing here is we're doing kubectl exec, we're using tctl create, and we're using the local file member to create the member, and then the next stage is we're going to create the user. In our example we have alice; I'm going to just change this to just my name, and now we have this URL that we can visit and register this user. So next up we're going to register, and I'm going to use Google Authenticator; there's a range of OTP providers that you can use. Okay, so now I'm in Teleport. I'm in this default Servers page, because we have Servers, Applications; there's nothing here, no activity, nothing is sort of happening. So the next step is... one of the reasons for this is Teleport doesn't provide a Kubernetes interface yet; everything is done through the command line. So next up we need to install Teleport locally. I think I already have it locally on my machine; the flow's the same. You can go to install documentation; here's the instructions if you're setting up on Linux. So I'm on my local machine on Pop OS. Let's check, so I actually have 6.1.0; this is fine for our environment. And so we're going to try to log in using tsh login with the local user. We're going to use a custom kubeconfig to prevent overrides on the default one, in case that was a problem. So here we need to update this to the URL of the cluster; we still need port 443, and alice has changed the name to ben, and I'm picking the password that I previously selected and the OTP token. And you can see here I have a range of clusters, but I'm going to scroll straight to the top and see here we have the URL of the Teleport cluster, logged in as ben, I have the role member. This login, keep this value here, is sort of for legacy reasons. Kubernetes is enabled, we have one cluster, and I have the Kubernetes system:masters. So you can see next up we can use tsh to list which clusters I'm connected to. We have this one cluster here; I'm going to log in. So now I've logged in and you can see it's selected. So once working, we remove the kubeconfig. So I'm gonna get cluster pods, and now this is now using the kubeconfig that has been downloaded from tsh. So actually if I come in, yeah, I'm going to set up the audit log next, okay, but let's keep going with SSO.

Okay, so next up we're going to set up the SSO for Kubernetes users, and we're going to be using... there's a few options. For open source users you can use GitHub; Enterprise, we have a range of either OIDC or SAML providers that you can do a deeper dive into, but for community users you want to be using our GitHub SSO. So I have another GitHub org which is called presta-io; you know, this is just an example org that I use for testing, and if I come down here I'm going to create a new OAuth app; it's under Settings, Applications. Okay. So here you can see we have this redirect URL; this is going to be the URL of the Teleport cluster to start, but we're using v1/webapi/callback. So there's a few things here, so let's put this into a sort of scratchpad so we can work through it together. So this is going to be another YAML file: client ID, this is the one that we should be able to obtain from here, and we need to create the secret. Fill my organization; so I'm going to be using my YubiKey here. Okay, YubiKey to the rescue. So next up we have this secret; add the secret in, and this is the display, it's going to select GitHub. We have this redirect URL; this is the URL that we already put into GitHub itself, and this is this URL; it's important to add 443. And then lastly we're going to map GitHub teams to Teleport roles. My organization is called presta-io and I have a team admin, and I'm gonna add anyone who's in the admin role to have access to the pre-built-in access role, and I'm going to also add them the auditor role so they can see the logs. So I am going to create this file, yaml. Okay, everything looks pretty good. It's going to be the same thing again: I'm going to just set my current context, so the current context is... see, this is a very long URL, but it's the URL of the context itself, and you get the pod for where Teleport is running, same code as before, and I'm going to use kubectl exec to create. So Teleport 6 uses teams_to_logins to reference role mapping. Organization is not found; let me just double check the mappings here, like I picked the wrong team name. Okay, I actually have it; my team is actually called admins. Okay, so here there's an issue with the YAML formatting; like all things, you want to check your YAML formatting. But so I'm going to add logins access and auditor, and I'm just going to apply this. So now when I go to my cluster you can see I have this Sign in with GitHub button. So I click this; if you go back to the GitHub app you can also add a custom icon, make it sort of fancy, but I'm going to authorize this application, and now I have access to the cluster, and since I added the auditor role you can see that all of these Kubernetes requests have also been captured, and then in here you can see the request path, what was happening, and it's a very helpful way to sort of take your whole team and see which members of the team are running which kubectl commands.

Okay, so that brings me to the end. There's a bit of information here about debugging SSO: you can kubectl exec, tail the logs, and you can see what's happening; it's quite verbose though. Any sort of log, you can see I've been running these commands and you see these requests, but you also want to, sometimes, if you're using interactive kubectl execs... I'm going to create a pod to kubectl exec into and show you how Teleport records that activity. So this is a great place to get started for running a shell into a container; we're going to be using this shell-demo to just show this off. So check it's running; okay, now it's running, and now I have created a shell inside the container. And you know, we sometimes hear some of our customers saying like kubectl exec is the new sort of SSH, and so here we can see a few things inside this container: we have a few sort of entry points, and let's just, you know, run an update just so we can create some activity on this host, installing tools like tcpdump to do some debugging. Okay, and as this is running... and then for any interactive kubectl execs you can come in here and you can see that we have the node, which is the name of the cluster, the pod, and then the shell-demo, and if I play this you can see the same commands I ran on the terminal I've also played here, which would be very helpful for debugging to see what happened during a session.

Okay, so that brings me to the end of Getting Started with Teleport running inside the Kubernetes cluster. If you're interested in learning more, we have a few next steps: you can connect multiple clusters, we've set up CI/CD access, federate access using our Trusted Clusters feature, and also adding SSH. So if you have any questions feel free to leave a comment below, or you can email me, ben@goteleport.com. Thank you.
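The two YAML files the walkthrough creates and applies with tctl (the member role for the local user, and the GitHub SSO connector with the team-to-role mapping that the video fixes from "admin" to "admins"), reconstructed here as an added example in Teleport 6 syntax; this is not the video's own file. The org spelling, the cluster hostname and the credential placeholders are assumptions.

```yaml
# member.yaml: local role granting Kubernetes access (reconstructed example)
kind: role
version: v3
metadata:
  name: member
spec:
  allow:
    # Used for SSH logins; must be a non-empty value for Kubernetes access to work
    logins: ["login"]
    # system:masters is full cluster-admin; in production map to narrower RBAC groups
    kubernetes_groups: ["system:masters"]
---
# github.yaml: GitHub SSO connector (Teleport 6 uses teams_to_logins for the mapping)
kind: github
version: v3
metadata:
  name: github
spec:
  client_id: <CLIENT-ID-FROM-GITHUB-OAUTH-APP>          # placeholder
  client_secret: <CLIENT-SECRET-FROM-GITHUB-OAUTH-APP>  # placeholder
  display: GitHub
  # Must match the callback URL registered on the OAuth app, port 443 included
  redirect_url: https://k8s-demo.example.com:443/v1/webapi/github/callback
  teams_to_logins:
    - organization: presta-io   # assumed spelling of the org used in the video
      team: admins              # the team is "admins", not "admin", as the video discovers
      logins:
        - access                # pre-built role: cluster access
        - auditor               # pre-built role: can view the audit log and recordings
```

Each file is applied from inside the Teleport pod with tctl create, exactly as the video does for the role and the connector.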
Info
Channel: Teleport
Views: 557
Rating: 5 out of 5
Keywords: Kubernetes, kubectl
Id: VPGYLEMTdJ8
Length: 23min 14sec (1394 seconds)
Published: Wed Mar 24 2021