NOTE: This guide is geared towards a Kubernetes cluster running in AWS. You might have to tweak things to fit your needs.
Looks like an alternative to the bitly oauth2 proxy which is unmaintained
But this one seems pretty tightly coupled to google
Hi, As everyone here can see, the project is almost abandoned. I believe someone or preferable a group of people fluent in Go lang should create an 'official' fork of the project so the com…
@Igor Rodionov the bitly oauth2 proxy Is officially abandoned by bitly and will be archived by the end of the month
Upstream for this project (which has not worked in ages against anything close to a current implementation of ingress controllers) has been abandoned. See bitly/oauth2_proxy#628 (comment) My compan…
@Igor Rodionov has joined the channel
@Max Moon should probably consider replacing oauth2 proxy with CloudFlare access
@Max Moon has joined the channel
@justin.dynamicd have you used this? https://www.vaultproject.io/docs/secrets/ssh/
When using this type, the administrator registers a secret key with appropriate sudo privileges on the remote machines. For every authorized credential request, Vault creates a new SSH key pair and appends the newly-generated public key to the authorized_keys file for the configured username on the remote host. Vault uses a configurable install script to achieve this.
It’s been deprecated, so I ended up using SSHCA instead.
Yea sorry linked to wrong page
It’s cleaner too, because you’re not constantly shedding keys to the target servers; they just trust the vault CA sand vault gives out short lived certs
Yea like with teleport and Netflix bless
How long have you been using it?
Was it easy to get up and running?
At that time we had Puppet pushing changes so adding the cert wasnt too bad… Ansible would have been just as easy
That’s the hardest part: pushing the trusted public to all your machines
Are you redeploying? Do you have some kind of cfg management? Etc.
Security had a big requirement if no self-signed so I had to follow extra steps to make vault an issuing CA and not a root. But that’s a one time thing
No, our case is a bit different. Would be containers.
Ssh into containers?
But I think we will stick with teleport approach
Bastions are deployed as containers
In your case rebuild lol. But yeah, didn’t try it on containers (should work just fine)
Does teleport track logins? That was the thing or security team liked. It logged every access request
“jking requested a cert for the next 1hour for target y”
this was just released, but may not help with containers, https://aws.amazon.com/blogs/aws/new-session-manager
but it does track and audit the logins and commands
Just tried using that today… But our ssmagent is too old.
Looks nice though
That’s cool. Didn’t see the announcement.
In the containers I had (company actually moved off them) we tried to just parse logs and redeploy. Bastions were traditional hosts
Yeah, I think a ssmagent update is in the backlog. If it works like Azure then it will be nice to be able to disable ssh
New release enabling the ssm session manager, https://github.com/aws/amazon-ssm-agent/releases/tag/188.8.131.52
Late to this… Looks interesting, I can’t think of use cases though. I gravitate more towards immutable infra these days so I can’t think of a reason I’d want to run a command on an ec2 instance , I’m prob not thinking hard enough!
i gravitate there also… but sometimes it takes a while to get the immutable bits all just right, and maybe the instrumentation isn’t perfected yet. can be pretty valuable to poke around to see what failed and maybe try a couple options at fixing, before patching upstream
yea, for triaging/RCA, it’s difficult to escape
that said, teleport is still a better product IMO b/c it supports session logs
my understanding was that this also captured the session, stored in cloudwatch logs?
from the blog post:
Auditability – Commands and responses can be logged to Amazon CloudWatch and to an S3 bucket. You can arrange to receive an SNS notification when a new session is started. https://aws.amazon.com/blogs/aws/new-session-manager
is a session log something different in teleport?
No, that’s the same hung. i missed that. I thought it was slated as a later feature.
I wonder how it works if it is a raw log
E.g. replaying a vim transcript.
With teleport, you get a YouTube style playback
looks like a textual log, not a video, according to screenshots later in that blog… not sure how it would work with vim
Anyone using alpine as a base image should consider enabling TLS on repos to avoid MITM attacks
Surprised it’s not enabled by default
what Switch to the HTTPS alpine apk repositories why #249
lol an appropriate response?
Yea, it is. Surprised me too.
@endofcake has joined the channel
@mbarrien has joined the channel