Support credentials forwarding in Kubernetes Access#23978
Merged
Conversation
tigrato
force-pushed
the
tigrato/forward-user-identity-impl
branch
4 times, most recently
from
4cb73b8 to
2d0bb77
Compare
tigrato
force-pushed
the
tigrato/forward-user-identity-impl
branch
from
2d0bb77 to
5f1aaca
Compare
ibeckermayer
reviewed
Apr 3, 2023
tigrato
force-pushed
the
tigrato/forward-user-identity-impl
branch
6 times, most recently
from
69101ec to
6851b2c
Compare
ibeckermayer
approved these changes
Apr 4, 2023
espadolini
reviewed
Apr 5, 2023
Contributor
There was a problem hiding this comment.
I think it might be legal for a v14 cluster to have a v13 leaf with v12 proxies, so maybe we should delete this in v15?
Contributor
Author
There was a problem hiding this comment.
It won't be a problem.
the root proxy will dial to the leaf proxy using the new impersonated method. Leaf proxy will dial to the kubernetes service using the old method since kubernetes service does not support it.
Contributor
There was a problem hiding this comment.
The issue is that I don't think that we specify how old the components of the leaf cluster can be; if we interpret "leaf cluster version" to mean both auth and proxy (which is the sensible interpretation, I think) then you're right, we can delete it in v14.
The alternative would be that the leaf auth is one version behind and then the leaf proxy is one version behind its auth, but that would mean that the remote cluster reverse tunnel needs to stay compatible for two major versions of the proxy, which is kind of a tall order.
tigrato
force-pushed
the
tigrato/forward-user-identity-impl
branch
from
fe96b4f to
7f7da72
Compare
espadolini
approved these changes
Apr 6, 2023
public-teleport-github-review-bot
Bot
removed the request for review
from timothyb89
This PR introduces a new process for forwarding the user's identity for Kubernetes Access. The identity forwarding is only enabled if all the `kube_servers` support the new impersonation mechanism and if the request isn't forwarded into a remote cluster. Remote clusters still use mTLS where the user identity is embedded in a proxy-cached certificate. Only proxies are allowed to impersonate users. In Teleport 14 we will remove all the mTLS code and we will support impersonation only. The following benchmarks show the improvement between old and new versions. ``` Histogram Percentile Response Duration ---------- ----------------- 25 31 ms 50 32 ms 75 33 ms 90 33 ms 95 37 ms 99 44 ms 100 88 ms ``` ``` Histogram Percentile Response Duration ---------- ----------------- 25 10 ms 50 11 ms 75 12 ms 90 15 ms 95 15 ms 99 20 ms 100 23 ms ``` Part of #22533 Closes #21609
tigrato
force-pushed
the
tigrato/forward-user-identity-impl
branch
from
7f7da72 to
a0b8fa2
Compare
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR introduces a new process for forwarding the user's identity for Kubernetes Access.
The identity forwarding is only enabled if all the
kube_serverssupport the new impersonation mechanism and if the request isn't forwarded into a remote cluster. Remote clusters still use mTLS where the user identity is embedded in a proxy-cached certificate.Only proxies are allowed to impersonate users.
In Teleport 14 we will remove all the mTLS code and we will support impersonation only.
The following benchmarks show the improvement between old and new versions.
Old: mTLS benchmark
New: Impersonation benchmark
Part of #22533
Closes #21609