RFD 122: Robust Access to Kubernetes clusters #26014
Merged
rosstimothy approved these changes May 12, 2023
Comment on lines 153 to 152
Contributor
Is this to be completed with the other work needed to implement this RFD? Or is this a future consideration?
Contributor
Author
This is not yet implemented and it's just a future consideration. When I spoke with @ravicious about it, he mentioned that it would take some effort.
d0ba7a6 to 026cc79
r0mant approved these changes May 12, 2023
Collaborator
r0mant left a comment
Can you also update the RFD with how we plan to make sure this functionality doesn't regress once we implement it? Once that's added, lgtm.
This RFD states the case where users can access the Kubernetes cluster when there is intermittent or no connectivity to Auth server. Users with cached client-side certificates for the target Kubernetes cluster can access the cluster under certain scenarios.
026cc79 to 4c38915
tigrato added a commit that referenced this pull request May 15, 2023
This PR builds the last bit required to allow users to create remote Kubernetes sessions when Auth connection is not available or is intermittent.

This PR allows a user to continue with the interactive session when the session does not require any moderation.

PR #25202 deferred the proxy cert creation for cases where it's mandatory (kube agent or proxy running version <=12.x.x) which allowed any user to perform simple requests against a Kubernetes cluster even when the cluster Auth server is not operational.

On top of that, this PR allows a user to request an interactive session against a pod when auth connectivity is not required as long as the session isn't moderated.

Part of #25541
Related to #25202
Implements #26014
tigrato added a commit that referenced this pull request May 15, 2023
* Allow non moderated sessions when no-auth connection exists

  This PR builds the last bit required to allow users to create remote Kubernetes sessions when Auth connection is not available or is intermittent.

  This PR allows a user to continue with the interactive session when the session does not require any moderation.

  PR #25202 deferred the proxy cert creation for cases where it's mandatory (kube agent or proxy running version <=12.x.x) which allowed any user to perform simple requests against a Kubernetes cluster even when the cluster Auth server is not operational.

  On top of that, this PR allows a user to request an interactive session against a pod when auth connectivity is not required as long as the session isn't moderated.

  Part of #25541
  Related to #25202
  Implements #26014

* fix formatting
This RFD states the case where users can access the Kubernetes cluster when there is intermittent or no connectivity to Auth server.
Users with cached client-side certificates for the target Kubernetes cluster can access the cluster under certain scenarios.
Rendered version
Part of #25541