►
From YouTube: Why Machines Deserve Rights: Rethinking Automated Infrastructure Access with OSS Te... Kenneth DuMez
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Why Machines Deserve Rights: Rethinking Automated Infrastructure Access with OSS Teleport Machine ID - Kenneth DuMez, Teleport
This talk will focus on the problems of credentials for machines in modern
infrastructure and why it’s imperative you treat your bots the same way you treat
your humans. Typically when using automation for CI/CD or Microservices, teams
will have vaulted credentials shared between worker nodes. This introduces
challenges as these credentials are often long-lived, requiring frequent rotation,
introducing both toil and security threats. Open-source Teleport Machine ID mitigates
these problems by assigning a unique identity with attached RBAC roles baked into
unique, short-lived certificates enabling bot users to connect to remote hosts while
centrally audit-logging all of the machine’s activity. This identity-based access control
plane works seamlessly with all your cloud infrastructure including K8s clusters,
databases, and any other remote compute resource. The talk will include an
assessment of current legacy automated access solutions, an overview of Teleport,
a Machine ID demo, and an in-depth discussion of the technology behind it. With
open-source Teleport, managing and rotating shared credentials is a thing of the
past. Give the machines rights! Secure your infrastructure.
A
A
A
That
would
frequently
break
these
lived
in
AWS
and
we
had
them
stored
in
a
password
Vault,
but
because
of
the
frequency
we
needed
to
access
them,
A
bunch
of
people
on
the
team,
just
added
them
to
local
files
on
their
machine,
and
this
was
a
terrible,
terrible
but
common
practice,
and
this
is
still
a
problem
today.
One
in
four
employees
still
have
access
to
Old
passwords
and
41.7
percent
of
employees
admitted
to
having
shared
workplace
passwords
along
with
credentials,
AWS
Keys
SSH,
Keys
Etc,
and
this
brings
it
to
a
security
breach.
A
A
This
is
according
to
a
git
Guardian
study
that
they
did
these
types
of
secrets
that
were
committed
were
you
know:
Google
Cloud,
Keys,
awsiam,
Azure,
API,
Keys,
join
tokens,
that's
a
two
times
increase
since
2020,
and
this
is
because
more
and
more
companies
are
scaling
with
their
Cloud
infrastructure,
thus
leading
to
more
and
more
of
these
secrets
and
more
of
these
leaks-
and
you
might
say,
but
we're
not
open
source.
So
we'll
never
do
that.
Well,
85
percent
of
these
corporate
leaks
came
from
developers,
personal
repos.
A
The
next
step
is
to
maximize
the
blast.
Radius.
You
get
into
a
slack
workplace.
You
get
access
to
a
server,
get
into
a
server
you're
going
to
escalate
those
privileges
from
there.
You
do
what
you
want
and
then
profit
50
50
your
results,
May
Vary
you'll
either
be
on
the
beach
or
someplace
a
little
bit
less
nice.
A
So
some
more
numbers:
real
quick
26.8
million
active
software
developers,
there's
supposedly
45
million
by
2030.
there's
around
8
000
data
centers
in
the
world
with
50
000
physical
servers
per
Center.
This
varies
widely
depending
on
the
size,
but
this
is
the
average
400
million
of
those
physical
servers,
which
means
billions
of
virtual
servers.
Trillions
of
containers.
You
know
the
numbers
are
incalculable:
how
many
virtual
environments
there
are
open
to
attack
the
attack
surface
is
immense
and
all
of
these
virtual
servers.
All
these
physical
servers
are
all
running
software
written
by
humans.
A
The
problems
with
machine
access,
people
make
mistakes,
writing
code
a
misconfigured
file.
Here
there
is
the
difference
between
a
secure
setup
and
an
embarrassing
hack
access
problems
are
not
limited
to
human
developers.
We
need
to
stop
thinking
like
this
machine
to
machine
communication,
operates
on
outdated
security
principles,
security
principles
such
as
static
credentials,
SSH
Keys,
API,
Keys,
shared
creds,
when
keys
are
used
by
different
services
and
perimeter
security.
A
A
So
what
can
we
do?
Treat
machines
the
same
way
that
you
treat
your
developers
give
them
rights,
provide
each
piece
of
automation
with
an
identity
from
a
microservice
to
a
VM
to
any
worker
node
in
your
environment.
They
should
have
an
identity
exactly
like
your
human
workers,
do
and
eliminate
shared
credentials
entirely.
A
This
way
that
there's
no
cred
to
lose
and
enforce
best
practices
by
default.
So
this
eliminates
the
need
for
these.
You
know
costly
and
expensive
configurations
where
it
takes.
You
know
hours
and
hours
to
make
sure
you
get
it
right
and
I
missed
comma
here
there
or
an
inconfigured
service
account
is
going
to
wind
up
in
trouble
and
tear
down
those
access
silos.
So
you
have
to
think
about
the
way
you
handle
access
for
your
machines,
with
the
same
care
that
you
do
for
your
developers
to
minimize
the
blast.
A
Radius
say
worst
case
scenario:
one
of
those
machines
is
compromised.
You
have
to
be
able
to
eliminate
from
your
network
immediately
without
letting
it
be
the
skipping
point
to
the
rest
of
your
infrastructure
and
keep
it
simple.
The
most
secure
solution
also
has
to
be
the
easiest.
This
is
what
we
saw
at
the
beginning
where
those
credentials
were
ended
up
saved
to
these
people's
workstations
is
because
it
cut
down
on
like
developer
time
accessing
these
creds
through
some
Vault
ended
up
costing
time
and
was
very
annoying.
So
people
circumvent
your
security
methods.
A
If
you
let
them
if
it's
more
complicated,
so
this
brings
us
to
open
source
teleport
machine
ID
machine
to
machine
access.
So
what
open
source
teleport
does?
Is
it
handles
four
key
pillars
of
access,
authentication,
connectivity
and
audit
Authentication
so
for
every
service
for
every
node,
you
generate
an
identity
in
the
form
of
a
short-lived
x509
certificate
for
the
microservice
and
tie
that
identity
to
a
role
managed
by
teleport.
A
You
need
to
be
automatically
able
to
approve
or
deny
access
requests
to
a
range
of
resources
like
servers,
databases,
kubernetes
clusters,
microservices
and
CI
CD
systems
and
connectivity.
We're
going
to
come
back
to
this
diagram
in
a
second,
but
it
also
needs
to
handle
the
connection.
It
needs
to
establish
a
connection
between
the
microservice
and
the
requested
resources,
using
reverse
proxy
tone
from
the
teleport
server
to
the
resource.
A
This
communication
is
all
encrypted
and
secure,
eliminating
the
need
for
vpns,
or
you
know,
traditional
Bastion
hosts
and
the
like
foreign,
extremely
important
for
any
compliance
and
any
standard
you're
trying
to
reach
any
security
standard.
You
need
accountability
and
you
need
to
be
able
to
review
all
the
actions
that
were
taken
by
both
your
human
workers
and
your
machines,
so
this
is
kind
of
the
high
level
architecture.
A
This
is
an
example
for
teleport
configured
with
ansible,
and
so
what
you
have
is
this
orange
teleport
cluster
over
well
I
guess
you
can't
see
my
cursor,
but
this
orange
teleport
cluster,
that
has
two
parts.
It
has
an
off
and
a
proxy
service.
The
proxy
service
handles
all
the
traffic
inside
and
out
of
the
cluster,
and
then
the
auth
is
a
separate
service
that
handles
your
logging.
It
handles
your
you
know,
authentication
and
handling
all
those
rbac
roles.
A
Then
you
have
this
ansible
control
node,
and
this
is
a
separate
node
on
in
your
cloud,
and
so
when
you
create
a
new
node
or
create
a
new
worker
you're
going
to
onboard
that
to
the
teleport
cluster
once
that
teleport,
you
can
do
this
in
two
ways.
You
can
do
this
with
either
an
ephemeral
token
or
a
dynamic
join
token
like
an
AWS
IM,
and
once
you
do
that,
then
the
machine
will
refresh
its
credentials
every
20
minutes
or
that's
configurable.
You
can
set
it
every
five
minutes,
every
30
every
hour.
A
A
A
A
A
A
A
A
A
little
bit
better,
okay,
so
we're
going
to
have
our
name
here.
This
machine
ID
Cube
demo.
This
is
going
to
be
the
name
of
our
rule
and
then
we're
going
to
give
it
examples,
we're
going
to
give
it
kubernetes
access
and
we're
going
to
assign
it
the
kubernetes
user
Alice,
and
so
let's
go
ahead
and
make
our
roll
here.
A
A
Got
that
and
then
we're
going
to
go
back
into
our
teleport
control
node
here
our
teleport
host
and
we
are
going
to
actually
onboard
this
bot
into
our
cluster.
So
we're
going
to
run
this
command
tea.
Cuddle
is
a
CLI
tool
that
allows
you
to
interact
with
the
teleport
cluster
and
we're
going
to
go
ahead
and
add
our
Cube
demo,
bot
with
the
roles
of
machine
ID,
Cube
demo,
which
is
the
role
we
just
created
and
another
access
rule
that
we'll
use
for
our
SSH.
A
Perfect,
so
we
have
this
role
and
we
have
now
this
token
this
bot
token
here
this
is
what
we're
going
to
use.
This
is
only
valid
for
59
minutes,
we're
going
to
use
it
to
onboard
our
bot
to
the
teleport
cluster
and,
like
I,
said,
there's
two
ways
of
doing
this.
You
could
also
use
an
I
like
an
AWS
Dynamic
token,
as
well
perfect,
so
on
the
ansible
Node.
Here
we're
going
to
open
up.
A
A
A
A
A
A
A
A
Okay,
so
we
can
see
that
ignore
this
error,
that's
fine!
We
would
successfully
renew
the
impersonated
certificates,
we
persisted
the
new
certificates
to
disk
and
we're
starting
to
watch
for
the
ca
rotations,
so
this
will
persist
every
20
minutes
and
let's
take
a
look
again
now
at
our
files
that
we
had.
So
if
we
go
back
in
to
our.
A
A
A
A
We
can
see
all
of
the
activities
that
we
were
just
doing,
so
we
can
see
that
the
kubernetes
request
we
can
see
all
of
the
metadata
from
here.
All
of
this
can
be
fully
fed
into
like
anomaly,
detection
tools
or
other.
You
know
log
aggregators
and
we
can
have.
We
can
see
our
active
sessions
here.
So
we
see
that
our
we're
logged
into
ansible.
We
see
that
we're
logged
into
the
control
node
and
we
can
see
our
session
recordings
as
well.
So
all
the
sessions,
all
the
SSH
sessions,
are
actually
going
to
be
recorded
here.
A
Perfect,
and
so
the
last
thing
we're
going
to
do-
is
we're
going
to
show
the
ansible
example
so
in
our
ansible
node
here
we're
going
to
look
at
our
ansible
config
and
see
that
our
sshrs
are
actually
just
set
to
our
machine
ID
directory
where
we
get
those
SSH
configs
that
are
refreshed
on
a
regular
rate.
So
this
way
in
the
past,
what
you
do
is
you'd
manage
SSH
Keys,
which
were
long-lived
and
become
a
pain
both
for
rotation
and
just
for
security
vulnerabilities.
A
A
So
we
have
this
so
now,
if
we
go
in
to
our
other
directory,
we
go
into
our
demo
folder
here
and
we
can
try
to
actually
run
our
Playbook
here
and
what
this
Playbook
is
going
to
do
is
that
it
is
going
to
actually
run
Cube
Cube
Kettle
commands
on
the
SSH
node
of
the
that's
being
hosted.
That's
hosting
the
kubernetes
service.
A
A
We
should
see
perfect
so
now
what
the
ansible
control
node
is
going
to
do.
Is
it's
going
to
access
our
kubernetes
host?
It
is
going
to
upload
the
Pod
yaml
and
deployment
yaml
configurations
that
we
have
written
here
and
it's
actually
going
to
create
a
pod
and
create
a
deployment
on
the
kubernetes
cluster,
and
we
see
that
the
Pod
engine
X
is
created
and
we
see
that
the
nginx
deployment
was
created.
So
if
we
actually
say
Cube
cuddle
get
pods,
Dash
name,
namespace
equals
demo
name
space.
A
A
A
A
And
we
also
have
our
slack
here:
we're
also
going
to
be
at
kubecon
at
Booth
p13.
So
if
you
want
to
come
chat
more
I'll
be
around
as
well
as
our
CEO
and
some
other
folks
so
come
hang
out,
and
then
we
also
are
hosting
a
happy
hour.
We
still
have
registration
spots
open
if
you
like
beer
and
chicken.
So
thank
you.
B
Hey
so
I
I
liked
your
talk.
Thank
you,
one
of
the
kind
of
core
kubernetes
things
is
cattle,
not
pets
and
I
know
also,
like
kind
of
if
you
Spire,
which
I'm
a
lot
more
familiar
with,
also
kind
of
with
the
way
it
does
keys
and
management
of
identities
and
other
things
like
that
also
has
somewhat
of
a
cattle
view.
Sure
and
I
may
have
just
picked
up
on
something
on
your
slide,
without
really
understanding
it.
So
I'm,
just
asking
when
you
talk
about
all
machines.
Have
identities?
B
A
A
A
So
it's
just
all
about
way
of
like
consolidating
that
access,
rather
than
making
them
like
more
special
than
they
need
to
be,
or
something
like
that
which
I
also
forgot
actually
is
in
the
future.
So
a
lot
of
like
a
core
of
this
product
in
the
use,
is
like
a
CI
CD
workflow
way,
so
that
you
can
handle
this
access
without
having
these
long
lived
credentials
that
then
get
leaked
in
a
GitHub
repo,
for
example.
A
So
in
teleport
11,
the
next
release
we'll
actually
have
GitHub
action
support
so
that
you
can
interact
with
teleport
protected
resources
directly
from
these
workflows
without
need
for
secrets
in
GitHub,
even
for
example,
and
we
also
have
Kate's
support
for
automatic
service
Discovery.
So
you
can
have
a
cluster
running
this
service
and
anytime
you
create
new,
pods
or
new.
You
know
microservices
or
new
nodes.
Those
will
automatically
be
added
and
onboarded
to
the
teleport
cluster
without
doing
that
whole
setup
that
we
just
did
so
right.
A
A
So
this
identity
will
be
generated
again
from
its
own
x509
certificate,
and
it
will
have
some
like
configurable
naming
convention
that
you
can
give
it
and
you
can
differentiate
them
while
still
grouping
them
under
the
label
of
whatever
you
know,
like
worker
node
or
whatever,
like
service
that
you're
employing
with
them.
Does
that
make
sense
perfect.
A
Use
your
identity
in
terms
of
like
I'm,
sorry,
a
developer,
laptop
yeah,
no,
absolutely
and
that's
like
so
that's
more
of
like
the
human
use
case,
but
that's
also
like
a
core
teleport
service.
Is
that
like
machine
ID
is
just
one
of
the
offerings,
but
what
people
typically
do
is
that
it'll
integrate
with
like
your
SSO
like
OCTA
or
GitHub
or
whatever?