1
00:00:04,379 --> 00:00:08,609
You're listening to DevOps and Docker Talk, and I'm your host, Bret Fisher.

2
00:00:08,969 --> 00:00:15,649
These are edited audio only versions of my YouTube
Live show that you can join every Thursday bret.live.

3
00:00:16,229 --> 00:00:19,229
This podcast is sponsored by my Patreon members.

4
00:00:19,439 --> 00:00:22,829
I'd like to thank all the paid supporters that make this show possible.

5
00:00:23,189 --> 00:00:30,989
You can get more info and follow my updates on all the content
and open source I'm creating at patreon.com/bretfisher.

6
00:00:31,829 --> 00:00:35,959
And as a reminder, all the links for this show, the topics we discuss.

7
00:00:36,092 --> 00:00:42,452
As well as the links I've already mentioned are available
on the podcast website at podcast.bretfisher.com.

8
00:00:42,920 --> 00:00:51,140
In September of 2021, I had Ben Arent, a developer relations engineer at Teleport, on the show.

9
00:00:51,200 --> 00:01:07,820
Now, if you haven't heard of Teleport, we're going to get into it, but it's essentially
a fancy remote access technology, mostly open source, that allows you to access
endpoints as well as systems like Kubernetes remotely without a traditional VPN.

10
00:01:08,773 --> 00:01:17,773
I think it's an interesting way to provide your teams granular access
and really lock down what remote endpoints people can get access to.

11
00:01:17,803 --> 00:01:21,523
And it also uses some great security underneath that we get into as well.

12
00:01:21,763 --> 00:01:24,793
So please enjoy this episode with Ben from Teleport.

13
00:01:26,792 --> 00:01:27,192
Bret!

14
00:01:27,302 --> 00:01:27,992
Yeah, you can tell.

15
00:01:27,992 --> 00:01:28,682
I have the...

16
00:01:31,582 --> 00:01:32,422
Sorry, I distracted you.

17
00:01:33,292 --> 00:01:39,558
I know, I have the East Bay accent, I'm originally from the UK, but been here a decade

18
00:01:40,028 --> 00:01:40,328
Yeah.

19
00:01:40,458 --> 00:01:48,485
and I'm a DevOps engineer at Teleport, and I've worked
in a range of developer tools probably for a decade now.

20
00:01:48,935 --> 00:02:00,908
I was just talking to Bret about some of my adventures in various companies that you may know about:
Redis To Go, Airbrake, Rackspace, OpenStack, all sorts of fun projects that have come and gone.

21
00:02:00,908 --> 00:02:04,508
So one thing that's always been standard is you always need to get some kind of access.

22
00:02:05,298 --> 00:02:07,038
Yeah, that is universal.

23
00:02:07,278 --> 00:02:10,068
So that's going to be our focus today, if you all are just tuning in.

24
00:02:10,638 --> 00:02:14,898
We're gonna be focusing on specifically Cloud Native modern remote access.

25
00:02:14,898 --> 00:02:18,648
So, we're going to go through some of the problems of the past and the ways we did it before.

26
00:02:18,918 --> 00:02:26,158
And I have personally heard about previously the Gravity Project, and then
Teleport, when you all announced, was it last year you announced the change?

27
00:02:27,188 --> 00:02:27,518
Yeah,

28
00:02:27,568 --> 00:02:28,048
was last year.

29
00:02:28,558 --> 00:02:28,918
Yeah.

30
00:02:28,948 --> 00:02:29,338
And

31
00:02:30,101 --> 00:02:32,061
19, last year was a blur.

32
00:02:32,351 --> 00:02:33,351
Yeah, that's true, that's true.

33
00:02:34,341 --> 00:02:39,561
I think last year was the year that I was actually becoming more aware
of the projects and what you all were working on and stuff over there.

34
00:02:39,761 --> 00:02:44,681
So all of you out there, you may have heard of Gravity, which was a project by Teleport.

35
00:02:44,711 --> 00:02:47,501
I might be getting this wrong, but now we all know you as Teleport.

36
00:02:48,651 --> 00:02:48,851
Yeah.

37
00:02:49,299 --> 00:02:49,393
now

38
00:02:49,674 --> 00:02:49,862
can give

39
00:02:49,862 --> 00:02:50,212
Teleport

40
00:02:50,872 --> 00:02:58,562
Gravity instead of the founding of the company and actually worked
with Sasha and Taylor at Rackspace when they were working at Mailgun.

41
00:02:59,012 --> 00:03:03,192
And I think they saw the similar problem of trying to run compute anywhere.

42
00:03:03,692 --> 00:03:15,962
And Gravity was this idea of packaging up your applications and being able to run them, we
would call them, with Zero DevOps, and Teleport was a method for accessing those clusters.

43
00:03:16,352 --> 00:03:25,282
And under the hood Gravity, which package, it was a would say like
Kubernetes ones, your applications and Gravity runs Kubernetes.

44
00:03:25,882 --> 00:03:32,542
And so that let people run and package Kubernetes clusters into whole bunch of different places.

45
00:03:32,692 --> 00:03:45,112
So you could run Kubernetes on premise, but without having to get external resources, or we had
other people who, SaaS providers might want to sell that SaaS product in someone else's data center.

46
00:03:45,322 --> 00:03:52,207
And by using Gravity, they could package everything up, they
wouldn't need to have external resources, and run it in their DC.

47
00:03:52,837 --> 00:04:03,307
One of the benefits of Teleport, which we pulled from Gravity, was Teleport let you
access and maintain and do a whole bunch of other controls over those systems.

48
00:04:04,117 --> 00:04:06,097
It sounds like it was, you were solving it, you're scratching your own itch.

49
00:04:06,127 --> 00:04:07,807
It sounds like you were solving your own problem there.

50
00:04:08,357 --> 00:04:12,407
Yeah, so it started off with Kubernetes and server access.

51
00:04:12,707 --> 00:04:16,307
And over the last couple of years, we've added application and database access as well.

52
00:04:16,807 --> 00:04:17,377
Very nice.

53
00:04:17,877 --> 00:04:32,604
Let's back up for a second because we were talking about what to talk about on the show
and it was an interesting idea to talk about the origin of remote access, SSH and all the
things and where that starts to struggle in our modern multi-platform multi-cloud world.

54
00:04:33,104 --> 00:04:35,743
Yeah, it depends how far back in the history of access.

55
00:04:35,863 --> 00:04:41,833
And I think that's often, you know, like 2021 people
will say, oh, you don't need to access machines.

56
00:04:41,863 --> 00:04:42,505
It's cattle vs.

57
00:04:42,525 --> 00:04:45,755
pets, immutable infrastructure, if you access a node.

58
00:04:45,825 --> 00:04:52,725
I actually had, I always worked for the DevOps lead, and if you accessed it,
they will terminate the instance after five minutes, it was seen as like a toxic

59
00:04:52,745 --> 00:04:53,787
Who knows what you did?

60
00:04:54,578 --> 00:04:58,808
Who knows what you did, it's yeah, remove it and fire something else in there.

61
00:04:59,678 --> 00:05:08,018
But the reality of modern DevOps is that you always need, someone
needs to get access to the infrastructure for a range of things.

62
00:05:08,018 --> 00:05:17,808
So even if you have a fully immutable infrastructure, you may need a team to pull
logs off a system prior to rotating it, which could be like your security team.

63
00:05:18,618 --> 00:05:25,098
And then, what becomes interesting when you go into the
world of Kubernetes, everything is talking to a REST API.

64
00:05:25,608 --> 00:05:32,851
And how do you get a full audit log of who's doing what and
having an audit log of history about which commands are being run.

65
00:05:33,861 --> 00:05:44,081
And I think if you think about cloud providers in general, someone still has access to your
machines, and so there could be like the serial, I think Amazon even added a serial bus recently.

66
00:05:44,531 --> 00:05:50,015
You have like serial bus, you have SSH, you have these methods
in which you do need to get some sort of access to machines.

67
00:05:50,465 --> 00:05:56,825
And we see a plethora of people from all sorts of interesting use cases.

68
00:05:56,825 --> 00:06:15,548
So we have some people deploying Raspberry Pis into farmers' fields and they need
to get some kind of remote access, but there's no sort of central command plane,
and you can run Teleport in this mode, that's Teleport, and dial back and do it with NAT
traversal, and you don't have to necessarily worry about your networking as well.

69
00:06:15,941 --> 00:06:27,445
And so you can think of Teleport as this unified access plane that you don't have to worry
about protocols or even the network and everything is done specific to that protocol.

70
00:06:27,895 --> 00:06:39,625
So for our server support, we just use OpenSSH certificates under the hood, and
then we just have a whole bunch of stuff that makes that much easier for you to use.

71
00:06:40,371 --> 00:06:47,541
I go to the website, and there's a list of products and are they all related?

72
00:06:47,871 --> 00:06:49,881
Because they all just seem to be access focused.

73
00:06:50,881 --> 00:06:54,301
Yeah, I guess they're all related, but they're also very deep in the protocol.

74
00:06:55,021 --> 00:07:06,791
And so if we start with server access, I think this is probably what people are most familiar
with so, when you have a cloud provider, you'll often provide your public private key.

75
00:07:07,061 --> 00:07:11,651
You generate a private key on your host, you upload
your public key and that's sort of how you authenticate.

76
00:07:12,151 --> 00:07:14,761
That kind of works well for your smaller projects.

77
00:07:14,761 --> 00:07:24,511
But if you're working on a team, let's say you have five people, do you have to upload every
five public keys to the server, and then you have a script that runs it when they leave?

78
00:07:25,111 --> 00:07:33,541
And it's there very quickly, doesn't become a sustainable way of adding new people
to get access, and there's also the lack of visibility once people sort of leave.

79
00:07:34,041 --> 00:07:39,061
And OpenSSH has had certificate support for a while.

80
00:07:39,631 --> 00:07:49,591
And this lets you, instead of providing a sort of long lived public
private key, you can use a short lived like X509 certificates for access.

81
00:07:50,551 --> 00:07:57,181
And that's what all of these sort of different platforms use so short lived access for us.

82
00:07:57,181 --> 00:08:04,471
So you can also use the same thing for kubeconfigs, instead of having
long-lived kubeconfigs you only get a kubeconfig for a 10 hour period.

83
00:08:05,151 --> 00:08:05,451
Right.

84
00:08:05,491 --> 00:08:11,221
access, use kubectl again, you need to get a new kubeconfig based upon how you've set it up.

85
00:08:12,221 --> 00:08:12,461
Yeah.

86
00:08:12,461 --> 00:08:20,941
I think a couple of years ago I was reading at least one great article
about SSH using certificates rather than keys and the benefits of all that.

87
00:08:21,441 --> 00:08:25,281
And to me, it always seemed like the challenge was implementation and maintenance of that.

88
00:08:25,671 --> 00:08:26,391
There's a lot of,...

89
00:08:26,441 --> 00:08:36,681
Yeah, because you have to manage a certificate authority and then you have to worry about rotating
of certificates and that is all abstracted away, and Teleport makes that very easy for you.

90
00:08:37,151 --> 00:08:37,481
Right.

91
00:08:38,111 --> 00:08:49,864
Yeah, and there's never really been, like I think every project I work
on, the way we get into things, because especially if you're DevOps or
you're especially ops, when things go awry, you got to get on servers usually.

92
00:08:50,074 --> 00:09:04,844
At some point you got to get on those servers so that the methodology for how you get there and how
you do it securely and I find that it's related to the maturity of the team, the way that you access
it and making sure that keys are taken off and then people that have left had all the keys removed.

93
00:09:05,594 --> 00:09:07,934
That's not stuff that a young team has, right?

94
00:09:07,934 --> 00:09:12,874
Like a young team is you're saying, like throwing SSH
keys of their own on servers randomly when they need them.

95
00:09:12,935 --> 00:09:18,035
They might have a cloud init script that automatically
installs them at startup time, and there's a list.

96
00:09:18,905 --> 00:09:22,865
Or maybe there's one key, and then it's given to all the people that need it.

97
00:09:22,865 --> 00:09:27,215
And then the problem is how do you replace that key
and how do you know who accessed it and all that stuff.

98
00:09:27,215 --> 00:09:30,225
And there's just, I feel like it's not a solved universal problem.

99
00:09:30,645 --> 00:09:37,995
And it's glad to see more ideas in this space because we do,
it's funny, you don't see a lot of this discussed at conferences.

100
00:09:37,995 --> 00:09:50,685
You go to cloud native stuff, and like you said, the very beginning, we talk
about this utopia world where we never need SSH, we never need remote access
to a physical machine, and everything's wonderful, and you just, if there's a
problem, you just turn it off and replace it and then that magically fixes it.

101
00:09:51,055 --> 00:10:02,304
And that's just really not true at any scale that I'm aware of, unless
you're Netflix or Google, which you probably then have tooling to
automatically pull off snapshots so that you can debug after the fact.

102
00:10:02,354 --> 00:10:07,593
That's a really advanced workflow that's beyond the scope of what we're
trying to talk about today, but that's what I ended up seeing out there.

103
00:10:07,593 --> 00:10:15,103
So I'm glad that you're seeing the same thing, and it sounds like these solutions
are trying to address those problems because, and some of this is open source, right?

104
00:10:15,793 --> 00:10:16,003
um,

105
00:10:16,253 --> 00:10:17,063
the majority.

106
00:10:17,063 --> 00:10:24,800
So we're sort of an open core company, which means you can,
80, probably like 90% of our code is in our open source repo.

107
00:10:24,867 --> 00:10:29,337
And you get everything that you'd really need for even like a small team.

108
00:10:29,384 --> 00:10:32,312
You get all of the access of different platforms.

109
00:10:32,402 --> 00:10:37,894
The only thing that sort of we gate on would be more
enterprise, single sign on providers, but we provide GitHub.

110
00:10:38,474 --> 00:10:39,374
use local auth.

111
00:10:39,425 --> 00:10:45,030
We recently added role-based access control into the open-source edition, which was highly requested.

112
00:10:45,042 --> 00:10:45,806
But everything else works.

113
00:10:45,806 --> 00:10:47,876
Kubernetes access works databases.

114
00:10:47,926 --> 00:10:56,500
And then there's another new feature for teams, which we call access
requests, and access requests that you, access from other teammates.

115
00:10:57,100 --> 00:11:01,030
And probably if you're running in a small team, it's pretty less of a concern.

116
00:11:01,030 --> 00:11:07,838
You can have wider access, but for people who want to really
gate and have extra compliance, one feature that we provide.

117
00:11:08,453 --> 00:11:08,873
Interesting.

118
00:11:08,873 --> 00:11:12,863
So that's almost like a PR review on my server access.

119
00:11:13,943 --> 00:11:14,753
At the moment I

120
00:11:14,913 --> 00:11:20,996
What's cool is, you can just say set it similar to your point in
the Navy, I actually did a webinar on the nuclear launch codes.

121
00:11:21,116 --> 00:11:26,492
So you can set like multiple people, so you have three
people must approve this before you can launch access in.

122
00:11:26,577 --> 00:11:27,037
means that

123
00:11:27,037 --> 00:11:30,057
They know you did it because not everybody looks at logs.

124
00:11:30,099 --> 00:11:35,801
Like we might log everything, but if there's something about the analogy of,
if the tree falls in the woods and no one's around us, it really whatever.

125
00:11:35,821 --> 00:11:43,031
If a server, if a guy, if someone SSHes into a server and
it's logged, but no one's reading the logs, did it really happen?

126
00:11:43,276 --> 00:11:44,296
It, does anyone know?

127
00:11:44,296 --> 00:11:44,926
Does it matter?

128
00:11:45,256 --> 00:11:48,226
Because now you have that one-off server that's slightly changed.

129
00:11:48,312 --> 00:11:48,912
but no one else

130
00:11:49,212 --> 00:11:49,782
knows about it.

131
00:11:50,052 --> 00:11:50,702
of Teleport.

132
00:11:50,702 --> 00:11:59,352
It provides the centralized logging without having to use AuditD or some other
kind of configuration, which could be tricky, or you just forget about it.

133
00:11:59,432 --> 00:12:01,202
And if something happens, you're like, oh, where are our logs?

134
00:12:01,225 --> 00:12:06,585
So this is covering Kubernetes databases?

135
00:12:07,565 --> 00:12:08,825
I meant Teleport as a whole.

136
00:12:08,875 --> 00:12:13,135
Databases, as our databases, we have MySQL and Postgres.

137
00:12:13,885 --> 00:12:18,775
We support Kubernetes, so you can think of this as getting your sort of short-lived kubeconfigs.

138
00:12:19,315 --> 00:12:24,723
We have applications, so securing internal web apps and then servers.

139
00:12:25,373 --> 00:12:25,643
Okay.

140
00:12:25,848 --> 00:12:27,771
The server can be anything from a Raspberry Pi to a

141
00:12:27,829 --> 00:12:29,151
A thing that's running a kernel,

142
00:12:30,441 --> 00:12:30,571
Yes.

143
00:12:30,571 --> 00:12:32,011
that you connect to in some way.

144
00:12:32,488 --> 00:12:33,688
Can it be self hosted?

145
00:12:34,176 --> 00:12:34,656
Yes.

146
00:12:35,027 --> 00:12:37,547
Actually only recently, did we have a cloud version.

147
00:12:37,547 --> 00:12:42,270
For a long time, we were self hosted and our open source edition is also self hosted.

148
00:12:43,055 --> 00:12:50,184
I have Teleport running on the public internet and we
generally assume in the world of the sort of access tools.

149
00:12:50,184 --> 00:12:53,124
You have the idea of bastion hosts and jump hosts.

150
00:12:53,299 --> 00:12:53,599
Yup.

151
00:12:53,934 --> 00:12:58,183
One is inside of your network security and one is inside, one is outside.

152
00:12:58,333 --> 00:13:01,843
I think a jump host is outside, bastion's inside.

153
00:13:02,393 --> 00:13:04,943
The proxy is fine to be on the public internet.

154
00:13:05,243 --> 00:13:17,353
And there's also methods in which you can run Teleport in a sort of
very secure way in which the proxy service runs separately from the auth
service, and we go very deep and not to take all security very seriously.

155
00:13:17,853 --> 00:13:29,189
And so your teammates are welcomed with this sort of sign in, and you can sign
in with a local user and we always enforce a strong second factor, or
a preferred method is this user identity provider that you already have.

156
00:13:29,279 --> 00:13:30,280
I have a GitHub group.

157
00:13:31,280 --> 00:13:40,595
Even when I work with teams that have, they might have Kubernetes in it, there might be a jump
host, but it's usually just one jump host and we all have to know the name or the IP to get through.

158
00:13:42,625 --> 00:13:46,293
And utility machines like that often don't get a lot of the love, right?

159
00:13:46,293 --> 00:13:52,053
Cause it's usually the production infrastructure for the customer, the internal
customer, the whatever, the developer customer that you're dealing with.

160
00:13:52,233 --> 00:13:53,733
It's usually that it gets all the attention.

161
00:13:53,733 --> 00:14:00,830
And it's usually this other, ancillary infrastructure
that tends to from a lack of automation and stuff.

162
00:14:00,830 --> 00:14:06,853
So this it's good to see that concepts like that, where it doesn't really
matter what machine I'm getting into, I just need to get into a machine.

163
00:14:08,383 --> 00:14:08,623
Yeah.

164
00:14:08,623 --> 00:14:10,633
You can also put in your AWS tags as well.

165
00:14:11,428 --> 00:14:14,286
So, if, it's pretty common to have like heavily tagged machines

166
00:14:14,351 --> 00:14:14,651
Right.

167
00:14:14,706 --> 00:14:16,686
use that same sort of tag flow in Teleport.

168
00:14:16,733 --> 00:14:21,900
And so right now, when you're running these commands, you're
running it against basically a Teleport instance, right?

169
00:14:21,922 --> 00:14:24,292
That you've got running on a machine

170
00:14:24,292 --> 00:14:24,712
somewhere

171
00:14:25,207 --> 00:14:26,557
That's when I logged in.

172
00:14:26,557 --> 00:14:32,795
We do support multiple clusters as well depending upon how you
configure, you can configure like multiple tracks, the clusters.

173
00:14:33,535 --> 00:14:47,843
And this is another powerful feature that we have, even like some customers who like MSPs, which
is a sort of service provider, and if they want to get access to someone else's infrastructure,
they can just share their trusted cluster for a short period of time and then cut off the access.

174
00:14:48,473 --> 00:14:51,842
And deals with that sort of jumping between hosts seamlessly.

175
00:14:52,342 --> 00:15:09,426
So first question is, if we're talking about Kubernetes, which we actually haven't
gotten to yet, but we've got some questions coming in, so I'm prefacing this,
Teleport needs to be in each cluster of Kubernetes, so when I say, when I see
TSH clusters, is that Teleport clusters or Kubernetes clusters, are they the same?

176
00:15:09,506 --> 00:15:11,981
It could be the same thing, depending upon how you've deployed it.

177
00:15:12,401 --> 00:15:23,681
In my case, I just upload my sort of root Teleport cluster on a dedicated AWS host, but I could
have also just deployed Teleport just in a Kubernetes cluster, and that'll be the same thing.

178
00:15:23,759 --> 00:15:25,418
And you, I'm sure you can you run it all the same way?

179
00:15:25,448 --> 00:15:28,868
Like you can run it in Docker, you can run it natively on the host, you can run on Kubernetes.

180
00:15:28,868 --> 00:15:30,604
You can just kind of run it how you prefer?

181
00:15:31,589 --> 00:15:41,659
How is this different or better than the zero trust network access concept also
named the VPN killer feature, that is available more and more on firewalls?

182
00:15:42,136 --> 00:15:47,648
You can think of it, I guess the world of zero trust is definitely an abused term.

183
00:15:47,648 --> 00:15:56,092
It can mean lots of different things, and I think Teleport is part of a zero trust policy to deploy.

184
00:15:56,122 --> 00:16:00,452
So we do have some customers who will deploy a VPN and use Teleport.

185
00:16:01,192 --> 00:16:04,216
So there's still uses of VPNs but it's not required.

186
00:16:05,116 --> 00:16:18,022
And how we're different is very deep on the protocol and then also deep on the
individual action and identity, which can be different from some zero trust solutions.

187
00:16:18,522 --> 00:16:30,828
I think the answer is always kind of complex, I mean, if you talk to like a person in a
uh, conference booth spending point they're selling, they're like soap, whatever they need,
but often do you need like multiple sort of solutions to obtain these sort of zero trust...

188
00:16:30,828 --> 00:16:36,016
And for myself as well as those that maybe don't know that, in this context, what are we assuming?

189
00:16:36,046 --> 00:16:37,966
What do we consider zero trust in this context?

190
00:16:38,466 --> 00:16:40,386
So I think it was like step back a bit.

191
00:16:40,416 --> 00:17:01,546
I think in the old days I would have just given you access to the VPN and then you
can have access to everything and say, how things have evolved is when you logged in,
you had to authenticate through GitHub to prove that you were your own identity, and
then Teleport also enforces these short-lived certificates and everything audited.

192
00:17:01,786 --> 00:17:03,376
And now it goes deep on the protocol.

193
00:17:03,861 --> 00:17:06,324
And it's to a specific resource, instead of.

194
00:17:06,409 --> 00:17:12,331
Most VPNs that I use that it's like you have access to everything like
or everything that the VPN has access to you, carte blanche, right?

195
00:17:12,391 --> 00:17:19,907
It's all, it's a universal policy, it's a very broad set
of systems and resources, and you may only need one server.

196
00:17:19,907 --> 00:17:33,301
I don't know if that's in the scope of zero trust ideas, but that's something that's
always been attractive to me is where, giving people basically in that moment, just
the thing they need and not over-provision, which is what VPN is classically known for,

197
00:17:33,301 --> 00:17:40,898
over provisioning, complete access, which is where a lot of the, it's the whole, we
have one guard at the gate and once you get past the gate, there's no more security.

198
00:17:41,048 --> 00:17:46,471
So you have access to all the ports and all the servers and all
the networks, as long as you get through the VPN connection.

199
00:17:46,528 --> 00:17:49,019
So yeah, this seems much more granular and flexible.

200
00:17:49,019 --> 00:17:49,258
Yeah.

201
00:17:49,258 --> 00:17:55,524
And this is not a great example since these are two wildcard
stars, but it does let you use the labeling that we already saw.

202
00:17:55,584 --> 00:18:10,637
And then you can create roles to provide sort of fine grain access, for whether it's
labels on Kubernetes clusters or also groups, another bad example, that's system:masters
is not a great example of zero trust and Kubernetes because you get access to everything.

203
00:18:11,605 --> 00:18:16,661
Up to you to assign your Kubernetes groups and then give them to your teammates appropriately.

204
00:18:16,661 --> 00:18:18,794
Yeah, so you've got a Mac there.

205
00:18:18,794 --> 00:18:26,976
So on a Mac, if I need to SSH on a server, is there something running in the background
as a service that's like relaying my SSH or how does that connection actually?

206
00:18:26,976 --> 00:18:27,396
happen?

207
00:18:28,041 --> 00:18:36,774
have this, like TSH small binary that you download and install, which does
everything behind and the thing that hits us, like populates these clusters.

208
00:18:36,864 --> 00:18:41,813
And so you can see here these like the X.509 certificates for this cluster.

209
00:18:42,093 --> 00:19:02,474
So this is my one, SSH, what it's slightly different for, kubeconfig, especially
populate your kubeconfigs locally, but under the hood, going back to like our
OpenSSH public private keys for your certificates, under the hood, it's just OpenSSH
certificates, but in a much easier way than having managing and orchestrate it yourself.

210
00:19:02,664 --> 00:19:03,054
Okay.

211
00:19:03,234 --> 00:19:09,204
So in this case, there has to be a machine on the internet that is running SSH for me to get to?

212
00:19:09,704 --> 00:19:17,674
Teleport is not providing a separate port tunnel into
someplace that has an SSH daemon running somewhere.

213
00:19:18,124 --> 00:19:19,474
I think so.

214
00:19:19,504 --> 00:19:20,434
Yeah, I'm correct.

215
00:19:20,644 --> 00:19:29,324
So you can just run Teleport, once you run Teleport in a certain independent go from
the mode in which you run it, you don't necessarily get access to SSH into that node.

216
00:19:29,864 --> 00:19:35,724
You then need to add nodes, running the SSH service to connect back to your sort of root cluster.

217
00:19:36,224 --> 00:19:37,274
And you actually have two options.

218
00:19:37,274 --> 00:19:40,711
You can over the local network.

219
00:19:41,401 --> 00:19:52,200
If you're you, say you could configure Teleport in a VPC, or you could
just, in my case, I just have Teleport, I on the public internet and
I'm tunneling through, but you actually don't even need to do that.

220
00:19:52,200 --> 00:19:57,163
You can change your sort of network setup depending upon sort of the risks in your organization.

221
00:19:57,688 --> 00:20:00,510
Sly has a question, similar as can you explain better how it works?

222
00:20:00,510 --> 00:20:03,300
Do you have a server running and an agent in every machine?

223
00:20:03,303 --> 00:20:07,514
Did that network diagram do a basic description of some of that sort of the pieces?

224
00:20:08,514 --> 00:20:09,624
That's probably a better one.

225
00:20:09,654 --> 00:20:12,384
That one was actually maybe how it works.

226
00:20:12,384 --> 00:20:13,284
Might be a good one.

227
00:20:13,734 --> 00:20:17,798
So we have this Teleport basic concepts, which is this probably a perfect one.

228
00:20:17,798 --> 00:20:22,468
So we have the users which go through the proxy, which is Teleport to.earth.

229
00:20:22,468 --> 00:20:26,328
And we have our auth server in our case, we have registering.

230
00:20:26,566 --> 00:20:27,256
I need to access it.

231
00:20:27,256 --> 00:20:29,266
I go through the proxy and the proxy dials back.

232
00:20:29,266 --> 00:20:34,823
So in this SSH node, we're running a Teleport service in node mode to an agent.

233
00:20:36,293 --> 00:20:36,653
Okay.

234
00:20:37,973 --> 00:20:43,463
And that's the four different sets, the four different ways or the
four different types of resources I can access through the proxy.

235
00:20:45,123 --> 00:20:52,624
And then for Kubernetes, I've deployed a Helm chart, which is
this same sort of thing, but it runs Teleport in a Kubernetes mode

236
00:20:52,627 --> 00:20:52,957
Runs it.

237
00:20:53,137 --> 00:20:59,576
I'm assuming it runs a pod with a similar executable that you ran on a native SSH on the host there.

238
00:20:59,936 --> 00:21:00,266
Yeah.

239
00:21:00,681 --> 00:21:00,981
Yeah.

240
00:21:01,481 --> 00:21:02,411
And the same for web apps.

241
00:21:02,411 --> 00:21:11,321
So I actually have another cool example in which I'm running Grafana and Teleport
locally and Docker to provide like local access to a sort of web app that I'm running.

242
00:21:12,321 --> 00:21:14,691
And is that an agent on the web server?

243
00:21:14,871 --> 00:21:18,441
It can be, yeah, it can be on the web server host itself.

244
00:21:18,441 --> 00:21:26,561
So a very popular example of this would be like, if you have a Grafana
dashboard, I can see if you can do this the Kubernetes dashboard.

245
00:21:27,161 --> 00:21:34,871
People will make it publicly exposed, and so you could give a loopback
address that only the Teleport agent on that host can access it.

246
00:21:35,141 --> 00:21:42,191
And then it creates the reverse tunnel back to Teleport to make
sure that there's no sort of know where remote access to it.

247
00:21:42,726 --> 00:21:46,336
So this prevents you from needing to put those apps on the public.

248
00:21:46,706 --> 00:21:47,036
Yeah.

249
00:21:47,406 --> 00:21:48,606
The HTTP part of it.

250
00:21:50,036 --> 00:21:50,276
Yeah.

251
00:21:50,776 --> 00:21:51,136
All right.

252
00:21:51,158 --> 00:21:56,468
Alexandra has a question of what encryption is used
between the inside node or agent and the outside machine.

253
00:21:56,468 --> 00:21:59,498
Is there any mechanism for posture check?

254
00:22:00,208 --> 00:22:04,468
So we have a few things based upon how you run it.

255
00:22:05,428 --> 00:22:15,068
You can have a CA pin, which is a hash of the Teleport certificate authority,
which you can use to verify that the auth server is the right auth server.

256
00:22:15,958 --> 00:22:21,358
If you're using this edge mode, we just do it through the mutual TLS certificate.

257
00:22:21,388 --> 00:22:26,008
There's some encoding on making sure that you're joining the correct host.

258
00:22:26,691 --> 00:22:36,016
So for me, as an admin, as a Kubernetes person, I just have to make sure Teleport's
on my machine, the Teleport command line tool is on my machine.

259
00:22:36,316 --> 00:22:40,316
And then when I run those tsh logins, that's all I have to do.

260
00:22:40,327 --> 00:22:45,097
I can just, I run the login and now my kubectl is able to talk to that server.

261
00:22:45,462 --> 00:22:45,702
Yeah.

262
00:22:45,782 --> 00:22:52,000
So the first batch of connection does take a little bit of time
to do the initial handshake, but we're like connected to a minute.

263
00:22:52,030 --> 00:22:54,940
This is just an empty cluster that I've been running for a week or so.

264
00:22:55,440 --> 00:23:04,420
And on is the, is my kubectl actually talking, kubectl
command line, actually talking to the proxy server directly?

265
00:23:04,900 --> 00:23:06,010
Is that how the connection's happening?

266
00:23:07,288 --> 00:23:07,708
All right.

267
00:23:07,811 --> 00:23:15,268
And so in that case, when you did the login, if you were like earlier, you were
talking about this new thing of requiring having others approve your login.

268
00:23:15,268 --> 00:23:18,418
Is that where all that process would take place, during the login phase?

269
00:23:18,668 --> 00:23:19,178
Or

270
00:23:19,253 --> 00:23:20,903
take a prior to it.

271
00:23:20,903 --> 00:23:23,768
So you'd ask for access to the cluster oh,

272
00:23:23,863 --> 00:23:24,223
and then went

273
00:23:24,643 --> 00:23:24,913
role.

274
00:23:25,303 --> 00:23:25,903
And okay.

275
00:23:26,353 --> 00:23:33,994
And then that certificate based on your policies, I'm assuming that you configure
on the Teleport, the login certificates are time bombed based on the policy.

276
00:23:34,004 --> 00:23:37,004
Because I didn't see you ask for an amount of time or anything like that in the command line.

277
00:23:37,004 --> 00:23:39,658
And I say by default, I have a 30-hour session.

278
00:23:39,873 --> 00:23:40,533
Oh, okay.

279
00:23:40,542 --> 00:23:40,683
And

280
00:23:40,718 --> 00:23:41,168
Interesting.

281
00:23:42,063 --> 00:23:46,751
This is quite a large, generous role, but I have access to all clusters.

282
00:23:46,804 --> 00:23:47,734
So it is for demos.

283
00:23:48,039 --> 00:23:50,349
We always get God got access to DevOps.

284
00:23:50,349 --> 00:23:50,514
Yeah.

285
00:23:50,726 --> 00:23:51,326
Very cool.

286
00:23:51,426 --> 00:23:56,866
Does this take care of RBAC management of a Kubernetes cluster for me?

287
00:23:56,866 --> 00:24:00,736
Or do I need to already have all those set up and then apply these policies here?

288
00:24:00,736 --> 00:24:01,486
Like how does that work?

289
00:24:02,018 --> 00:24:07,420
Yeah, you'd have to set it up on your cluster of choice based upon how you want to define the roles.

290
00:24:08,147 --> 00:24:22,696
So we have some people I know who create users in Kubernetes based
upon their user, but we have some more advanced these, like internal
DB users, but you can just put in external identity provider options.

291
00:24:22,726 --> 00:24:28,431
So if you have an SSO provider for your Kubernetes
cluster, you can map that same thing into Teleport as well.

292
00:24:29,431 --> 00:24:29,821
Okay.

293
00:24:30,241 --> 00:24:44,491
Yeah, I was wondering if I could have roles in Kubernetes and then specifically have users in
Teleport and alleviate needing specific users because Teleport's logging all the things, right?

294
00:24:44,491 --> 00:24:53,066
So it's showing the connection, it's showing who did it, so now I'm maybe not so
much looking at my kube logs and I'm not paying more attention to Teleport logs.

295
00:24:53,066 --> 00:24:56,606
If that's the only way you can get into my Kubernetes server.

296
00:24:56,606 --> 00:24:56,696
Yeah.

297
00:24:57,696 --> 00:24:57,876
Yeah.

298
00:24:57,876 --> 00:25:02,917
So in that case, it depends upon the risks in your team and how you want to provide access.

299
00:25:02,917 --> 00:25:10,099
Maybe you have like system:masters for the ops team, but you have a dev role,
which is like fine-grained, but all developers share the Kubernetes dev group.

300
00:25:10,175 --> 00:25:13,984
And then you create custom users and then use Teleport to give them access.

301
00:25:14,484 --> 00:25:14,814
Yeah.

302
00:25:14,875 --> 00:25:23,105
So I see that there's potential for error for a lot of configuration in the
Teleport itself and in the proxy or server or whatever we're calling it.

303
00:25:23,345 --> 00:25:24,174
I keep forgetting the names.

304
00:25:24,226 --> 00:25:24,436
Yeah.

305
00:25:24,946 --> 00:25:28,066
Can I put that stuff in Git and not have it stored on the server?

306
00:25:28,074 --> 00:25:32,026
Can I control Teleport through GitOps or some sort of...

307
00:25:32,026 --> 00:25:32,086
Yeah.

308
00:25:32,421 --> 00:25:38,712
I forget the resource for the RBAC connectors, but you can like get these and
set them and then we'll have an API to that, you can configure it as well.

309
00:25:38,862 --> 00:25:42,442
So we do have some customers who have, I think, 10,000 different roles.

310
00:25:42,942 --> 00:25:43,302
Oh, wow.

311
00:25:43,302 --> 00:25:44,632
So you can really customize it.

312
00:25:44,752 --> 00:25:52,159
But if you actually have that many, you've probably configured this Guid and this is like
some other more advanced, like regexes that you can do to like really narrow down your roles.

313
00:25:52,629 --> 00:25:53,019
Right,

314
00:25:53,469 --> 00:25:53,859
Okay.

315
00:25:54,489 --> 00:25:56,319
Is, this is what we've been seeing so far.

316
00:25:56,319 --> 00:25:58,089
Is this all the open source stuff?

317
00:25:59,074 --> 00:25:59,404
Yep.

318
00:25:59,869 --> 00:26:00,190
Okay.

319
00:26:00,215 --> 00:26:04,925
And then what does, if I use this, is it a SaaS solution?

320
00:26:04,925 --> 00:26:07,095
Is that correct, the best way to describe that?

321
00:26:07,095 --> 00:26:07,329
Yeah.

322
00:26:07,389 --> 00:26:07,869
Yeah.

323
00:26:07,869 --> 00:26:13,753
So is that just alleviate, what am I getting, what can I pay for, I guess this is maybe

324
00:26:13,987 --> 00:26:17,977
we have Teleport Enterprise, which I think includes cloud now.

325
00:26:18,007 --> 00:26:20,877
And that just means you don't have to run this root cluster.

326
00:26:20,967 --> 00:26:27,731
So we run and maintain Teleport. If you're used to being very SaaS-centric, it
just makes your administration a bit easier, it's one less thing to worry about.

327
00:26:28,231 --> 00:26:35,171
But often people like Teleport because they can run it themselves within
the data center and really limit and sort of fine tune and control it.

328
00:26:35,221 --> 00:26:37,621
Okay, so you have the SaaS offering essentially,

329
00:26:37,725 --> 00:26:38,025
Yeah.

330
00:26:38,525 --> 00:26:45,482
Are the four, I think we talked about the beginning
about there's different types of Teleport or different.

331
00:26:45,482 --> 00:26:48,482
Maybe I'm thinking of the different ways, different types of resources I can connect.

332
00:26:48,532 --> 00:26:59,123
So I like the database stuff was really interesting to me and I was, you may not may or not
have a demo for that, but I didn't quite understand how a protocol-specific connection worked.

333
00:26:59,162 --> 00:27:06,490
If I bring up a SQL GUI for MySQL, is it actually talking MySQL to the proxy?

334
00:27:06,970 --> 00:27:08,390
Is that kind of what's happening?

335
00:27:08,390 --> 00:27:08,930
Yes.

336
00:27:10,238 --> 00:27:14,830
So sometimes that's a little bit of like yak shaving for the intricacies of the different platforms.

337
00:27:14,862 --> 00:27:17,876
But once you've configured it, you do it once and then you can access it.

338
00:27:18,416 --> 00:27:36,183
Talking about GUIs, lots of GUIs do support certificates, especially in MySQL, like they still
couldn't like SSL certificates, somebody new, if they're not updated TLS, but you can also say
support it, so you can use short-lived certificates for access for Postgres and MySQL as well.

339
00:27:37,183 --> 00:27:37,633
Yeah.

340
00:27:37,663 --> 00:27:46,224
I was going to say, is this, I'm trying to figure out how that connection works
because obviously, this is another problem of, when we're troubleshooting, right?

341
00:27:46,276 --> 00:28:05,801
There's a database, let's say it's RDS in AWS, and I got a Postgres server in there and
it's the production database, and we're seeing weird errors and we're worried that it may be
something wrong with the SQL data, and we just need to get someone connected directly to the
database to do some selects and figure out if the data needs to be, somehow it got screwed up.

342
00:28:06,161 --> 00:28:16,487
And that process, inevitably it's like, now I'm creating a database user and I'm handing
that to a particular person and now they always have it and the passwords never expire.

343
00:28:16,489 --> 00:28:20,992
And that would be, is that kind of a scenario where this just replaces that whole workflow?

344
00:28:21,992 --> 00:28:22,312
Yeah.

345
00:28:22,872 --> 00:28:23,152
Yeah.

346
00:28:23,177 --> 00:28:28,224
And in a similar vein, databases have the most sensitive information.

347
00:28:28,254 --> 00:28:37,387
You might have a range of people from like a data engineering to just an engineer, wants
to run a query, like any kind of human interaction you should use sort of Teleport.

348
00:28:37,387 --> 00:28:41,148
Just because you get so much visibility into what's happening about these, database connections.

349
00:28:41,478 --> 00:28:50,698
And that's a good distinction to make real quick, it sounds like Teleport is focused
on humans connecting to systems or resources, not resources connecting to resources.

350
00:28:50,794 --> 00:28:51,004
Yeah.

351
00:28:51,004 --> 00:28:55,114
You can configure, so you can use Teleport with Jenkins, for example.

352
00:28:55,894 --> 00:28:59,467
And it also depends upon your threat model.

353
00:28:59,498 --> 00:29:04,898
You can't necessarily give Jenkins a 10 hour certificate
for access because, you need a new one in 10 hours.

354
00:29:05,438 --> 00:29:13,133
And so in that case, we have people who use our API and they always re-issue
Jenkins a new certificate every 10 hours or if you can have people to each run.

355
00:29:14,003 --> 00:29:23,812
And so what that means is if your CI system was ever compromised and
someone got the certificates of the service, then you've got access
for that short period of time, and everything's like refreshed again.

356
00:29:24,777 --> 00:29:25,107
Okay.

357
00:29:25,227 --> 00:29:30,337
If you start thinking about short lived certificates, you
get like a much better, like hygiene kind of policy in place.

358
00:29:30,337 --> 00:29:30,457
Right.

359
00:29:30,481 --> 00:29:32,565
All year long, I've been talking about GitHub Actions.

360
00:29:32,565 --> 00:29:52,519
Do you have anything in the works for something with GitHub Actions for that so that
we can run an action against, for example, I've got some functional tests that I'm
running in GitHub Actions on GitHub Actions public runners, and they need a remote
database maybe because it's got to actually test RDS and some S3 stuff inside of a VPC.

361
00:29:52,939 --> 00:29:54,808
So is there, is there anything with that?

362
00:29:55,318 --> 00:29:57,448
out of the box but I think it's something fun to explore.

363
00:29:57,973 --> 00:29:58,167
Yeah.

364
00:29:58,367 --> 00:30:08,373
I'm a big fan this year of getting all of my tooling into their own actions so that I can,
just basically plug and play a workflow together and not have to write a bunch of custom bash.

365
00:30:08,373 --> 00:30:16,471
And, I'm trying to downplay all the bash scripts that everyone's putting in their CI and
say, let's get back to, declarative approaches and try to take our CI to the next level.

366
00:30:16,471 --> 00:30:20,305
So we've talked a lot about GitHub Actions, so I just thought I'd ask there.

367
00:30:20,373 --> 00:30:22,143
Definitely something to be thinking of.

368
00:30:22,143 --> 00:30:28,281
So Sly is asking about, yeah, database GUIs, like SSMS, or is this really just command line tooling?

369
00:30:28,351 --> 00:30:31,409
So it sounds like the GUIs have to support certificates.

370
00:30:32,299 --> 00:30:32,479
Yeah.

371
00:30:32,479 --> 00:30:39,852
If you come to docs, I think there's actually a page here for guides for database GUI clients.

372
00:30:39,872 --> 00:30:41,402
And these are ones that we've tried.

373
00:30:42,122 --> 00:30:46,556
Like pgAdmin, and, like, it's a bit weird, these sort of GUIs.

374
00:30:46,576 --> 00:30:49,481
So just like read our instructions, so you can also reach out to us, we're happy to help.

375
00:30:50,141 --> 00:30:56,832
And so what you do is you load in the key file, which kind of
stays the same and you just do tsh login, which will refresh them.

376
00:30:57,662 --> 00:30:58,142
Okay.

377
00:30:58,932 --> 00:31:00,405
Yeah, because I have to keep remembering it.

378
00:31:00,448 --> 00:31:04,528
This isn't some system-based VPN that allows anything to run through that tunnel.

379
00:31:04,528 --> 00:31:11,563
This is protocol-specific and it doesn't wrap my client tools, it sounds like.

380
00:31:12,383 --> 00:31:19,363
It's dependent upon the client tools functionality, and
this is all using PKI, this is like all certificate based.

381
00:31:20,188 --> 00:31:20,468
Yeah.

382
00:31:20,498 --> 00:31:22,778
So we've talked about Kubernetes, we've talked about SSH.

383
00:31:22,808 --> 00:31:25,100
We've talked about database connections.

384
00:31:25,100 --> 00:31:30,399
You want to cover real quick, since we got a few more minutes, you
want to cover a little bit more of how the web-based access works?

385
00:31:31,164 --> 00:31:31,464
Yeah.

386
00:31:31,464 --> 00:31:37,160
I'm actually, I just have this Docker Compose script,
which it just has Grafana and Teleport running.

387
00:31:37,173 --> 00:31:43,063
So what we have is we just have a Grafana service and a Teleport service running.

388
00:31:43,613 --> 00:31:49,373
We have a small network, like a bridge network between
these two, and this is running a node map mode.

389
00:31:49,943 --> 00:31:51,473
I have a range of applications.

390
00:31:51,973 --> 00:31:56,534
The Grafana dashboard, and then it's the connection's going through Teleport.

391
00:31:57,034 --> 00:31:58,224
Even you can access this.

392
00:31:58,224 --> 00:32:02,091
And this is an example of using Teleport for application access.

393
00:32:03,051 --> 00:32:15,838
You might want to secure your own Grafana dashboard, or you could use this for, if you
had some staging or a local dev environment you wanted to share with the rest of your
teammates, you could use Teleport application access to share it and get sort of early feedback.

394
00:32:16,338 --> 00:32:17,868
I'm trying to think about how that works.

395
00:32:17,898 --> 00:32:20,808
So you've got that running on your local system.

396
00:32:20,868 --> 00:32:23,648
You're like, you're creating some custom Grafana dashboard.

397
00:32:24,518 --> 00:32:26,048
How do I get access to it?

398
00:32:26,048 --> 00:32:27,508
How does that connection actually work?

399
00:32:28,598 --> 00:32:33,438
How it works is, you can think of it like an SSH reverse tunnel.

400
00:32:33,938 --> 00:32:47,135
And so the initial connection goes through Teleport, and then it proxies your
connection down to my machine where I have this Teleport running as a sort of a
sidecar, and that sort of puts that connection back into the Teleport root cluster.

401
00:32:47,345 --> 00:32:48,813
And you access it through the root cluster.

402
00:32:49,793 --> 00:32:55,463
It sounds a little bit like inlets, if you've ever heard of Alex Ellis' inlets proxy.

403
00:32:55,551 --> 00:32:57,401
We've talked about on the show before, we've had him on the show.

404
00:32:57,451 --> 00:33:03,922
So basically your machine is reaching out to your Teleport server, making
that permanent connection that all this protocol's tunneling through.

405
00:33:03,922 --> 00:33:09,322
And then I am typing in the URL of essentially of the proxy server, right?

406
00:33:10,162 --> 00:33:10,372
Yeah.

407
00:33:10,372 --> 00:33:19,027
So to me, it looks like you just have an internet TLS proxy with a
friendly name that happens to then redirect it to your machine, okay.

408
00:33:19,167 --> 00:33:23,425
Yeah, like Grafana for me, I can probably access it on this, access.

409
00:33:23,575 --> 00:33:25,345
This, I think can access on zero, zero.

410
00:33:25,845 --> 00:33:29,627
This is how I could access it through kinda like Docker networking.

411
00:33:29,867 --> 00:33:31,497
Directly on your machine without Teleport.

412
00:33:31,527 --> 00:33:31,887
Okay.

413
00:33:32,067 --> 00:33:32,247
Yup.

414
00:33:32,297 --> 00:33:42,353
Yeah, so I like that sidecar analogy. So then would you need one of these Teleport
sidecars for each web app that you wanted to have distinctly in that list?

415
00:33:42,366 --> 00:33:49,706
Not necessarily, you can add multiple ones, but it's probably a
good security model to have one sidecar, they're very small,

416
00:33:49,871 --> 00:33:50,201
right.

417
00:33:51,081 --> 00:33:55,025
Then you just have the local loopback, so you don't
have to put the application too wide on the network.

418
00:33:55,185 --> 00:33:55,455
Yeah.

419
00:33:55,455 --> 00:34:01,155
Otherwise I would imagine you can't granularly control each individual
one, it's all or nothing if you're putting a bunch in there.

420
00:34:01,254 --> 00:34:13,314
So this is almost, it's like an application list of things I can access that I may not
have direct connectivity, may or may not have direct connectivity to those things,
but almost becomes like the, this is, it's a totally different technology, but this

421
00:34:13,314 --> 00:34:20,722
kind of reminds me of, if anyone's ever had to run like a Citrix server, you would
get a webpage with all these app buttons and they would be running all over the place.

422
00:34:20,722 --> 00:34:28,897
You have no idea where those apps are actually running and what data center, whatever,
but you, the user, just use a webpage, you click it, the thing opens, it's magic.

423
00:34:28,922 --> 00:34:33,221
That's a totally different technology, but, it didn't
matter what system I was on or where I was on the network.

424
00:34:33,221 --> 00:34:34,391
I could just get to those things.

425
00:34:34,391 --> 00:34:36,313
So that's a pretty interesting workflow there.

426
00:34:36,393 --> 00:34:39,873
So when it's listing applications, is that including Kubernetes?

427
00:34:40,913 --> 00:34:43,480
kubectl or is that really just web applications?

428
00:34:43,480 --> 00:34:44,890
These are web dashboards.

429
00:34:44,940 --> 00:34:47,850
I have added like the standard Kubernetes dashboard before.

430
00:34:48,350 --> 00:34:50,750
So like the Kubernetes dashboard, because it's HTTP.

431
00:34:50,818 --> 00:34:51,508
Yeah, very neat.

432
00:34:51,808 --> 00:34:53,539
And again, this is all open source right now.

433
00:34:53,694 --> 00:34:54,114
at the.

434
00:34:54,369 --> 00:34:55,329
been open source.

435
00:34:55,438 --> 00:35:00,568
Question from the audience, Muhammad asks, for tunneling,
does it use something like WireGuard under the hood?

436
00:35:01,568 --> 00:35:04,058
We don't use WireGuard currently.

437
00:35:04,178 --> 00:35:07,468
I actually have a really good blog post on using WireGuard for Kubernetes.

438
00:35:07,688 --> 00:35:11,288
Is WireGuard protocol-specific or is it more of a universal tunnel?

439
00:35:11,788 --> 00:35:13,438
I always understood it was a universal.

440
00:35:13,948 --> 00:35:24,387
It's a universal. So if you're interested in WireGuard and using
WireGuard for Kubernetes, Kevin wrote this blog post, which we used
for Gravity, but I think it's an open source project you can use.

441
00:35:24,387 --> 00:35:29,127
So if you ever want to go deep on WireGuard for
Kubernetes, I highly recommend checking out his post.

442
00:35:29,917 --> 00:35:32,626
And it covers sort of everything and kind of goes

443
00:35:32,806 --> 00:35:33,406
Warhol.

444
00:35:34,336 --> 00:35:34,516
Yeah.

445
00:35:34,516 --> 00:35:34,906
Wormhole.

446
00:35:34,906 --> 00:35:35,116
Yeah.

447
00:35:35,771 --> 00:35:36,893
Um, all right.

448
00:35:37,313 --> 00:35:39,897
Uh, anything else you want to show off before we wrap this up?

449
00:35:40,507 --> 00:35:40,747
Nope.

450
00:35:40,807 --> 00:35:42,367
I think we've covered a lot today.

451
00:35:42,367 --> 00:35:43,267
It's been a lot of fun.

452
00:35:43,475 --> 00:35:43,715
Okay.

453
00:35:43,715 --> 00:35:43,925
Yeah.

454
00:35:43,925 --> 00:35:44,645
So how do they get it?

455
00:35:44,712 --> 00:35:44,982
GitHub.

456
00:35:44,982 --> 00:35:46,592
Just go to Get Started.

457
00:35:47,106 --> 00:35:48,279
It's free download.

458
00:35:48,280 --> 00:35:49,090
You can download it here.

459
00:35:49,120 --> 00:35:50,990
I'd recommend checking out this quick-start guide.

460
00:35:50,991 --> 00:35:52,964
I have a short five minute video on setting it up.

461
00:35:53,085 --> 00:35:57,452
If you have seven, if there's 77 people on the phone,
on the line right now, you can get us to 10,000 stars.

462
00:35:58,692 --> 00:35:58,962
All right.

463
00:35:58,962 --> 00:35:59,802
I'll put my star in.

464
00:35:59,802 --> 00:36:04,730
So we're at gravitational on GitHub, gravitational/teleport, right?

465
00:36:04,760 --> 00:36:04,987
Yeah.

466
00:36:05,927 --> 00:36:11,447
In fact on the website on github.com, it actually just shows 9.9K.

467
00:36:12,137 --> 00:36:17,727
So I will put everyone to that, that GitHub, we'll see if we can't get you a little bit closer.

468
00:36:19,157 --> 00:36:20,117
It's a fantasy metric.

469
00:36:20,183 --> 00:36:21,130
Yeah, but it's fun.

470
00:36:21,130 --> 00:36:22,270
We all love round numbers.

471
00:36:22,317 --> 00:36:29,518
I've been watching my Twitter feed for the longest time waiting for it to hit 10,000 and it's
been really slow going, but I'm excited that it might happen one day, maybe this year, who knows?

472
00:36:29,536 --> 00:36:35,986
But yeah, so we can go to the website, download it, walk through the examples, or you
can read all about it on the table of contents on GitHub, if that's your preference.

473
00:36:36,048 --> 00:36:41,107
I'll tell you what, I spent so much of my life on
GitHub, now I might as well just have a GitHub computer.

474
00:36:41,467 --> 00:36:47,534
Like all my tabs are all GitHub, and so I almost
always prefer the GitHub format over website formats.

475
00:36:47,584 --> 00:36:47,944
Yeah.

476
00:36:47,974 --> 00:36:50,941
Actually, if you want to get started, this is a super concise README.

477
00:36:51,151 --> 00:36:54,021
You don't have to go to our website, everything you need is here.

478
00:36:54,521 --> 00:36:58,211
And then also if you're interested in hacking in Go, there's like a super clean Go project as well.

479
00:36:58,211 --> 00:36:59,051
We're also hiring.

480
00:36:59,162 --> 00:36:59,582
There you go.

481
00:37:00,902 --> 00:37:01,292
If you want to

482
00:37:01,292 --> 00:37:01,712
for those.

483
00:37:01,742 --> 00:37:04,032
some open source Go, come join us.

484
00:37:04,032 --> 00:37:04,092
Yeah.

485
00:37:04,137 --> 00:37:07,309
If, about every month I hear, I, I worked with a lot of projects.

486
00:37:07,369 --> 00:37:16,567
Obviously, I have a lot of students and all the time, I see people
switching to Golang and, it's so much to the point now that I feel like
that even if I don't develop in it everyday, I just need to know it now.

487
00:37:16,597 --> 00:37:22,237
Like it, it's become one of those things like Python or bash or that you just, or JavaScript.

488
00:37:22,307 --> 00:37:24,197
It's almost like at some point, you're going to be expected to know.

489
00:37:24,197 --> 00:37:27,837
If you're in the Cloud Native space, you probably need at least to know how to read Golang.

490
00:37:27,875 --> 00:37:29,495
It's awesome that you guys have such open source.

491
00:37:29,525 --> 00:37:31,565
Jason, thank you for the open source community version.

492
00:37:32,105 --> 00:37:34,535
And I think that's going to wrap it up.

493
00:37:34,947 --> 00:37:35,997
Thanks so much for being on the show.

494
00:37:35,997 --> 00:37:38,337
We've been planning this now for about a month, I think.

495
00:37:38,497 --> 00:37:44,720
I have been very curious about this product and wanting to use it on
my own stuff, especially not realizing how much of it is open source.

496
00:37:44,770 --> 00:37:48,536
It seems very interesting to me to be able to have universal because I have all the same needs.

497
00:37:48,536 --> 00:38:00,136
Just on a personal level, I have Kubernetes clusters that I use, I have nodes
that I want to get into and I have websites running in places, like the Kubernetes
dashboard that I don't necessarily want to have just a complete open public access.

498
00:38:00,226 --> 00:38:07,179
And the only thing that's blocking me is the Kubernetes certificate, that's
only on my machine because I haven't put it anywhere else or backed it up.

499
00:38:07,726 --> 00:38:08,986
This might be a good thing to check out.

500
00:38:09,786 --> 00:38:09,946
Yeah.

501
00:38:09,946 --> 00:38:10,373
Thanks, Ben.

502
00:38:10,373 --> 00:38:12,863
You can see, by the way, you can get ahold of him on Twitter.

503
00:38:13,103 --> 00:38:16,433
I'm just going to volunteer him, if you have any further questions, get him on Twitter.

504
00:38:16,885 --> 00:38:17,355
hopefully,

505
00:38:17,363 --> 00:38:18,770
channel too if you ever want to join us.

506
00:38:18,810 --> 00:38:19,290
Oh, nice.

507
00:38:20,110 --> 00:38:20,250
Yeah.

508
00:38:20,250 --> 00:38:23,160
So if you have more questions and I'm sure there's people in there to help.

509
00:38:23,693 --> 00:38:23,943
All right.

510
00:38:23,943 --> 00:38:25,392
Thank you so much, Ben, for being on the show.

511
00:38:25,977 --> 00:38:26,307
Cool.

512
00:38:26,337 --> 00:38:26,847
Thank you.

513
00:38:27,502 --> 00:38:30,292
Thanks so much for listening and I'll see you in the next episode.