Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ConnectionTester ¶
type ConnectionTester interface {
	// TestConnection implementations should be as close to a real-world scenario as possible.
	//
	// They should create a ConnectionDiagnostic and pass its id in their certificate when trying to connect to the resource.
	// The agent/server/node should check for the id in the certificate and add traces to the ConnectionDiagnostic
	// according to whether it passed certain checkpoints.
	TestConnection(context.Context, TestConnectionRequest) (types.ConnectionDiagnostic, error)
}
ConnectionTester is a mechanism to test resource access. The result is a list of traces generated at multiple checkpoints. If the connection fails, those traces show the end-user which checkpoint failed and why.
func ConnectionTesterForKind ¶
func ConnectionTesterForKind(cfg ConnectionTesterConfig) (ConnectionTester, error)
ConnectionTesterForKind returns the proper Tester for the resource kind given in cfg.ResourceKind. It returns trace.NotImplemented if the resource kind does not have a tester.
type ConnectionTesterConfig ¶
type ConnectionTesterConfig struct {
	// ResourceKind contains the resource type to test.
	// You should use the types.Kind<Resource> strings.
	ResourceKind string
	// UserClient is an auth client that has a User's identity.
	// This is the user that is running the SSH Connection Test.
	UserClient auth.ClientI
	// ProxyHostPort is the proxy to use in the `--proxy` format (host:webPort,sshPort)
	ProxyHostPort string
	// KubernetesPublicProxyAddr is the kubernetes proxy.
	KubernetesPublicProxyAddr string
	// TLSRoutingEnabled indicates that proxy supports ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool
}
ConnectionTesterConfig contains all the required variables to build a connection test.
type KubeConnectionTester ¶
type KubeConnectionTester struct {
// contains filtered or unexported fields
}
KubeConnectionTester implements the ConnectionTester interface for testing Kubernetes access.
func NewKubeConnectionTester ¶
func NewKubeConnectionTester(cfg KubeConnectionTesterConfig) (*KubeConnectionTester, error)
NewKubeConnectionTester returns a new KubeConnectionTester.
func (*KubeConnectionTester) TestConnection ¶
func (s *KubeConnectionTester) TestConnection(ctx context.Context, req TestConnectionRequest) (types.ConnectionDiagnostic, error)
TestConnection tests Kubernetes access to the target Kubernetes cluster using
- the provided client
- the resource name
A new ConnectionDiagnostic is created and used to store the traces as the test goes through the checkpoints. To connect to the Kubernetes cluster, it creates a cert-key pair and sets up a Kubernetes client that connects back through the Teleport Proxy. It reports the following cases:
- a trace of whether the Kubernetes cluster is reachable
- a trace of whether the user's roles define Kubernetes principals for the cluster: `kubernetes_groups` and `kubernetes_users`
- a trace of whether the user's roles grant access to the desired Kubernetes cluster: `kubernetes_labels` allow access
- a trace of whether the cluster is accessible and pods can be listed in the desired namespace
type KubeConnectionTesterConfig ¶
type KubeConnectionTesterConfig struct {
	// UserClient is an auth client that has a User's identity.
	UserClient auth.ClientI
	// ProxyHostPort is the proxy to use in the `--proxy` format (host:webPort,sshPort)
	ProxyHostPort string
	// KubernetesPublicProxyAddr is the kubernetes proxy address.
	KubernetesPublicProxyAddr string
	// TLSRoutingEnabled indicates that proxy supports ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool
}
KubeConnectionTesterConfig defines the config fields for KubeConnectionTester.
type KubernetesImpersonation ¶
type KubernetesImpersonation struct {
	// KubernetesUser is the Kubernetes user to impersonate for this request.
	// Optional - If multiple values are configured the user must select one,
	// otherwise the request will return an error.
	KubernetesUser string `json:"kubernetes_user,omitempty"`
	// KubernetesGroups are the Kubernetes groups to impersonate for this request.
	// Optional - If not specified it uses all configured groups.
	// When KubernetesGroups is specified, KubernetesUser must be provided
	// as well.
	KubernetesGroups []string `json:"kubernetes_groups,omitempty"`
}
KubernetesImpersonation allows configuring a subset of `kubernetes_users` and `kubernetes_groups` to impersonate.
type SSHConnectionTester ¶
type SSHConnectionTester struct {
// contains filtered or unexported fields
}
SSHConnectionTester implements the ConnectionTester interface for testing SSH access.
func NewSSHConnectionTester ¶
func NewSSHConnectionTester(cfg SSHConnectionTesterConfig) (*SSHConnectionTester, error)
NewSSHConnectionTester creates a new SSHConnectionTester.
func (*SSHConnectionTester) TestConnection ¶
func (s *SSHConnectionTester) TestConnection(ctx context.Context, req TestConnectionRequest) (types.ConnectionDiagnostic, error)
TestConnection tests an SSH connection to the target Node using
- the provided client
- the resource name
- the principal (Linux user)
A new ConnectionDiagnostic is created and used to store the traces as the test goes through the checkpoints. To set up the SSH client, it generates a new certificate and injects the ConnectionDiagnosticID into it. Then:
- the tester adds a trace of whether the SSH Node was reachable
- the SSH Node receives the certificate and extracts the ConnectionDiagnosticID
- the SSH Node appends a trace indicating whether the user has access (RBAC)
- the SSH Node appends a trace indicating whether the requested principal is valid for the target Node
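The two-sided checkpoint flow described above, as an added example that is not Teleport's own code: the tester creates a diagnostic, carries its ID in the certificate and records reachability itself; the node side extracts the ID and appends the RBAC and principal traces. Every type here (Trace, Diagnostic, store, fakeCert, fakeNode, sshTester) is a stand-in for the real types.ConnectionDiagnostic, the user certificate and the SSH node, the extension name is assumed, and the node's allow-lists and the node names are constructed sample data.

```go
package main

// Added example, not Teleport's own code: stand-in types that model the
// checkpoint/trace flow above. Extension name and policy tables are assumptions.

import "fmt"

// Trace is one checkpoint result; Checkpoint is "reachable", "rbac" or "principal".
type Trace struct{ Checkpoint string; Success bool; Detail string }

// Diagnostic stands in for types.ConnectionDiagnostic.
type Diagnostic struct{ ID string; Success bool; Traces []Trace }

// store stands in for the auth backend both sides append traces to, keyed by ID.
type store map[string]*Diagnostic

func (s store) appendTrace(id string, t Trace) {
	if d, ok := s[id]; ok {
		d.Traces = append(d.Traces, t)
	}
}

// diagIDExtension is the assumed certificate extension that carries the ID.
const diagIDExtension = "teleport-connection-diagnostic-id"

// fakeCert models the short-lived user certificate generated for one test.
type fakeCert struct{ TeleportUser, Principal string; Extensions map[string]string }

// fakeNode models the node side: reachability, RBAC and the host's logins.
type fakeNode struct {
	reachable    bool
	allowedUsers map[string]bool // Teleport users whose roles allow this node
	logins       map[string]bool // Linux users that exist on the host
}

// handshake is the node's part: extract the ID from the cert, then append one
// trace per checkpoint; the first failed checkpoint ends the handshake.
func (n *fakeNode) handshake(s store, c fakeCert) bool {
	id, ok := c.Extensions[diagIDExtension]
	if !ok {
		return false // no ID: nothing to attach traces to
	}
	if !n.allowedUsers[c.TeleportUser] {
		s.appendTrace(id, Trace{"rbac", false, "no role of " + c.TeleportUser + " allows this node"})
		return false
	}
	s.appendTrace(id, Trace{"rbac", true, "a role allows access to this node"})
	if !n.logins[c.Principal] {
		s.appendTrace(id, Trace{"principal", false, "login " + c.Principal + " does not exist on the host"})
		return false
	}
	s.appendTrace(id, Trace{"principal", true, "login " + c.Principal + " is valid"})
	return true
}

// sshTester is the client part: it creates the diagnostic, puts the ID in the
// cert, dials the node (here: a map lookup) and records reachability itself.
type sshTester struct {
	user   string
	store  store
	nodes  map[string]*fakeNode
	nextID int
}

// TestConnection returns the diagnostic; failed checkpoints surface as traces.
func (t *sshTester) TestConnection(resourceName, principal string) *Diagnostic {
	t.nextID++
	d := &Diagnostic{ID: fmt.Sprintf("diag-%d", t.nextID)}
	t.store[d.ID] = d
	cert := fakeCert{t.user, principal, map[string]string{diagIDExtension: d.ID}}
	node := t.nodes[resourceName]
	if node == nil || !node.reachable {
		t.store.appendTrace(d.ID, Trace{"reachable", false, "could not dial " + resourceName})
		return d
	}
	t.store.appendTrace(d.ID, Trace{"reachable", true, "dialed " + resourceName})
	d.Success = node.handshake(t.store, cert)
	return d
}

// newExampleTester wires the tester for user alice to two constructed nodes.
func newExampleTester() *sshTester {
	return &sshTester{user: "alice", store: store{}, nodes: map[string]*fakeNode{
		"web-01": {reachable: true, allowedUsers: map[string]bool{"alice": true}, logins: map[string]bool{"ubuntu": true}},
		"db-01":  {reachable: false},
	}}
}

func main() {
	d := newExampleTester().TestConnection("web-01", "root")
	for _, tr := range d.Traces {
		fmt.Printf("%-10s ok=%-5v %s\n", tr.Checkpoint, tr.Success, tr.Detail)
	}
}
```

The point of the model is that the node never talks to the tester directly: it only learns the diagnostic ID from the certificate, so a certificate without that extension produces no trace at all, and a request for a login that does not exist on the host still yields a passing reachability trace and a passing RBAC trace before the failing principal trace.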
type SSHConnectionTesterConfig ¶
type SSHConnectionTesterConfig struct {
	// UserClient is an auth client that has a User's identity.
	// This is the user that is running the SSH Connection Test.
	UserClient auth.ClientI
	// ProxyHostPort is the proxy to use in the `--proxy` format (host:webPort,sshPort)
	ProxyHostPort string
	// TLSRoutingEnabled indicates that proxy supports ALPN SNI server where
	// all proxy services are exposed on a single TLS listener (Proxy Web Listener).
	TLSRoutingEnabled bool
}
SSHConnectionTesterConfig has the necessary fields to create a new SSHConnectionTester.
type TestConnectionRequest ¶
type TestConnectionRequest struct {
	// ResourceKind describes the type of resource to test.
	ResourceKind string `json:"resource_kind"`
	// ResourceName is the identification of the resource's instance to test.
	ResourceName string `json:"resource_name"`
	// SSHPrincipal is the Linux username to use in a connection test.
	// Specific to SSHTester.
	SSHPrincipal string `json:"ssh_principal,omitempty"`
	// KubernetesNamespace is the Kubernetes Namespace to List the Pods in.
	// Specific to KubernetesTester.
	KubernetesNamespace string `json:"kubernetes_namespace,omitempty"`
	// KubernetesImpersonation allows to configure a subset of `kubernetes_users` and
	// `kubernetes_groups` to impersonate.
	// Specific to KubernetesTester.
	KubernetesImpersonation KubernetesImpersonation `json:"kubernetes_impersonation,omitempty"`
	// DialTimeout when trying to connect to the destination host
	DialTimeout time.Duration `json:"dial_timeout,omitempty"`
}
TestConnectionRequest contains the identification of the resource kind and resource name to test, plus additional parameters that depend on the kind of resource under test. For example, for an SSH Node it also includes the user/principal that will be used to log in.
func (*TestConnectionRequest) CheckAndSetDefaults ¶
func (r *TestConnectionRequest) CheckAndSetDefaults() error
CheckAndSetDefaults validates the Request has the required fields.
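A stand-in for the request type and its CheckAndSetDefaults, as an added example that is not Teleport's own code, showing how a validator can enforce the constraints the field comments above state (required kind and name, ssh_principal only meaningful for nodes, kubernetes_groups requiring kubernetes_user). The kind strings, the 30-second default dial timeout, the "default" namespace fallback, the rejection of negative timeouts and of unknown JSON fields, and the JSON bodies are all assumptions or constructed data for this example.

```go
package main

// Added example, not Teleport's own code: a stand-in TestConnectionRequest whose
// CheckAndSetDefaults enforces the constraints stated in the field comments above.
// Kind strings, defaults and the unknown-field rejection are assumptions.

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

const (
	kindNode           = "node"         // assumed; Teleport uses types.Kind<Resource> constants
	kindKubeCluster    = "kube_cluster" // assumed
	defaultDialTimeout = 30 * time.Second
	defaultNamespace   = "default"
)

// KubernetesImpersonation selects a subset of kubernetes_users/kubernetes_groups.
type KubernetesImpersonation struct {
	KubernetesUser   string   `json:"kubernetes_user,omitempty"`
	KubernetesGroups []string `json:"kubernetes_groups,omitempty"`
}

// TestConnectionRequest mirrors the documented fields and JSON tags.
type TestConnectionRequest struct {
	ResourceKind            string                  `json:"resource_kind"`
	ResourceName            string                  `json:"resource_name"`
	SSHPrincipal            string                  `json:"ssh_principal,omitempty"`
	KubernetesNamespace     string                  `json:"kubernetes_namespace,omitempty"`
	KubernetesImpersonation KubernetesImpersonation `json:"kubernetes_impersonation,omitempty"`
	DialTimeout             time.Duration           `json:"dial_timeout,omitempty"` // nanoseconds on the wire
}

// CheckAndSetDefaults validates the common fields, then the kind-specific ones.
func (r *TestConnectionRequest) CheckAndSetDefaults() error {
	if r.ResourceKind == "" {
		return errors.New("missing required field: resource_kind")
	}
	if r.ResourceName == "" {
		return errors.New("missing required field: resource_name")
	}
	switch {
	case r.DialTimeout < 0:
		return fmt.Errorf("dial_timeout must not be negative, got %v", r.DialTimeout)
	case r.DialTimeout == 0:
		r.DialTimeout = defaultDialTimeout
	}
	switch r.ResourceKind {
	case kindNode:
		if r.SSHPrincipal == "" {
			return errors.New("ssh_principal is required when resource_kind is node")
		}
	case kindKubeCluster:
		if r.KubernetesNamespace == "" {
			r.KubernetesNamespace = defaultNamespace
		}
		imp := r.KubernetesImpersonation
		// Groups alone are ambiguous: the docs require a user whenever groups are set.
		if len(imp.KubernetesGroups) > 0 && imp.KubernetesUser == "" {
			return errors.New("kubernetes_impersonation.kubernetes_user is required when kubernetes_groups is set")
		}
	default:
		return fmt.Errorf("unsupported resource_kind %q", r.ResourceKind)
	}
	return nil
}

// parseRequest decodes a JSON body as an HTTP handler would receive it, rejecting
// unknown fields so a misspelled field name cannot silently turn into a default.
func parseRequest(body []byte) (*TestConnectionRequest, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req TestConnectionRequest
	if err := dec.Decode(&req); err != nil {
		return nil, fmt.Errorf("decoding request: %w", err)
	}
	if err := req.CheckAndSetDefaults(); err != nil {
		return nil, err
	}
	return &req, nil
}

func main() {
	// Constructed sample bodies, not captured traffic.
	for _, body := range []string{
		`{"resource_kind":"node","resource_name":"web-01","ssh_principal":"ubuntu"}`,
		`{"resource_kind":"kube_cluster","resource_name":"prod","kubernetes_impersonation":{"kubernetes_groups":["developers"]}}`,
		`{"resource_kind":"node","resource_name":"web-01","ssh_pricipal":"ubuntu"}`,
	} {
		req, err := parseRequest([]byte(body))
		fmt.Printf("req=%+v err=%v\n", req, err)
	}
}
```

Validating before dispatching matters here because the request's kind-specific fields are silently ignored by the other testers: a node request with no ssh_principal would otherwise reach the SSH tester with an empty login, and a kube request with groups but no user would produce a certificate whose impersonation the cluster rejects, burying a client-side mistake in a server-side trace.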