From 242c51477874f8c9d229e41a5c3eee6edc1d68aa Mon Sep 17 00:00:00 2001 From: Jakub Nyckowski Date: Thu, 30 May 2024 14:38:18 -0400 Subject: [PATCH 1/2] Update access graph version and add Docker deployment warning (#42002) * Update access graph version and add Docker deployment warning The access graph version in the config.json file has been updated from 1.20.1 to 1.20.4. Also, a warning notice about Docker deployment suitability for testing and development purposes only has been added in the Docker deployment page. * Update access control documentation for non-root containers The Access Graph service documentation has been updated to reflect that containers now run as non-root users by default starting from version 1.20.4. Instructions have been amended to guide users on the necessary steps to ensure certificate files are readable by the new non-root user. Obsolete file permission tweaks were also removed. * Update Access Graph documentation The documentation for the Access-Graph service has been updated to clarify the information about non-root user and adjust the command-line path. It also includes corrections to some formatting issues for a better readability. * Apply suggestions from code review Co-authored-by: Paul Gottschling --------- Co-authored-by: Paul Gottschling --- docs/config.json | 2 +- .../access-controls/access-graph/self-hosted.mdx | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/config.json b/docs/config.json index 8b76f975f0292..78e7a2753ea88 100644 --- a/docs/config.json +++ b/docs/config.json @@ -1912,7 +1912,7 @@ "nodeIP": "ip-172-31-35-170" }, "access_graph": { - "version": "1.20.1" + "version": "1.20.4" }, "ansible": { "min_version": "2.9.6" diff --git a/docs/pages/access-controls/access-graph/self-hosted.mdx b/docs/pages/access-controls/access-graph/self-hosted.mdx index d950401d50bb4..c722f5f6294cb 100644 --- a/docs/pages/access-controls/access-graph/self-hosted.mdx 
+++ b/docs/pages/access-controls/access-graph/self-hosted.mdx @@ -29,8 +29,19 @@ to Teleport Enterprise customers. - A TLS certificate for the Access Graph service - The TLS certificate must be issued for "server authentication" key usage, and must list the IP or DNS name of the TAG service in an X.509 v3 `subjectAltName` extension. + - Starting from version 1.20.4 of the Access Graph service, the container runs as a non-root user by default. + Make sure the certificate files are readable by the user running the container. You can set correct permissions with the following command: + ```code + $ sudo chown 65532 /etc/access_graph/tls.key + ``` - The node running the Access Graph service must be reachable from Teleport Auth Service and Proxy Service. + + The deployment with Docker is suitable for testing and development purposes. For production deployments, + consider using the Teleport Access Graph Helm chart to deploy this service on Kubernetes. + Refer to [Helm chart for Access Graph](self-hosted-helm.mdx) for instructions. + + ## Step 1/3. Set up the Teleport Access Graph service You will need a copy of your Teleport cluster's host certificate authority (CA) on the machine that hosts the Access Graph service. From 79d2a27c510e7edb320f41bf7db0f5bf21aff8e8 Mon Sep 17 00:00:00 2001 From: Paul Gottschling Date: Thu, 30 May 2024 15:26:06 -0400 Subject: [PATCH 2/2] Update "agent ports" Networking Reference section (#41021) The current guide suggests that you can connect directly to the Windows Desktop Service in order to access a desktop, but this is incorrect. Change the section to provide a more accurate description of direct agent dialling. Since we recommend joining agents to a cluster via the Proxy Service, this change also adds direct dialling information to a `Details` box. --- docs/pages/reference/networking.mdx | 30 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 16 deletions(-) 
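Review bot: in the self-hosted.mdx hunk, `$ sudo chown 65532 /etc/access_graph/tls.key` touches only the private key, while the sentence above it tells the reader to make "the certificate files" readable, and the number 65532 is never explained. Suggest stating in the text which UID the container runs as from 1.20.4 (so a reader who mounts the files from another path, or runs the image under a different UID, knows what to match) and extending the command to the certificate and CA files the service reads, not just the key. It is also worth one clause saying to keep the key's mode restrictive (owned by that UID, not world-readable): chown is the right fix here, loosening permissions with chmod is not, and readers hitting a permission error will reach for the latter. Separately, the new Docker paragraph drops the "only" that the commit message uses ("suitable for testing and development purposes only"); as written, "The deployment with Docker is suitable for testing and development purposes." reads as an endorsement rather than a warning, and since the commit message calls this a warning notice it should render as a warning callout rather than body text if the docs have such a component.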
diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index ad8302aac8c42..fa2d9febc24d1 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx @@ -233,21 +233,16 @@ Service, Kubernetes Service, and other services that protect resources in your infrastructure, there is no need to open ports on the machines running the agents to the public internet. -Some Teleport services listen for traffic to one of their proxied resources, -meaning that you can expose ports on that service's host directly to clients. -This is useful when you need to connect to resources directly if the Proxy -Service becomes unavailable. +
- - In Teleport Cloud, the Auth and Proxy Services run in Teleport-owned infrastructure. -For this reason, Teleport Cloud customers must connect their resources via reverse tunnels. -Exposing ports for direct dial is only supported in self-hosted deployments. - +If you run a self-hosted Teleport cluster, you can join an agent [directly to +the Teleport Auth +Service](../agents/join-services-to-your-cluster/join-token.mdx#start-your-teleport-process-with-the-invite-token). +In this setup, certain Teleport services open their own listeners rather than +accepting connections via reverse tunnel. The Proxy Service connects to these +agent services by dialing them directly. -The table below describes the ports that each Teleport Service opens for proxied +The table below describes the ports that each Teleport service opens for proxied traffic: | Port | Service | Traffic Type | @@ -256,6 +251,9 @@ traffic: | 3026 | Kubernetes Service | HTTPS traffic to a Kubernetes API server.| | 3028 | Windows Desktop Service | Teleport Desktop Protocol traffic from Teleport clients.| -You can only access enrolled applications and databases through the Teleport Proxy Service. -The Teleport Application Service and Teleport Database Service use reverse tunnel -connections through the Teleport Proxy Service and cannot expose ports directly. +You can only access enrolled applications and desktops through the Teleport +Proxy Service. The Teleport Application Service and Teleport Database Service +use reverse tunnel connections through the Teleport Proxy Service and cannot +expose ports directly. + +
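Review bot: in the first networking.mdx hunk (@@ -233,21 +233,16 @@), the removed tip said explicitly that Teleport Cloud customers must connect resources via reverse tunnels and that direct dial is only supported in self-hosted deployments; the replacement opens with "If you run a self-hosted Teleport cluster" and leaves the Cloud restriction implied. Keep one explicit sentence for Cloud readers, because the port table that follows still advertises open listeners. Also, the commit message says this material moves into a `Details` box, but the lines that would carry the box's open and close appear here only as bare `+` lines around the new text; verify the wrapper is present and balanced in the file.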
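Review bot: in the second networking.mdx hunk (@@ -256,6 +251,9 @@), the rewritten closing paragraph is internally inconsistent. The first sentence now reads "You can only access enrolled applications and desktops through the Teleport Proxy Service", but the second sentence still names "The Teleport Application Service and Teleport Database Service" as the services that cannot expose ports, so databases have been dropped from the first sentence and the Windows Desktop Service is missing from the second. The table two lines above also still describes port 3028 as "Teleport Desktop Protocol traffic from Teleport clients", which contradicts both the new sentence and the commit message's point that clients cannot connect directly to the Windows Desktop Service. Suggest listing applications, databases, and desktops in the first sentence, naming all three services in the second, and rewording the 3028 row's traffic type to describe connections dialed by the Proxy Service, consistent with "The Proxy Service connects to these agent services by dialing them directly."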