adding SSHPortForwarding config to RoleOptions

gravitational · Nov 22, 2024 · 4fc4a63 · 4fc4a63
1 parent dee7a6f
commit 4fc4a63
Show file tree

Hide file tree

Showing 14 changed files with 2,887 additions and 2,344 deletions.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -2923,6 +2923,22 @@ enum CreateDatabaseUserMode {
   DB_USER_MODE_BEST_EFFORT_DROP = 3;
 }
 
+// SSHPortForwardConfig defines which types of SSH port forwarding are permitted, if any.
+message SSHPortForwardConfig {
+  // Allow local port forwarding.
+  BoolValue Local = 1 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "local,omitempty",
+    (gogoproto.customtype) = "BoolOption"
+  ];
+  // Allow remote port forwarding.
+  BoolValue Remote = 2 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "remote,omitempty",
+    (gogoproto.customtype) = "BoolOption"
+  ];
+}
+
 // RoleOptions is a set of role options
 message RoleOptions {
   // ForwardAgent is SSH agent forwarding.
@@ -2937,11 +2953,9 @@ message RoleOptions {
     (gogoproto.casttype) = "Duration"
   ];
 
-  // PortForwarding defines if the certificate will have
-  // "permit-port-forwarding"
-  // in the certificate. PortForwarding is "yes" if not set,
-  // that's why this is a pointer
+  // Deprecated: Use SSHPortForwarding instead
   BoolValue PortForwarding = 3 [
+    deprecated = true,
     (gogoproto.nullable) = true,
     (gogoproto.jsontag) = "port_forwarding,omitempty",
     (gogoproto.customtype) = "BoolOption"
@@ -3108,6 +3122,12 @@ message RoleOptions {
 
   // CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
   string CreateHostUserDefaultShell = 31 [(gogoproto.jsontag) = "create_host_user_default_shell,omitempty"];
+
+  // SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.
+  SSHPortForwardConfig SSHPortForwarding = 32 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "ssh_port_forwarding,omitempty"
+  ];
 }
 
 message RecordSession {

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
@@ -388,12 +388,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.|
 
 ### spec.options.cert_extensions items
 
@@ -424,6 +425,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
 |ssh|string|SSH indicates the session mode used on SSH sessions.|
 
+### spec.options.ssh_port_forwarding
+
+|Field|Type|Description|
+|---|---|---|
+|local|boolean|Allow local port forwarding.|
+|remote|boolean|Allow remote port forwarding.|
+
 ## resources.teleport.dev/v6
 
 **apiVersion:** resources.teleport.dev/v6
@@ -801,12 +809,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.|
 
 ### spec.options.cert_extensions items
 
@@ -837,3 +846,10 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
 |ssh|string|SSH indicates the session mode used on SSH sessions.|
 
+### spec.options.ssh_port_forwarding
+
+|Field|Type|Description|
+|---|---|---|
+|local|boolean|Allow local port forwarding.|
+|remote|boolean|Allow remote port forwarding.|
+
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx
@@ -388,12 +388,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.|
 
 ### spec.options.cert_extensions items
 
@@ -424,3 +425,10 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
 |ssh|string|SSH indicates the session mode used on SSH sessions.|
 
+### spec.options.ssh_port_forwarding
+
+|Field|Type|Description|
+|---|---|---|
+|local|boolean|Allow local port forwarding.|
+|remote|boolean|Allow remote port forwarding.|
+
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx
@@ -388,12 +388,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding defines which types of SSH port forwarding are permitted, if any.|
 
 ### spec.options.cert_extensions items
 
@@ -424,3 +425,10 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
 |ssh|string|SSH indicates the session mode used on SSH sessions.|
 
+### spec.options.ssh_port_forwarding
+
+|Field|Type|Description|
+|---|---|---|
+|local|boolean|Allow local port forwarding.|
+|remote|boolean|Allow remote port forwarding.|
+
diff --git a/docs/pages/reference/terraform-provider/data-sources/role.mdx b/docs/pages/reference/terraform-provider/data-sources/role.mdx
@@ -433,12 +433,13 @@ Optional:
 - `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
 - `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
 - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
-- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer
+- `port_forwarding` (Boolean) Deprecated: Use SSHPortForwarding instead
 - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
 - `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `ssh_file_copy` (Boolean) SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
+- `ssh_port_forwarding` (Attributes) SSHPortForwarding defines which types of SSH port forwarding are permitted, if any. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))
 
 ### Nested Schema for `spec.options.cert_extensions`
 
@@ -472,3 +473,11 @@ Optional:
 - `desktop` (Boolean) Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.
 - `ssh` (String) SSH indicates the session mode used on SSH sessions.
 
+
+### Nested Schema for `spec.options.ssh_port_forwarding`
+
+Optional:
+
+- `local` (Boolean) Allow local port forwarding.
+- `remote` (Boolean) Allow remote port forwarding.
+
diff --git a/docs/pages/reference/terraform-provider/resources/role.mdx b/docs/pages/reference/terraform-provider/resources/role.mdx
@@ -487,12 +487,13 @@ Optional:
 - `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
 - `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
 - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
-- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer
+- `port_forwarding` (Boolean) Deprecated: Use SSHPortForwarding instead
 - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
 - `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `ssh_file_copy` (Boolean) SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
+- `ssh_port_forwarding` (Attributes) SSHPortForwarding defines which types of SSH port forwarding are permitted, if any. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))
 
 ### Nested Schema for `spec.options.cert_extensions`
 
@@ -526,3 +527,11 @@ Optional:
 - `desktop` (Boolean) Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.
 - `ssh` (String) SSH indicates the session mode used on SSH sessions.
 
+
+### Nested Schema for `spec.options.ssh_port_forwarding`
+
+Optional:
+
+- `local` (Boolean) Allow local port forwarding.
+- `remote` (Boolean) Allow remote port forwarding.
+
diff --git a/...teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/...teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
@@ -1281,9 +1281,7 @@ spec:
                       generation and usage
                     type: boolean
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use SSHPortForwarding instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access
@@ -1321,6 +1319,18 @@ spec:
                       via SCP or SFTP are allowed over an SSH session. It defaults
                       to true unless explicitly set to false.
                     type: boolean
+                  ssh_port_forwarding:
+                    description: SSHPortForwarding defines which types of SSH port
+                      forwarding are permitted, if any.
+                    nullable: true
+                    properties:
+                      local:
+                        description: Allow local port forwarding.
+                        type: boolean
+                      remote:
+                        description: Allow remote port forwarding.
+                        type: boolean
+                    type: object
                 type: object
             type: object
           status:
@@ -2662,9 +2672,7 @@ spec:
                       generation and usage
                     type: boolean
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use SSHPortForwarding instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access
@@ -2702,6 +2710,18 @@ spec:
                       via SCP or SFTP are allowed over an SSH session. It defaults
                       to true unless explicitly set to false.
                     type: boolean
+                  ssh_port_forwarding:
+                    description: SSHPortForwarding defines which types of SSH port
+                      forwarding are permitted, if any.
+                    nullable: true
+                    properties:
+                      local:
+                        description: Allow local port forwarding.
+                        type: boolean
+                      remote:
+                        description: Allow remote port forwarding.
+                        type: boolean
+                    type: object
                 type: object
             type: object
           status: