Enable IP pinning enforcement for Kube and DB #22310

Merged
merged 1 commit into from
Mar 8, 2023

@AntonAM AntonAM commented Feb 27, 2023

This PR enables enforcement of IP pinning for Kube and DB services (as part of #22061).
Should be merged after #21080.
I've included both Kube and DB in one PR since they share a checking function and the actual functionality changes are not that large, only ~150 lines; most of the changes are tests.

@AntonAM AntonAM added kubernetes-access database-access Database access related issues and PRs backport/branch/v12 labels Feb 27, 2023
@AntonAM AntonAM force-pushed the anton/ip-pinning-kube-db branch 5 times, most recently from 3f71a11 to 96d9f94 Compare February 27, 2023 19:32
@AntonAM AntonAM changed the title Enabled IP pinning enforcement for Kube and DB Enable IP pinning enforcement for Kube and DB Feb 27, 2023
@AntonAM AntonAM marked this pull request as ready for review February 27, 2023 19:47
@AntonAM AntonAM force-pushed the anton/ip-propagation-reverse-tunnel branch from f3985ab to 6085014 Compare February 27, 2023 23:39
@AntonAM AntonAM force-pushed the anton/ip-propagation-reverse-tunnel branch 5 times, most recently from 89c7e95 to 75497fa Compare February 28, 2023 20:12
@AntonAM AntonAM changed the base branch from anton/ip-propagation-reverse-tunnel to master February 28, 2023 22:00
@AntonAM AntonAM force-pushed the anton/ip-pinning-kube-db branch 4 times, most recently from 95e4b28 to 6b581c2 Compare February 28, 2023 22:48

AntonAM commented Mar 1, 2023

@strideynet @espadolini @rosstimothy hey folks, sorry for being pushy, but it would be great if you could prio this review 🙏 (this feature is scheduled for 12.1 release)

@AntonAM AntonAM enabled auto-merge March 8, 2023 14:16
@AntonAM AntonAM added this pull request to the merge queue Mar 8, 2023
Merged via the queue into master with commit 8f3b2b1 Mar 8, 2023
@public-teleport-github-review-bot

@AntonAM See the table below for backport results.

Branch Result
branch/v12 Failed

AntonAM added a commit that referenced this pull request Apr 3, 2023
* Add secure client IP propagation throughout teleport (#21080)

* Allow node to handle old and new way of client IP propagation on same listener

With addition of signed PROXY headers, node was listening on multiplexer, but because
 of that it couldn't process incoming connections from older proxies
 when ProxyHelloSignature was used, because
 both ends were waiting for the other side to send data first.
 Here we integrate ability to handle PROXY headers into connection itself,
 so we can start ssh server without waiting for multiplexer to detect connection

* Enabled IP pinning enforcement for Kube and DB (#22310)

* Don't allow different tcp version IP addresses in signed PROXY headers

* Send signed proxy header to the kube service

Because it was checking version, which was empty, signed headers were not sent,
 when we contacted leaf cluster's kube service

* Temporarily disable IP propagation tests.
@zmb3 zmb3 deleted the anton/ip-pinning-kube-db branch May 7, 2024 22:43
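
An added sketch (not Teleport's code and not part of this PR) of the kind of check the thread describes: one function shared by both services that rejects a PROXY header mixing IPv4 and IPv6, then compares the header's source IP with the IP pinned to the identity. The names `authorize` and `clientFromHeader`, the string inputs, and the rule that an empty pinned value means "not pinned" are assumptions; the header's signature is assumed to have been verified already.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

var ErrMixedFamily = errors.New("PROXY header mixes IPv4 and IPv6 addresses")
var ErrPinMismatch = errors.New("client IP does not match pinned IP")

// clientFromHeader returns the source IP carried by a (hypothetical, already
// signature-verified) PROXY header, rejecting a source/destination pair of different IP versions.
func clientFromHeader(src, dst string) (netip.Addr, error) {
	s, errS := netip.ParseAddrPort(src)
	d, errD := netip.ParseAddrPort(dst)
	if errS != nil || errD != nil {
		return netip.Addr{}, fmt.Errorf("bad PROXY address pair %q -> %q", src, dst)
	}
	if s.Addr().Is4() != d.Addr().Is4() {
		return netip.Addr{}, ErrMixedFamily
	}
	return s.Addr().Unmap(), nil // Unmap: ::ffff:a.b.c.d compares equal to a.b.c.d
}

// authorize is the single check both services would call in this sketch.
// Assumption: an empty pinned value means the identity is not pinned.
func authorize(pinned, src, dst string) error {
	client, err := clientFromHeader(src, dst)
	if err != nil {
		return err
	}
	if pinned == "" {
		return nil
	}
	p, err := netip.ParseAddr(pinned)
	if err != nil {
		return fmt.Errorf("bad pinned IP: %w", err)
	}
	if p.Unmap() != client {
		return ErrPinMismatch
	}
	return nil
}

func main() {
	fmt.Println(authorize("192.0.2.10", "192.0.2.99:50000", "198.51.100.5:3026")) // constructed addresses
	fmt.Println(authorize("192.0.2.10", "192.0.2.10:50000", "[2001:db8::1]:3026"))
}
```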