
Machine ID: Basic Unix Workload Attestation

Open · strideynet opened this issue 1 year ago · 1 comment

Closes https://github.com/gravitational/teleport/issues/39866

A super basic initial pass at Workload Attestation for Unix. This will likely become much more complex in future as we'll begin to look up other information based on the PID, but for now, this just sets the stage.

Example config:

services:
  - type: spiffe-workload-api
    listen: unix:///Users/noah/code/gravitational/workload-identity-experiment/workload.sock
    svids:
      - path: /bar
        hint: test-1
        sans:
          dns:
          - example.com
          - foo.example.com
          ip:
          - 14.1.1.1
        rules:
          - unix:
              uid: 502
          - unix:
              gid: 20

changelog: Basic Unix workload attestation added to the tbot SPIFFE workload API. You can now restrict the issuance of certain SVIDs to processes running with a certain UID, GID or PID.

strideynet · May 07 '24 09:05
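An added illustration of the rule semantics the changelog describes, written for this page rather than taken from tbot: it evaluates `unix:` rules like the two in the config above (uid 502, gid 20) against a connecting process's attested UID, GID and PID. The AND-within-a-rule, OR-between-rules semantics and the "no rules means unrestricted" default are assumptions, not something the PR confirms; the type and function names are likewise invented here.

```go
package main

// Unix credentials attested for the process that connected to the workload
// API socket (on Linux these would come from the socket's peer credentials).
type UnixAttestation struct {
	UID, GID, PID int
}

// UnixRule mirrors one `unix:` entry under `rules:` in the config above.
// Pointers distinguish "unset" (nil) from a real 0 (uid 0 is root).
type UnixRule struct {
	UID, GID, PID *int
}

func intPtr(v int) *int { return &v }

// ExampleConfigRules mirrors the example config above: uid 502 OR gid 20.
var ExampleConfigRules = []UnixRule{{UID: intPtr(502)}, {GID: intPtr(20)}}

// matches reports whether every field set in the rule equals the attested
// value (AND within a rule). A rule with no fields set would match every
// process, so it is rejected rather than silently allowing everything.
func (r UnixRule) matches(a UnixAttestation) bool {
	checks := [][2]*int{{r.UID, &a.UID}, {r.GID, &a.GID}, {r.PID, &a.PID}}
	set := 0
	for _, c := range checks {
		if c[0] == nil {
			continue
		}
		set++
		if *c[0] != *c[1] {
			return false
		}
	}
	return set > 0 // fail closed on an empty rule
}

// SVIDAllowed decides whether the SVID may be issued to the attested process.
// Assumed: no rules means unrestricted; otherwise any one rule must match.
func SVIDAllowed(rules []UnixRule, a UnixAttestation) bool {
	if len(rules) == 0 {
		return true
	}
	for _, r := range rules {
		if r.matches(a) {
			return true
		}
	}
	return false
}
```

A PID constraint on its own is weak evidence of identity, since PIDs are recycled; the example treats it only as one more equality check, in line with the PR's note that richer PID-based lookups are still to come.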

🤖 Vercel preview here: https://docs-8huud2tk7-goteleport.vercel.app/docs/ver/preview

github-actions[bot] · May 08 '24 14:05

@strideynet See the table below for backport results.

Branch        Result
branch/v15    Create PR