Teleport alternatives

[gawertm]

Following the teleport license change https://gigantic.slack.com/archives/C02BM8B09/p1711526979809279

we want to check the alternatives, to be prepared for further changes. Maybe we will also need to take a decision to buy teleport eventually.

[teemow]

Possible alternatives:

• https://github.com/juanfont/headscale
• https://kilo.squat.ai/

[gawertm]

we need to define hard requirements first and and nice to have features

[tuladhar]

Resources we access

• K8s API (HTTPS)
• SSH nodes (SSH)
• In-cluster internal web apps (HTTPS), e.g: happa, grafana (not yet possible with Teleport)

Hard Requirements

• Ease of Deployment: The solution should be straightforward to deploy and use, requiring minimal or no actions from the customer.
• Easy Connectivity: Access to resources without the need for a VPN or bastion host on the target environment. This is a key reason we chose Teleport.
• Auditing: The ability to audit and track all resource access, including who accessed resources and when. Additionally, the customer should have access to the audit logs.
• Secure Authentication & Authorization: Two-Factor Authentication (2FA) and Identity-based authentication with basic Role-Based Access Control (RBAC) to securely access resources.

Nice-to-have Features

• Single Sign-On (SSO)
• Session Recording
• Short-Lived Access

[tuladhar]

Headscale - Single Tailnet

Headscale seems to be designed to only allow single Tailnet (Tailscale Network). This means that we need to run 1 headscale per cluster, cause we can't share tailnet across customer, as all nodes in single tailnet can communicate to each other.

[tuladhar]

Exploring Headscale

• Headscale doesn't support SSH access out of box, like Tailscale does, we need to setup bastion host for SSH access to nodes.
• Accessing Kubernetes cluster (kubectl) through tailnet network is not easy, we need to whitelist tailnet IP in Kubernetes API server certificate or use similar to Tailscale Kubernetes Operator to act as Kubernetes proxy to access the cluster, which is cumbersome.
• Headscale focuses on networking capability as such we need to setup additional tools or services to facitilate audit log capability.
• Headscale is designed for hobbyists projects as such it may not have undergone extensive security audits for SME production use. As such, we need to conduct security assesments when considering running Headscale in production.

Conclusion: Not an ideal substitute for Teleport

[tuladhar]

Exploring Kilo

• Kilo is designed as a multi-cloud network overlay built on WireGuard, and rather than for infra access management. For example, it facilitates accessing Pods via VPN or creating multi-cluster services.
• Similar to Headscale, uses Wireguard, and requires open port UDP 51820 to enable node communication, we don't need this functionality.
• For outside access to Kilo-powered Kubernetes cluster (kubectl from outside), we need public IP on atleast one node, which is not feasible for public or private network as nodes only have private IP and Kubernetes API is exposed via public/private load balancer.
• Doesn't support out of box feature for accessing nodes via SSH, as such we need additional way to manage SSH keys for infra access.

Conclusion: Not an ideal substitute for Teleport.

[tuladhar]

StrongDM

• ✅ Easy kubernetes cluster access similar to Teleport
• ✅ SSH access similar to Teleport
• ✅ Uses gateways and relay which is similar to Teleport agent, dails out to StrongDM gateway (reverse tunnel)
• ✅ Integrates with many different IdP for SSO
• ✅ Supports auditing
• ✅ Session recording
• ❌ Proprietary solution, no open-source self-hosted version
• ❌ Paid cloud-hosted solution
• 🏷️ 75$ per user per month (essential plan)

Hashicorp Boundary

• ✅ Open-source, can self-host Boundary cluster using community edition
• ✅ OIDC integration
• ✅ Kubernetes cluster access
• ✅ SSH node access
• ❌ BSL license
• ❌ Session recording only on HCP
• ❌ Real-time audit log streaming only on HCP
• ❌ Depends on Vault for secrets management, we need to maintain Vault.
• ❌ Pricing: $0.50 per session (standard cloud), self-managed custom.

CyberArk

• ❌ Proprietary solution, no open-source self-hosted version
• ❌ Paid cloud-hosted or on-prem solution
• ❌ Traditional privileged access solutions, pricing is not listed.

[tuladhar]

Based on the exploration for alternatives, I couldn't spot any popular, and reliable open-source projects that's playing in this zero-trust access field.

The only open-source project that come close is Boundary by Hashicorp with it's BSL license. Additionally, Boundary's dependency on Vault may introduce further complexity.

What are you thoughts on this? @gawertm @teemow

[tuladhar]

Summary

• Headscale and Kilo lacks infra access feature, as such isn't ideal alternative.
• Other alternatives listed above are mostly commercial cloud-hosted focusing on Enterprises.
• Hashicorp Boundary come close, but with it's BSL license + self-hosting it seems more complex (vault integration, etc) than Teleport.

Maybe, now with Teleport license change, there will be rise of open source projects to counter that. I also think, it's because Teleport community edition or Hashicorp Boundary fills the void, so nobody found the urge develop truely open-source version of it, like headscale did for tailscale (A closed source coordination server)

[gawertm]

decided on Monday 10th June 2024, that for now we will continue with teleport as we are still under their given limits. Even if we reach the limits, we might be able to compile the binaries ourselves under the agpl license. but we will need to deal with that only once we hit the limit