
RFC-PAM-0001                                                    Section 4
Category: Standards Track                                     Components

4. Components



4.1 Teleport Cluster

4.1.1 Overview

Teleport is the centralized access broker for all privileged infrastructure access. It provides:

  • Unified access gateway for SSH, databases, Kubernetes, and applications
  • Certificate-based authentication eliminating long-lived credentials
  • Session recording for compliance and audit
  • Role-based access control integrated with identity providers
  • Just-in-time access with approval workflows

4.1.2 Core Services

  Service            Responsibility                               Deployment
  -----------------  -------------------------------------------  --------------------
  Auth Service       User authentication, certificate issuance,   StatefulSet (HA)
                     RBAC
  Proxy Service      Connection routing, TLS termination, web UI  Deployment (scaled)
  Session Recording  Capture and store session data               Integrated with Auth

4.1.3 Auth Service

The Auth Service is the control plane for Teleport:

  Function               Description
  ---------------------  ---------------------------------------------------
  SSO Integration        OIDC connector to Keycloak
  Certificate Authority  Issues short-lived certificates for users and hosts
  RBAC Engine            Evaluates access requests against role definitions
  Audit Backend          Stores audit events and session metadata
  Cluster State          Maintains registered resources and active sessions

High Availability: Auth Service runs as a StatefulSet with multiple replicas. State is stored in a backend (etcd or PostgreSQL) for consistency.

4.1.4 Proxy Service

The Proxy Service is the data plane for Teleport:

  Function           Description
  -----------------  --------------------------------------------
  Protocol Routing   Routes SSH, database, and Kubernetes traffic
  TLS Termination    Handles client TLS connections
  Web UI             Serves the Teleport web interface
  Load Distribution  Balances connections across agents

Scaling: Proxy Service runs as a Deployment and can be horizontally scaled based on connection load.

4.1.5 Teleport Cluster Diagram

4.2 Teleport Agents

4.2.1 Overview

Teleport Agents run on or near target resources and enable Teleport to manage access:

  Agent Type         Target Resource             Deployment
  -----------------  --------------------------  ---------------------
  SSH Agent          Linux/Unix servers          DaemonSet or per-host
  Database Agent     PostgreSQL, MySQL, MongoDB  Deployment
  Kubernetes Agent   Kubernetes clusters         Deployment
  Application Agent  Internal web apps           Deployment
  Windows Agent      Windows servers             Per-host service

4.2.2 SSH Agent

The SSH Agent enables certificate-based SSH access:

  Function                Description
  ----------------------  -----------------------------------------------
  Host Registration       Registers host with Teleport cluster
  Certificate Validation  Validates user certificates against Teleport CA
  Session Proxy           Proxies SSH sessions through Teleport
  Session Recording       Captures terminal I/O for recording

Deployment Options:

  • DaemonSet: One agent per node in Kubernetes
  • Standalone: Installed directly on target hosts
  • Agentless: Using OpenSSH with Teleport CA (limited features)

4.2.3 Database Agent

The Database Agent proxies database connections:

  Function              Description
  --------------------  ------------------------------------
  Protocol Support      PostgreSQL, MySQL, MongoDB, and more
  Credential Injection  Injects Vault-issued credentials
  Query Logging         Captures queries for audit
  Connection Pooling    Manages database connections

Supported Protocols:

  Protocol    Port   Query Logging
  ----------  -----  ----------------
  PostgreSQL  5432   Full SQL capture
  MySQL       3306   Full SQL capture
  MongoDB     27017  Command capture
  Redis       6379   Command capture
  SQL Server  1433   Full SQL capture

4.2.4 Kubernetes Agent

The Kubernetes Agent enables governed Kubernetes access:

  Function              Description
  --------------------  -----------------------------------------
  API Proxy             Proxies kubectl commands through Teleport
  Exec/Attach Control   Enforces policies on pod exec/attach
  Port-Forward Control  Governs port-forward requests
  Session Recording     Captures exec sessions via eBPF

Integration with Kubernetes RBAC:

  • Teleport roles define which namespaces/pods users can access
  • Kubernetes RBAC remains authoritative for API permissions
  • Teleport adds audit layer and session recording

4.2.5 Agent Architecture

4.3 Vault SSH Secrets Engine

4.3.1 Overview

The Vault SSH Secrets Engine provides certificate authority functionality for SSH authentication. Per RFC-SECOPS-0001, Vault is the authoritative source for all credentials.

4.3.2 SSH CA Configuration

Vault maintains an SSH Certificate Authority:

  Component       Purpose
  --------------  -------------------------------------------
  CA Private Key  Signs SSH certificates (never leaves Vault)
  CA Public Key   Distributed to all managed hosts
  Signing Roles   Define certificate parameters per use case

4.3.3 Signing Roles

  Role       TTL  Principals              Use Case
  ---------  ---  ----------------------  -----------------------------
  developer  1h   ubuntu, ec2-user        Standard development access
  operator   4h   ubuntu, ec2-user, root  Operations support
  emergency  30m  root                    Break-glass emergency access

4.3.4 Certificate Flow

4.3.5 Host Configuration

Managed hosts are configured to trust only the Vault SSH CA:

  Configuration             Setting
  ------------------------  -------------------------------------------------------
  TrustedUserCAKeys         /etc/ssh/trusted-user-ca-keys.pem (Vault CA public key)
  AuthorizedPrincipalsFile  /etc/ssh/auth_principals/%u
  PubkeyAuthentication      yes (for certificates)
  PasswordAuthentication    no

Direct SSH key authentication is disabled—only certificates signed by Vault are accepted.
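Added example, not part of RFC-PAM-0001: a small Python check that verifies a host's sshd_config against the 4.3.5 settings, and a model of how sshd decides whether a certificate carrying the 4.3.3 role principals may log in as a given local user. The sshd_config excerpt, the auth_principals file contents and the per-role principal lists are constructed samples, not files from the described platform.

```python
# Added example (not from RFC-PAM-0001): verifies a host's sshd_config against
# the 4.3.5 settings and models how sshd maps Vault certificate principals
# (4.3.3 roles) onto local users. All inputs below are constructed samples.
import re

SSHD_CONFIG = """\
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Required values from section 4.3.5, keyed by lower-cased sshd keyword.
REQUIRED = {
    "trustedusercakeys": "/etc/ssh/trusted-user-ca-keys.pem",
    "authorizedprincipalsfile": "/etc/ssh/auth_principals/%u",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
}

def parse_sshd_config(text):
    """Map keyword -> value; sshd uses the FIRST occurrence of each keyword."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def check_host_config(text):
    """Return (keyword, expected, actual) for each 4.3.5 setting missing or wrong."""
    settings = parse_sshd_config(text)
    return [(k, want, settings.get(k)) for k, want in REQUIRED.items()
            if settings.get(k, "").lower() != want.lower()]

# Constructed auth_principals/<user> contents, and certificate principals per 4.3.3 role.
AUTH_PRINCIPALS = {"ubuntu": "ubuntu\n", "ec2-user": "ec2-user\n", "root": "root\n"}
ROLE_PRINCIPALS = {"developer": ["ubuntu", "ec2-user"],
                   "operator": ["ubuntu", "ec2-user", "root"],
                   "emergency": ["root"]}

def login_allowed(cert_principals, target_user):
    """sshd accepts a CA-signed certificate for target_user only when one of its
    principals appears in that user's principals file; no file at all denies."""
    listed = {l.strip() for l in AUTH_PRINCIPALS.get(target_user, "").splitlines()
              if l.strip() and not l.lstrip().startswith("#")}
    return any(p in listed for p in cert_principals)
```

An empty result from check_host_config means the host accepts only certificates signed by the trusted CA; a developer certificate is refused for root because no developer principal is listed in root's principals file.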

4.4 Vault Database Secrets Engine

4.4.1 Overview

The Vault Database Secrets Engine generates ephemeral database credentials on demand. This eliminates standing database passwords for human access.

4.4.2 Database Connections

Vault maintains connections to managed databases:

  Connection        Database               Purpose
  ----------------  ---------------------  --------------------------
  postgres-prod     Production PostgreSQL  Production database access
  postgres-staging  Staging PostgreSQL     Staging database access
  mysql-analytics   Analytics MySQL        Analytics database access

4.4.3 Dynamic Credential Roles

  Role       Permissions                     TTL  Use Case
  ---------  ------------------------------  ---  ------------------------
  readonly   SELECT                          1h   Debugging, investigation
  readwrite  SELECT, INSERT, UPDATE, DELETE  2h   Development tasks
  admin      ALL PRIVILEGES                  30m  Emergency maintenance

4.4.4 Credential Lifecycle

4.4.5 Credential Properties

  Property         Value                        Rationale
  ---------------  ---------------------------  -------------------------
  Uniqueness       Unique per user per session  Individual accountability
  TTL              1-4 hours depending on role  Limit exposure window
  Auto-revocation  Yes, at TTL expiry           No stale credentials
  Renewability     Yes, within max TTL          Support long sessions

4.5 External Secrets Operator

4.5.1 Overview

External Secrets Operator (ESO) distributes secrets from Vault to Kubernetes per RFC-SECOPS-0001 patterns. For PAM, ESO distributes:

  • Teleport agent enrollment tokens
  • OIDC client secrets for Keycloak integration
  • TLS certificates for Teleport services

  ExternalSecret         Vault Path                       Target Secret          Purpose
  ---------------------  -------------------------------  ---------------------  ---------------------------
  teleport-auth-secrets  secret/platform/teleport/auth    teleport-auth-secrets  Auth service configuration
  teleport-oidc-secret   secret/platform/teleport/oidc    teleport-oidc-client   Keycloak OIDC client secret
  teleport-agent-token   secret/platform/teleport/agents  teleport-join-token    Agent enrollment token

4.5.3 Secret Distribution Pattern

4.6 Target Resources

4.6.1 Linux/Unix Servers

Managed servers require:

  Requirement               Implementation
  ------------------------  ----------------------------------------
  Teleport SSH Agent        Installed and enrolled
  SSH CA Trust              Vault CA public key in TrustedUserCAKeys
  Principal Mapping         AuthorizedPrincipals configured
  Direct Key Auth Disabled  PubkeyAuthentication for certs only

4.6.2 Databases

Managed databases require:

  Requirement       Implementation
  ----------------  ---------------------------------------
  Network Access    Teleport Database Agent can connect
  Vault Connection  Vault can create/drop users
  Protocol Support  Database protocol supported by Teleport

4.6.3 Kubernetes Clusters

Managed clusters require:

  Requirement                Implementation
  -------------------------  ------------------------------------------
  Teleport Kubernetes Agent  Deployed in cluster
  API Server Access          Agent can reach API server
  RBAC Configuration         Agent has permissions to proxy exec/attach

4.6.4 Resource Enrollment

Resources are enrolled in Teleport through agent deployment:


End of Section 4