## The Missing Piece: Auditing

We've deployed Teleport, wired up GitHub for SSO, built fine-grained RBAC with deny rules, and set up just-in-time access requests. The final piece of the puzzle is auditing.

Every time someone runs a kubectl command through Teleport, an audit event is created. Every login, every API call, every session start and end — it's all recorded and tied to a real human identity from your SSO provider.

## The Audit Log

Teleport's audit log captures everything happening within your cluster:

- Certificate issuance events with SSO login details
- Every Kubernetes API call with the user who made it
- Access request creation and approval events
- Failed login attempts and MFA failures

## Session Recording

When someone runs `kubectl exec` into a pod, Teleport records the entire session. You can play it back with `tsh play session-id` to see exactly what commands were executed — invaluable for incident response and compliance.

## Live Session Joining

Active sessions can be joined in real time:

- **Observer mode** (default): Watch someone else's session without being able to type
- **Peer mode**: Join as a collaborator and take over typing — perfect for pair debugging production issues

This is a feature we used every week when filming Klustered.

## Course Summary

Over these six videos, we've gone from a blank slate to a fully functional Teleport deployment with:

- Identity-based access via GitHub SSO
- Fine-grained RBAC with defense in depth
- Just-in-time access requests
- Audit logging and session recording
- Live session joining and peer programming

Everything was built on the Teleport Community Edition, which is free and open source. There are several features worth exploring further — OIDC and SAML integration, SSH proxying, database connections, application proxying, and Windows desktop access — all through the same unified access plane with the same audit trail.

Check out the documentation at goteleport.com/docs to keep going.
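
One way to triage the events listed under "The Audit Log" per identity: repeated failed logins, Kubernetes write calls, and recorded sessions worth replaying with `tsh play`. This is an added example, not code from the course or from Teleport; the sample events are constructed, and the event names and fields (`event`, `user`, `success`, `verb`, `request_path`, `sid`) and the threshold are assumptions to verify against your own cluster's audit log.

```python
import json
from collections import Counter, defaultdict

# Constructed sample, one JSON event per line. The event names and fields
# (event, user, success, verb, request_path, sid) are assumptions modelled on
# Teleport's audit events; check them against your own cluster's log.
SAMPLE_LOG = """\
{"event":"user.login","user":"alice","success":true,"method":"github"}
{"event":"user.login","user":"carol","success":false,"method":"github"}
{"event":"user.login","user":"carol","success":false,"method":"github"}
{"event":"user.login","user":"carol","success":false,"method":"github"}
{"event":"kube.request","user":"alice","verb":"GET","request_path":"/api/v1/namespaces/default/pods"}
{"event":"kube.request","user":"alice","verb":"DELETE","request_path":"/api/v1/namespaces/prod/pods/web-0"}
{"event":"session.start","user":"alice","sid":"sess-0001"}
{"event":"kube.requ
"""

FAILED_LOGIN_THRESHOLD = 3            # hypothetical alerting threshold
WRITE_VERBS = {"POST", "PUT", "PATCH", "DELETE"}

def triage(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Group audit events by identity and pull out what a reviewer checks first."""
    failed, writes, sessions, skipped = Counter(), defaultdict(list), [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1              # truncated or corrupt line: count it, keep going
            continue
        kind, user = ev.get("event"), ev.get("user", "<unknown>")
        if kind == "user.login" and ev.get("success") is False:
            failed[user] += 1
        elif kind == "kube.request" and ev.get("verb", "").upper() in WRITE_VERBS:
            writes[user].append(f'{ev["verb"].upper()} {ev.get("request_path", "?")}')
        elif kind == "session.start" and "sid" in ev:
            sessions.append((user, ev["sid"]))   # candidate for `tsh play <sid>`
    return {
        "failed_logins": {u: n for u, n in failed.items() if n >= threshold},
        "kube_writes": dict(writes),
        "sessions": sessions,
        "skipped": skipped,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Counting skipped lines rather than dropping them silently matters for an audit trail: a non-zero count is itself something to investigate.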