diff --git a/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx b/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx index 5ce724adf9461..52c019597f64b 100644 --- a/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/device-management.mdx @@ -13,9 +13,6 @@ token, and removing a trusted device. (!docs/pages/includes/device-trust/prereqs.mdx!) -- For clusters created after v13.3.6, Teleport supports the preset `device-admin` - role to manage devices. - ## Register a trusted device The `tctl` tool is used to manage the device inventory. A device admin is diff --git a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx index 82cc5e4dff7c7..619731b02ce44 100644 --- a/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx @@ -35,11 +35,10 @@ by the `device_trust_mode` authentication setting: (!docs/pages/includes/device-trust/prereqs.mdx!) -- We expect your Teleport cluster to be on version 13.3.6 and above, which has - the preset `require-trusted-device` role. The preset `require-trusted-device` - role does not enforce the use of a trusted device for - [Apps](#app-access-support) or [Desktops](#desktop-access-support). Refer to - their corresponding sections for instructions. +This guide makes use of the preset `require-trusted-device` role, which does not +enforce the use of a trusted device for [Apps](#app-access-support) or +[Desktops](#desktop-access-support). Refer to their corresponding sections for +instructions. ## Role-based trusted device enforcement 
diff --git a/docs/pages/admin-guides/access-controls/device-trust/guide.mdx b/docs/pages/admin-guides/access-controls/device-trust/guide.mdx index 62a3fe88b4db2..3eedfbc481291 100644 --- a/docs/pages/admin-guides/access-controls/device-trust/guide.mdx +++ b/docs/pages/admin-guides/access-controls/device-trust/guide.mdx @@ -45,46 +45,6 @@ protected with Teleport. root@(=clusterDefaults.nodeIP=):~# ``` -
- The preset `require-trusted-device` role, as referenced in this guide, is only available - from Teleport version 13.3.6 and above. For older Teleport cluster, you will need to update - a role with `device_trust_mode: required`. - - For simplicity, the example below updates the preset `access` role but you can update - any existing access granting role which the user is assigned with to enforce Device Trust. - - First, fetch a role so you can update it locally: - ```code - $ tctl edit role/access - ``` - - Edit the role with Device Trust mode: - ```diff - kind: role - metadata: - labels: - teleport.internal/resource-type: preset - name: access - spec: - allow: - logins: - - '{{internal.logins}}' - ... - options: - # require authenticated device check for this role - + device_trust_mode: "required" # add this line - ... - deny: - ... - - ``` - - Save your edits. - - Now that the `access` role is configured with device mode "required", users with - this role will be enforced with Device Trust. -
- Once the above prerequisites are met, begin with the following step. ## Step 1/2. Update user profile to enforce Device Trust @@ -145,12 +105,12 @@ $ tsh device enroll --current-device Device "(=devicetrust.asset_tag=)"/macOS registered and enrolled ``` - - The `--current-device` flag tells `tsh` to enroll current device. User must have the preset `editor` + + The `--current-device` flag tells `tsh` to enroll the current device. The user must have the preset `editor` or `device-admin` role to be able to self-enroll their device. For users without the `editor` or - `device-admin` roles, an enrollment token must be generated by a device admin, which can then be + `device-admin` roles, a device admin must generate the an enrollment token, which can then be used to enroll the device. Learn more about manual device enrollment in the - [device management guide](./device-management.mdx#register-a-trusted-device) + [device management guide](./device-management.mdx#register-a-trusted-device). Relogin to fetch updated certificate with device extension: diff --git a/docs/pages/admin-guides/access-controls/guides/headless.mdx b/docs/pages/admin-guides/access-controls/guides/headless.mdx index 2a39c646aef7d..04cfd9a7758fc 100644 --- a/docs/pages/admin-guides/access-controls/guides/headless.mdx +++ b/docs/pages/admin-guides/access-controls/guides/headless.mdx 
@@ -31,7 +31,7 @@ For example: - Machines for Headless WebAuthn activities have [Linux](../../../installation.mdx), [macOS](../../../installation.mdx) or [Windows](../../../installation.mdx) `tsh` binary installed. - Machines used to approve Headless WebAuthn requests have a Web browser with [WebAuthn support]( https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/) or `tsh` binary installed. -- Optional: Teleport Connect v13.3.1+ for [seamless Headless WebAuthn approval](#optional-teleport-connect). +- Optional: Teleport Connect for [seamless Headless WebAuthn approval](#optional-teleport-connect). ## Step 1/3. Configuration @@ -169,9 +169,9 @@ alice@server01 $ ## Optional: Teleport Connect -Teleport Connect v13.3.1+ can also be used to approve Headless WebAuthn logins. -Teleport Connect will automatically detect the Headless WebAuthn login attempt -and allow you to approve or cancel the request. +Teleport Connect can also be used to approve Headless WebAuthn logins. Teleport +Connect will automatically detect the Headless WebAuthn login attempt and allow +you to approve or cancel the request.
![Headless Confirmation](../../../../img/headless/confirmation.png) @@ -183,10 +183,6 @@ You will be prompted to tap your MFA key to complete the approval process. ![Headless WebAuthn Approval](../../../../img/headless/approval.png)
- - This also requires a v13.3.1+ Teleport Auth Service. - - ## Troubleshooting ### "WARN: Failed to lock system memory for headless login: ..." diff --git a/docs/pages/admin-guides/access-controls/guides/webauthn.mdx b/docs/pages/admin-guides/access-controls/guides/webauthn.mdx index f6f3bdf4a0a42..425152bc0293a 100644 --- a/docs/pages/admin-guides/access-controls/guides/webauthn.mdx +++ b/docs/pages/admin-guides/access-controls/guides/webauthn.mdx @@ -246,8 +246,8 @@ The `tctl` tool is used to manage the device inventory. A device admin is responsible for managing devices, adding new devices to the inventory and removing devices that are no longer in use. - - Users with the preset `editor` or `device-admin` role (since v13.3.6) + + Users with the preset `editor` or `device-admin` role can register and enroll their device in a single step with the following command: ```code $ tsh device enroll --current-device diff --git a/docs/pages/admin-guides/access-controls/sso/oidc.mdx b/docs/pages/admin-guides/access-controls/sso/oidc.mdx index 5efb5f4301033..adf4471d50f77 100644 --- a/docs/pages/admin-guides/access-controls/sso/oidc.mdx +++ b/docs/pages/admin-guides/access-controls/sso/oidc.mdx @@ -21,8 +21,6 @@ policies like: (!docs/pages/includes/commercial-prereqs-tabs.mdx!) - (!docs/pages/includes/tctl.mdx!) -- To control the maximum age of users' sessions before they will be forced to - reauthenticate, your Teleport cluster must be on version 13.3.7 or above. ## Identity Providers 
@@ -197,13 +195,13 @@ spec: ### Optional: Max age -Teleport has supported setting the `max_age` field since version 13.3.7 to control the -maximum age of users' sessions before they will be forced to reauthenticate. By -default `max_age` is unset, meaning once a user authenticates using OIDC they will -not have to reauthenticate unless the configured OIDC provider forces them to. This -can be set to a duration of time to force users to reauthenticate more often. If -`max_age` is set to zero seconds, users will be forced to reauthenticate with their -OIDC provider every time they authenticate with Teleport. +The `max_age` field controls the maximum age of users' sessions before they will +be forced to reauthenticate. By default `max_age` is unset, meaning once a user +authenticates using OIDC they will not have to reauthenticate unless the +configured OIDC provider forces them to. This can be set to a duration of time +to force users to reauthenticate more often. If `max_age` is set to zero +seconds, users will be forced to reauthenticate with their OIDC provider every +time they authenticate with Teleport. Note that the specified duration must be in whole seconds. `24h` works because that's the same as `1440s`, but `60s500ms` would not be allowed as that is 60.5 seconds. diff --git a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/aws.mdx b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/aws.mdx index de375be78b5df..70c41f1ef5cb5 100644 --- a/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/aws.mdx +++ b/docs/pages/admin-guides/deploy-a-cluster/helm-deployments/aws.mdx 
@@ -109,7 +109,6 @@ You should be aware of these potential limitations and differences when using La that it terminate all inbound TLS traffic itself on the Teleport proxy. This is not directly possible when using a Layer 7 load balancer, so the `tsh` client implements this flow itself [using ALPN connection upgrades](../../../reference/architecture/tls-routing.mdx). -- The use of Teleport and `tsh` v13 or higher is required. Using ACM with an ALB also requires that your cluster has a fully functional installation of the AWS Load Balancer diff --git a/docs/pages/admin-guides/management/operations/db-ca-migrations.mdx b/docs/pages/admin-guides/management/operations/db-ca-migrations.mdx index 7a9cdb32b0a37..a890a38f8bd30 100644 --- a/docs/pages/admin-guides/management/operations/db-ca-migrations.mdx +++ b/docs/pages/admin-guides/management/operations/db-ca-migrations.mdx @@ -12,10 +12,8 @@ the Teleport cluster. Teleport (= db_client_ca.released_version.v15 =) introduced the `db_client` CA to split the responsibilities of the Teleport `db` CA, which was acting as both -host and client CA for Teleport self-hosted database access. -The `db_client` CA was also added as a patch in Teleport -(= db_client_ca.released_version.v13 =) and -(= db_client_ca.released_version.v14 =). +host and client CA for Teleport self-hosted database access. The `db_client` CA +was also added as a patch in Teleport (= db_client_ca.released_version.v14 =). The `db` and `db_client` CAs were both introduced as an automatic migration that occurs after upgrading Teleport. 
@@ -113,8 +111,7 @@ However, for defense in depth, these databases should only mTLS handshake with a client that presents a `db_client` CA-issued certificate. If your Teleport cluster was upgraded to Teleport -\>=(= db_client_ca.released_version.v13 =), -\>=(= db_client_ca.released_version.v14 =), or +\>=(= db_client_ca.released_version.v14 =) or \>=(= db_client_ca.released_version.v15 =), then you should ensure that you have completed the `db_client` migration. To complete the `db_client` CA migration: @@ -144,8 +141,7 @@ and you have not rotated *both* your `host` and `db` CAs at least once since upgrading, then you should complete the `db` CA migration. If you upgraded an existing cluster to Teleport -\>=(= db_client_ca.released_version.v13 =), -\>=(= db_client_ca.released_version.v14 =), or +\>=(= db_client_ca.released_version.v14 =) or \>=(= db_client_ca.released_version.v15 =) and you have not rotated *both* your `db` and `db_client` CAs at least once since upgrading, then you should complete diff --git a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx index 8618c8a88c099..2fb8c7c1aac83 100644 --- a/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx +++ b/docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx @@ -7,7 +7,7 @@ description: Configure automatic user provisioning for PostgreSQL. ## Prerequisites -- Teleport cluster v13.1 or above with a configured [self-hosted +- Teleport cluster with a configured [self-hosted PostgreSQL](../enroll-self-hosted-databases/postgres-self-hosted.mdx) or [RDS PostgreSQL](../enroll-aws-databases/rds.mdx) database. To configure permissions for database objects like tables, your cluster must be on version 
diff --git a/docs/pages/includes/database-access/split-db-ca-details.mdx b/docs/pages/includes/database-access/split-db-ca-details.mdx index 8dc448464989f..b50544c463ffd 100644 --- a/docs/pages/includes/database-access/split-db-ca-details.mdx +++ b/docs/pages/includes/database-access/split-db-ca-details.mdx @@ -17,9 +17,8 @@ needs to have a long-lived certificate issued by another CA that its peer node trusts. The split `db` and `db_client` CA architecture was introduced as a security fix -in Teleport versions: -(= db_client_ca.released_version.v13 =), -(= db_client_ca.released_version.v14 =), and +in Teleport versions +(= db_client_ca.released_version.v14 =) and (= db_client_ca.released_version.v15 =). See diff --git a/docs/pages/includes/device-trust/prereqs.mdx b/docs/pages/includes/device-trust/prereqs.mdx index 32699c20b21a7..6447d7c6dd8cf 100644 --- a/docs/pages/includes/device-trust/prereqs.mdx +++ b/docs/pages/includes/device-trust/prereqs.mdx @@ -4,7 +4,7 @@ - To enroll a Windows device, you need: - A device with TPM 2.0. - A user with administrator privileges. This is only required during enrollment. - - `tsh` v13.1.2 or newer. [Download the Windows tsh installer](../../installation.mdx#windows-tsh-and-tctl-clients-only). + - The `tsh` client. [Download the Windows tsh installer](../../installation.mdx#windows-tsh-and-tctl-clients-only). - To enroll a Linux device, you need: - A device with TPM 2.0. - A user with permissions to use the /dev/tpmrm0 device (typically done by diff --git a/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx b/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx index f7b7542c5311f..3cf958de6fbe6 100644 --- a/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx +++ b/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx 
@@ -1127,11 +1127,8 @@ For this reason, it is strongly discouraged to set a custom image when using automatic updates. Teleport Cloud uses automatic updates by default. -Since version 13, hardened distroless images are used by default. You can use -the deprecated debian-based images by setting the value to -`public.ecr.aws/gravitational/teleport`. Those images will be removed with -teleport 15. - +By default, the image contains only the Teleport application and its runtime +dependencies, and does not contain a shell. This setting only takes effect when [`enterprise`](#enterprise) is `false`. When running an enterprise version, you must use [`enterpriseImage`](#enterpriseImage) instead. @@ -1157,11 +1154,8 @@ Teleport-published image. using automatic updates. Teleport Cloud uses automatic updates by default. -Since version 13, hardened distroless images are used by default. -You can use the deprecated debian-based images by setting the value to -`public.ecr.aws/gravitational/teleport-ent`. Those images will be -removed with teleport 15. - +By default, the image contains only the Teleport application and its runtime +dependencies, and does not contain a shell. This setting only takes effect when [`enterprise`](#enterprise) is `true`. When running an enterprise version, you must use [`image`](#image) instead. diff --git a/docs/pages/reference/access-controls/login-rules.mdx b/docs/pages/reference/access-controls/login-rules.mdx index d49782f74feed..fdf24fe1efe45 100644 --- a/docs/pages/reference/access-controls/login-rules.mdx +++ b/docs/pages/reference/access-controls/login-rules.mdx @@ -584,11 +584,6 @@ Expression | Result ### `strings.split` - -The `strings.split` helper was introduced in Teleport v13.3.0. All Auth Service -instances must be running this version or greater before it can be used. - - #### Signature ```go 
@@ -625,11 +620,6 @@ Expression | Result ### `email.local` - -The `email.local` helper was introduced in Teleport v13.3.0. All Auth Service instances -must be running this version or greater before it can be used. - - #### Signature ```go @@ -661,11 +651,6 @@ Expression | Result ### `regexp.replace` - -The `regexp.replace` helper was introduced in Teleport v13.3.0. All Auth Service instances -must be running this version or greater before it can be used. - - #### Signature ```go diff --git a/docs/pages/reference/access-controls/roles.mdx b/docs/pages/reference/access-controls/roles.mdx index c67dd234b8642..5d04f382a28bf 100644 --- a/docs/pages/reference/access-controls/roles.mdx +++ b/docs/pages/reference/access-controls/roles.mdx @@ -189,13 +189,6 @@ spec: ### Label expressions - -Label expressions are available starting in Teleport version `13.1.1`. -All components of your Teleport cluster must be upgraded to version `13.1.1` -or newer before you will be able to use label expressions. -This includes the Auth Service and **all** Teleport agents. - - Teleport roles also support matching resource labels with predicate expressions when you need to: diff --git a/docs/pages/reference/predicate-language.mdx b/docs/pages/reference/predicate-language.mdx index 921436f125519..adeda2509b85d 100644 --- a/docs/pages/reference/predicate-language.mdx +++ b/docs/pages/reference/predicate-language.mdx @@ -76,13 +76,6 @@ See some [examples](cli/cli.mdx) of the different ways you can filter resources. ## Label expressions - -Label expressions are available starting in Teleport version `13.1.1`. -All components of your Teleport cluster must be upgraded to version `13.1.1` -or newer before you will be able to use label expressions. -This includes the Auth Service and **all** Teleport agents. - - Label expressions can be used in Teleport roles to define access to resources with custom logic. Check out the Access Controls 
diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml index 7e948c15a3570..6a11b492a9879 100644 --- a/examples/chart/teleport-cluster/values.yaml +++ b/examples/chart/teleport-cluster/values.yaml @@ -568,17 +568,13 @@ tls: # Values that you shouldn't need to change. ################################################## -# Container image for the cluster. -# Since version 13, hardened distroless images are used by default. -# You can use the deprecated debian-based images by setting the value to -# `public.ecr.aws/gravitational/teleport`. Those images will be -# removed with teleport 14. +# Container image for the cluster. By default, the image contains only the +# Teleport application and its runtime dependencies, and does not contain a +# shell. image: public.ecr.aws/gravitational/teleport-distroless -# Enterprise version of the image -# Since version 13, hardened distroless images are used by default. -# You can use the deprecated debian-based images by setting the value to -# `public.ecr.aws/gravitational/teleport-ent`. Those images will be -# removed with teleport 14. +# Enterprise version of the image. By default, the image contains only the +# Teleport application and its runtime dependencies, and does not contain a +# shell. enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless # Optional array of imagePullSecrets, to use when pulling from a private registry imagePullSecrets: [] diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml index c51491783e11c..9b7783e022c11 100644 --- a/examples/chart/teleport-kube-agent/values.yaml +++ b/examples/chart/teleport-kube-agent/values.yaml 
@@ -891,11 +891,8 @@ adminClusterRoleBinding: # automatic updates. Teleport Cloud uses automatic updates by default. # # -# Since version 13, hardened distroless images are used by default. You can use -# the deprecated debian-based images by setting the value to -# `public.ecr.aws/gravitational/teleport`. Those images will be removed with -# teleport 15. -# +# By default, the image contains only the Teleport application and its runtime +# dependencies, and does not contain a shell. # This setting only takes effect when [`enterprise`](#enterprise) is `false`. # When running an enterprise version, you must use # [`enterpriseImage`](#enterpriseImage) instead. @@ -916,11 +913,8 @@ image: public.ecr.aws/gravitational/teleport-distroless # using automatic updates. Teleport Cloud uses automatic updates by default. #
# -# Since version 13, hardened distroless images are used by default. -# You can use the deprecated debian-based images by setting the value to -# `public.ecr.aws/gravitational/teleport-ent`. Those images will be -# removed with teleport 15. -# +# By default, the image contains only the Teleport application and its runtime +# dependencies, and does not contain a shell. # This setting only takes effect when [`enterprise`](#enterprise) is `true`. # When running an enterprise version, you must use [`image`](#image) instead. enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
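Review bot: The `@@ -45,46 +45,6 @@` hunk in docs/pages/admin-guides/access-controls/device-trust/guide.mdx removes the 40-line note for pre-13.3.6 clusters, and with it the only worked example on this page of setting `device_trust_mode: "required"` on a role other than the preset `require-trusted-device`. Users who grant access through a custom role now get no pointer. Suggest keeping a single sentence in the prerequisites that links to the "Role-based trusted device enforcement" section of enforcing-device-trust.mdx (that heading is visible in this diff), so the role-edit procedure stays reachable after the version-specific text is gone.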
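Review bot: Typo introduced in the `@@ -145,12 +105,12 @@` hunk of guide.mdx: the added line reads "a device admin must generate the an enrollment token"; drop the stray "the" so it reads "a device admin must generate an enrollment token". The rest of the rewrite (making the device admin the subject of that sentence, adding the missing period after the link) is an improvement and should stay.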
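Review bot: The unchanged context line right after the rewritten `max_age` paragraph in docs/pages/admin-guides/access-controls/sso/oidc.mdx says `24h` works "because that's the same as `1440s`"; 24 hours is 86400 seconds (1440 is the number of minutes). Since this hunk already touches the paragraph, fix the arithmetic in the same change: "`24h` works because that's the same as `86400s`". Wrong numbers in a session-age setting are the kind of thing operators copy into config without checking.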
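Review bot: After the three hunks in docs/pages/admin-guides/management/operations/db-ca-migrations.mdx and the one in docs/pages/includes/database-access/split-db-ca-details.mdx, `(= db_client_ca.released_version.v13 =)` is no longer referenced anywhere in this diff. If the docs config still defines `db_client_ca.released_version.v13`, remove it in the same PR and grep the rest of the docs tree for other uses, so the build does not carry an orphaned variable. Separately, the two migration-condition sentences now read "upgraded to ... >=(= v14 =) or >=(= v15 =)"; since every supported version satisfies that, "upgraded to (= db_client_ca.released_version.v14 =) or later" says the same thing and will not need editing at each major release.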
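Review bot: In docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx the rewritten bullet loses its article: "Teleport cluster with a configured" should be "A Teleport cluster with a configured". The same bullet's trailing context line still reads "To configure permissions for database objects like tables, your cluster must be on version", so this hunk removes one version gate while keeping another in the same list item; check that remaining version against the supported-version floor this PR is enforcing and either keep both gates or drop both.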
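Review bot: Both hunks in docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx delete the blank line that separated the image description from "This setting only takes effect when ..."; in MDX that merges the two into one paragraph, so the new "does not contain a shell." sentence runs straight into the enterprise/non-enterprise caveat. Restore the blank line after "dependencies, and does not contain a shell." in both places. The same is true of the `#` separator line dropped in the two hunks in examples/chart/teleport-kube-agent/values.yaml.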
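Review bot: zz_generated.teleport-kube-agent.mdx is, per its `zz_generated` prefix, produced from the comments in examples/chart/teleport-kube-agent/values.yaml, yet this diff edits both by hand; run the chart-reference generator and commit its output instead, otherwise the next regeneration silently reverts the mdx. The matching wording change to examples/chart/teleport-cluster/values.yaml has no generated-reference hunk in this diff at all; confirm whether that chart's reference page is generated from the same comments and regenerate it if so. While rewording these comments, consider stating the operational consequence of "does not contain a shell" for operators: `kubectl exec` into the pod will not give them a shell, and debugging needs an ephemeral debug container instead.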