Teleport version: 4.4.6
My single teleport auth/proxy/node server is being killed by a torrential inflow of incorrect session recordings. The docker logs look like this:
```
WARN [AUTH] Rejecting session recording from 7d2e19cd-515a-4de2-801b-6b08c111bf89: server ID 834afe58-6256-4fc0-992b-7c75500f6316 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
WARN [AUTH] Rejecting session recording from 7d2e19cd-515a-4de2-801b-6b08c111bf89: server ID 02d82ef1-2b94-403d-a9f9-fd7f9aaa1968 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
WARN [AUTH] Rejecting session recording from 7d2e19cd-515a-4de2-801b-6b08c111bf89: server ID 1be4a891-78bc-49bd-aa1e-84bfaa9dafd9 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
WARN [AUTH] Rejecting session recording from 7d2e19cd-515a-4de2-801b-6b08c111bf89: server ID 834afe58-6256-4fc0-992b-7c75500f6316 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
```
At hundreds of logs per minute.
I’m running the teleport server as an EC2 instance behind an internal load balancer, which I’m aware isn’t a great setup. In my teleport.yaml I’ve set:
```yaml
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr: <private-ip>:3080
```
Which I’m not too happy about (I’d much prefer to set the actual DNS name instead of the private IP), but it’s a “legacy” system and I’m not in the position to go changing that easily.
Any ideas if there is a workaround for the session recording rejection logs? To be fair, I don’t really want to keep the session recordings (or even make them), but some research hasn’t shown me a way to disable making/storing them.
Some related online duckduckgo'ings:
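A small triage script for the warning lines quoted above, added here as an example and not part of the original post or of Teleport itself. It parses each "Rejecting session recording" line, groups the rejections by the submitting identity, and lists which server IDs that identity claimed and how often, so a flood of identical warnings collapses into a short list of (submitter, claimed IDs) pairs to check against the cluster's real node inventory. The sample log is constructed from the post's lines plus one extra line from a made-up second submitter.

```python
"""Summarise Teleport "Rejecting session recording" warnings by submitter."""
import re
from collections import Counter, defaultdict

# Matches the WARN line format shown in the post; UUIDs are hex and hyphens.
_UUID = r"[0-9a-f-]{36}"
REJECT_RE = re.compile(
    r"Rejecting session recording from (?P<submitter>" + _UUID + r"): "
    r"server ID (?P<claimed>" + _UUID + r") not valid",
    re.IGNORECASE,
)

# Constructed sample: the four lines from the post plus one from a made-up submitter.
SAMPLE_LOG = """\
WARN [AUTH] Rejecting session recording from 7d2e19cd-515a-4de2-801b-6b08c111bf89: server ID 834afe58-6256-4fc0-992b-7c75500f6316 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
WARN [AUTH] Rejecting session recording from 7d2e19cd-515a-4de2-801b-6b08c111bf89: server ID 02d82ef1-2b94-403d-a9f9-fd7f9aaa1968 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
WARN [AUTH] Rejecting session recording from 7d2e19cd-515a-4de2-801b-6b08c111bf89: server ID 1be4a891-78bc-49bd-aa1e-84bfaa9dafd9 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
WARN [AUTH] Rejecting session recording from 7d2e19cd-515a-4de2-801b-6b08c111bf89: server ID 834afe58-6256-4fc0-992b-7c75500f6316 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
WARN [AUTH] Rejecting session recording from 00000000-0000-4000-8000-000000000001: server ID 00000000-0000-4000-8000-000000000002 not valid. System may be under attack, a node is attempting to submit events for an identity other than its own. auth/apiserver.go:1981
INFO [AUTH] unrelated line that the parser must ignore
"""


def parse_rejections(log_text):
    """Yield (submitter, claimed_server_id) for each matching line; other lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("submitter").lower(), m.group("claimed").lower()


def summarize(log_text):
    """Return {submitter: Counter({claimed_server_id: count})}."""
    summary = defaultdict(Counter)
    for submitter, claimed in parse_rejections(log_text):
        summary[submitter][claimed] += 1
    return dict(summary)


def suspicious_submitters(log_text, min_distinct_ids=2):
    """Submitters claiming at least min_distinct_ids different server IDs, busiest first."""
    flagged = [(s, c) for s, c in summarize(log_text).items() if len(c) >= min_distinct_ids]
    return sorted(flagged, key=lambda sc: -sum(sc[1].values()))


if __name__ == "__main__":
    for submitter, claims in suspicious_submitters(SAMPLE_LOG):
        print(f"{submitter}: {sum(claims.values())} rejections, {len(claims)} distinct server IDs")
        for claimed, n in claims.most_common():
            print(f"    {claimed}  x{n}")
```

Feed it the real container log (for example `docker logs <container> 2>&1 | python3 triage.py` with `SAMPLE_LOG` swapped for `sys.stdin.read()`) and compare the claimed server IDs against the host UUIDs of the nodes you actually enrolled; an identity that claims several IDs that belong to no known node is the one to look at first.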