From 24b7d0d5fe2e07a249db6fbe6c888c497fe1dd8e Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Wed, 24 Mar 2021 11:39:29 -0700
Subject: [PATCH] mfa: don't check MFA for teleport services in UpsertKubeService
---
 lib/auth/auth_with_roles.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 95a8dab2369c7..d0e43c7223202 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -2625,8 +2625,14 @@ func (a *ServerWithRoles) UpsertKubeService(ctx context.Context, s services.Serv
 if err != nil {
 return trace.Wrap(err)
 }
+ _, isService := a.context.Checker.(BuiltinRoleSet)
+ isMFAVerified := a.context.Identity.GetIdentity().MFAVerified != ""
 mfaParams := services.AccessMFAParams{
- Verified: a.context.Identity.GetIdentity().MFAVerified != "",
+ // MFA requirement only applies to users.
+ //
+ // Builtin services (like proxy_service and kube_service) are not gated
+ // on MFA and only need to pass the RBAC action check above.
+ Verified: isService || isMFAVerified,
 AlwaysRequired: ap.GetRequireSessionMFA(),
 }
 for _, kube := range s.GetKubernetesClusters() {
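Review bot: The exemption introduced on the `_, isService := a.context.Checker.(BuiltinRoleSet)` line is wider than the comment beside `Verified:` suggests: any caller whose Checker is a BuiltinRoleSet is treated as MFA-verified, which also makes `AlwaysRequired: ap.GetRequireSessionMFA()` a no-op for every builtin role, not just proxy_service and kube_service. If only the roles that legitimately call UpsertKubeService should be exempt, the check should be narrowed to those roles (a per-role helper, if the file already has one, would read more clearly than a bare type assertion); otherwise the comment should say so explicitly, e.g. `// Every builtin role is exempt from MFA here, including RequireSessionMFA; only the RBAC action check above applies.` Because this relaxes a security control, the change would be safer with a test covering a builtin-role caller and a non-MFA user caller when RequireSessionMFA is enabled, which this patch does not include. UpsertKubeService begins before the hunk and continues after it.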