diff --git a/docs/pages/admin-guides.mdx b/docs/pages/admin-guides.mdx index 4141a2e1bff9c..fc6592d7f0332 100644 --- a/docs/pages/admin-guides.mdx +++ b/docs/pages/admin-guides.mdx @@ -33,6 +33,8 @@ Guides for enrolling servers, databases, and other infrastructure resources with - [Protect Linux Servers with Teleport (section)](admin-guides/protect-resources/server-access.mdx): How to enroll Linux servers in your Teleport cluster to enable secure SSH access. - [Teleport Agents (section)](admin-guides/protect-resources/agents.mdx): How to use Teleport Agents, which enable users to connect to resources in your infrastructure. - [Teleport Auto-Discovery (section)](admin-guides/protect-resources/auto-discovery.mdx): Learn how to use the Teleport Discovery Service, which automatically enrolls resources by query APIs +- [Teleport Desktop Access (section)](admin-guides/protect-resources/desktop-access.mdx): How to proctect Windows Desktops with Teleport +- [Teleport Kubernetes Access (section)](admin-guides/protect-resources/kubernetes-access.mdx): Protect Kubernetes clusters with Teleport ## Self-Hosting Teleport diff --git a/docs/pages/admin-guides/protect-resources.mdx b/docs/pages/admin-guides/protect-resources.mdx index 9e6c2af2b25c4..6c90e0c02594a 100644 --- a/docs/pages/admin-guides/protect-resources.mdx +++ b/docs/pages/admin-guides/protect-resources.mdx 
@@ -44,3 +44,26 @@ Learn how to use the Teleport Discovery Service, which automatically enrolls res - [Automatically Enroll Kubernetes Clusters (section)](protect-resources/auto-discovery/kubernetes.mdx): Register Kubernetes clusters with your Teleport cluster by polling service discovery endpoints. - [Enroll Kubernetes Services as Teleport Applications (section)](protect-resources/auto-discovery/kubernetes-applications.mdx): Teleport can automatically detect applications running in your Kubernetes clusters and register them with Teleport for secure access. - [Server Auto-Discovery (section)](protect-resources/auto-discovery/servers.mdx): You can set up the Teleport Discovery Service to automatically enroll servers in your infrastructure. + +## Teleport Desktop Access + +How to proctect Windows Desktops with Teleport ([more info](protect-resources/desktop-access.mdx)) + +- [Automatic User Creation](protect-resources/desktop-access/user-creation.mdx): Using Automatic User Creation with Teleport desktop access. +- [Clipboard Sharing](protect-resources/desktop-access/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access. +- [Configure access for Active Directory manually](protect-resources/desktop-access/active-directory-manual.mdx): Explains how to manually connect Teleport to an Active Directory domain. +- [Configure access for local Windows users](protect-resources/desktop-access/getting-started.mdx): Use Teleport to configure passwordless access for local Windows users. +- [Directory Sharing](protect-resources/desktop-access/directory-sharing.mdx): Teleport desktop Directory Sharing lets you easily send files to a remote desktop. +- [Manage Access to Windows Resources](protect-resources/desktop-access/introduction.mdx): Demonstrates how you can manage access to Windows desktops with Teleport. +- [Session Recording and Playback](protect-resources/desktop-access/sessions.mdx): Recording and playing back Teleport desktop access sessions. 
+- [Troubleshooting Desktop Access](protect-resources/desktop-access/troubleshooting.mdx): Common issues and resolutions for Teleport's desktop access + +## Teleport Kubernetes Access + +Protect Kubernetes clusters with Teleport ([more info](protect-resources/kubernetes-access.mdx)) + +- [Access Kubernetes Clusters with Teleport](protect-resources/kubernetes-access/introduction.mdx): Learn how Teleport can protect your Kubernetes clusters with RBAC, audit logging, and more. +- [Enroll a Kubernetes Cluster](protect-resources/kubernetes-access/getting-started.mdx): Demonstrates how to enroll a Kubernetes cluster as a resource protected by Teleport. +- [Kubernetes Access Troubleshooting](protect-resources/kubernetes-access/troubleshooting.mdx): Troubleshooting common issues with Kubernetes access +- [Registering Kubernetes Clusters with Teleport (section)](protect-resources/kubernetes-access/register-clusters.mdx): How to manually add a Kubernetes cluster to Teleport after creating it. +- [Setting Up Teleport Access Controls for Kubernetes](protect-resources/kubernetes-access/manage-access.mdx): How to configure Teleport roles to access clusters, groups, users, and resources in Kubernetes. diff --git a/docs/pages/admin-guides/protect-resources/desktop-access.mdx b/docs/pages/admin-guides/protect-resources/desktop-access.mdx new file mode 100644 index 0000000000000..c411f8060c073 --- /dev/null +++ b/docs/pages/admin-guides/protect-resources/desktop-access.mdx 
@@ -0,0 +1,15 @@ +--- +title: Teleport Desktop Access +description: How to proctect Windows Desktops with Teleport +--- + +{/*TOPICS*/} + +- [Automatic User Creation](desktop-access/user-creation.mdx): Using Automatic User Creation with Teleport desktop access. +- [Clipboard Sharing](desktop-access/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access. +- [Configure access for Active Directory manually](desktop-access/active-directory-manual.mdx): Explains how to manually connect Teleport to an Active Directory domain. +- [Configure access for local Windows users](desktop-access/getting-started.mdx): Use Teleport to configure passwordless access for local Windows users. +- [Directory Sharing](desktop-access/directory-sharing.mdx): Teleport desktop Directory Sharing lets you easily send files to a remote desktop. +- [Manage Access to Windows Resources](desktop-access/introduction.mdx): Demonstrates how you can manage access to Windows desktops with Teleport. +- [Session Recording and Playback](desktop-access/sessions.mdx): Recording and playing back Teleport desktop access sessions. +- [Troubleshooting Desktop Access](desktop-access/troubleshooting.mdx): Common issues and resolutions for Teleport's desktop access diff --git a/docs/pages/desktop-access/active-directory-manual.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/active-directory-manual.mdx similarity index 100% rename from docs/pages/desktop-access/active-directory-manual.mdx rename to docs/pages/admin-guides/protect-resources/desktop-access/active-directory-manual.mdx diff --git a/docs/pages/desktop-access/reference/clipboard.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/clipboard.mdx similarity index 100% rename from docs/pages/desktop-access/reference/clipboard.mdx rename to docs/pages/admin-guides/protect-resources/desktop-access/clipboard.mdx 
diff --git a/docs/pages/desktop-access/directory-sharing.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/directory-sharing.mdx similarity index 100% rename from docs/pages/desktop-access/directory-sharing.mdx rename to docs/pages/admin-guides/protect-resources/desktop-access/directory-sharing.mdx diff --git a/docs/pages/desktop-access/getting-started.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/getting-started.mdx similarity index 100% rename from docs/pages/desktop-access/getting-started.mdx rename to docs/pages/admin-guides/protect-resources/desktop-access/getting-started.mdx diff --git a/docs/pages/desktop-access/introduction.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/introduction.mdx similarity index 100% rename from docs/pages/desktop-access/introduction.mdx rename to docs/pages/admin-guides/protect-resources/desktop-access/introduction.mdx diff --git a/docs/pages/desktop-access/reference/sessions.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/sessions.mdx similarity index 97% rename from docs/pages/desktop-access/reference/sessions.mdx rename to docs/pages/admin-guides/protect-resources/desktop-access/sessions.mdx index 7e4903e2287d5..92450ace27b84 100644 --- a/docs/pages/desktop-access/reference/sessions.mdx +++ b/docs/pages/admin-guides/protect-resources/desktop-access/sessions.mdx @@ -62,7 +62,7 @@ Recorded sessions can be viewed in the *Session Recordings* page under the *Activity* section in the *Management* area. Desktop recordings show a desktop icon in the first column to distinguish them from SSH recordings. -![Desktop Session Recording](../../../img/desktop-access/session-recording@2x.png) +![Desktop Session Recording](../../../../img/desktop-access/session-recording@2x.png) Click the play button to open the player in a new tab. To export desktop session recordings to video for playback outside of Teleport, use the 
diff --git a/docs/pages/desktop-access/troubleshooting.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/troubleshooting.mdx similarity index 100% rename from docs/pages/desktop-access/troubleshooting.mdx rename to docs/pages/admin-guides/protect-resources/desktop-access/troubleshooting.mdx diff --git a/docs/pages/desktop-access/reference/user-creation.mdx b/docs/pages/admin-guides/protect-resources/desktop-access/user-creation.mdx similarity index 100% rename from docs/pages/desktop-access/reference/user-creation.mdx rename to docs/pages/admin-guides/protect-resources/desktop-access/user-creation.mdx diff --git a/docs/pages/kubernetes-access.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access.mdx similarity index 84% rename from docs/pages/kubernetes-access.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access.mdx index b7a273b80abb8..96d63052885d4 100644 --- a/docs/pages/kubernetes-access.mdx +++ b/docs/pages/admin-guides/protect-resources/kubernetes-access.mdx 
@@ -7,10 +7,8 @@ description: Protect Kubernetes clusters with Teleport - [Access Kubernetes Clusters with Teleport](kubernetes-access/introduction.mdx): Learn how Teleport can protect your Kubernetes clusters with RBAC, audit logging, and more. - [Enroll a Kubernetes Cluster](kubernetes-access/getting-started.mdx): Demonstrates how to enroll a Kubernetes cluster as a resource protected by Teleport. -- [Kubernetes Access FAQ](kubernetes-access/faq.mdx): Frequently asked questions about Teleport Kubernetes Access - [Kubernetes Access Troubleshooting](kubernetes-access/troubleshooting.mdx): Troubleshooting common issues with Kubernetes access - [Setting Up Teleport Access Controls for Kubernetes](kubernetes-access/manage-access.mdx): How to configure Teleport roles to access clusters, groups, users, and resources in Kubernetes. -- [Teleport Kubernetes Access Controls](kubernetes-access/controls.mdx): How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes ## Registering Kubernetes Clusters with Teleport diff --git a/docs/pages/kubernetes-access/getting-started.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/getting-started.mdx similarity index 100% rename from docs/pages/kubernetes-access/getting-started.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access/getting-started.mdx diff --git a/docs/pages/kubernetes-access/introduction.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/introduction.mdx similarity index 100% rename from docs/pages/kubernetes-access/introduction.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access/introduction.mdx diff --git a/docs/pages/kubernetes-access/manage-access.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/manage-access.mdx similarity index 100% rename from docs/pages/kubernetes-access/manage-access.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access/manage-access.mdx 
diff --git a/docs/pages/kubernetes-access/register-clusters.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters.mdx similarity index 100% rename from docs/pages/kubernetes-access/register-clusters.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters.mdx diff --git a/docs/pages/kubernetes-access/register-clusters/dynamic-registration.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/dynamic-registration.mdx similarity index 100% rename from docs/pages/kubernetes-access/register-clusters/dynamic-registration.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/dynamic-registration.mdx diff --git a/docs/pages/kubernetes-access/register-clusters/iam-joining.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/iam-joining.mdx similarity index 100% rename from docs/pages/kubernetes-access/register-clusters/iam-joining.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/iam-joining.mdx diff --git a/docs/pages/kubernetes-access/register-clusters/static-kubeconfig.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/static-kubeconfig.mdx similarity index 100% rename from docs/pages/kubernetes-access/register-clusters/static-kubeconfig.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access/register-clusters/static-kubeconfig.mdx diff --git a/docs/pages/kubernetes-access/troubleshooting.mdx b/docs/pages/admin-guides/protect-resources/kubernetes-access/troubleshooting.mdx similarity index 100% rename from docs/pages/kubernetes-access/troubleshooting.mdx rename to docs/pages/admin-guides/protect-resources/kubernetes-access/troubleshooting.mdx diff --git a/docs/pages/desktop-access.mdx b/docs/pages/desktop-access.mdx deleted file mode 100644 index e473d82d0eff1..0000000000000 
--- a/docs/pages/desktop-access.mdx +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: Teleport Desktop Access -description: How to proctect Windows Desktops with Teleport ---- - -{/*TOPICS*/} - -- [Configure access for Active Directory manually](desktop-access/active-directory-manual.mdx): Explains how to manually connect Teleport to an Active Directory domain. -- [Configure access for local Windows users](desktop-access/getting-started.mdx): Use Teleport to configure passwordless access for local Windows users. -- [Directory Sharing](desktop-access/directory-sharing.mdx): Teleport desktop Directory Sharing lets you easily send files to a remote desktop. -- [Manage Access to Windows Resources](desktop-access/introduction.mdx): Demonstrates how you can manage access to Windows desktops with Teleport. -- [Role-Based Access Control for Desktops](desktop-access/rbac.mdx): Role-based access control (RBAC) for desktops protected by Teleport. -- [Troubleshooting Desktop Access](desktop-access/troubleshooting.mdx): Common issues and resolutions for Teleport's desktop access - -## Desktop Access Reference - -Comprehensive guides to configuring and auditing desktop access. ([more info](desktop-access/reference.mdx)) - -- [Automatic User Creation](desktop-access/reference/user-creation.mdx): Using Automatic User Creation with Teleport desktop access. -- [Clipboard Sharing](desktop-access/reference/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access. -- [Desktop Access Audit Events Reference](desktop-access/reference/audit.mdx): Audit events reference for Teleport desktop access. -- [Desktop Access CLI Reference](desktop-access/reference/cli.mdx): CLI reference for Teleport desktop access. -- [Desktop Access Configuration Reference](desktop-access/reference/configuration.mdx): Configuration reference for Teleport desktop access. -- [Session Recording and Playback](desktop-access/reference/sessions.mdx): Recording and playing back Teleport desktop access sessions. 
diff --git a/docs/pages/desktop-access/reference.mdx b/docs/pages/desktop-access/reference.mdx deleted file mode 100644 index 1b203b73119c0..0000000000000 --- a/docs/pages/desktop-access/reference.mdx +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: Desktop Access Reference -description: Comprehensive guides to configuring and auditing desktop access. -layout: tocless-doc ---- - -{/*TOPICS*/} - -- [Automatic User Creation](reference/user-creation.mdx): Using Automatic User Creation with Teleport desktop access. -- [Clipboard Sharing](reference/clipboard.mdx): Using Clipboard Sharing with Teleport desktop access. -- [Desktop Access Audit Events Reference](reference/audit.mdx): Audit events reference for Teleport desktop access. -- [Desktop Access CLI Reference](reference/cli.mdx): CLI reference for Teleport desktop access. -- [Desktop Access Configuration Reference](reference/configuration.mdx): Configuration reference for Teleport desktop access. -- [Session Recording and Playback](reference/sessions.mdx): Recording and playing back Teleport desktop access sessions. diff --git a/docs/pages/reference.mdx b/docs/pages/reference.mdx index 09b2afed55c95..5bfa87df09f5d 100644 --- a/docs/pages/reference.mdx +++ b/docs/pages/reference.mdx @@ -9,6 +9,7 @@ description: Comprehensive guides to commands, configuration options, and other Contains guides to frequently asked questions for various Teleport features and use cases. ([more info](reference/faq.mdx)) +- [Kubernetes Access FAQ](reference/faq/kubernetes-access.mdx): Frequently asked questions about Teleport Kubernetes Access - [Teleport Enterprise Cloud FAQ](reference/faq/cloud-hosting.mdx): Teleport cloud frequently asked questions. - [Teleport FAQ](reference/faq/faq.mdx): Frequently Asked Questions About Using Teleport 
@@ -29,6 +30,8 @@ References for concepts and tools available for operating Teleport. ([more info] Available options for configuring access to Teleport privileges and infrastructure resources. ([more info](reference/rbac.mdx)) - [Access Controls for Servers](reference/rbac/server-rbac.mdx): Role-based access control (RBAC) for Teleport server access. +- [Role-Based Access Control for Desktops](reference/rbac/desktop-access.mdx): Role-based access control (RBAC) for desktops protected by Teleport. +- [Teleport Kubernetes Access Controls](reference/rbac/controls.mdx): How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes ## Teleport Architecture Guides @@ -52,6 +55,7 @@ Guides to the inner workings of components within a Teleport cluster. ([more inf Comprehensive lists of commands, arguments, and flags for Teleport CLI tools. ([more info](reference/cli.mdx)) - [CLI Reference Introduction](reference/cli/overview.mdx): Detailed guide and reference documentation for Teleport's command line interface (CLI) tools. +- [Desktop Access CLI Reference](reference/cli/desktop-access.mdx): CLI reference for Teleport desktop access. - [tbot CLI reference](reference/cli/tbot.mdx): Comprehensive reference of subcommands, flags, and arguments for the tbot CLI tool. - [tctl CLI reference](reference/cli/tctl.mdx): Comprehensive reference of subcommands, flags, and arguments for the tctl CLI tool. - [teleport CLI Reference](reference/cli/teleport.mdx): Comprehensive reference of subcommands, flags, and arguments for the teleport CLI tool. 
@@ -61,6 +65,7 @@ Comprehensive lists of commands, arguments, and flags for Teleport CLI tools. ([ Comprehensive guides to configuring Teleport. ([more info](reference/config-references.mdx)) +- [Desktop Access Configuration Reference](reference/config-references/database-access-config.mdx): Configuration reference for Teleport desktop access. - [Helm Chart Reference (section)](reference/config-references/helm-reference.mdx): Comprehensive lists of configuration values in Teleport's Helm charts - [Predicate Language](reference/config-references/predicate-language.mdx): How to use Teleport's predicate language to define filter conditions. - [Teleport Configuration Reference](reference/config-references/config.mdx): The detailed guide and reference documentation for configuring Teleport for SSH and Kubernetes access. @@ -71,9 +76,9 @@ Comprehensive guides to configuring Teleport. ([more info](reference/config-refe How to obtain information about activity in your Teleport cluster. ([more info](reference/monitoring.mdx)) -- [Audit Events and Records](reference/monitoring/audit.mdx): Reference of Teleport Audit Events and Session Records - [Distributed Tracing Configuration Reference](reference/monitoring/configuration.mdx): Configuration reference for Distributed Tracing. - [Distributed Tracing](reference/monitoring/tracing.mdx): How to enable tracing within Teleport. - [Health Monitoring](reference/monitoring/monitoring.mdx): Monitoring health and readiness. - [Metrics](reference/monitoring/metrics.mdx): How to enable and consume metrics - [Profiling](reference/monitoring/profiles.mdx): Collecting pprof profiles. +- [Teleport Audit Event References (section)](reference/monitoring/audit.mdx): Reference guides to audit events that you can export and track in Teleport. diff --git a/docs/pages/reference/cli.mdx b/docs/pages/reference/cli.mdx index 8fbebebcceb21..4839854a4974a 100644 --- a/docs/pages/reference/cli.mdx +++ b/docs/pages/reference/cli.mdx 
@@ -6,6 +6,7 @@ description: Comprehensive lists of commands, arguments, and flags for Teleport {/*TOPICS*/} - [CLI Reference Introduction](cli/overview.mdx): Detailed guide and reference documentation for Teleport's command line interface (CLI) tools. +- [Desktop Access CLI Reference](cli/desktop-access.mdx): CLI reference for Teleport desktop access. - [tbot CLI reference](cli/tbot.mdx): Comprehensive reference of subcommands, flags, and arguments for the tbot CLI tool. - [tctl CLI reference](cli/tctl.mdx): Comprehensive reference of subcommands, flags, and arguments for the tctl CLI tool. - [teleport CLI Reference](cli/teleport.mdx): Comprehensive reference of subcommands, flags, and arguments for the teleport CLI tool. diff --git a/docs/pages/desktop-access/reference/cli.mdx b/docs/pages/reference/cli/desktop-access.mdx similarity index 100% rename from docs/pages/desktop-access/reference/cli.mdx rename to docs/pages/reference/cli/desktop-access.mdx diff --git a/docs/pages/reference/config-references.mdx b/docs/pages/reference/config-references.mdx index fbee02639d660..9d552d34e094c 100644 --- a/docs/pages/reference/config-references.mdx +++ b/docs/pages/reference/config-references.mdx @@ -5,6 +5,7 @@ description: Comprehensive guides to configuring Teleport. {/*TOPICS*/} +- [Desktop Access Configuration Reference](config-references/database-access-config.mdx): Configuration reference for Teleport desktop access. - [Predicate Language](config-references/predicate-language.mdx): How to use Teleport's predicate language to define filter conditions. - [Teleport Configuration Reference](config-references/config.mdx): The detailed guide and reference documentation for configuring Teleport for SSH and Kubernetes access. - [Teleport Resource Reference](config-references/resources.mdx): Reference documentation for Teleport resources 
diff --git a/docs/pages/desktop-access/reference/configuration.mdx b/docs/pages/reference/config-references/database-access-config.mdx similarity index 100% rename from docs/pages/desktop-access/reference/configuration.mdx rename to docs/pages/reference/config-references/database-access-config.mdx diff --git a/docs/pages/reference/faq.mdx b/docs/pages/reference/faq.mdx index 5329523b3b715..b823f0150e789 100644 --- a/docs/pages/reference/faq.mdx +++ b/docs/pages/reference/faq.mdx @@ -5,5 +5,6 @@ description: Contains guides to frequently asked questions for various Teleport {/*TOPICS*/} +- [Kubernetes Access FAQ](faq/kubernetes-access.mdx): Frequently asked questions about Teleport Kubernetes Access - [Teleport Enterprise Cloud FAQ](faq/cloud-hosting.mdx): Teleport cloud frequently asked questions. - [Teleport FAQ](faq/faq.mdx): Frequently Asked Questions About Using Teleport diff --git a/docs/pages/kubernetes-access/faq.mdx b/docs/pages/reference/faq/kubernetes-access.mdx similarity index 100% rename from docs/pages/kubernetes-access/faq.mdx rename to docs/pages/reference/faq/kubernetes-access.mdx diff --git a/docs/pages/reference/monitoring.mdx b/docs/pages/reference/monitoring.mdx index 2af6110da6786..2584229eb70db 100644 --- a/docs/pages/reference/monitoring.mdx +++ b/docs/pages/reference/monitoring.mdx 
@@ -5,9 +5,15 @@ description: How to obtain information about activity in your Teleport cluster. {/*TOPICS*/} -- [Audit Events and Records](monitoring/audit.mdx): Reference of Teleport Audit Events and Session Records - [Distributed Tracing Configuration Reference](monitoring/configuration.mdx): Configuration reference for Distributed Tracing. - [Distributed Tracing](monitoring/tracing.mdx): How to enable tracing within Teleport. - [Health Monitoring](monitoring/monitoring.mdx): Monitoring health and readiness. - [Metrics](monitoring/metrics.mdx): How to enable and consume metrics - [Profiling](monitoring/profiles.mdx): Collecting pprof profiles. + +## Teleport Audit Event References + +Reference guides to audit events that you can export and track in Teleport. ([more info](monitoring/audit.mdx)) + +- [Audit Events and Records](monitoring/audit/audit.mdx): Reference of Teleport Audit Events and Session Records +- [Desktop Access Audit Events Reference](monitoring/audit/desktop-events.mdx): Audit events reference for Teleport desktop access. diff --git a/docs/pages/reference/monitoring/audit.mdx b/docs/pages/reference/monitoring/audit.mdx index ff45f06ef67a5..85e774c784cc6 100644 --- a/docs/pages/reference/monitoring/audit.mdx +++ b/docs/pages/reference/monitoring/audit.mdx 
@@ -1,234 +1,9 @@ --- -title: Audit Events and Records -description: Reference of Teleport Audit Events and Session Records +title: Teleport Audit Event References +description: Reference guides to audit events that you can export and track in Teleport. --- -Teleport logs cluster activity by emitting various events into its audit log. -There are two components of the audit log: +{/*TOPICS*/} - - - -- **Cluster Events:** Teleport logs events like successful user logins along - with metadata like remote IP address, time, and the session ID. -- **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and - can be replayed later. By default, the recording is done by Teleport Nodes, - but can be configured to be done by the proxy. - - - - -- **Cluster Events:** Teleport logs events like successful user logins along - with metadata like remote IP address, time, and the session ID. -- **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and - can be replayed later. Teleport Cloud manages the storage of session - recording data. - - - - - - -You can use -[Enhanced Session Recording with BPF](../server-access/guides/bpf-session-recording.mdx) -to get even more comprehensive audit logs with advanced security. - - - -## Events - - - - -Teleport supports multiple storage backends for storing audit events. The `dir` -backend uses the local filesystem of an Auth Service host. When this backend is -used, events are written to the filesystem in JSON format. The `dir` backend rotates -the event file approximately once every 24 hours, but never deletes captured events. - -For High Availability configurations, users can refer to our -[Athena](./backends.mdx#athena), [DynamoDB](./backends.mdx#dynamodb) or -[Firestore](./backends.mdx#firestore) chapters for information on how to -configure the SSH events and recorded sessions to be stored on network storage. 
-When these backends are in use, audit events will eventually expire and be -removed from the log. The default retention period is 1 year, but this can be -overridden using the `retention_period` configuration parameter. - -It is even possible to store audit logs in multiple places at the same time. For -more information on how to configure the audit log, refer to the `storage` -section of the example configuration file in the -[Teleport Configuration Reference](./config.mdx). - -Let's examine the Teleport audit log using the `dir` backend. The event log is -stored in Teleport's data dir under the `log` directory. This is usually -`/var/lib/teleport/log`. Each day is represented as a file: - -```code -$ ls -l /var/lib/teleport/log/ - -# total 104 -# -rw-r----- 1 root root 31638 Jan 22 20:00 2017-01-23.00:00:00.log -# -rw-r----- 1 root root 91256 Jan 31 21:00 2017-02-01.00:00:00.log -# -rw-r----- 1 root root 15815 Feb 32 22:54 2017-02-03.00:00:00.log -``` - - - - -Teleport Enterprise Cloud manages the storage of audit logs for you. You can -access your audit logs via the Teleport Web UI by clicking: - -**Activity** > **Audit Log** - - - - -Audit logs use JSON format. They are human readable but can also be -programmatically parsed. Each line represents an event and has the following -format: - -```javascript -{ - // Event type. See below for the list of all possible event types. - "event": "session.start", - // A unique ID for the event log. Useful for deduplication. - "uid": "59cf8d1b-7b36-4894-8e90-9d9713b6b9ef", - // Teleport user name - "user": "ekontsevoy", - // OS login - "login": "root", - // Server namespace. This field is reserved for future use. - "namespace": "default", - // Unique server ID - "server_id": "f84f7386-5e22-45ff-8f7d-b8079742e63f", - // Server Labels - "server_labels": { - "datacenter": "us-east-1", - "label-b": "x" - } - // Session ID. Can be used to replay the session. 
- "sid": "8d3895b6-e9dd-11e6-94de-40167e68e931", - // Address of the SSH node - "addr.local": "10.5.l.15:3022", - // Address of the connecting client (user) - "addr.remote": "73.223.221.14:42146", - // Terminal size - "size": "80:25", - // Timestamp - "time": "2017-02-03T06:54:05Z" -} -``` - -## Event types - -Below are some possible types of audit events. - - - -This list is not comprehensive. We recommend exporting audit events to a -platform that automatically parses event payloads so you can group and filter -them by their `event` key and discover trends. To set up audit event exporting, -read [Exporting Teleport Audit Events](../management/export-audit-events.mdx). - - - -| Event Type | Description | -| - | - | -| auth | Authentication attempt. Adds the following fields: `{"success": "false", "error": "access denied"}` | -| session.start | Started an interactive shell session. | -| session.end | An interactive shell session has ended. | -| session.join | A new user has joined the existing interactive shell session. | -| session.leave | A user has left the session. | -| session.disk | A list of files opened during the session. *Requires Enhanced Session Recording*. | -| session.network | A list of network connections made during the session. *Requires Enhanced Session Recording*. | -| session.command | A list of commands ran during the session. *Requires Enhanced Session Recording*. | -| session.recording.access | A session recording has been accessed. | -| exec | Remote command has been executed via SSH, like `tsh ssh root@node ls /`. The following fields will be logged: `{"command": "ls /", "exitCode": 0, "exitError": ""}` | -| scp | Remote file copy has been executed. The following fields will be logged: `{"path": "/path/to/file.txt", "len": 32344, "action": "read" }` | -| resize | Terminal has been resized. | -| user.login | A user logged into web UI or via tsh. The following fields will be logged: `{"user": "alice@example.com", "method": "local"}` . 
| -| app.session.start | A user accessed an application | -| app.session.chunk | A record of activity during an app session | -| join_token.create | A new join token has been created. Adds the following fields: `{"roles": ["Node", "Db"], "join_method": "token"}` | - -## Recorded sessions - -In addition to logging start and end events, Teleport can also record the entire session. -For SSH or Kubernetes sessions this captures the entire stream of bytes from the PTY. -For desktop sessions the recording includes the contents of the screen. - - - - -Teleport can store the recorded sessions in an [AWS S3 bucket](./backends.mdx#s3) -or in a local filesystem (including NFS). - -The recorded sessions are stored as raw bytes in the `sessions` directory under -`log`. Each session is a protobuf-encoded stream of binary data. - -You can replay recorded sessions using the [`tsh play`](./cli/tsh.mdx#tsh-play) -command or the Web UI. - -For example, replay a session via CLI: - -```code -$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 -``` - -Print the session events in JSON to stdout: - -```code -$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json -``` - - - - -Teleport Enterprise Cloud automatically stores recorded sessions. - -You can replay recorded sessions using the [`tsh play`](./cli/tsh.mdx#tsh-play) -command or the Web UI. - -For example, replay a session via CLI: - -```code -$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 -``` - -Print the session events in JSON to stdout: - -```code -$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json -``` - - - - -### Modes - - -Available only for SSH sessions and when Teleport is configured with -`auth_service.session_recording: node`. - - -Modes define how Teleport deals with recording failures, such as a full disk -error. They are configured per-service at the role level, where the strictest -value takes precedence. 
The available modes are: - -|Mode|After a recording failure| -|----|-------------------------| -|Best effort (`best_effort`)|Disables recording without terminating the session.| -|Strict (`strict`)|Immediately terminates the session.| - -If the user role doesn’t specify a recording mode, `best_effort` will be used. Here -is an example of a role configured to use strict mode for SSH sessions: - -```yaml -kind: role -version: v5 -metadata: - name: ssh-strict -spec: - options: - record_session: - ssh: strict -``` +- [Audit Events and Records](audit/audit.mdx): Reference of Teleport Audit Events and Session Records +- [Desktop Access Audit Events Reference](audit/desktop-events.mdx): Audit events reference for Teleport desktop access. diff --git a/docs/pages/reference/monitoring/audit/audit.mdx b/docs/pages/reference/monitoring/audit/audit.mdx new file mode 100644 index 0000000000000..ff45f06ef67a5 --- /dev/null +++ b/docs/pages/reference/monitoring/audit/audit.mdx 
@@ -0,0 +1,234 @@ +--- +title: Audit Events and Records +description: Reference of Teleport Audit Events and Session Records +--- + +Teleport logs cluster activity by emitting various events into its audit log. +There are two components of the audit log: + + + + +- **Cluster Events:** Teleport logs events like successful user logins along + with metadata like remote IP address, time, and the session ID. +- **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and + can be replayed later. By default, the recording is done by Teleport Nodes, + but can be configured to be done by the proxy. + + + + +- **Cluster Events:** Teleport logs events like successful user logins along + with metadata like remote IP address, time, and the session ID. +- **Recorded Sessions:** Every SSH, desktop, or Kubernetes shell session is recorded and + can be replayed later. Teleport Cloud manages the storage of session + recording data. + + + + + + +You can use +[Enhanced Session Recording with BPF](../server-access/guides/bpf-session-recording.mdx) +to get even more comprehensive audit logs with advanced security. + + + +## Events + + + + +Teleport supports multiple storage backends for storing audit events. The `dir` +backend uses the local filesystem of an Auth Service host. When this backend is +used, events are written to the filesystem in JSON format. The `dir` backend rotates +the event file approximately once every 24 hours, but never deletes captured events. + +For High Availability configurations, users can refer to our +[Athena](./backends.mdx#athena), [DynamoDB](./backends.mdx#dynamodb) or +[Firestore](./backends.mdx#firestore) chapters for information on how to +configure the SSH events and recorded sessions to be stored on network storage. +When these backends are in use, audit events will eventually expire and be +removed from the log. 
The default retention period is 1 year, but this can be +overridden using the `retention_period` configuration parameter. + +It is even possible to store audit logs in multiple places at the same time. For +more information on how to configure the audit log, refer to the `storage` +section of the example configuration file in the +[Teleport Configuration Reference](./config.mdx). + +Let's examine the Teleport audit log using the `dir` backend. The event log is +stored in Teleport's data dir under the `log` directory. This is usually +`/var/lib/teleport/log`. Each day is represented as a file: + +```code +$ ls -l /var/lib/teleport/log/ + +# total 104 +# -rw-r----- 1 root root 31638 Jan 22 20:00 2017-01-23.00:00:00.log +# -rw-r----- 1 root root 91256 Jan 31 21:00 2017-02-01.00:00:00.log +# -rw-r----- 1 root root 15815 Feb 32 22:54 2017-02-03.00:00:00.log +``` + + + + +Teleport Enterprise Cloud manages the storage of audit logs for you. You can +access your audit logs via the Teleport Web UI by clicking: + +**Activity** > **Audit Log** + + + + +Audit logs use JSON format. They are human readable but can also be +programmatically parsed. Each line represents an event and has the following +format: + +```javascript +{ + // Event type. See below for the list of all possible event types. + "event": "session.start", + // A unique ID for the event log. Useful for deduplication. + "uid": "59cf8d1b-7b36-4894-8e90-9d9713b6b9ef", + // Teleport user name + "user": "ekontsevoy", + // OS login + "login": "root", + // Server namespace. This field is reserved for future use. + "namespace": "default", + // Unique server ID + "server_id": "f84f7386-5e22-45ff-8f7d-b8079742e63f", + // Server Labels + "server_labels": { + "datacenter": "us-east-1", + "label-b": "x" + } + // Session ID. Can be used to replay the session. 
+ "sid": "8d3895b6-e9dd-11e6-94de-40167e68e931", + // Address of the SSH node + "addr.local": "10.5.l.15:3022", + // Address of the connecting client (user) + "addr.remote": "73.223.221.14:42146", + // Terminal size + "size": "80:25", + // Timestamp + "time": "2017-02-03T06:54:05Z" +} +``` + +## Event types + +Below are some possible types of audit events. + + + +This list is not comprehensive. We recommend exporting audit events to a +platform that automatically parses event payloads so you can group and filter +them by their `event` key and discover trends. To set up audit event exporting, +read [Exporting Teleport Audit Events](../management/export-audit-events.mdx). + + + +| Event Type | Description | +| - | - | +| auth | Authentication attempt. Adds the following fields: `{"success": "false", "error": "access denied"}` | +| session.start | Started an interactive shell session. | +| session.end | An interactive shell session has ended. | +| session.join | A new user has joined the existing interactive shell session. | +| session.leave | A user has left the session. | +| session.disk | A list of files opened during the session. *Requires Enhanced Session Recording*. | +| session.network | A list of network connections made during the session. *Requires Enhanced Session Recording*. | +| session.command | A list of commands ran during the session. *Requires Enhanced Session Recording*. | +| session.recording.access | A session recording has been accessed. | +| exec | Remote command has been executed via SSH, like `tsh ssh root@node ls /`. The following fields will be logged: `{"command": "ls /", "exitCode": 0, "exitError": ""}` | +| scp | Remote file copy has been executed. The following fields will be logged: `{"path": "/path/to/file.txt", "len": 32344, "action": "read" }` | +| resize | Terminal has been resized. | +| user.login | A user logged into web UI or via tsh. The following fields will be logged: `{"user": "alice@example.com", "method": "local"}` . 
| +| app.session.start | A user accessed an application | +| app.session.chunk | A record of activity during an app session | +| join_token.create | A new join token has been created. Adds the following fields: `{"roles": ["Node", "Db"], "join_method": "token"}` | + +## Recorded sessions + +In addition to logging start and end events, Teleport can also record the entire session. +For SSH or Kubernetes sessions this captures the entire stream of bytes from the PTY. +For desktop sessions the recording includes the contents of the screen. + + + + +Teleport can store the recorded sessions in an [AWS S3 bucket](./backends.mdx#s3) +or in a local filesystem (including NFS). + +The recorded sessions are stored as raw bytes in the `sessions` directory under +`log`. Each session is a protobuf-encoded stream of binary data. + +You can replay recorded sessions using the [`tsh play`](./cli/tsh.mdx#tsh-play) +command or the Web UI. + +For example, replay a session via CLI: + +```code +$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 +``` + +Print the session events in JSON to stdout: + +```code +$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json +``` + + + + +Teleport Enterprise Cloud automatically stores recorded sessions. + +You can replay recorded sessions using the [`tsh play`](./cli/tsh.mdx#tsh-play) +command or the Web UI. + +For example, replay a session via CLI: + +```code +$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 +``` + +Print the session events in JSON to stdout: + +```code +$ tsh play 4c146ec8-eab6-11e6-b1b3-40167e68e931 --format=json +``` + + + + +### Modes + + +Available only for SSH sessions and when Teleport is configured with +`auth_service.session_recording: node`. + + +Modes define how Teleport deals with recording failures, such as a full disk +error. They are configured per-service at the role level, where the strictest +value takes precedence. 
The available modes are: + +|Mode|After a recording failure| +|----|-------------------------| +|Best effort (`best_effort`)|Disables recording without terminating the session.| +|Strict (`strict`)|Immediately terminates the session.| + +If the user role doesn’t specify a recording mode, `best_effort` will be used. Here +is an example of a role configured to use strict mode for SSH sessions: + +```yaml +kind: role +version: v5 +metadata: + name: ssh-strict +spec: + options: + record_session: + ssh: strict +``` diff --git a/docs/pages/desktop-access/reference/audit.mdx b/docs/pages/reference/monitoring/audit/desktop-events.mdx similarity index 100% rename from docs/pages/desktop-access/reference/audit.mdx rename to docs/pages/reference/monitoring/audit/desktop-events.mdx diff --git a/docs/pages/reference/rbac.mdx b/docs/pages/reference/rbac.mdx index 471300b42865e..4eb98953919b7 100644 --- a/docs/pages/reference/rbac.mdx +++ b/docs/pages/reference/rbac.mdx @@ -6,3 +6,5 @@ description: Available options for configuring access to Teleport privileges and {/*TOPICS*/} - [Access Controls for Servers](rbac/server-rbac.mdx): Role-based access control (RBAC) for Teleport server access. +- [Role-Based Access Control for Desktops](rbac/desktop-access.mdx): Role-based access control (RBAC) for desktops protected by Teleport. +- [Teleport Kubernetes Access Controls](rbac/controls.mdx): How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes diff --git a/docs/pages/kubernetes-access/controls.mdx b/docs/pages/reference/rbac/controls.mdx similarity index 99% rename from docs/pages/kubernetes-access/controls.mdx rename to docs/pages/reference/rbac/controls.mdx index 92fccb3b6b821..c1c36b4285f45 100644 --- a/docs/pages/kubernetes-access/controls.mdx +++ b/docs/pages/reference/rbac/controls.mdx 
@@ -201,7 +201,7 @@ headers](https://kubernetes.io/docs/reference/access-authn-authz/authentication/ to send requests to the API server with one Kubernetes user and zero or more Kubernetes groups. -![Impersonation](../../img/k8s/auth.svg) +![Impersonation](../../../../img/k8s/auth.svg) The `kubernetes_users` and `kubernetes_groups` fields indicate which users and groups to allow a user to assume when they send requests to a Kubernetes API diff --git a/docs/pages/desktop-access/rbac.mdx b/docs/pages/reference/rbac/desktop-access.mdx similarity index 100% rename from docs/pages/desktop-access/rbac.mdx rename to docs/pages/reference/rbac/desktop-access.mdx diff --git a/package.json b/package.json index d6fe1a6814c1d..ba1e3034eebc9 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "teleport-ui", "version": "1.0.0", "scripts": { - "all-topics": "node docs/gen-topic-pages/index.js --in docs/pages/admin-guides,docs/pages/database-access,docs/pages/access-controls,docs/pages/desktop-access,docs/pages/kubernetes-access,docs/pages/connect-your-client,docs/pages/machine-id,docs/pages/reference,docs/pages/application-access", + "all-topics": "node docs/gen-topic-pages/index.js --in docs/pages/admin-guides,docs/pages/database-access,docs/pages/access-controls,docs/pages/connect-your-client,docs/pages/machine-id,docs/pages/reference,docs/pages/application-access", "build-ui": "yarn build-ui-oss && yarn build-ui-e", "build-ui-oss": "yarn workspace @gravitational/teleport build", "build-ui-e": "yarn workspace @gravitational/teleport.e build",
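Review bot: the relative links in the new `docs/pages/reference/monitoring/audit/audit.mdx` were carried over verbatim even though the file now lives one directory deeper, so `./backends.mdx#athena`, `./config.mdx`, `./cli/tsh.mdx#tsh-play`, `../management/export-audit-events.mdx` and `../server-access/guides/bpf-session-recording.mdx` all resolve from `docs/pages/reference/monitoring/audit/` and need checking (the `controls.mdx` hunk in this same change did update its image path on move; this file did not). While here, the copied content has several small defects worth fixing in the same PR: the sample event has `"addr.local": "10.5.l.15:3022"` (lowercase L for a digit) and is missing a comma after the closing brace of `"server_labels"`, the `ls -l` sample shows the impossible date `Feb 32 22:54`, the `user.login` table row ends with a stray ` . ` before its closing pipe, and `session.command` should read "commands run during the session".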
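Review bot: the image path in the `controls.mdx` hunk looks one level too deep. The file moves from `docs/pages/kubernetes-access/controls.mdx` to `docs/pages/reference/rbac/controls.mdx`; the old `../../img/k8s/auth.svg` resolved to `docs/img/k8s/auth.svg`, but from the new location that requires three `../` segments, whereas `![Impersonation](../../../../img/k8s/auth.svg)` climbs out of `docs/` entirely. Please verify against the docs build and use `../../../img/k8s/auth.svg` unless the site resolves images from the repository root.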
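Review bot: in the `rbac.mdx` topic list the new Kubernetes entry is missing its terminal period and reads as cut off: `How the Teleport Kubernetes Service applies RBAC to manage access to Kubernetes`, while the neighbouring entries end in full sentences. Since these lines are generated from each page's front matter, fix the `description` in `rbac/controls.mdx` (for example "... to manage access to Kubernetes clusters.") and regenerate rather than editing the list by hand.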
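Review bot: the `all-topics` script in `package.json` drops `docs/pages/desktop-access` and `docs/pages/kubernetes-access` from the generator inputs, but this diff only shows three files being renamed out of those trees (`desktop-access/reference/audit.mdx`, `desktop-access/rbac.mdx`, `kubernetes-access/controls.mdx`). Please confirm that no other pages remain under either directory; anything left behind will no longer appear in any generated topic page, and removing the now-empty directories in the same PR would make that explicit.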