Here is an example for adding K8s groups that can be used in roles or user traits to define access for users accessing a K8s cluster through Teleport.
This example shows two groups: one that can list pods and view their logs, and another that can also open exec sessions to pods in the example-dev namespace.
Prerequisite: a Kubernetes cluster with RBAC enabled (note that on some distributions, such as MicroK8s, you have to enable it explicitly). Before running this you should have deployed Teleport in the Kubernetes cluster or added Teleport as a gateway to it (see https://goteleport.com/teleport/docs/kubernetes-ssh/). Either through Teleport or directly against the cluster, you should be able to create namespaces, pods, roles and bindings.
Create a namespace and an nginx pod to test access
$ kubectl create ns example-dev
namespace/example-dev created
$ kubectl run nginx --image=nginx -n example-dev
pod/nginx created
$ kubectl get po -n example-dev
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 14s
Create roles and bindings for accessing pods within the example-dev namespace
$ cat > exampleroles.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-exec
  namespace: example-dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-logs
  namespace: example-dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
  - watch
EOF
Insert the role definitions
$ kubectl create -f exampleroles.yaml
role.rbac.authorization.k8s.io/dev-exec created
role.rbac.authorization.k8s.io/dev-logs created
Create the RoleBinding configuration. Each binding grants a Role (roleRef) to a Group subject; the roleRef name must match an existing Role in the same namespace, otherwise the binding grants nothing.
$ cat > examplebindings.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-exec-binding
  namespace: example-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-exec
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: developer-exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-logs-binding
  namespace: example-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-logs
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: developer-logs
EOF
Insert the role bindings
$ kubectl create -f examplebindings.yaml
rolebinding.rbac.authorization.k8s.io/dev-exec-binding created
rolebinding.rbac.authorization.k8s.io/dev-logs-binding created
Assign K8s groups
Now we can assign the developer-exec and developer-logs groups to users or roles. The Teleport k8s guide has further examples.
In Teleport OSS you can create a user with K8s groups directly:
tctl users add joe --k8s-groups="developer-logs"
For roles, you assign the groups in the kubernetes_groups field:
cat > developer-view.yaml <<EOF
kind: role
version: v3
metadata:
  name: developer-view
spec:
  allow:
    kubernetes_groups: ["developer-logs"]
EOF
Insert the role
tctl create -f developer-view.yaml
Now assign that role to a user (e.g. tctl users add --roles=developer-view joe) or assign it in the auth connector settings.
Log in and use K8s access to list pods
Note that attempts to access other namespaces are denied.
$ tsh status
> Profile URL: https://teleport.example.com:3080
Logged in as: joe
Cluster: tele1c
Roles: developer-view*
Logins: -teleport-nologin-31c303e8-0065-4766-996e-1cf9b5660bc9
Kubernetes: enabled
Kubernetes cluster: "tele1c"
Kubernetes groups: developer-logs
Valid until: 2020-12-09 05:38:18 -0500 EST [valid for 11h59m0s]
Extensions: permit-port-forwarding, permit-pty
* RBAC is only available in Teleport Enterprise
https://gravitational.com/teleport/docs/enterprise
$ kubectl get po -n example-dev
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 42m
$ kubectl get po -n example-devother
Error from server (Forbidden): pods is forbidden: User "joe" cannot list resource "pods" in API group "" in the namespace "example-devother"
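To see why joe can read logs in example-dev but gets Forbidden elsewhere and cannot exec, here is an added example (not part of the original post) that models how the API server resolves the Roles and RoleBindings above for the groups Teleport passes through kubernetes_groups. The manifests are transcribed as Python structures (with the dev-exec binding pointing at the dev-exec Role that was created), so it runs offline without a cluster.

```python
"""Offline model of how the API server resolves the two groups defined above.

Constructed example: this page's Roles and RoleBindings are transcribed as Python
structures and evaluated the way RBAC does: a request is allowed only if a
RoleBinding in the request's namespace lists one of the caller's groups and the
Role it references has a rule matching apiGroup, resource and verb.
"""

# (namespace, role name) -> rules, each with apiGroups / resources / verbs
ROLES = {
    ("example-dev", "dev-exec"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
    ("example-dev", "dev-logs"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    ],
}

# RoleBindings: namespace, referenced Role, and the Group subjects bound to it
BINDINGS = [
    {"namespace": "example-dev", "roleRef": "dev-exec", "groups": ["developer-exec"]},
    {"namespace": "example-dev", "roleRef": "dev-logs", "groups": ["developer-logs"]},
]

def _matches(allowed, value):
    """RBAC list match: an exact entry or the '*' wildcard."""
    return "*" in allowed or value in allowed

def rule_matches(rule, api_group, resource, verb):
    """A rule grants the request only if apiGroup, resource and verb all match."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def can_i(groups, verb, resource, namespace, api_group=""):
    """True if any of the caller's groups grants verb on resource in namespace.

    RoleBindings are namespace-scoped, so example-dev bindings grant nothing in
    example-devother (the Forbidden error above); a roleRef naming a Role that
    does not exist grants nothing either, which is how a typo locks a group out.
    """
    for binding in BINDINGS:
        if binding["namespace"] != namespace or not set(binding["groups"]) & set(groups):
            continue
        rules = ROLES.get((binding["namespace"], binding["roleRef"]), [])
        if any(rule_matches(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

Call can_i(["developer-logs"], "create", "pods/exec", "example-dev") to confirm the logs group cannot exec, and can_i(["developer-logs"], "list", "pods", "example-devother") to reproduce the Forbidden result above.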