Example Kubernetes (K8s) Groups configuration with Teleport

Here is an example of defining Kubernetes (K8s) groups that can then be referenced in Teleport roles or user traits to control what users can do in a K8s cluster they reach through Teleport.

This example shows two groups, both scoped to the example-dev namespace: one that can list pods and view their logs, and another that can additionally open exec sessions.

Prerequisite: a Kubernetes cluster with RBAC enabled (on some distributions, such as MicroK8s, RBAC must be enabled explicitly). Before running this you should have deployed Teleport in the Kubernetes cluster or added Teleport as a gateway to that cluster (see https://goteleport.com/teleport/docs/kubernetes-ssh/). Either through Teleport or directly against the cluster, you need permission to create namespaces, pods, Roles and RoleBindings.

Create a namespace and an nginx pod to test access

$ kubectl create ns example-dev
namespace/example-dev created
$ kubectl run nginx --image=nginx -n example-dev
pod/nginx created
$ kubectl get po -n example-dev
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          14s

Create roles and bindings for accessing pods within the example-dev namespace

$ cat > exampleroles.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-exec
  namespace: example-dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-logs
  namespace: example-dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
  - watch
EOF

Create the Roles

$ kubectl create -f exampleroles.yaml 
role.rbac.authorization.k8s.io/dev-exec created
role.rbac.authorization.k8s.io/dev-logs created

Create the RoleBinding definitions. Each binding ties one K8s group to one of the Roles above; the group names (developer-exec, developer-logs) are the values Teleport will later pass through.

$ cat > examplebindings.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-exec-binding
  namespace: example-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-exec   # must match the Role's metadata.name above; a binding to a missing Role is accepted but grants nothing
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: developer-exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-logs-binding
  namespace: example-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-logs
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: developer-logs
EOF

Create the RoleBindings

$ kubectl create -f examplebindings.yaml 
rolebinding.rbac.authorization.k8s.io/dev-exec-binding created
rolebinding.rbac.authorization.k8s.io/dev-logs-binding created

Assign the K8s groups

Now the developer-exec and developer-logs groups can be assigned to users directly (as a user trait) or through Teleport roles. The Teleport Kubernetes guide has further examples.

In Teleport OSS you can create a user with K8s groups set directly on the user:

tctl users add joe --k8s-groups="developer-logs"

For roles, list the groups under kubernetes_groups in the allow section:

cat > developer-view.yaml <<EOF
kind: role
version: v3
metadata:
  name: developer-view
spec:
  allow:
    kubernetes_groups: ["developer-logs"]
EOF

Insert role

tctl create -f  developer-view.yaml 

Now assign that role to a user (for example, tctl users add --roles=developer-view joe) or map it to users in the auth connector settings.

Log in and use K8s access to list pods

Note that attempts to access other namespaces are denied. Since developer-logs carries no pods/exec permission, a kubectl exec into the nginx pod would be denied for joe as well.

$ tsh status
> Profile URL:        https://teleport.example.com:3080
  Logged in as:       joe
  Cluster:            tele1c
  Roles:              developer-view*
  Logins:             -teleport-nologin-31c303e8-0065-4766-996e-1cf9b5660bc9
  Kubernetes:         enabled
  Kubernetes cluster: "tele1c"
  Kubernetes groups:  developer-logs
  Valid until:        2020-12-09 05:38:18 -0500 EST [valid for 11h59m0s]
  Extensions:         permit-port-forwarding, permit-pty


* RBAC is only available in Teleport Enterprise
  https://gravitational.com/teleport/docs/enterprise
$ kubectl get po -n example-dev
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          42m
$ kubectl get po -n example-devother
Error from server (Forbidden): pods is forbidden: User "joe" cannot list resource "pods" in API group "" in the namespace "example-devother"
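The page verifies access only by trying a kubectl get as joe. The following script is an added example, not part of the original page or of Teleport, that turns the intended permissions for both groups into an explicit expectation matrix and checks it with kubectl auth can-i. It serves two points in the walkthrough: right after the RoleBindings are created (run as cluster-admin, impersonating each group with --as/--as-group, which needs impersonate rights), and after tsh login as joe (run with no impersonation, so the checks exercise the identity and groups Teleport forwards to the cluster). It assumes kubectl is on PATH and pointed at the cluster; the rbac-check.sh file name and the rbac-check impersonated user name are placeholders. The script also catches a RoleBinding whose roleRef names a Role that does not exist: the API server accepts such a binding, but the group gets nothing, which here shows up as FAIL lines.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: an RBAC expectation check for the
# developer-logs and developer-exec groups. Each (verb, resource, namespace)
# pair is asked via "kubectl auth can-i" and compared with what the Roles are
# meant to grant.
#
# Usage as cluster-admin, impersonating each group (needs impersonate rights):
#   ./rbac-check.sh developer-logs no
#   ./rbac-check.sh developer-exec yes
# Usage after "tsh login" as joe (no impersonation; joe carries developer-logs):
#   ./rbac-check.sh "" no
# Script name and the "rbac-check" impersonated user are placeholders.

KUBECTL="${KUBECTL:-kubectl}"            # overridable so the check can be stubbed
NS="${NS:-example-dev}"                  # namespace from the page
OTHER_NS="${OTHER_NS:-example-devother}" # namespace that must stay denied

# check_access VERB RESOURCE NAMESPACE EXPECTED(yes|no) [GROUP]
# Prints one line and returns 0 when can-i matches EXPECTED, 1 otherwise.
# An empty answer (API error, wrong kube context) also counts as a mismatch.
check_access() {
  local verb="$1" resource="$2" ns="$3" expected="$4" group="${5:-}" answer
  if [ -n "$group" ]; then
    # --as-group is only accepted together with --as; the user name does not
    # need to exist, RBAC is evaluated on the group. can-i exits 1 on "no",
    # hence the "|| true".
    answer=$("$KUBECTL" auth can-i "$verb" "$resource" -n "$ns" \
               --as=rbac-check --as-group="$group" 2>/dev/null || true)
  else
    answer=$("$KUBECTL" auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null || true)
  fi
  if [ "$answer" = "$expected" ]; then
    printf 'ok   %-6s %-9s %-16s %-14s -> %s\n' \
      "$verb" "$resource" "$ns" "${group:-(current)}" "$answer"
    return 0
  fi
  printf 'FAIL %-6s %-9s %-16s %-14s -> %s (expected %s)\n' \
    "$verb" "$resource" "$ns" "${group:-(current)}" "${answer:-error}" "$expected"
  return 1
}

# verify_group GROUP EXEC_ALLOWED(yes|no)
# Expectation matrix for the page's Roles: read-only on pods and pods/log in
# example-dev, exec only where EXEC_ALLOWED says so, nothing destructive, and
# nothing at all in any other namespace. Returns the number of mismatches.
verify_group() {
  local group="$1" exec_allowed="$2" failures=0
  check_access list   pods      "$NS"       yes             "$group" || failures=$((failures + 1))
  check_access watch  pods      "$NS"       yes             "$group" || failures=$((failures + 1))
  check_access get    pods/log  "$NS"       yes             "$group" || failures=$((failures + 1))
  check_access create pods/exec "$NS"       "$exec_allowed" "$group" || failures=$((failures + 1))
  check_access delete pods      "$NS"       no              "$group" || failures=$((failures + 1))
  check_access create pods      "$NS"       no              "$group" || failures=$((failures + 1))
  check_access list   pods      "$OTHER_NS" no              "$group" || failures=$((failures + 1))
  return "$failures"
}

# Run the matrix when invoked with arguments: GROUP (empty for the current
# identity) and whether exec is expected to be allowed.
if [ "$#" -gt 0 ]; then
  verify_group "$1" "${2:-no}"
fi
```

The negative rows (delete, create pods, the other namespace) matter as much as the positive ones: they are what tells you the binding did not accidentally land on a broader Role or ClusterRole. A non-zero exit means at least one row did not match.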