How to share kubernetes groups between trusted clusters

sasha · February 13, 2019, 9:09pm

In case if teleport connects multiple kubernetes clusters,
there is a way to send the kubernetes groups coming from the roles
of the main cluster to the remote cluster:

For example, main cluster can have a user
with a role ‘main’ and kubernetes groups:

kube_groups: ['system:masters']

and SSH logins:

logins: ['root']

Remote cluster can choose to map
this ‘main’ cluster to it’s own:
‘remote-admin’ cluster in the trusted cluster config:

role_map:
  - remote: 'main'
    local: 'remote-admin'

The role ‘remote-admin’ of the remote cluster
can now be templated to use the main cluster role main
logins and kubernetes_groups using variables:

logins: ['{{internal.logins}}']
kubernetes_groups: ['{{internal.kubernetes_groups}}']

This is possible because teleport now encodes
both values in X509 certificate metadata
and remote cluster passes these values as ‘internal’ traits
to the template engine.

gus · May 30, 2019, 6:46pm

Does this work for OSS (i.e. with Github connector) or only for Enterprise?

benarent · July 12, 2019, 10:54pm

I’ve not tried it, but it looks like this is RBAC… so I would guess that it’s only for enterprise? https://gravitational.com/teleport/docs/trustedclusters/#rbac

galindro · November 4, 2019, 12:07pm

@gus @benarent I think that isn’t possible. I tried to add the role resource file on the “east” cluster and I could:

root@teleport-6dbcf847c7-948js:/# cat <<EOF > role.yaml
> kind: role
> version: v3
> metadata:
>   name: local-admin
> spec:
>   allow:
>     node_labels:
>       '*': '*'
>   deny:
>     node_labels:
>       "environment": "production"
> EOF

root@teleport-6dbcf847c7-948js:/# tctl create role.yaml 
error: creating resources of type "role" is not supported

So, I think that you should update the docs with this information. Only Enterprise users could use the feature with k8s multi-cluster env.