Managing user access to kubernetes resource in teleport role or kubernetes RBAC ?

[mositafan10]

Hi everyone. I am using teleport version 14 and define some roles for team members to use kubernetes through teleport.
In teleport tole i define this :

kind: role
metadata:
  name: kube-access
version: v6
spec:
  allow:
    kubernetes_groups:
    - editor
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
      - kind: 'service'
        namespace: 'test''
        name: "*"
        verbs:
        - get

The editor group in kubernetes has bind with edit clusterrole. i want to restrict this role to get just service in namespace test but this role get servicec in all namespace and also get other resource because of editor group apparently. how should define such a role ?

in another role when i define nothing in kubernetes_groups, i get forbidden error when i run kubectl get services test.
So apparently for each role i should define group in kubernetes. is that correct ?

please show a best practice for managing role access in teleport and kubernetes in order to the manage in one place (teleport or kubernetes)

[webvictim]

I think the reason you're seeing this difference is because your role is using version: v6 rather than version: v7: https://goteleport.com/docs/changelog/#extended-kubernetes-per-resource-rbac

When using version: v7, this should work the way you're describing. Even though the editor Kubernetes group has greater permissions, setting kubernetes_resources should cause Teleport to filter out any resources in other namespaces before the response is passed back to the user.

So here's what should happen:

• if you run kubectl -n test get services I'd expect that you see all services in the test namespace
• if you run kubectl -n test get pods you should see nothing (even if there are pods in the test namespace)
• if you run kubectl -n kube-system get services you should see nothing.