Unable to map github team to RBAC group using github connector #6714
Answered by webvictim
saritasa-nest-test asked this question in Q&A
I have a namespace mysql with a few utility pods running, to which I want to grant certain access for a specific GitHub team. The RBAC is set up this way:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: team-developers-role
  namespace: mysql
rules:
- apiGroups: ["*"]
  resources: ["pods"]
  verbs: ["list"]
- apiGroups: ["*"]
  resources: ["pods/portforward", "pods/exec"]
  verbs: ["create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: team:developers
  namespace: mysql
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: team-developers-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: team:developers
  namespace: MySQL
```

However, when I log in to GitHub with the user that belongs to the "taco" GitHub team, I'm unable to invoke such functionality.

```
➜ tsh login --proxy=teleport.team.com:443 --auth=github --browser=none
Use the following URL to authenticate:
http://127.0.0.1:46717/01e669d1-b343-4f79-a0ad-f23d5e6bab26
> Profile URL:         https://teleport.team.com:443
  Logged in as:        team-nest-test
  Cluster:             teleport.team.com
  Roles:               taco-developers*
  Logins:              taco-developers
  Kubernetes:          enabled
  Kubernetes cluster:  "teleport.team.com"
  Kubernetes groups:   team:developers, team:sso:taco-developers
  Valid until:         2021-05-04 03:07:21 -0700 PDT [valid for 12h0m0s]
  Extensions:          permit-port-forwarding, permit-pty

➜ k get pods -n mysql
NAME                 READY   STATUS    RESTARTS   AGE
mysql                1/1     Running   0          27d
mysql-port-forward   1/1     Running   0          27d

➜ k port-forward -n mysql mysql-port-forward 3306:3306
Error from server (Forbidden): pods "mysql-port-forward" is forbidden: User "team-nest-test" cannot get resource "pods" in API group "" in the namespace "mysql"

➜ k -n teleport-cluster exec -i ${POD?} -- tctl get connectors
kind: github
metadata:
  name: github
spec:
  client_id: XXX
  client_secret: ""
  display: Github
  redirect_url: https://teleport.team.com/v1/webapi/github/callback
  teams_to_logins:
  - logins:
    - administrators
    organization: team-nest
    team: team-devops
  - logins:
    - trekapp-developers
    organization: team-nest
    team: trekapp
  - logins:
    - taco-developers
    organization: team-nest
    team: taco
version: v3

➜ k -n teleport-cluster exec -i ${POD?} -- tctl get roles/taco-developers
kind: role
metadata:
  id: 1620079184897171871
  name: taco-developers
spec:
  allow:
    app_labels:
      '*': '*'
    db_labels:
      '*': '*'
    kubernetes_groups:
    - team:sso:taco-developers
    - team:developers
    kubernetes_labels:
      '*': '*'
    logins:
    - taco-developers
    node_labels:
      '*': '*'
  deny: {}
  options:
    cert_format: standard
    enhanced_recording:
    - command
    - network
    forward_agent: false
    max_session_ttl: 30h0m0s
    port_forwarding: true
version: v3
```

What am I missing?
Answered by webvictim on May 4, 2021
Replies: 1 comment
The namespace in the `roleRef` of your `RoleBinding` is set to `MySQL` whereas it's `mysql` everywhere else. If changing this doesn't fix your issue, please provide the output of

```
kubectl auth can-i --as team-nest-test --as-group team:developers list pods
```

as it might help.

Answer selected by webvictim
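One detail worth checking alongside the answer above: the Forbidden message in the question says the user cannot `get` resource `pods`, and the posted Role grants only `list` on pods plus `create` on the `portforward` and `exec` subresources. `kubectl port-forward` and `kubectl exec` both GET the pod object first (to check its phase and pick a container) before POSTing to the subresource, so a Role without `get` on pods fails at that first step no matter how the binding is spelled. The following Python is an added example, not code from this thread or from the Teleport or Kubernetes projects: it models Kubernetes RBAC rule matching in a simplified form (no ClusterRoles, resourceNames or nonResourceURLs) and replays those request sequences against the posted Role and against the same Role with `get` added. The `Rule` and `Request` types, the role tuples and the request sequences are constructed here from the manifests and the error shown on the page.

```python
"""Added example (not from the discussion or from Teleport/Kubernetes):
a small model of Kubernetes RBAC rule matching, used to replay the
requests that `kubectl port-forward` and `kubectl exec` issue against the
Role posted in the question.  The Roles and request sequences below are
constructed from the manifests and the Forbidden message shown above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One entry of a Role's `rules:` list."""
    api_groups: tuple   # "" is the core group, "*" matches every group
    resources: tuple    # "pods", "pods/portforward", "*/exec" or "*"
    verbs: tuple        # "get", "list", "create", ... or "*"


@dataclass(frozen=True)
class Request:
    """A single API request as seen by the authorizer."""
    verb: str
    api_group: str
    resource: str
    subresource: str = ""   # "portforward", "exec", or "" for the object itself


def _match(allowed, value):
    return "*" in allowed or value in allowed


def _resource_matches(allowed, request):
    """RBAC treats 'pods/portforward' as resource 'pods' + subresource
    'portforward'.  A plain 'pods' entry never covers a subresource;
    '*/portforward' covers that subresource on every resource."""
    full = request.resource
    if request.subresource:
        full += "/" + request.subresource
    for entry in allowed:
        if entry in ("*", full):
            return True
        if request.subresource and entry == "*/" + request.subresource:
            return True
    return False


def allowed(rules, request):
    """RBAC is purely additive: any one matching rule grants the request."""
    return any(
        _match(rule.api_groups, request.api_group)
        and _resource_matches(rule.resources, request)
        and _match(rule.verbs, request.verb)
        for rule in rules
    )


def can_i(rules, verb, resource, subresource=""):
    """Local stand-in for `kubectl auth can-i <verb> <resource>[/<sub>]`
    (core API group assumed, as for pods)."""
    return allowed(rules, Request(verb, "", resource, subresource))


# Request sequences kubectl issues: both commands GET the pod (to check its
# phase and pick a container) before POSTing to the subresource.
PORT_FORWARD = (Request("get", "", "pods"),
                Request("create", "", "pods", "portforward"))
EXEC = (Request("get", "", "pods"),
        Request("create", "", "pods", "exec"))


def first_denied(rules, sequence):
    """Return the first request the Role rejects, or None if all pass."""
    for request in sequence:
        if not allowed(rules, request):
            return request
    return None


# The Role exactly as posted: list on pods, create on the two subresources,
# but no get on pods.
POSTED_ROLE = (
    Rule(("*",), ("pods",), ("list",)),
    Rule(("*",), ("pods/portforward", "pods/exec"), ("create",)),
)

# The same Role with the verb the Forbidden message asks for.
FIXED_ROLE = (
    Rule(("*",), ("pods",), ("get", "list")),
    Rule(("*",), ("pods/portforward", "pods/exec"), ("create",)),
)


if __name__ == "__main__":
    for name, role in (("posted", POSTED_ROLE), ("fixed", FIXED_ROLE)):
        for cmd, seq in (("port-forward", PORT_FORWARD), ("exec", EXEC)):
            denied = first_denied(role, seq)
            verdict = "ok" if denied is None else (
                f'cannot {denied.verb} resource "{denied.resource}"')
            print(f"{name} role, kubectl {cmd}: {verdict}")
```

Against a live cluster the equivalent checks are `kubectl auth can-i get pods -n mysql --as team-nest-test --as-group team:developers` and `kubectl auth can-i create pods/portforward -n mysql --as team-nest-test --as-group team:developers`; with the posted Role the `list pods` check from the answer reports yes while `get pods` reports no, which is the verb the error names. A further caveat on the binding itself: the RBAC authorizer only consults a subject's `namespace` field for `ServiceAccount` subjects, and matches a `Group` subject by name alone, so the stray `MySQL` on the Group subject is ignored rather than breaking the binding.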