Unable to map github team to RBAC group using github connector

[saritasa-nest-test]

I have a namespace mysql with few utility pods running, that I want to grant certain access over a specific github team. The RBAC is set this way

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: team-developers-role
 namespace: mysql
rules:
  - apiGroups: ["*"]
    resources: ["pods"]
    verbs: ["list"]
  - apiGroups: ["*"]
    resources: ["pods/portforward", "pods/exec"]
    verbs: ["create"]
 
---

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: team:developers
  namespace: mysql
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: team-developers-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: team:developers
  namespace: MySQL

However when I login into github with the user that belongs to "taco" github team I'm unable to invoke such functionality.

➜ tsh login --proxy=teleport.team.com:443 --auth=github  --browser=none
Use the following URL to authenticate:
 http://127.0.0.1:46717/01e669d1-b343-4f79-a0ad-f23d5e6bab26
> Profile URL:        https://teleport.team.com:443
  Logged in as:       team-nest-test
  Cluster:            teleport.team.com
  Roles:              taco-developers*
  Logins:             taco-developers
  Kubernetes:         enabled
  Kubernetes cluster: "teleport.team.com"
  Kubernetes groups:  team:developers, team:sso:taco-developers
  Valid until:        2021-05-04 03:07:21 -0700 PDT [valid for 12h0m0s]
  Extensions:         permit-port-forwarding, permit-pty

➜ k get pods -n mysql                                            
NAME                                READY   STATUS    RESTARTS   AGE
mysql                               1/1     Running   0          27d
mysql-port-forward                  1/1     Running   0          27d

➜ k port-forward -n mysql mysql-port-forward  3306:3306
Error from server (Forbidden): pods "mysql-port-forward" is forbidden: User "team-nest-test" cannot get resource "pods" in API group "" in the namespace "mysql"

➜ k -n teleport-cluster exec -i ${POD?} -- tctl get connectors
kind: github
metadata:
  name: github
spec:
  client_id: XXX
  client_secret: ""
  display: Github
  redirect_url: https://teleport.team.com/v1/webapi/github/callback
  teams_to_logins:
  - logins:
    - administrators
    organization: team-nest
    team: team-devops
  - logins:
    - trekapp-developers
    organization: team-nest
    team: trekapp
  - logins:
    - taco-developers
    organization: team-nest
    team: taco
version: v3

➜ k -n teleport-cluster exec -i ${POD?} -- tctl get roles/taco-developers
kind: role
metadata:
  id: 1620079184897171871
  name: taco-developers
spec:
  allow:
    app_labels:
      '*': '*'
    db_labels:
      '*': '*'
    kubernetes_groups:
    - team:sso:taco-developers
    - team:developers
    kubernetes_labels:
      '*': '*'
    logins:
    - taco-developers
    node_labels:
      '*': '*'
  deny: {}
  options:
    cert_format: standard
    enhanced_recording:
    - command
    - network
    forward_agent: false
    max_session_ttl: 30h0m0s
    port_forwarding: true
version: v3

What am I missing?

[webvictim]

The namespace in the roleRef of your RoleBinding is set to MySQL whereas it's mysql everywhere else.

If changing this doesn't fix your issue, please provide the output of kubectl auth can-i --as team-nest-test --as-group team:developers list pods as it might help.