Expected behavior:
In a trusted clusters environment, a root cluster user and a moderator should be able to seamlessly initiate a session with a leaf cluster resource, all via the root cluster.
Current behavior:
It was observed that when a root cluster user creates a session with a leaf cluster kube resource, the root cluster moderator is not able to join the session. The session is not visible to the moderator user.
The following scenarios work.
If the require policy is removed from the role, the moderated session connection works. The moderator's connection to the session via the root cluster is present and that moderator can join the session.
The customer and I observed that if the session to the same kube resource is started directly on the leaf cluster and moderated via the leaf cluster, the connection works. This is expected to work all via the root cluster, as users do not have direct access to the leaf clusters.
Bug details:
Teleport version 16.4.2 (Teleport clusters and agents)
Recreation steps
Test steps for User A
- tsh login to root cluster with role assignment: root_k8s_backend_connectivity
- tsh kube login macmini
- tsh kubectl exec -it nginx-deployment-pod -- /bin/bash to initiate a session
- Session starts waiting for required participants
- Teleport > Creating session with ID: 7863931d...
- Teleport > Waiting for required participants...
Test steps for User B (moderator)
- tsh login to root cluster with role assignment: root_moderator
- tsh kube sessions -c <root-cluster> to get session id
- This output should show the matching session ID created by User A. Observe that User A's session is missing from the output.
- In the Teleport UI > Active Sessions > the leaf cluster session is missing
Debug logs
Role definitions for the root cluster, replicated in the leaf cluster and also mapped in the trusted cluster configuration. The filter option was originally set as `filter: equals("true", "true")`, expecting it to grant access no matter the case. Variations to this filter fail to achieve the required access.

```yaml
kind: role
metadata:
  name: tech26_dev_k8s_backend_connectivity
  description: Root Cluster role giving permission to access k8s resources on the leaf cluster
spec:
  allow:
    cluster_labels:
      '*': '*'
    join_sessions:
      - kinds:
          - k8s
        modes:
          - moderator
        name: Team member oversight
        roles:
          - '*'
    kubernetes_groups:
      - system:masters
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
      - kind: '*'
        name: '*'
        namespace: '*'
        verbs:
          - '*'
    require_session_join:
      - count: 1
        # Folded scalar so the expression stays on one logical line. As
        # originally posted it carried a stray second "||" at the line
        # break ("... ||" followed by "|| contains(...)"), which is removed here.
        filter: >-
          equals("true", "true") || contains(user.spec.roles, "moderator") ||
          contains(user.spec.roles, "tech26_dev_moderator") ||
          contains(user.name, "remote-carlos.vasquez-nara-cluster")
        kinds:
          - k8s
          - ssh
        modes:
          - moderator
        name: Team member oversight
        on_leave: pause
  deny: {}
```
```yaml
kind: role
metadata:
  name: tech26_dev_moderator
  description: Root Cluster role assigned to moderator user.
spec:
  allow:
    cluster_labels:
      '*': '*'
    join_sessions:
      - kinds:
          - k8s
          - ssh
        modes:
          - moderator
        name: Team member oversight
        roles:
          - '*'
    kubernetes_resources:
      - kind: pod
        name: '*'
        namespace: '*'
        verbs:
          - '*'
    rules:
      - resources:
          - session_tracker
        verbs:
          - '*'
  deny: {}
```