Moderated sessions with a require policy via trusted cluster setup does not allow access #48591

TeleLos opened this issue Nov 7, 2024 · 0 comments

Expected behavior:
In a trusted clusters environment, a root cluster user and moderator should be able to seamlessly initiate a session with a leaf cluster resource, all via the root cluster.

Current behavior:
It was observed that when a root cluster user creates a session with a leaf cluster kube resource, the root user moderator is not able to join the session. The session is not visible to the moderator user.

The following scenarios work.
If the require policy is removed from the role, the moderated session connection works. The moderator's connection to the session via the root cluster is present and that moderator can join the session.

The customer and I observed that if the session to the same kube resource is started directly on the leaf cluster and moderated via the leaf cluster, the connection works. This is expected to work all via the root cluster, as users do not have direct access to the leaf clusters.

Bug details:

- Teleport version 16.4.2 (Teleport clusters and agents)
- Recreation steps

  Test steps for User A
  - tsh login to root cluster with role assignment: root_k8s_backend_connectivity
  - tsh kube login macmini
  - tsh kubectl exec -it nginx-deployment-pod -- /bin/bash to initiate a session
  - Session starts waiting for required participants
  - Teleport > Creating session with ID: 7863931d...
  - Teleport > Waiting for required participants...

  Test steps for User B (moderator)
  - tsh login to root cluster with role assignment: root_moderator
  - tsh kube sessions -c <root-cluster> to get the session id
  - This output should show the matching session id created by User A. Observe that User A's session is missing from the output.
  - In the Teleport UI > Active Sessions > the leaf cluster session is missing
- Debug logs

- Role definitions for the root cluster, replicated in the leaf cluster and also mapped in the trusted cluster configuration. The filter option was originally set as `filter: equals("true", "true")`, expecting it to grant access no matter the case. Variations to this filter fail to achieve the required access.

```yaml
kind: role
metadata:
  name: tech26_dev_k8s_backend_connectivity
  description: Root Cluster role giving permission to access k8s resources on the leaf cluster
spec:
  allow:
    cluster_labels:
      '*': '*'
    join_sessions:
    - kinds:
      - k8s
      modes:
      - moderator
      name: Team member oversight
      roles:
      - '*'
    kubernetes_groups:
    - system:masters
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
    - kind: '*'
      name: '*'
      namespace: '*'
      verbs:
      - '*'
    # Sessions started with this role wait for `count` joiners who match `filter`
    # in one of `modes`; the first clause alone already matches any user.
    require_session_join:
    - count: 1
      filter: equals("true", "true") || contains(user.spec.roles, "moderator") ||
        contains(user.spec.roles, "tech26_dev_moderator") || contains(user.name,
        "remote-carlos.vasquez-nara-cluster")
      kinds:
      - k8s
      - ssh
      modes:
      - moderator
      name: Team member oversight
      on_leave: pause
  deny: {}
```

```yaml
kind: role
metadata:
  name: tech26_dev_moderator
  description: Root Cluster role assigned to moderator user.
spec:
  allow:
    cluster_labels:
      '*': '*'
    join_sessions:
    - kinds:
      - k8s
      - ssh
      modes:
      - moderator
      name: Team member oversight
      roles:
      - '*'
    kubernetes_resources:
    - kind: pod
      name: '*'
      namespace: '*'
      verbs:
      - '*'
    # session_tracker read access is what lets the moderator list active sessions.
    rules:
    - resources:
      - session_tracker
      verbs:
      - '*'
  deny: {}
```