This repository has been archived by the owner on Feb 8, 2024. It is now read-only.

backport of role template updates
v5 setting, introduced all protocols and used non-root type credentials
stevenGravy authored Mar 4, 2022
1 parent b2a50ab commit 83cabbf
Showing 1 changed file with 51 additions and 10 deletions.
61 changes: 51 additions & 10 deletions packages/teleport/src/Roles/templates/role.yaml
@@ -3,23 +3,64 @@ metadata:
# insert the name of your role here:
name: new_role_name
spec:
# This example defines an administrative role. It maps to Kubernetes "admin"
# group and allows SSH to every node.
# This example defines a typical role. It allows listing all resources
# with typical developer credentials.
allow:
# This role is mapped to Kubernetes 'admin' group.
kubernetes_groups: [admin]

# List of Kubernetes cluster users can access the k8s API
kubernetes_labels:
'*': '*'
# This role is mapped to Kubernetes 'developer' group.
kubernetes_groups:
- '{{internal.kubernetes_groups}}'
- developer
kubernetes_users:
- '{{internal.kubernetes_users}}'
- 'dev'
# List of allowed SSH logins
logins: [root]
logins: ['{{internal.logins}}', ubuntu, debian]

# List of node labels that users can SSH into
node_labels:
'*': '*'

# List of application labels users can access
app_labels:
'*': '*'

# List of database labels users can access database servers
db_labels:
'*': '*'
# List of databases on the database server users can access
db_names:
- '{{internal.db_names}}'
- '*'
# List of database users allowed to open database connections with
db_users:
- '{{internal.db_users}}'
- developer

# List of windows desktop access labels that users can open desktop sessions to
windows_desktop_labels:
'*': '*'
# Windows logins a user is allowed to use for desktop sessions.
windows_desktop_logins:
- '{{internal.windows_logins}}'
- developer

# RBAC rules for various resources within a cluster.
# RBAC rules for various resources within a cluster. This
# example provides access to the Audit Log and replaying a user's own sessions.
rules:
- resources: ['*']
verbs: ['*']
- resources:
- event
verbs:
- list
- read
- resources:
- session
verbs:
- read
- list
where: contains(session.participants, user.metadata.name)

# The 'deny' section can have settings that override their 'allow' counterparts
# It uses the same format as the 'allow' section
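Review bot: the `'*': '*'` selectors kept on `kubernetes_labels`, `node_labels`, `app_labels`, `db_labels` and `windows_desktop_labels` still match every resource in the cluster, so this "typical developer" template is narrowed only by which logins, users and groups it maps to, not by which nodes, clusters, apps, databases or desktops it can reach; consider showing a real label selector (for example `env: dev`) on at least one of them so people copying the template see where scoping belongs. Related: `db_names` lists `'*'` right after `'{{internal.db_names}}'`, which makes the trait-based entry redundant; keep one or the other. Minor: the comment `# List of Kubernetes cluster users can access the k8s API` now sits above `kubernetes_labels` and reads oddly; `# Labels of Kubernetes clusters users can access` would be clearer, and `# List of database labels users can access database servers` has the same problem.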
@@ -30,4 +71,4 @@ spec:
# Limits user credentials to 8 hours. After the time to live (TTL) expires,
# users must re-login
max_session_ttl: 8h0m0s
version: v3
version: v5
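Review bot: bumping `version` from v3 to v5 is the right pairing with the `windows_desktop_labels` and `windows_desktop_logins` fields added in the earlier hunk, but the template carries no comment explaining why v5 is required; a one-line comment above `version: v5` saying that the desktop and trait-interpolation fields above depend on this role version would help anyone copying the template into a cluster that still expects the older schema.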
