Open metsoft68 opened 3 weeks ago
`kind: '*'`, `name: '*'` matches all namespaces. If your goal is to give access to only the specified namespaces, opt for using:
Since granting access to a namespace grants access to all objects within
@metsoft68 what Teleport version are you using?
In any case, this functionality already exists in Teleport, and config provided by Tiago should work for you.
What would you like Teleport to do? I would like that, when I list the allowed namespaces in the config scheme below, a user who issues `kubectl get ns` cannot list any namespaces other than those permitted below:
kubernetes_resources:
So the output for `kubectl get ns` should be just dev-team1 and dev-team2, not listing all namespaces.
What problem does this solve? I don't want a person who connects to my Kubernetes cluster via Teleport to be able to view all the namespaces that exist there. The list should be limited to the ones which they've already listed in RBAC, and the other namespaces would be invisible.
If a workaround exists, please include it. I think Teleport should process the JSON returned from the Kubernetes API server, intercept it, and match it against the RBAC it has when a get or list command comes in for namespace resources in k8s.
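
The response filtering proposed in the issue's last paragraph, as an added example that is not part of the issue and not Teleport's own code: it decodes a namespace list response and keeps only the items whose name matches an allowed pattern. The function name `FilterNamespaceList`, the constructed sample response and the use of glob patterns are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)
// Constructed sample of a namespace list response from the Kubernetes API server.
const sampleList = `{"kind":"NamespaceList","apiVersion":"v1","items":[
 {"metadata":{"name":"default"}},{"metadata":{"name":"dev-team1"}},
 {"metadata":{"name":"dev-team2"}},{"metadata":{"name":"kube-system"}}]}`

// FilterNamespaceList (hypothetical name) keeps only items whose metadata.name matches an
// allowed glob. Items stay raw JSON; a body that is not a NamespaceList is rejected.
func FilterNamespaceList(body []byte, allowed []string) ([]byte, []string, error) {
	var list map[string]json.RawMessage
	if err := json.Unmarshal(body, &list); err != nil {
		return nil, nil, err
	}
	var kind string
	if err := json.Unmarshal(list["kind"], &kind); err != nil || kind != "NamespaceList" {
		return nil, nil, fmt.Errorf("refusing to forward unexpected kind %q", kind)
	}
	var items []json.RawMessage
	if err := json.Unmarshal(list["items"], &items); err != nil {
		return nil, nil, err
	}
	kept, names := []json.RawMessage{}, []string{}
	for _, raw := range items {
		var obj struct{ Metadata struct{ Name string `json:"name"` } `json:"metadata"` }
		if err := json.Unmarshal(raw, &obj); err != nil {
			return nil, nil, err
		}
		for _, pat := range allowed {
			// A malformed pattern returns an error and is treated as "no match".
			if ok, _ := path.Match(pat, obj.Metadata.Name); ok {
				kept, names = append(kept, raw), append(names, obj.Metadata.Name)
				break
			}
		}
	}
	list["items"], _ = json.Marshal(kept)
	out, err := json.Marshal(list)
	return out, names, err
}

func main() {
	_, names, err := FilterNamespaceList([]byte(sampleList), []string{"dev-team1", "dev-team2"})
	fmt.Println(names, err)
}
```

Filtering a list response only changes what is displayed; access to each namespace still has to be enforced on every request, including gets by name and watches.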