gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Can't make a namespace access request without wildcard kubernetes namespace access in the role #43884

Closed pschisa closed 2 weeks ago

pschisa commented 3 weeks ago

Expected behavior: When attempting to follow the documentation for cluster scoped resource access requests to a specific namespace, having the following RBAC permissions in the search as role will provide access to the indicated namespace (in the example, teleport):

    kubernetes_resources:
    - kind: '*'
      name: '*'
      namespace: teleport
      verbs:
      - '*'

Current behavior: When attempting to create an access request for a specific namespace, it only succeeds if a wildcard is used in the RBAC permissions.

    kubernetes_resources:
    - kind: '*'
      name: '*'
      namespace: '*'
      verbs:
      - '*'

This means users who wish to request a namespace via resource access requests must either have permission to request any namespace or they must resort to role-based access requests.

Bug details:

Failing attempt with scoped namespace:

    kubernetes_resources:
    - kind: '*'
      name: '*'
      namespace: teleport
      verbs:
      - '*'
...
paulschisa:~$ tsh -d request create --resource "/schisa.teleport.sh/namespace/minicluster/teleport"
2024-07-05T13:52:47-04:00 [CLIENT]    INFO ALPN connection upgrade required for "schisa.teleport.sh:443": false. client/api.go:728
2024-07-05T13:52:47-04:00 [CLIENT]    INFO [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.ylRUAiysfL/Listeners" client/api.go:4572
2024-07-05T13:52:47-04:00 [KEYSTORE]  DEBU Reading certificates from path "/Users/paulschisa/.tsh/keys/schisa.teleport.sh/paul.schisa@gmail.com-ssh/schisa.teleport.sh-cert.pub". client/keystore.go:355
2024-07-05T13:52:47-04:00 [KEYSTORE]  DEBU Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:52:47-04:00 [KEYAGENT]  INFO Loading SSH key for user "paul.schisa@gmail.com" and cluster "schisa.teleport.sh". client/keyagent.go:196
Creating request...
2024-07-05T13:52:47-04:00 [KEYSTORE]  DEBU Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:52:47-04:00 [KEYSTORE]  DEBU Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:52:47-04:00 [CLIENT]    INFO Connecting to proxy=schisa.teleport.sh:443 login="-teleport-nologin-9698fbf5-78b1-482f-9bc4-0e294ccbd31e" using TLS Routing client/api.go:3055
2024-07-05T13:52:47-04:00 [KEYSTORE]  DEBU Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:52:47-04:00 [HTTP:PROX] DEBU No proxy set in environment, returning direct dialer. proxy/proxy.go:195
2024-07-05T13:52:47-04:00 [KEYSTORE]  DEBU Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:52:47-04:00 [KEYAGENT]  DEBU "Checking key: ssh-rsa-cert-v01@openssh.com \n." client/keyagent.go:368
2024-07-05T13:52:47-04:00 [KEYAGENT]  DEBU Validated host schisa.teleport.sh:443. client/keyagent.go:374
2024-07-05T13:52:47-04:00 [CLIENT]    INFO Successful auth with proxy schisa.teleport.sh:443. client/api.go:3060
2024-07-05T13:52:47-04:00 [KEYSTORE]  DEBU Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:52:47-04:00 [KEYSTORE]  DEBU Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106

ERROR REPORT:
Original Error: *trace.BadParameterError no roles configured in the "search_as_roles" for this user allow access to at least one requested resources. resources: ["/schisa.teleport.sh/namespace/minicluster/teleport"] roles: [access] unmatched resources: [namespace/teleport]
Stack Trace:
    github.com/gravitational/teleport/api@v0.0.0/client/client.go:1074 github.com/gravitational/teleport/api/client.(*Client).CreateAccessRequestV2
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:2546 github.com/gravitational/teleport/tool/tsh/common.executeAccessRequest.func1
    github.com/gravitational/teleport/lib/client/api.go:1484 github.com/gravitational/teleport/lib/client.(*TeleportClient).WithRootClusterClient
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:2545 github.com/gravitational/teleport/tool/tsh/common.executeAccessRequest
    github.com/gravitational/teleport/tool/tsh/common/access_request.go:285 github.com/gravitational/teleport/tool/tsh/common.onRequestCreate
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:1381 github.com/gravitational/teleport/tool/tsh/common.Run
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:548 github.com/gravitational/teleport/tool/tsh/common.Main
    github.com/gravitational/teleport/tool/tsh/main.go:24 main.main
    runtime/proc.go:267 runtime.main
    runtime/asm_amd64.s:1650 runtime.goexit
User Message: no roles configured in the "search_as_roles" for this user allow access to at least one requested resources. resources: ["/schisa.teleport.sh/namespace/minicluster/teleport"] roles: [access] unmatched resources: [namespace/teleport]

Working attempt after changing to wildcard:

    kubernetes_resources:
    - kind: '*'
      name: '*'
      namespace: '*'
      verbs:
      - '*'
...
paulschisa:~$ tsh -d request create --resource "/schisa.teleport.sh/namespace/minicluster/teleport"
2024-07-05T13:53:57-04:00 INFO [CLIENT]    ALPN connection upgrade required for "schisa.teleport.sh:443": false. client/api.go:728
2024-07-05T13:53:57-04:00 INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.ylRUAiysfL/Listeners" client/api.go:4572
2024-07-05T13:53:57-04:00 DEBU [KEYSTORE]  Reading certificates from path "/Users/paulschisa/.tsh/keys/schisa.teleport.sh/paul.schisa@gmail.com-ssh/schisa.teleport.sh-cert.pub". client/keystore.go:355
2024-07-05T13:53:57-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:57-04:00 INFO [KEYAGENT]  Loading SSH key for user "paul.schisa@gmail.com" and cluster "schisa.teleport.sh". client/keyagent.go:196
Creating request...
2024-07-05T13:53:57-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:57-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:57-04:00 INFO [CLIENT]    Connecting to proxy=schisa.teleport.sh:443 login="-teleport-nologin-9698fbf5-78b1-482f-9bc4-0e294ccbd31e" using TLS Routing client/api.go:3055
2024-07-05T13:53:57-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:57-04:00 DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:195
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com \n." client/keyagent.go:368
2024-07-05T13:53:58-04:00 DEBU [KEYAGENT]  Validated host schisa.teleport.sh:443. client/keyagent.go:374
2024-07-05T13:53:58-04:00 INFO [CLIENT]    Successful auth with proxy schisa.teleport.sh:443. client/api.go:3060
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 INFO [CLIENT]    ALPN connection upgrade required for "schisa.teleport.sh:443": false. client/api.go:728
2024-07-05T13:53:58-04:00 INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.ylRUAiysfL/Listeners" client/api.go:4572
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Reading certificates from path "/Users/paulschisa/.tsh/keys/schisa.teleport.sh/paul.schisa@gmail.com-ssh/schisa.teleport.sh-cert.pub". client/keystore.go:355
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 INFO [KEYAGENT]  Loading SSH key for user "paul.schisa@gmail.com" and cluster "schisa.teleport.sh". client/keyagent.go:196
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 INFO [CLIENT]    Connecting to proxy=schisa.teleport.sh:443 login="-teleport-nologin-9698fbf5-78b1-482f-9bc4-0e294ccbd31e" using TLS Routing client/api.go:3055
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:195
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com \n." client/keyagent.go:368
2024-07-05T13:53:58-04:00 DEBU [KEYAGENT]  Validated host schisa.teleport.sh:443. client/keyagent.go:374
2024-07-05T13:53:58-04:00 INFO [CLIENT]    Successful auth with proxy schisa.teleport.sh:443. client/api.go:3060
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
2024-07-05T13:53:58-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-06 01:39:29 +0000 UTC". client/client_store.go:106
Request ID:     01908408-0c5d-700d-9364-48c2a70cb46e
Username:       paul.schisa@gmail.com
Roles:          access
Resources:      ["/schisa.teleport.sh/namespace/minicluster/teleport"]
Reason:         [none]
Reviewers:      [none] (suggested)
Access Expires: 2024-07-05 21:39:29
Status:         PENDING

hint: use 'tsh login --request-id=<request-id>' to login with an approved request

Waiting for request approval...

AntonAM commented 3 weeks ago

    kubernetes_resources:
    - kind: '*'
      name: '*'
      namespace: teleport
      verbs:
      - '*'

This config allows accessing all kinds inside the namespace teleport. To allow access to the namespace itself (and everything inside of it by extension) we need to use kind: namespace, so the config will look like this:

    kubernetes_resources:
    - kind: namespace
      name: teleport
      verbs:
      - '*'
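
The three outcomes reported in this thread, reproduced by a simplified matcher. This is an added example, not Teleport's code and not part of any comment above. The type and function names are hypothetical, and the assumption that a namespace object carries an empty namespace field is inferred from those outcomes.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors one kubernetes_resources entry from the role specs in this thread.
type Rule struct{ Kind, Name, Namespace string }

// Resource is the Kubernetes object that a requested resource ID points at.
type Resource struct{ Kind, Name, Namespace string }

// ParseNamespaceID splits "/<cluster>/namespace/<kube cluster>/<name>", the form
// passed to `tsh request create --resource` above. Assumption of this model: a
// namespace is cluster-scoped, so the object's own Namespace field stays empty.
func ParseNamespaceID(id string) (Resource, error) {
	p := strings.Split(strings.TrimPrefix(id, "/"), "/")
	if len(p) != 4 || p[1] != "namespace" || p[3] == "" {
		return Resource{}, fmt.Errorf("not a namespace resource ID: %q", id)
	}
	return Resource{Kind: "namespace", Name: p[3]}, nil
}

// match treats "*" as a wildcard and anything else as an exact comparison.
func match(pattern, value string) bool { return pattern == "*" || pattern == value }

// Allows reports whether any rule matches the resource on kind, name and namespace.
func Allows(rules []Rule, r Resource) bool {
	for _, ru := range rules {
		if match(ru.Kind, r.Kind) && match(ru.Name, r.Name) && match(ru.Namespace, r.Namespace) {
			return true
		}
	}
	return false
}

func main() {
	want, _ := ParseNamespaceID("/schisa.teleport.sh/namespace/minicluster/teleport")
	other := Resource{Kind: "namespace", Name: "kube-system"} // constructed sample
	roles := [][]Rule{
		{{"*", "*", "teleport"}},                // failing role from the report
		{{"*", "*", "*"}},                       // wildcard workaround
		{{Kind: "namespace", Name: "teleport"}}, // rule suggested in the reply
	}
	for _, rules := range roles {
		fmt.Printf("%+v teleport=%v kube-system=%v\n", rules, Allows(rules, want), Allows(rules, other))
	}
}
```

Under this model the wildcard workaround also matches every other namespace, while the kind: namespace rule keeps the requestable scope to teleport alone.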

pschisa commented 2 weeks ago

Thanks @AntonAM, that worked! I made a quick PR to update the docs.