TeleportRoleV6

Report an issue with this page

This guide is a comprehensive reference to the fields in the TeleportRoleV6 resource, which you can apply after installing the Teleport Kubernetes operator.

resources.teleport.dev/v1

apiVersion: resources.teleport.dev/v1

Field	Type	Description
apiVersion	string	APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind	string	Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata	object
spec	object	Role resource definition v6 from Teleport

spec

Field	Type	Description
allow	object	Allow is the set of conditions evaluated to grant access.
deny	object	Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.
options	object	Options is for OpenSSH options like agent forwarding.

spec.allow

Field	Type	Description
account_assignments	[]object	AccountAssignments holds the list of account assignments affected by this condition.
app_labels	object	AppLabels is a map of labels used as part of the RBAC system.
app_labels_expression	string	AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arns	[]string	AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identities	[]string	AzureIdentities is a list of Azure identities this role is allowed to assume.
cluster_labels	object	ClusterLabels is a map of node labels (used to dynamically grant access to clusters).
cluster_labels_expression	string	ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labels	object	DatabaseLabels are used in RBAC system to allow/deny access to databases.
db_labels_expression	string	DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_names	[]string	DatabaseNames is a list of database names this role is allowed to connect to.
db_permissions	[]object	DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
db_roles	[]string	DatabaseRoles is a list of databases roles for automatic user creation.
db_service_labels	object	DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services.
db_service_labels_expression	string	DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_users	[]string	DatabaseUsers is a list of databases users this role is allowed to connect as.
desktop_groups	[]string	DesktopGroups is a list of groups for created desktop users to be added to
gcp_service_accounts	[]string	GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
github_permissions	[]object	GitHubPermissions defines GitHub integration related permissions.
group_labels	object	GroupLabels is a map of labels used as part of the RBAC system.
group_labels_expression	string	GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groups	[]string	HostGroups is a list of groups for created users to be added to
host_sudoers	[]string	HostSudoers is a list of entries to include in a users sudoer file
impersonate	object	Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
join_sessions	[]object	JoinSessions specifies policies to allow users to join other sessions.
kubernetes_groups	[]string	KubeGroups is a list of kubernetes groups
kubernetes_labels	object	KubernetesLabels is a map of kubernetes cluster labels used for RBAC.
kubernetes_labels_expression	string	KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
kubernetes_resources	[]object	KubernetesResources is the Kubernetes Resources this Role grants access to.
kubernetes_users	[]string	KubeUsers is an optional kubernetes users to impersonate
logins	[]string	Logins is a list of *nix system logins.
mcp	object	MCPPermissions defines MCP servers related permissions.
node_labels	object	NodeLabels is a map of node labels (used to dynamically grant access to nodes).
node_labels_expression	string	NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
request	object
require_session_join	[]object	RequireSessionJoin specifies policies for required users to start a session.
review_requests	object	ReviewRequests defines conditions for submitting access reviews.
rules	[]object	Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
spiffe	[]object	SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
windows_desktop_labels	object	WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
windows_desktop_labels_expression	string	WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_logins	[]string	WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
workload_identity_labels	object	WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
workload_identity_labels_expression	string	WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.

spec.allow.account_assignments items

Field	Type	Description
account	string
permission_set	string

spec.allow.db_permissions items

Field	Type	Description
match	object	Match is a list of object labels that must be matched for the permission to be granted.
permissions	[]string	Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...

spec.allow.github_permissions items

Field	Type	Description
orgs	[]string

spec.allow.impersonate

Field	Type	Description
roles	[]string	Roles is a list of resources this role is allowed to impersonate
users	[]string	Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
where	string	Where specifies optional advanced matcher

spec.allow.join_sessions items

Field	Type	Description
kinds	[]string	Kinds are the session kinds this policy applies to.
modes	[]string	Modes is a list of permitted participant modes for this policy.
name	string	Name is the name of the policy.
roles	[]string	Roles is a list of roles that you can join the session of.

spec.allow.kubernetes_resources items

Field	Type	Description
api_group	string	APIGroup specifies the Kubernetes API group of the Kubernetes resource. It supports wildcards.
kind	string	Kind specifies the Kubernetes Resource type.
name	string	Name is the resource name. It supports wildcards.
namespace	string	Namespace is the resource namespace. It supports wildcards.
verbs	[]string	Verbs are the allowed Kubernetes verbs for the following resource.

spec.allow.mcp

Field	Type	Description
tools	[]string	Tools defines the list of tools allowed or denied for this role. Each entry can be a literal string, a glob pattern (e.g. "prefix_*"), or a regular expression (must start with '^' and end with '$'). If the list is empty, no tools are allowed.

spec.allow.request

Field	Type	Description
annotations	object	Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions.
claims_to_roles	[]object	ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
kubernetes_resources	[]object	kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind "kube_cluster" or any of its subresources like "namespaces". This field can be defined such that it prevents a user from requesting "kube_cluster" and enforce requesting any of its subresources.
max_duration	string	MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
reason	object	Reason defines settings for the reason for the access provided by the user.
roles	[]string	Roles is the name of roles which will match the request rule.
search_as_roles	[]string	SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
suggested_reviewers	[]string	SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
thresholds	[]object	Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

spec.allow.request.claims_to_roles items

Field	Type	Description
claim	string	Claim is a claim name.
roles	[]string	Roles is a list of static teleport roles to match.
value	string	Value is a claim value to match.

spec.allow.request.kubernetes_resources items

Field	Type	Description
api_group	string	APIGroup specifies the Kubernetes Resource API group.
kind	string	kind specifies the Kubernetes Resource type.

spec.allow.request.reason

Field	Type	Description
mode	string	Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.

spec.allow.request.thresholds items

Field	Type	Description
approve	integer	Approve is the number of matching approvals needed for state-transition.
deny	integer	Deny is the number of denials needed for state-transition.
filter	string	Filter is an optional predicate used to determine which reviews count toward this threshold.
name	string	Name is the optional human-readable name of the threshold.

spec.allow.require_session_join items

Field	Type	Description
count	integer	Count is the amount of people that need to be matched for this policy to be fulfilled.
filter	string	Filter is a predicate that determines what users count towards this policy.
kinds	[]string	Kinds are the session kinds this policy applies to.
modes	[]string	Modes is the list of modes that may be used to fulfill this policy.
name	string	Name is the name of the policy.
on_leave	string	OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.

spec.allow.review_requests

Field	Type	Description
claims_to_roles	[]object	ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
preview_as_roles	[]string	PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
roles	[]string	Roles is the name of roles which may be reviewed.
where	string	Where is an optional predicate which further limits which requests are reviewable.

spec.allow.review_requests.claims_to_roles items

Field	Type	Description
claim	string	Claim is a claim name.
roles	[]string	Roles is a list of static teleport roles to match.
value	string	Value is a claim value to match.

spec.allow.rules items

Field	Type	Description
actions	[]string	Actions specifies optional actions taken when this rule matches
resources	[]string	Resources is a list of resources
verbs	[]string	Verbs is a list of verbs
where	string	Where specifies optional advanced matcher

spec.allow.spiffe items

Field	Type	Description
dns_sans	[]string	DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
ip_sans	[]string	IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
path	string	Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar

spec.deny

Field	Type	Description
account_assignments	[]object	AccountAssignments holds the list of account assignments affected by this condition.
app_labels	object	AppLabels is a map of labels used as part of the RBAC system.
app_labels_expression	string	AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arns	[]string	AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identities	[]string	AzureIdentities is a list of Azure identities this role is allowed to assume.
cluster_labels	object	ClusterLabels is a map of node labels (used to dynamically grant access to clusters).
cluster_labels_expression	string	ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labels	object	DatabaseLabels are used in RBAC system to allow/deny access to databases.
db_labels_expression	string	DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_names	[]string	DatabaseNames is a list of database names this role is allowed to connect to.
db_permissions	[]object	DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
db_roles	[]string	DatabaseRoles is a list of databases roles for automatic user creation.
db_service_labels	object	DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services.
db_service_labels_expression	string	DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_users	[]string	DatabaseUsers is a list of databases users this role is allowed to connect as.
desktop_groups	[]string	DesktopGroups is a list of groups for created desktop users to be added to
gcp_service_accounts	[]string	GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
github_permissions	[]object	GitHubPermissions defines GitHub integration related permissions.
group_labels	object	GroupLabels is a map of labels used as part of the RBAC system.
group_labels_expression	string	GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groups	[]string	HostGroups is a list of groups for created users to be added to
host_sudoers	[]string	HostSudoers is a list of entries to include in a users sudoer file
impersonate	object	Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
join_sessions	[]object	JoinSessions specifies policies to allow users to join other sessions.
kubernetes_groups	[]string	KubeGroups is a list of kubernetes groups
kubernetes_labels	object	KubernetesLabels is a map of kubernetes cluster labels used for RBAC.
kubernetes_labels_expression	string	KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
kubernetes_resources	[]object	KubernetesResources is the Kubernetes Resources this Role grants access to.
kubernetes_users	[]string	KubeUsers is an optional kubernetes users to impersonate
logins	[]string	Logins is a list of *nix system logins.
mcp	object	MCPPermissions defines MCP servers related permissions.
node_labels	object	NodeLabels is a map of node labels (used to dynamically grant access to nodes).
node_labels_expression	string	NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
request	object
require_session_join	[]object	RequireSessionJoin specifies policies for required users to start a session.
review_requests	object	ReviewRequests defines conditions for submitting access reviews.
rules	[]object	Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
spiffe	[]object	SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
windows_desktop_labels	object	WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
windows_desktop_labels_expression	string	WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_logins	[]string	WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
workload_identity_labels	object	WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
workload_identity_labels_expression	string	WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.

spec.deny.account_assignments items

Field	Type	Description
account	string
permission_set	string

spec.deny.db_permissions items

Field	Type	Description
match	object	Match is a list of object labels that must be matched for the permission to be granted.
permissions	[]string	Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...

spec.deny.github_permissions items

Field	Type	Description
orgs	[]string

spec.deny.impersonate

Field	Type	Description
roles	[]string	Roles is a list of resources this role is allowed to impersonate
users	[]string	Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
where	string	Where specifies optional advanced matcher

spec.deny.join_sessions items

Field	Type	Description
kinds	[]string	Kinds are the session kinds this policy applies to.
modes	[]string	Modes is a list of permitted participant modes for this policy.
name	string	Name is the name of the policy.
roles	[]string	Roles is a list of roles that you can join the session of.

spec.deny.kubernetes_resources items

Field	Type	Description
api_group	string	APIGroup specifies the Kubernetes API group of the Kubernetes resource. It supports wildcards.
kind	string	Kind specifies the Kubernetes Resource type.
name	string	Name is the resource name. It supports wildcards.
namespace	string	Namespace is the resource namespace. It supports wildcards.
verbs	[]string	Verbs are the allowed Kubernetes verbs for the following resource.

spec.deny.mcp

Field	Type	Description
tools	[]string	Tools defines the list of tools allowed or denied for this role. Each entry can be a literal string, a glob pattern (e.g. "prefix_*"), or a regular expression (must start with '^' and end with '$'). If the list is empty, no tools are allowed.

spec.deny.request

Field	Type	Description
annotations	object	Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions.
claims_to_roles	[]object	ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
kubernetes_resources	[]object	kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind "kube_cluster" or any of its subresources like "namespaces". This field can be defined such that it prevents a user from requesting "kube_cluster" and enforce requesting any of its subresources.
max_duration	string	MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
reason	object	Reason defines settings for the reason for the access provided by the user.
roles	[]string	Roles is the name of roles which will match the request rule.
search_as_roles	[]string	SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
suggested_reviewers	[]string	SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
thresholds	[]object	Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

spec.deny.request.claims_to_roles items

Field	Type	Description
claim	string	Claim is a claim name.
roles	[]string	Roles is a list of static teleport roles to match.
value	string	Value is a claim value to match.

spec.deny.request.kubernetes_resources items

Field	Type	Description
api_group	string	APIGroup specifies the Kubernetes Resource API group.
kind	string	kind specifies the Kubernetes Resource type.

spec.deny.request.reason

Field	Type	Description
mode	string	Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.

spec.deny.request.thresholds items

Field	Type	Description
approve	integer	Approve is the number of matching approvals needed for state-transition.
deny	integer	Deny is the number of denials needed for state-transition.
filter	string	Filter is an optional predicate used to determine which reviews count toward this threshold.
name	string	Name is the optional human-readable name of the threshold.

spec.deny.require_session_join items

Field	Type	Description
count	integer	Count is the amount of people that need to be matched for this policy to be fulfilled.
filter	string	Filter is a predicate that determines what users count towards this policy.
kinds	[]string	Kinds are the session kinds this policy applies to.
modes	[]string	Modes is the list of modes that may be used to fulfill this policy.
name	string	Name is the name of the policy.
on_leave	string	OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.

spec.deny.review_requests

Field	Type	Description
claims_to_roles	[]object	ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
preview_as_roles	[]string	PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
roles	[]string	Roles is the name of roles which may be reviewed.
where	string	Where is an optional predicate which further limits which requests are reviewable.

spec.deny.review_requests.claims_to_roles items

Field	Type	Description
claim	string	Claim is a claim name.
roles	[]string	Roles is a list of static teleport roles to match.
value	string	Value is a claim value to match.

spec.deny.rules items

Field	Type	Description
actions	[]string	Actions specifies optional actions taken when this rule matches
resources	[]string	Resources is a list of resources
verbs	[]string	Verbs is a list of verbs
where	string	Where specifies optional advanced matcher

spec.deny.spiffe items

Field	Type	Description
dns_sans	[]string	DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
ip_sans	[]string	IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
path	string	Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar

spec.options

Field	Type	Description
cert_extensions	[]object	CertExtensions specifies the key/values
cert_format	string	CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH.
client_idle_timeout	string	ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration.
create_db_user	boolean	CreateDatabaseUser enabled automatic database user creation.
create_db_user_mode	string or integer	CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.
create_desktop_user	boolean	CreateDesktopUser allows users to be automatically created on a Windows desktop
create_host_user	boolean	Deprecated: use CreateHostUserMode instead.
create_host_user_default_shell	string	CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
create_host_user_mode	string or integer	CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.
desktop_clipboard	boolean	DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.
desktop_directory_sharing	boolean	DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true.
device_trust_mode	string	DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode.
disconnect_expired_cert	boolean	DisconnectExpiredCert sets disconnect clients on expired certificates.
enhanced_recording	[]string	BPF defines what events to record for the BPF-based session recorder.
forward_agent	boolean	ForwardAgent is SSH agent forwarding.
idp	object	IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
lock	string	Lock specifies the locking mode (strict
max_connections	integer	MaxConnections defines the maximum number of concurrent connections a user may hold.
max_kubernetes_connections	integer	MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold.
max_session_ttl	string	MaxSessionTTL defines how long a SSH session can last for.
max_sessions	integer	MaxSessions defines the maximum number of concurrent sessions per connection.
mfa_verification_interval	string	MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to max_session_ttl.
permit_x11_forwarding	boolean	PermitX11Forwarding authorizes use of X11 forwarding.
pin_source_ip	boolean	PinSourceIP forces the same client IP for certificate generation and usage
port_forwarding	boolean	Deprecated: Use SSHPortForwarding instead
record_session	object	RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.
request_access	string	RequestAccess defines the request strategy (optional
request_prompt	string	RequestPrompt is an optional message which tells users what they aught to request.
require_session_mfa	string or integer	RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.
ssh_file_copy	boolean	SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
ssh_port_forwarding	object	SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.

spec.options.cert_extensions items

Field	Type	Description
mode	string or integer	Mode is the type of extension to be used -- currently critical-option is not supported. 0 is "extension". Can be either the string or the integer representation of each option.
name	string	Name specifies the key to be used in the cert extension.
type	string or integer	Type represents the certificate type being extended, only ssh is supported at this time. 0 is "ssh". Can be either the string or the integer representation of each option.
value	string	Value specifies the value to be used in the cert extension.

spec.options.idp

Field	Type	Description
saml	object	SAML are options related to the Teleport SAML IdP.

spec.options.idp.saml

Field	Type	Description
enabled	boolean	Enabled is set to true if this option allows access to the Teleport SAML IdP.

spec.options.record_session

Field	Type	Description
default	string	Default indicates the default value for the services.
desktop	boolean	Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.
ssh	string	SSH indicates the session mode used on SSH sessions.

spec.options.ssh_port_forwarding

Field	Type	Description
local	object	Allow local port forwarding.
remote	object	Allow remote port forwarding.

spec.options.ssh_port_forwarding.local

Field	Type	Description
enabled	boolean

spec.options.ssh_port_forwarding.remote

Field	Type	Description
enabled	boolean