Teleport
TeleportRole
- Version 17.x
- Version 16.x
- Version 15.x
- Version 14.x
- Older Versions
This guide is a comprehensive reference to the fields in the TeleportRole
resource, which you can apply after installing the Teleport Kubernetes operator.
resources.teleport.dev/v5
apiVersion: resources.teleport.dev/v5
Field | Type | Description |
---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
metadata | object | |
spec | object | Role resource definition v5 from Teleport |
spec
Field | Type | Description |
---|---|---|
allow | object | Allow is the set of conditions evaluated to grant access. |
deny | object | Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. |
options | object | Options is for OpenSSH options like agent forwarding. |
spec.allow
Field | Type | Description |
---|---|---|
app_labels | object | AppLabels is a map of labels used as part of the RBAC system. |
app_labels_expression | string | AppLabelsExpression is a predicate expression used to allow/deny access to Apps. |
aws_role_arns | []string | AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume. |
azure_identities | []string | AzureIdentities is a list of Azure identities this role is allowed to assume. |
cluster_labels | object | ClusterLabels is a map of node labels (used to dynamically grant access to clusters). |
cluster_labels_expression | string | ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters. |
db_labels | object | DatabaseLabels are used in RBAC system to allow/deny access to databases. |
db_labels_expression | string | DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases. |
db_names | []string | DatabaseNames is a list of database names this role is allowed to connect to. |
db_permissions | []object | DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. |
db_roles | []string | DatabaseRoles is a list of databases roles for automatic user creation. |
db_service_labels | object | DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services. |
db_service_labels_expression | string | DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services. |
db_users | []string | DatabaseUsers is a list of databases users this role is allowed to connect as. |
desktop_groups | []string | DesktopGroups is a list of groups for created desktop users to be added to |
gcp_service_accounts | []string | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. |
group_labels | object | GroupLabels is a map of labels used as part of the RBAC system. |
group_labels_expression | string | GroupLabelsExpression is a predicate expression used to allow/deny access to user groups. |
host_groups | []string | HostGroups is a list of groups for created users to be added to |
host_sudoers | []string | HostSudoers is a list of entries to include in a users sudoer file |
impersonate | object | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. |
join_sessions | []object | JoinSessions specifies policies to allow users to join other sessions. |
kubernetes_groups | []string | KubeGroups is a list of kubernetes groups |
kubernetes_labels | object | KubernetesLabels is a map of kubernetes cluster labels used for RBAC. |
kubernetes_labels_expression | string | KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters. |
kubernetes_resources | []object | KubernetesResources is the Kubernetes Resources this Role grants access to. |
kubernetes_users | []string | KubeUsers is an optional kubernetes users to impersonate |
logins | []string | Logins is a list of *nix system logins. |
node_labels | object | NodeLabels is a map of node labels (used to dynamically grant access to nodes). |
node_labels_expression | string | NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes. |
request | object | |
require_session_join | []object | RequireSessionJoin specifies policies for required users to start a session. |
review_requests | object | ReviewRequests defines conditions for submitting access reviews. |
rules | []object | Rules is a list of rules and their access levels. Rules are a high level construct used for access control. |
spiffe | []object | SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. |
windows_desktop_labels | object | WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops. |
windows_desktop_labels_expression | string | WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops. |
windows_desktop_logins | []string | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
spec.allow.db_permissions items
Field | Type | Description |
---|---|---|
match | object | Match is a list of object labels that must be matched for the permission to be granted. |
permissions | []string | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |
spec.allow.impersonate
Field | Type | Description |
---|---|---|
roles | []string | Roles is a list of resources this role is allowed to impersonate |
users | []string | Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern |
where | string | Where specifies optional advanced matcher |
spec.allow.join_sessions items
Field | Type | Description |
---|---|---|
kinds | []string | Kinds are the session kinds this policy applies to. |
modes | []string | Modes is a list of permitted participant modes for this policy. |
name | string | Name is the name of the policy. |
roles | []string | Roles is a list of roles that you can join the session of. |
spec.allow.kubernetes_resources items
Field | Type | Description |
---|---|---|
kind | string | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. |
name | string | Name is the resource name. It supports wildcards. |
namespace | string | Namespace is the resource namespace. It supports wildcards. |
verbs | []string | Verbs are the allowed Kubernetes verbs for the following resource. |
spec.allow.request
Field | Type | Description |
---|---|---|
annotations | object | Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions. |
claims_to_roles | []object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
max_duration | string | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
roles | []string | Roles is the name of roles which will match the request rule. |
search_as_roles | []string | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
suggested_reviewers | []string | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
thresholds | []object | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
spec.allow.request.claims_to_roles items
Field | Type | Description |
---|---|---|
claim | string | Claim is a claim name. |
roles | []string | Roles is a list of static teleport roles to match. |
value | string | Value is a claim value to match. |
spec.allow.request.thresholds items
Field | Type | Description |
---|---|---|
approve | integer | Approve is the number of matching approvals needed for state-transition. |
deny | integer | Deny is the number of denials needed for state-transition. |
filter | string | Filter is an optional predicate used to determine which reviews count toward this threshold. |
name | string | Name is the optional human-readable name of the threshold. |
spec.allow.require_session_join items
Field | Type | Description |
---|---|---|
count | integer | Count is the amount of people that need to be matched for this policy to be fulfilled. |
filter | string | Filter is a predicate that determines what users count towards this policy. |
kinds | []string | Kinds are the session kinds this policy applies to. |
modes | []string | Modes is the list of modes that may be used to fulfill this policy. |
name | string | Name is the name of the policy. |
on_leave | string | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. |
spec.allow.review_requests
Field | Type | Description |
---|---|---|
claims_to_roles | []object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
preview_as_roles | []string | PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources. |
roles | []string | Roles is the name of roles which may be reviewed. |
where | string | Where is an optional predicate which further limits which requests are reviewable. |
spec.allow.review_requests.claims_to_roles items
Field | Type | Description |
---|---|---|
claim | string | Claim is a claim name. |
roles | []string | Roles is a list of static teleport roles to match. |
value | string | Value is a claim value to match. |
spec.allow.rules items
Field | Type | Description |
---|---|---|
actions | []string | Actions specifies optional actions taken when this rule matches |
resources | []string | Resources is a list of resources |
verbs | []string | Verbs is a list of verbs |
where | string | Where specifies optional advanced matcher |
spec.allow.spiffe items
Field | Type | Description |
---|---|---|
dns_sans | []string | DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com |
ip_sans | []string | IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42 |
path | string | Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar |
spec.deny
Field | Type | Description |
---|---|---|
app_labels | object | AppLabels is a map of labels used as part of the RBAC system. |
app_labels_expression | string | AppLabelsExpression is a predicate expression used to allow/deny access to Apps. |
aws_role_arns | []string | AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume. |
azure_identities | []string | AzureIdentities is a list of Azure identities this role is allowed to assume. |
cluster_labels | object | ClusterLabels is a map of node labels (used to dynamically grant access to clusters). |
cluster_labels_expression | string | ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters. |
db_labels | object | DatabaseLabels are used in RBAC system to allow/deny access to databases. |
db_labels_expression | string | DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases. |
db_names | []string | DatabaseNames is a list of database names this role is allowed to connect to. |
db_permissions | []object | DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. |
db_roles | []string | DatabaseRoles is a list of databases roles for automatic user creation. |
db_service_labels | object | DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services. |
db_service_labels_expression | string | DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services. |
db_users | []string | DatabaseUsers is a list of databases users this role is allowed to connect as. |
desktop_groups | []string | DesktopGroups is a list of groups for created desktop users to be added to |
gcp_service_accounts | []string | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. |
group_labels | object | GroupLabels is a map of labels used as part of the RBAC system. |
group_labels_expression | string | GroupLabelsExpression is a predicate expression used to allow/deny access to user groups. |
host_groups | []string | HostGroups is a list of groups for created users to be added to |
host_sudoers | []string | HostSudoers is a list of entries to include in a users sudoer file |
impersonate | object | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. |
join_sessions | []object | JoinSessions specifies policies to allow users to join other sessions. |
kubernetes_groups | []string | KubeGroups is a list of kubernetes groups |
kubernetes_labels | object | KubernetesLabels is a map of kubernetes cluster labels used for RBAC. |
kubernetes_labels_expression | string | KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters. |
kubernetes_resources | []object | KubernetesResources is the Kubernetes Resources this Role grants access to. |
kubernetes_users | []string | KubeUsers is an optional kubernetes users to impersonate |
logins | []string | Logins is a list of *nix system logins. |
node_labels | object | NodeLabels is a map of node labels (used to dynamically grant access to nodes). |
node_labels_expression | string | NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes. |
request | object | |
require_session_join | []object | RequireSessionJoin specifies policies for required users to start a session. |
review_requests | object | ReviewRequests defines conditions for submitting access reviews. |
rules | []object | Rules is a list of rules and their access levels. Rules are a high level construct used for access control. |
spiffe | []object | SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. |
windows_desktop_labels | object | WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops. |
windows_desktop_labels_expression | string | WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops. |
windows_desktop_logins | []string | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
spec.deny.db_permissions items
Field | Type | Description |
---|---|---|
match | object | Match is a list of object labels that must be matched for the permission to be granted. |
permissions | []string | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |
spec.deny.impersonate
Field | Type | Description |
---|---|---|
roles | []string | Roles is a list of resources this role is allowed to impersonate |
users | []string | Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern |
where | string | Where specifies optional advanced matcher |
spec.deny.join_sessions items
Field | Type | Description |
---|---|---|
kinds | []string | Kinds are the session kinds this policy applies to. |
modes | []string | Modes is a list of permitted participant modes for this policy. |
name | string | Name is the name of the policy. |
roles | []string | Roles is a list of roles that you can join the session of. |
spec.deny.kubernetes_resources items
Field | Type | Description |
---|---|---|
kind | string | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. |
name | string | Name is the resource name. It supports wildcards. |
namespace | string | Namespace is the resource namespace. It supports wildcards. |
verbs | []string | Verbs are the allowed Kubernetes verbs for the following resource. |
spec.deny.request
Field | Type | Description |
---|---|---|
annotations | object | Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions. |
claims_to_roles | []object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
max_duration | string | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
roles | []string | Roles is the name of roles which will match the request rule. |
search_as_roles | []string | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
suggested_reviewers | []string | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
thresholds | []object | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
spec.deny.request.claims_to_roles items
Field | Type | Description |
---|---|---|
claim | string | Claim is a claim name. |
roles | []string | Roles is a list of static teleport roles to match. |
value | string | Value is a claim value to match. |
spec.deny.request.thresholds items
Field | Type | Description |
---|---|---|
approve | integer | Approve is the number of matching approvals needed for state-transition. |
deny | integer | Deny is the number of denials needed for state-transition. |
filter | string | Filter is an optional predicate used to determine which reviews count toward this threshold. |
name | string | Name is the optional human-readable name of the threshold. |
spec.deny.require_session_join items
Field | Type | Description |
---|---|---|
count | integer | Count is the amount of people that need to be matched for this policy to be fulfilled. |
filter | string | Filter is a predicate that determines what users count towards this policy. |
kinds | []string | Kinds are the session kinds this policy applies to. |
modes | []string | Modes is the list of modes that may be used to fulfill this policy. |
name | string | Name is the name of the policy. |
on_leave | string | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. |
spec.deny.review_requests
Field | Type | Description |
---|---|---|
claims_to_roles | []object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
preview_as_roles | []string | PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources. |
roles | []string | Roles is the name of roles which may be reviewed. |
where | string | Where is an optional predicate which further limits which requests are reviewable. |
spec.deny.review_requests.claims_to_roles items
Field | Type | Description |
---|---|---|
claim | string | Claim is a claim name. |
roles | []string | Roles is a list of static teleport roles to match. |
value | string | Value is a claim value to match. |
spec.deny.rules items
Field | Type | Description |
---|---|---|
actions | []string | Actions specifies optional actions taken when this rule matches |
resources | []string | Resources is a list of resources |
verbs | []string | Verbs is a list of verbs |
where | string | Where specifies optional advanced matcher |
spec.deny.spiffe items
Field | Type | Description |
---|---|---|
dns_sans | []string | DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com |
ip_sans | []string | IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42 |
path | string | Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar |
spec.options
Field | Type | Description |
---|---|---|
cert_extensions | []object | CertExtensions specifies the key/values |
cert_format | string | CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH. |
client_idle_timeout | string | ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration. |
create_db_user | boolean | CreateDatabaseUser enabled automatic database user creation. |
create_db_user_mode | string or integer | CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option. |
create_desktop_user | boolean | CreateDesktopUser allows users to be automatically created on a Windows desktop |
create_host_user | boolean | CreateHostUser allows users to be automatically created on a host |
create_host_user_default_shell | string | CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users. |
create_host_user_mode | string or integer | CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option. |
desktop_clipboard | boolean | DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false. |
desktop_directory_sharing | boolean | DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true. |
device_trust_mode | string | DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. |
disconnect_expired_cert | boolean | DisconnectExpiredCert sets disconnect clients on expired certificates. |
enhanced_recording | []string | BPF defines what events to record for the BPF-based session recorder. |
forward_agent | boolean | ForwardAgent is SSH agent forwarding. |
idp | object | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. |
lock | string | Lock specifies the locking mode (strict |
max_connections | integer | MaxConnections defines the maximum number of concurrent connections a user may hold. |
max_kubernetes_connections | integer | MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold. |
max_session_ttl | string | MaxSessionTTL defines how long a SSH session can last for. |
max_sessions | integer | MaxSessions defines the maximum number of concurrent sessions per connection. |
mfa_verification_interval | string | MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to max_session_ttl . |
permit_x11_forwarding | boolean | PermitX11Forwarding authorizes use of X11 forwarding. |
pin_source_ip | boolean | PinSourceIP forces the same client IP for certificate generation and usage |
port_forwarding | boolean | PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer |
record_session | object | RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. |
request_access | string | RequestAccess defines the request strategy (optional |
request_prompt | string | RequestPrompt is an optional message which tells users what they aught to request. |
require_session_mfa | string or integer | RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option. |
ssh_file_copy | boolean | SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. |
spec.options.cert_extensions items
Field | Type | Description |
---|---|---|
mode | string or integer | Mode is the type of extension to be used -- currently critical-option is not supported. 0 is "extension". Can be either the string or the integer representation of each option. |
name | string | Name specifies the key to be used in the cert extension. |
type | string or integer | Type represents the certificate type being extended, only ssh is supported at this time. 0 is "ssh". Can be either the string or the integer representation of each option. |
value | string | Value specifies the value to be used in the cert extension. |
spec.options.idp
Field | Type | Description |
---|---|---|
saml | object | SAML are options related to the Teleport SAML IdP. |
spec.options.idp.saml
Field | Type | Description |
---|---|---|
enabled | boolean | Enabled is set to true if this option allows access to the Teleport SAML IdP. |
spec.options.record_session
Field | Type | Description |
---|---|---|
default | string | Default indicates the default value for the services. |
desktop | boolean | Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false. |
ssh | string | SSH indicates the session mode used on SSH sessions. |
resources.teleport.dev/v6
apiVersion: resources.teleport.dev/v6
Field | Type | Description |
---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
metadata | object | |
spec | object | Role resource definition v6 from Teleport |
spec
Field | Type | Description |
---|---|---|
allow | object | Allow is the set of conditions evaluated to grant access. |
deny | object | Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. |
options | object | Options is for OpenSSH options like agent forwarding. |
spec.allow
Field | Type | Description |
---|---|---|
app_labels | object | AppLabels is a map of labels used as part of the RBAC system. |
app_labels_expression | string | AppLabelsExpression is a predicate expression used to allow/deny access to Apps. |
aws_role_arns | []string | AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume. |
azure_identities | []string | AzureIdentities is a list of Azure identities this role is allowed to assume. |
cluster_labels | object | ClusterLabels is a map of node labels (used to dynamically grant access to clusters). |
cluster_labels_expression | string | ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters. |
db_labels | object | DatabaseLabels are used in RBAC system to allow/deny access to databases. |
db_labels_expression | string | DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases. |
db_names | []string | DatabaseNames is a list of database names this role is allowed to connect to. |
db_permissions | []object | DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. |
db_roles | []string | DatabaseRoles is a list of databases roles for automatic user creation. |
db_service_labels | object | DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services. |
db_service_labels_expression | string | DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services. |
db_users | []string | DatabaseUsers is a list of databases users this role is allowed to connect as. |
desktop_groups | []string | DesktopGroups is a list of groups for created desktop users to be added to |
gcp_service_accounts | []string | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. |
group_labels | object | GroupLabels is a map of labels used as part of the RBAC system. |
group_labels_expression | string | GroupLabelsExpression is a predicate expression used to allow/deny access to user groups. |
host_groups | []string | HostGroups is a list of groups for created users to be added to |
host_sudoers | []string | HostSudoers is a list of entries to include in a users sudoer file |
impersonate | object | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. |
join_sessions | []object | JoinSessions specifies policies to allow users to join other sessions. |
kubernetes_groups | []string | KubeGroups is a list of kubernetes groups |
kubernetes_labels | object | KubernetesLabels is a map of kubernetes cluster labels used for RBAC. |
kubernetes_labels_expression | string | KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters. |
kubernetes_resources | []object | KubernetesResources is the Kubernetes Resources this Role grants access to. |
kubernetes_users | []string | KubeUsers is an optional kubernetes users to impersonate |
logins | []string | Logins is a list of *nix system logins. |
node_labels | object | NodeLabels is a map of node labels (used to dynamically grant access to nodes). |
node_labels_expression | string | NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes. |
request | object | |
require_session_join | []object | RequireSessionJoin specifies policies for required users to start a session. |
review_requests | object | ReviewRequests defines conditions for submitting access reviews. |
rules | []object | Rules is a list of rules and their access levels. Rules are a high level construct used for access control. |
spiffe | []object | SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. |
windows_desktop_labels | object | WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops. |
windows_desktop_labels_expression | string | WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops. |
windows_desktop_logins | []string | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
spec.allow.db_permissions items
Field | Type | Description |
---|---|---|
match | object | Match is a list of object labels that must be matched for the permission to be granted. |
permissions | []string | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |
spec.allow.impersonate
Field | Type | Description |
---|---|---|
roles | []string | Roles is a list of resources this role is allowed to impersonate |
users | []string | Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern |
where | string | Where specifies optional advanced matcher |
spec.allow.join_sessions items
Field | Type | Description |
---|---|---|
kinds | []string | Kinds are the session kinds this policy applies to. |
modes | []string | Modes is a list of permitted participant modes for this policy. |
name | string | Name is the name of the policy. |
roles | []string | Roles is a list of roles that you can join the session of. |
spec.allow.kubernetes_resources items
Field | Type | Description |
---|---|---|
kind | string | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. |
name | string | Name is the resource name. It supports wildcards. |
namespace | string | Namespace is the resource namespace. It supports wildcards. |
verbs | []string | Verbs are the allowed Kubernetes verbs for the following resource. |
spec.allow.request
Field | Type | Description |
---|---|---|
annotations | object | Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions. |
claims_to_roles | []object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
max_duration | string | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
roles | []string | Roles is the name of roles which will match the request rule. |
search_as_roles | []string | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
suggested_reviewers | []string | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
thresholds | []object | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
spec.allow.request.claims_to_roles items
Field | Type | Description |
---|---|---|
claim | string | Claim is a claim name. |
roles | []string | Roles is a list of static teleport roles to match. |
value | string | Value is a claim value to match. |
spec.allow.request.thresholds items
Field | Type | Description |
---|---|---|
approve | integer | Approve is the number of matching approvals needed for state-transition. |
deny | integer | Deny is the number of denials needed for state-transition. |
filter | string | Filter is an optional predicate used to determine which reviews count toward this threshold. |
name | string | Name is the optional human-readable name of the threshold. |
spec.allow.require_session_join items
Field | Type | Description |
---|---|---|
count | integer | Count is the amount of people that need to be matched for this policy to be fulfilled. |
filter | string | Filter is a predicate that determines what users count towards this policy. |
kinds | []string | Kinds are the session kinds this policy applies to. |
modes | []string | Modes is the list of modes that may be used to fulfill this policy. |
name | string | Name is the name of the policy. |
on_leave | string | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. |
spec.allow.review_requests
Field | Type | Description |
---|---|---|
claims_to_roles | []object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
preview_as_roles | []string | PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources. |
roles | []string | Roles is the name of roles which may be reviewed. |
where | string | Where is an optional predicate which further limits which requests are reviewable. |
spec.allow.review_requests.claims_to_roles items
Field | Type | Description |
---|---|---|
claim | string | Claim is a claim name. |
roles | []string | Roles is a list of static teleport roles to match. |
value | string | Value is a claim value to match. |
spec.allow.rules items
Field | Type | Description |
---|---|---|
actions | []string | Actions specifies optional actions taken when this rule matches |
resources | []string | Resources is a list of resources |
verbs | []string | Verbs is a list of verbs |
where | string | Where specifies optional advanced matcher |
spec.allow.spiffe items
Field | Type | Description |
---|---|---|
dns_sans | []string | DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com |
ip_sans | []string | IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42 |
path | string | Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar |
spec.deny
Field | Type | Description |
---|---|---|
app_labels | object | AppLabels is a map of labels used as part of the RBAC system. |
app_labels_expression | string | AppLabelsExpression is a predicate expression used to allow/deny access to Apps. |
aws_role_arns | []string | AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume. |
azure_identities | []string | AzureIdentities is a list of Azure identities this role is allowed to assume. |
cluster_labels | object | ClusterLabels is a map of node labels (used to dynamically grant access to clusters). |
cluster_labels_expression | string | ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters. |
db_labels | object | DatabaseLabels are used in RBAC system to allow/deny access to databases. |
db_labels_expression | string | DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases. |
db_names | []string | DatabaseNames is a list of database names this role is allowed to connect to. |
db_permissions | []object | DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. |
db_roles | []string | DatabaseRoles is a list of databases roles for automatic user creation. |
db_service_labels | object | DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services. |
db_service_labels_expression | string | DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services. |
db_users | []string | DatabaseUsers is a list of databases users this role is allowed to connect as. |
desktop_groups | []string | DesktopGroups is a list of groups for created desktop users to be added to |
gcp_service_accounts | []string | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. |
group_labels | object | GroupLabels is a map of labels used as part of the RBAC system. |
group_labels_expression | string | GroupLabelsExpression is a predicate expression used to allow/deny access to user groups. |
host_groups | []string | HostGroups is a list of groups for created users to be added to |
host_sudoers | []string | HostSudoers is a list of entries to include in a users sudoer file |
impersonate | object | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. |
join_sessions | []object | JoinSessions specifies policies to allow users to join other sessions. |
kubernetes_groups | []string | KubeGroups is a list of kubernetes groups |
kubernetes_labels | object | KubernetesLabels is a map of kubernetes cluster labels used for RBAC. |
kubernetes_labels_expression | string | KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters. |
kubernetes_resources | []object | KubernetesResources is the Kubernetes Resources this Role grants access to. |
kubernetes_users | []string | KubeUsers is an optional kubernetes users to impersonate |
logins | []string | Logins is a list of *nix system logins. |
node_labels | object | NodeLabels is a map of node labels (used to dynamically grant access to nodes). |
node_labels_expression | string | NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes. |
request | object | |
require_session_join | []object | RequireSessionJoin specifies policies for required users to start a session. |
review_requests | object | ReviewRequests defines conditions for submitting access reviews. |
rules | []object | Rules is a list of rules and their access levels. Rules are a high level construct used for access control. |
spiffe | []object | SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. |
windows_desktop_labels | object | WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops. |
windows_desktop_labels_expression | string | WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops. |
windows_desktop_logins | []string | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
spec.deny.db_permissions items
Field | Type | Description |
---|---|---|
match | object | Match is a list of object labels that must be matched for the permission to be granted. |
permissions | []string | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |
spec.deny.impersonate
Field | Type | Description |
---|---|---|
roles | []string | Roles is a list of resources this role is allowed to impersonate |
users | []string | Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern |
where | string | Where specifies optional advanced matcher |
spec.deny.join_sessions items
Field | Type | Description |
---|---|---|
kinds | []string | Kinds are the session kinds this policy applies to. |
modes | []string | Modes is a list of permitted participant modes for this policy. |
name | string | Name is the name of the policy. |
roles | []string | Roles is a list of roles that you can join the session of. |
spec.deny.kubernetes_resources items
Field | Type | Description |
---|---|---|
kind | string | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. |
name | string | Name is the resource name. It supports wildcards. |
namespace | string | Namespace is the resource namespace. It supports wildcards. |
verbs | []string | Verbs are the allowed Kubernetes verbs for the following resource. |
spec.deny.request
Field | Type | Description |
---|---|---|
annotations | object | Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions. |
claims_to_roles | []object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
max_duration | string | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
roles | []string | Roles is the name of roles which will match the request rule. |
search_as_roles | []string | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
suggested_reviewers | []string | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
thresholds | []object | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
spec.deny.request.claims_to_roles items
Field | Type | Description |
---|---|---|
claim | string | Claim is a claim name. |
roles | []string | Roles is a list of static teleport roles to match. |
value | string | Value is a claim value to match. |
spec.deny.request.thresholds items
Field | Type | Description |
---|---|---|
approve | integer | Approve is the number of matching approvals needed for state-transition. |
deny | integer | Deny is the number of denials needed for state-transition. |
filter | string | Filter is an optional predicate used to determine which reviews count toward this threshold. |
name | string | Name is the optional human-readable name of the threshold. |
spec.deny.require_session_join items
Field | Type | Description |
---|---|---|
count | integer | Count is the amount of people that need to be matched for this policy to be fulfilled. |
filter | string | Filter is a predicate that determines what users count towards this policy. |
kinds | []string | Kinds are the session kinds this policy applies to. |
modes | []string | Modes is the list of modes that may be used to fulfill this policy. |
name | string | Name is the name of the policy. |
on_leave | string | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. |
spec.deny.review_requests
Field | Type | Description |
---|---|---|
claims_to_roles | []object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
preview_as_roles | []string | PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources. |
roles | []string | Roles is the name of roles which may be reviewed. |
where | string | Where is an optional predicate which further limits which requests are reviewable. |
spec.deny.review_requests.claims_to_roles items
Field | Type | Description |
---|---|---|
claim | string | Claim is a claim name. |
roles | []string | Roles is a list of static teleport roles to match. |
value | string | Value is a claim value to match. |
spec.deny.rules items
Field | Type | Description |
---|---|---|
actions | []string | Actions specifies optional actions taken when this rule matches |
resources | []string | Resources is a list of resources |
verbs | []string | Verbs is a list of verbs |
where | string | Where specifies optional advanced matcher |
spec.deny.spiffe items
Field | Type | Description |
---|---|---|
dns_sans | []string | DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com |
ip_sans | []string | IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42 |
path | string | Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar |
spec.options
Field | Type | Description |
---|---|---|
cert_extensions | []object | CertExtensions specifies the key/values |
cert_format | string | CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH. |
client_idle_timeout | string | ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration. |
create_db_user | boolean | CreateDatabaseUser enabled automatic database user creation. |
create_db_user_mode | string or integer | CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option. |
create_desktop_user | boolean | CreateDesktopUser allows users to be automatically created on a Windows desktop |
create_host_user | boolean | CreateHostUser allows users to be automatically created on a host |
create_host_user_default_shell | string | CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users. |
create_host_user_mode | string or integer | CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option. |
desktop_clipboard | boolean | DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false. |
desktop_directory_sharing | boolean | DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true. |
device_trust_mode | string | DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. |
disconnect_expired_cert | boolean | DisconnectExpiredCert sets disconnect clients on expired certificates. |
enhanced_recording | []string | BPF defines what events to record for the BPF-based session recorder. |
forward_agent | boolean | ForwardAgent is SSH agent forwarding. |
idp | object | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. |
lock | string | Lock specifies the locking mode (strict |
max_connections | integer | MaxConnections defines the maximum number of concurrent connections a user may hold. |
max_kubernetes_connections | integer | MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold. |
max_session_ttl | string | MaxSessionTTL defines how long a SSH session can last for. |
max_sessions | integer | MaxSessions defines the maximum number of concurrent sessions per connection. |
mfa_verification_interval | string | MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to max_session_ttl . |
permit_x11_forwarding | boolean | PermitX11Forwarding authorizes use of X11 forwarding. |
pin_source_ip | boolean | PinSourceIP forces the same client IP for certificate generation and usage |
port_forwarding | boolean | PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer |
record_session | object | RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. |
request_access | string | RequestAccess defines the request strategy (optional |
request_prompt | string | RequestPrompt is an optional message which tells users what they aught to request. |
require_session_mfa | string or integer | RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option. |
ssh_file_copy | boolean | SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. |
spec.options.cert_extensions items
Field | Type | Description |
---|---|---|
mode | string or integer | Mode is the type of extension to be used -- currently critical-option is not supported. 0 is "extension". Can be either the string or the integer representation of each option. |
name | string | Name specifies the key to be used in the cert extension. |
type | string or integer | Type represents the certificate type being extended, only ssh is supported at this time. 0 is "ssh". Can be either the string or the integer representation of each option. |
value | string | Value specifies the value to be used in the cert extension. |
spec.options.idp
Field | Type | Description |
---|---|---|
saml | object | SAML are options related to the Teleport SAML IdP. |
spec.options.idp.saml
Field | Type | Description |
---|---|---|
enabled | boolean | Enabled is set to true if this option allows access to the Teleport SAML IdP. |
spec.options.record_session
Field | Type | Description |
---|---|---|
default | string | Default indicates the default value for the services. |
desktop | boolean | Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false. |
ssh | string | SSH indicates the session mode used on SSH sessions. |