역할 리소스 참조
요약
인터랙티브 및 비인터랙티브 사용자(봇)는 하나 이상의 역할을 맡습니다. 역할은 데이터베이스, SSH 서버, Kubernetes 클러스터, 웹 서비스 및 애플리케이션, Windows 데스크탑에 대한 접근을 제어합니다. 현재 지원되는 역할 버전은 v3, v4, v5, v6, v7, v8로 총 6가지입니다.
인터랙티브 및 비인터랙티브 사용자(봇)는 하나 이상의 역할을 맡습니다.
역할은 데이터베이스, SSH 서버, Kubernetes 클러스터, 웹 서비스 및 애플리케이션, Windows 데스크탑에 대한 접근을 제어합니다.
kind: role
version: v8
metadata:
name: example
description: This is an example role.
spec:
# options specify connection, in case if user has multiple non-default
# conflicting options, teleport chooses the least permissive value.
options:
# max_session_ttl defines the TTL (time to live) of certificates
# issued to the users with this role.
max_session_ttl: 8h
# forward_agent controls whether SSH agent forwarding is allowed
forward_agent: true
# ssh_port_forwarding controls which TCP port forwarding modes are allowed over SSH. This replaces
# the deprecated port_forwarding field, which did not differentiate between remote and local
# port forwarding modes. If you have any existing roles that allow forwarding by enabling the
# legacy port_forwarding field then the forwarding controls configured in ssh_port_forwarding will be
# ignored.
ssh_port_forwarding:
# configures remote port forwarding behavior
remote:
enabled: true
# configures local port forwarding behavior
local:
enabled: true
# ssh_file_copy controls whether file copying (SCP/SFTP) is allowed.
# Defaults to true.
ssh_file_copy: false
# client_idle_timeout determines if SSH sessions to cluster nodes are
# forcefully terminated after no activity from a client (idle client).
# it overrides the global cluster setting. examples: '30m', '1h' or '1h30m'
client_idle_timeout: never
# Determines if the clients will be forcefully disconnected when their
# certificates expire in the middle of an active session.
# It overrides the global cluster setting.
disconnect_expired_cert: false
# max_sessions is the total number of session channels that can be established
# across a single connection. Setting it to 10 matches OpenSSH default behavior.
# (enterprise-only)
max_sessions: 10
# Defines which events are recorded by the BPF-based session recorder.
enhanced_recording:
- command
- disk
- network
# permit_x11_forwarding allows users to use X11 forwarding with openssh
# clients and servers through the proxy
permit_x11_forwarding: true
# device_trust_mode enforces authenticated device access for assigned user of this role.
device_trust_mode: optional|required|required-for-humans|off
# require_session_mfa require per-session MFA for any assigned user of this role
require_session_mfa: true
# mfa_verification_interval optionally defines the maximum duration that can elapse between successive MFA verifications.
# This variable is used to ensure that users are periodically prompted to verify their identity, enhancing
# security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives.
mfa_verification_interval: 1h
# lock sets locking mode for user of this role,
# valid values are 'strict' or 'best_effort'
lock: strict
# enterprise-only request_access field is 'optional', 'always' or 'reason'. If set to always or reason,
# it instructs tsh or the web UI clients to always create an Access Request. If it is
# set to 'reason', the user will be required to indicate why they are
# generating the Access Request.
request_access: reason
# the 'request_prompt' field can be used to tell the user what should
# be supplied in the request reason field.
request_prompt: Please provide your ticket ID
# enterprise-only max_connections field sets a limit of concurrent sessions within a
# cluster. This setting slows down Teleport performance because it has to track
# connections cluster-wide.
max_connections: 2
# limit number of concurrent Kubernetes sessions per user
max_kubernetes_connections: 1
# Define how Teleport deals with session recording failures, such as a full
# disk error. The value can be set to either 'best_effort' or 'strict'. If
# set to 'strict', the session will terminate immediately. If set to
# 'best_effort', the session won’t be terminated, and the recording will be
# disabled. The configuration is done per service (currently, only 'ssh' is
# supported).
record_session:
# Specify whether or not to record the user's desktop sessions.
# Desktop session recording is enabled if one or more of the user's
# roles has enabled recording. Defaults to true if unspecified.
# Desktop sessions will never be recorded if auth_service.session_recording
# is set to 'off' in teleport.yaml (Auth Service) or if the cluster's
# session_recording_config resource has set 'mode: off'.
desktop: true
# Optional: the default session recording mode to use when a
# protocol-specific mode is not set.
default: best_effort|strict
# Optional: Session recording mode for SSH sessions (Teleport Server
# Access). If not set, the value set on default will be used.
ssh: best_effort|strict
# Specify whether clipboard sharing should be allowed with the
# remote desktop (requires a supported browser or Teleport Connect).
# Defaults to true if unspecified.
# If one or more of the user's roles has disabled the clipboard, then it will be disabled.
desktop_clipboard: true
# Specify whether directory sharing should be allowed from the
# local machine to remote desktop (requires a supported browser or Teleport Connect).
# Defaults to true if unspecified.
# If one or more of the user's roles has disabled directory sharing, then it will be disabled.
desktop_directory_sharing: true
# Specify whether this role supports auto-provisioning of local Windows users.
create_desktop_user: true
# enterprise-only: when enabled, the source IP that was used to log in is embedded in the user
# certificates, preventing a compromised certificate from being used on another
# network. The default is false.
pin_source_ip: true
# Specify a list of names and associated values to be included in user SSH keys.
# The key type can only be 'ssh' and the mode can only be 'extension'.
# The name and value fields can be arbitrary strings and the value field
# supports variable interpolation.
cert_extensions:
- type: ssh
mode: extension
name: login@github.com
value: '{{ external.github_login }}'
# Controls whether this role supports auto-provisioning of SSH users.
# Options: keep (keep users at session end), insecure-drop (remove user on session end),
# and off (disable host user creation)
create_host_user_mode: keep
# Sets the default shell for auto-provisioned SSH users. An absolute path to a shell or a name
# reachable through the system PATH are both valid values. Only applies when
# create_host_user_mode is not set to off.
create_host_user_default_shell: bash
# Controls whether this role requires automatic database user provisioning.
# Options: off (disable database user auto-provisioning), keep (disables the
# user at session end, removing the roles and locking it), and
# best_effort_drop (try to drop the user at session end, if it doesn't
# succeed, fallback to disabling it).
create_db_user_mode: keep
# The allow section declares a list of resource/verb combinations that are
# allowed for the users of this role. By default, nothing is allowed.
allow:
# The logins array defines the OS/UNIX logins a user is allowed to use.
# both strings and template variables are supported in this field
logins: [root, '{{internal.logins}}']
# Windows logins a user is allowed to use for desktop sessions.
windows_desktop_logins: [Administrator, '{{internal.logins}}']
# node_labels: a user with this role will be allowed to connect to
# SSH nodes with labels matching below.
node_labels:
# literal strings:
'env': 'test'
# the wildcard ('*') means any node
'*': '*'
# a list of alternative options:
'region': ['us-west-1', 'eu-central-1']
# Regular expressions start with ^ and end with $.
# Teleport uses Go's regular expression syntax:
# https://github.com/google/re2/wiki/Syntax
# The list example above can be expressed as:
# 'region': '^us-west-1|eu-central-1$'
'reg': '^us-west-1|eu-central-1$'
# List of host groups the created user will be added to. Any that don't
# already exist are created. Only applies when create_host_user_mode
# is not 'off'.
host_groups: [ubuntu, nginx, other]
# List of entries to include in a temporary sudoers file created in
# `/etc/sudoers.d`. The records are removed on session close.
host_sudoers: [
# This line will allow the login user to run `systemctl restart nginx.service`
# as root without requiring a password. The sudoers entry will be prefixed
# with the logged in username.
"ALL = (root) NOPASSWD: /usr/bin/systemctl restart nginx.service"
]
# List of local Windows groups the created user will be added to.
# Any that don't already exist are created. Only applies when
# create_desktop_user is 'true'.
desktop_groups:
- developers
# to make the newly-created user an administrator
- Administrators
# IdP trait templating is also supported
- '{{external.desktop_groups}}'
# kubernetes_groups specifies Kubernetes groups a user with this role will assume.
# You can refer to a SAML/OIDC trait via the 'external' property bag.
# This allows you to specify Kubernetes group membership in an identity manager:
kubernetes_groups: ['system:masters', '{{external.trait_name}}']
# kubernetes_users is an optional field that specifies kubernetes users
# this role can assume.
kubernetes_users: ['IAM#{{external.foo}};']
# kubernetes_labels: a user with this role will be allowed to connect to
# k8s clusters with labels matching below.
kubernetes_labels:
# A user can only access prod environments
'env': 'prod'
# User can access any region in us-west, e.g us-west-1, us-west-2
'region': 'us-west-*'
# Regular expressions start with ^ and end with $.
# Teleport uses Go's regular expression syntax:
# https://github.com/google/re2/wiki/Syntax
# The list example above can be expressed as:
# 'region': '^us-west-1|eu-central-1$'
'cluster_name': '^us.*\.example\.com$'
# kubernetes_resources indicates the Kubernetes resources that a user with
# this role is allowed to access.
kubernetes_resources:
# The resource kind. Teleport currently supports:
# - * (all resources)
# - <arbitrary string> (Resource plural name, e.g. pods, deployments, cronjobs, mycustomresources)
- kind: '*'
# The resource name of the Kubernetes cluster in which to allow access
# to the resources you specify with 'name' and 'kind'.
api_group: '*'
# The name of the Kubernetes namespace in which to allow access the
# resources you specify with 'name' and 'kind'.
# The wildcard character '*' matches any sequence of characters for namespaced
# resource. If set, global resources will not match.
# If the value begins with '^' and ends with '$', the Kubernetes
# Service will treat it as a regular expression.
namespace: '*'
# The name of the resource to allow access to.
# The wildcard character '*' matches any sequence of characters.
# If the value begins with '^' and ends with '$', the Kubernetes
# Service will treat it as a regular expression.
name: '^nginx-[a-z0-9-]+$'
# The verbs that the user is allowed to perform on the resource.
# Teleport currently supports:
# - * (all verbs)
# - get
# - list
# - watch
# - create
# - update
# - patch
# - delete
# - deletecollection
# - exec - allows users to execute commands in a pod
# - portforward - allows users to forward ports from a pod
verbs: ['*']
# Database account names this role can connect as.
#
# Supports role templating with traits.
db_users: ['{{email.local(external.email)}}']
# Database names this role will be able to connect to. Database names are
# only enforced for PostgreSQL, MongoDB, and Cloud Spanner databases.
#
# Supports role templating with traits.
db_names: ['{{external.db_names}}']
# Label selectors for database instances this role has access to.
#
# Supports role templating with traits.
db_labels:
'env': '{{regexp.replace(external.env, "^(staging)$", "$1")}}'
# List of database roles to grant to the auto-provisioned user. Mutually
# exclusive with 'db_permissions'.
#
# Supports role templating with traits.
db_roles: ['{{external.db_roles}}']
# List of database permissions to grant to the auto-provisioned user.
# Mutually exclusive with 'db_roles'.
db_permissions:
- match:
object_kind: table
permissions:
- SELECT
- INSERT
- UPDATE
- DELETE
- TRUNCATE
- REFERENCES
- TRIGGER
# app_labels: a user with this role will be allowed to connect to
# applications with labels matching below.
app_labels:
# A user can only access prod environments
'env': 'prod'
# User can access any region in us-west, e.g us-west-1, us-west-2
'region': 'us-west-*'
# Regular expressions start with ^ and end with $.
# Teleport uses Go's regular expression syntax:
# https://github.com/google/re2/wiki/Syntax
# The list example above can be expressed as:
# 'region': '^us-west-1|eu-central-1$'
'cluster_name': '^us.*\.example\.com$'
# group_labels: a user with this role will be given permissions to the
# underlying user_groups. Services such as the Okta service may use these
# permissions to grant access to external services.
group_labels:
# A user is given group membership to production related groups.
'env': 'prod'
# cluster_labels: a user with this role will be allowed to connect to remote
# clusters with labels matching below.
cluster_labels:
'env': 'prod'
# workload_identity_labels: a user/bot with this role will be allowed to
# issue Workload Identities with labels matching below.
#
# Supports role templating with traits.
workload_identity_labels:
'env': 'prod'
'team': '{{external.team}}'
# node_labels_expression has the same purpose as node_labels but
# supports predicate expressions to configure custom logic.
# A user with this role will be allowed to access nodes if they are in the
# staging environment *or* if they belong to one of the user's own teams.
node_labels_expression: |
labels["env"] == "staging" ||
contains(user.spec.traits["teams"] , labels["team"])
# The below <kind>_labels_expression fields have the same purpose of the
# matching <kind>_labels fields, but support predicate expressions instead
# of label matchers.
app_labels_expression: 'labels["env"] == "staging"'
cluster_labels_expression: 'labels["env"] == "staging"'
kubernetes_labels_expression: 'labels["env"] == "staging"'
db_labels_expression: 'labels["env"] == "staging"'
db_service_labels_expression: 'labels["env"] == "staging"'
windows_desktop_labels_expression: 'labels["env"] == "staging"'
group_labels_expression: 'labels["env"] == "staging"'
workload_identity_labels_expression: 'labels["env"] == "staging"'
# aws_role_arns allows a user with this role to assume AWS roles when
# accessing AWS console using UI or AWS API using CLI
aws_role_arns:
- 'arn:aws:iam::1234567890:role/ec2-read-only'
- 'arn:aws:iam::1234567890:role/ec2-full-access'
- 'arn:aws:iam::0987654321:role/example-role'
# AWS account and permission set bindings for the Identity Center integration
account_assignments:
- # AWS identity center account ID
account: "<account_id>"
# name of the permission set in AWS
name: AdministratorAccess
# permission set ARN
permission_set: arn:aws:sso:::permissionSet/ssoins-1234/ps-5678 # permission set ARN
# impersonate allows a user with this role to issue certificates on behalf
# of other users and roles matching expressions below
impersonate:
users: ['*']
roles: ['jenkins']
# where is an optional where condition
# further limiting the scope for matching users and roles
where: >
contains(user.spec.traits["group"], impersonate_role.metadata.labels["group"]) &&
contains(user.spec.traits["group"], impersonate_user.metadata.labels["group"])
# review_requests allows a user holding this role
# to approve or deny Access Requests (enterprise-only)
review_requests:
# the reviewer can view and approve or deny access requests for any roles
# listed here
roles: ['dbadmin']
# the reviewer can preview details about resources accessible by any roles
# listed in preview_as_roles when reviewing Resource Access Requests
preview_as_roles: ['dbadmin']
# request allows a user user request roles matching
# expressions below
request:
# the 'roles' list can be a mixture of literals and wildcard matchers
roles: ['common', 'dev-*']
# 'search_as_roles' allows users to search for and request access to
# resources accessible by the listed roles (enterprise-only)
search_as_roles: ['access']
# 'kubernetes_resources' restricts what kinds of Kubernetes resources
# a user can request access to. In the below example, users can
# request only Kubernetes namespaces. Default (when nothing is defined) allows
# access requests to any Kubernetes resource or the entire cluster.
kubernetes_resources:
- kind: "namespace"
# 'reason' defines settings for the reason for the access provided by the user.
reason:
# 'mode' can be either "required" or "optional". Empty string is treated as
# "optional". If a role has the request reason mode set to "required", then reason
# is required for all Access Requests requesting roles or resources allowed by
# this role. It applies only to users who have this role assigned.
mode: "optional"
# 'prompt' is a custom message prompted to the user for the requested roles or resources searchable
# as other roles. This is only applied to the requested roles and resources specifying the prompt.
prompt: I am a reason prompt specific to a requested role or resource
# thresholds specifies minimum amount of approvers and deniers,
# defaults to 1 for both (enterprise-only)
thresholds:
# requires at least two qualifying approvers and at least one denier.
- approve: 2
deny: 1
# max_duration specifies the maximum duration for which a user can request
# access to a role. The duration can be specified in seconds (s), minutes
# (m), hours (h), or days (d), e.g. 4d, 10h, 30m, 60s.
# The maximum duration is 14 days.
max_duration: 7d
# the 'claims_to_roles' mapping works the same as it does in
# the OIDC connector, with the added benefit that the roles being mapped to
# can also be matchers.
#
# This example leverages Teleport's regular expression support, which allows
# for dynamic mapping from claims. The below mapping says that users with
# claims that match 'projects: product-(.*)' can request roles that match
# '$1-admin', where '$1' is the first capture group in the
# regular expression.
# Example: the 'projects: product-foo' claim allows a user to request the
# 'foo-admin' role
claims_to_roles:
- claim: 'projects'
# matches all group names with a leading 'product-'
value: '^product-(.*)$'
# generates a role name from the value capture
roles: ['$1-admin']
# Teleport can attach annotations to pending Access Requests. These
# annotations may be literals, or be variable interpolation expressions,
# effectively creating a means for propagating selected claims from an
# external identity provider to the plugin system.
annotations:
foo: ['bar']
groups: ['{{external.groups}}']
# Moderated Sessions policy that dictates requirements for starting a session.
require_session_join:
# Defines the name of the policy. The name serves only as an
# identifier in logs and for organisation/categorisation.
- name: Auditor oversight
# Specifies an RBAC predicate that is used to define
# which users count against the required user count of the policy.
filter: 'contains(user.spec.roles, 'auditor')'
# The different session kinds this policy applies to.
kinds: ['k8s', 'ssh']
# A list of session participant modes that a participant must have
# one of in order to count against the policy.
modes: ['moderator']
# The minimum amount of users that need to match the filter expression
# in order to satisfy the policy.
count: 1
# The action to take if a moderator leaves a session, causing the policy to no longer be satisfied.
# This may be either 'terminate' or 'pause'. An empty or unknown value will default to 'terminate'.
on_leave: 'terminate'
# Moderated Sessions policy that dictates the ability to join sessions
join_sessions:
# Defines the name of the policy. The name serves only as an
# identifier in logs and for organisation/categorisation.
- name: Auditor oversight
# Allows one to join sessions created by other users with these roles
roles : ['prod-access']
# The different session kinds this policy applies to.
kinds: ['k8s', 'ssh']
# The list of session participant modes the role may join the session as.
modes: ['moderator', 'observer', 'peer']
# spiffe is a list of SPIFFE IDs that the role holder is allowed to request
# SVIDs for. As long as the request matches one of the blocks within the
# spiffe list, the certificate will be issued.
spiffe:
# The path of the SPIFFE ID that can be requested. This field is
# required for each block. It must begin with a preceding slash and
# should not contain a trailing slash.
- path: "/svc/foo"
# IP SANs that the user can request be included in a SVID along with the
# SPIFFE ID in this block. This field is optional and if omitted,
# the user will not be able to request a SVID with IP SANs.
ip_sans: ["10.0.0.100/32"]
# DNS SANs that the user can request be included in a SVID along with
# the SPIFFE ID in this block. This field is optional and if omitted,
# the user will not be able to request a SVID with DNS SANs.
#
# The '*' wildcard character is supported to indicated one or more of
# any character. For example, '*.example.com' would match
# 'foo.example.com'.
dns_sans: ["foo.svc.example.com"]
# GitHub-related permissions used for proxying Git commands.
github_permissions:
# List of GitHub organizations the user has access to.
- orgs:
- my-org
# mcp: defines MCP servers related permissions.
mcp:
# tools: list of tools allowed for this role.
#
# No tools are allowed if not specified.
# Each entry can be a literal string, a glob pattern, or a regular
# expression (must start with '^' and end with '$'). A wildcard '*' allows
# all tools.
# This value field also supports variable interpolation.
tools:
- search-files
- slack_*
- ^(get|list|read).*$
- "{{internal.mcp_tools}}"
- "{{external.mcp_tools}}"
# rules allow a user holding this role to modify other resources
# matching the expressions below
# supported resources:
# role - role resource
# user - user resource
#
# auth_connector - any auth connector resource
# oidc - OIDC connector resource
# saml - connector resource
# github - GitHub connector resource
#
# trusted_cluster - Trusted cluster resource
# remote_cluster - remote cluster resource
#
# access_request - Access Request resource
# access_plugin_data - allows modifying Access Request plugin data
#
# session - session playback records
# session_tracker - an active session
# instance - a Teleport instance
# event - structured audit logging event
#
# workload_identity - config for Machine & Workload Identity SVIDS
# bot - config for Machine & Workload Identity bots
#
# lock - lock resource.
# network_restrictions - restrictions for SSH sessions
#
# auth_server - Auth Service resource
# proxy - Proxy Service resource
# node - SSH node resource
# app - application resource
# db - database resource
# kube_cluster - Kubernetes cluster resource
# token - provisioning token resource
# cert_authority - certificate authority resource
# git_server - Git server resource
#
# cluster_name - resource that contains the cluster name.
# cluster_config - resource that holds cluster level config
# cluster_auth_preference - type of authentication for this cluster
# session_recording_config - resource for session recording config
# cluster_audit_config - resource that holds cluster audit config
# cluster_networking_config - resource that holds cluster networking config
rules:
- resources: [role]
verbs: [list, create, read, update, delete]
- resources: [auth_connector]
verbs: [list, create, read, update, delete]
- resources: [session]
verbs: [list, read]
- resources: [trusted_cluster]
verbs: [list, create, read, update, delete]
- resources: [event]
verbs: [list, read]
- resources: [user]
verbs: [list, create, read, update, delete]
- resources: [token]
verbs: [list, create, read, update, delete]
# The deny section uses the identical format as the 'allow' section.
# The deny rules always override allow rules.
deny: {}
역할 버전#
현재 지원되는 역할 버전은 v3, v4, v5, v6, v7, v8로 총 6가지입니다.
버전에 따라 리소스에 적용되는 RBAC가 다를 수 있습니다.
kubernetes_resource#
Teleport 역할 리소스의 버전 5, 6, 7, 8은 Kubernetes 리소스에 접근할 때 서로 다른 동작을 합니다.
Kubernetes 접근 권한을 부여하지 않는 역할은 네 버전에서 동일하게 동작합니다.
역할 v5와 v6는 파드에 대한 작업만 제한할 수 있습니다(예: 파드 내 실행).
역할 v7은 일부 공통 리소스 종류에 대한 제한을 지원합니다(전체 목록은
kubernetes_resource 문서를 참조).
역할 v8은 CRD를 포함한 모든 리소스 종류에 대한 제한을 지원합니다. 또한 kind 필드의 형식이 변경되었습니다.
역할 v8은 Teleport v17 에이전트와 호환되지 않습니다. 사용자에게 v8 역할이 있는 경우, Teleport Kubernetes Service를 실행하는 v17 에이전트는 v8 역할 고유의 필드를 해석할 수 없어 사용자 접근을 조용히 거부할 수 있습니다. 역할 v8을 사용하기 전에 모든 에이전트를 v18으로 업그레이드하세요.
kubernetes_resource가 설정되지 않은 경우:
- 역할 v5, v7, v8은 기본적으로 모든 접근을 허용합니다.
- 역할 v6는 기본적으로 파드 실행을 차단합니다. 이는 사용자 경험 향상을 위해 역할 v7에서 되돌려졌습니다.
| 허용 규칙 | 역할 v5 | 역할 v6 | 역할 v7 | 역할 v8 |
|---|---|---|---|---|
kubernetes_groups: |
❌ 접근 불가 | ❌ 접근 불가 | ❌ 접근 불가 | ❌ 접근 불가 |
kubernetes_groups: |
✅ dev 클러스터 전체 접근 |
❌ 파드에서 실행 불가 ✅ secrets 등 다른 리소스 접근 가능 |
✅ dev 클러스터 전체 접근 |
✅ dev 클러스터 전체 접근 |
kubernetes_groups: |
✅ foo의 파드에서 실행 가능 ✅ 모든 네임스페이스의 secrets 접근 가능 ❌ 다른 네임스페이스에서 실행 불가 |
✅ foo의 파드에서 실행 가능 ✅ 모든 네임스페이스의 secrets 접근 가능 ❌ 다른 네임스페이스에서 실행 불가 |
✅ foo의 파드에서 실행 가능 ❌ 모든 네임스페이스의 secrets 접근 불가 ❌ 다른 네임스페이스에서 실행 불가 |
⚠️ 유효하지 않음, v8은 복수형 사용 |
kubernetes_groups: |
⚠️ 지원되지 않음 | ⚠️ 지원되지 않음 | ✅ foo의 파드에서 실행 가능 ✅ foo의 secrets 접근 가능 ❌ 다른 네임스페이스에서 실행 불가 ❌ 다른 네임스페이스의 secrets 접근 불가 ❌ foo의 configmaps 접근 불가 |
⚠️ 유효하지 않음, v8은 복수형 사용 |
kubernetes_groups: |
⚠️ 지원되지 않음 | ⚠️ 지원되지 않음 | ✅ 네임스페이스 foo 내 모든 리소스 포함 전체 접근 ❌ 다른 네임스페이스 접근 불가 ❌ 클러스터 전체 리소스 접근 불가 |
⚠️ 유효하지 않음, v8은 복수형 사용 |
kubernetes_groups: |
⚠️ 지원되지 않음 | ⚠️ 지원되지 않음 | ✅ 네임스페이스 foo 내 모든 리소스 포함 전체 접근 ❌ 다른 네임스페이스 접근 불가 ✅ 클러스터 전체 리소스 전체 접근 |
⚠️ 유효하지 않음, v8은 * kind에 api_group 필요 |
kubernetes_groups: |
⚠️ 지원되지 않음 | ⚠️ 지원되지 않음 | ✅ dev 클러스터 전체 접근 |
⚠️ 유효하지 않음, v8은 * kind에 api_group 필요 |
kubernetes_groups: |
⚠️ 지원되지 않음 | ⚠️ 지원되지 않음 | ⚠️ 지원되지 않음 | ✅ foo의 파드에서 실행 가능 ✅ foo의 deployments 접근 가능 ❌ 다른 네임스페이스에서 실행 불가 ❌ 다른 네임스페이스의 deployments 접근 불가 ❌ foo의 configmaps 접근 불가 |
saml_idp_service_provider#
SAML IdP 역할 옵션 spec.idp.saml.enabled: true/false는 역할 버전 7 이하에서만 지원됩니다.
역할 버전 8부터 saml_idp_service_provider 리소스에 RBAC가 적용되는 방식은 SAML IdP 참조를 확인하세요.