How to share kubernetes groups between trusted clusters


In case if teleport connects multiple kubernetes clusters,
there is a way to send the kubernetes groups coming from the roles
of the main cluster to the remote cluster:

For example, main cluster can have a user
with a role ‘main’ and kubernetes groups:

kube_groups: ['system:masters']

and SSH logins:

logins: ['root']

Remote cluster can choose to map
this ‘main’ cluster to it’s own:
‘remote-admin’ cluster in the trusted cluster config:

  - remote: 'main'
    local: 'remote-admin'

The role ‘remote-admin’ of the remote cluster
can now be templated to use the main cluster role main
logins and kubernetes_groups using variables:

logins: ['{{internal.logins}}']
kubernetes_groups: ['{{internal.kubernetes_groups}}']

This is possible because teleport now encodes
both values in X509 certificate metadata
and remote cluster passes these values as ‘internal’ traits
to the template engine.