How to share kubernetes groups between trusted clusters

In case if teleport connects multiple kubernetes clusters,
there is a way to send the kubernetes groups coming from the roles
of the main cluster to the remote cluster:

For example, main cluster can have a user
with a role ‘main’ and kubernetes groups:

kube_groups: ['system:masters']

and SSH logins:

logins: ['root']

Remote cluster can choose to map
this ‘main’ cluster to it’s own:
‘remote-admin’ cluster in the trusted cluster config:

role_map:
  - remote: 'main'
    local: 'remote-admin'

The role ‘remote-admin’ of the remote cluster
can now be templated to use the main cluster role main
logins and kubernetes_groups using variables:

logins: ['{{internal.logins}}']
kubernetes_groups: ['{{internal.kubernetes_groups}}']

This is possible because teleport now encodes
both values in X509 certificate metadata
and remote cluster passes these values as ‘internal’ traits
to the template engine.

Does this work for OSS (i.e. with Github connector) or only for Enterprise?

I’ve not tried it, but it looks like this is RBAC… so I would guess that it’s only for enterprise? https://gravitational.com/teleport/docs/trustedclusters/#rbac

@gus @benarent I think that isn’t possible. I tried to add the role resource file on the “east” cluster and I could:

root@teleport-6dbcf847c7-948js:/# cat <<EOF > role.yaml
> kind: role
> version: v3
> metadata:
>   name: local-admin
> spec:
>   allow:
>     node_labels:
>       '*': '*'
>   deny:
>     node_labels:
>       "environment": "production"
> EOF

root@teleport-6dbcf847c7-948js:/# tctl create role.yaml 
error: creating resources of type "role" is not supported

So, I think that you should update the docs with this information. Only Enterprise users could use the feature with k8s multi-cluster env.