Kubernetes group not applied

I’m trying to use Teleport against an Amazon EKS cluster. I am running Teleport on a stand-alone EC2 instance. I’ve configured it to use GitHub for authentication. I can successfully authenticate and start a session with the Teleport server and issue kubectl commands against the cluster, however, the Kubernetes group that I specified in my GitHub config is not applied. Instead I’m inheriting the permissions granted to the node through the instance profile assigned to the EC2 instance. Below is my config for GitHub:

kind: github
version: v3
metadata:
  # connector name that will be used with `tsh --auth=github login`
  name: github
spec:
  # client ID of Github OAuth app
  client_id: xxxxxxxxxxxxx
  # client secret of Github OAuth app
  client_secret: xxxxxxxxxxxxxxxxxxxxxx
  # connector display name that will be shown on web UI login screen
  display: Github
  # callback URL that will be called after successful authentication
  redirect_url: https://instance.compute-1.amazonaws.com:3080/v1/webapi/github/callback
  # mapping of org/team memberships onto allowed logins and roles
  teams_to_logins:
    - organization: jicowan-org # Github organization name
      team: teleport            # Github team name within that organization
      # allowed UNIX logins for this team:
      logins:
        - ec2-user
      # list of Kubernetes groups this Github team is allowed to connect to
      kubernetes_groups: ["pod-reader"]

Can you run Teleport with --debug on the command line, capture the logs for the auth flow with Github and post them? It’d be good to see exactly what’s happening.

Also, what’s in your ~/.kube/config locally?

@gus I don’t have a role specified. It’s using the IAM role assigned to the EC2 instance that Teleport is running on. This role is mapped to the system:node RBAC group in Kubernetes. This is an EKS cluster which uses IAM for authentication. I had to tear down the proxy so I can’t access the logs. What does Teleport need to impersonate other roles?

Here’s an overview of the permissions that Teleport will need for impersonation: https://gravitational.com/teleport/docs/kubernetes_ssh/#impersonation
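As an added illustration (not from the thread or from Teleport's own docs) of what that impersonation setup looks like on the cluster side: a ClusterRole granting the `impersonate` verb, bound to the Kubernetes group that the Teleport instance's IAM identity maps to, plus a Role/RoleBinding for the `pod-reader` group named in the connector, which otherwise grants nothing. The group name `teleport`, the namespace and all object names are assumptions; binding impersonation to `system:nodes` instead would let every node in the cluster impersonate anyone, so the Teleport instance is assumed to have its own IAM role mapped in `aws-auth`.

```yaml
# Constructed example, not from the thread or Teleport's docs; names are assumptions.
# Assumes Teleport's instance has its own IAM role mapped in aws-auth to group "teleport".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: teleport-impersonation
rules:
  - apiGroups: [""]
    resources: ["users", "groups", "serviceaccounts"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: teleport-impersonation
subjects:
  - kind: Group
    name: teleport          # group assigned to Teleport's IAM role in aws-auth
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: teleport-impersonation
  apiGroup: rbac.authorization.k8s.io
---
# kubernetes_groups: ["pod-reader"] only works if that group is bound to something.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
  namespace: default
subjects:
  - kind: Group
    name: pod-reader
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying it, run `kubectl auth can-i list pods -n default --as=ec2-user --as-group=pod-reader` with the Teleport instance's credentials: "yes" confirms both the impersonation grant and the pod-reader binding, while a "Forbidden ... cannot impersonate" error means the ClusterRoleBinding is not reaching the identity Teleport actually uses.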