Nesting trusted clusters

Hi all,

I’ve been trying to get a contrived example working with nested clusters; something like this:

main <-- child 1 <-- child 2 <-- child 3

I’ve been doing everything with docker-compose and I’ve set up the networking such that child 3 can only hit child 2, child 2 can only hit child 1 and child 1 can only hit main.

I’m able to set them all up with trusted clusters facing back up the tree, but it seems that nodes downstream don’t propagate beyond the first hop; so up at main, you only see child 1.

Is there a setting I’m missing somewhere?

Thanks!

A root cluster will only show its direct leaves, so I would expect to only see child 1 if you log into main. You would need to log into child 1 directly to see child 2 as a leaf, and log into child 2 directly to see child 3 as a leaf.

Essentially, what you’re describing isn’t a supported use case. Can I ask what you’re attempting to achieve with such a setup? You might be better off with a more traditional bastion host type approach.
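For reference, this is the shape of the trusted_cluster resource each child applies to join its parent as a leaf. It is an added example, not part of the original thread or of Teleport's own documentation; hostnames, tokens and role names are placeholders, and the keys follow the Teleport `trusted_cluster` resource format (applied with `tctl create` on the leaf side) as assumed here, so check them against the docs for your version.

```yaml
# Added example: trusted_cluster resource applied on the *leaf* (child 1)
# with `tctl create child1-to-main.yaml`. It points back up the tree to the
# root (main). Placeholder hostnames and tokens; verify against your version.
kind: trusted_cluster
version: v2
metadata:
  # Must match the root cluster's name.
  name: main
spec:
  enabled: true
  # Join token generated on main with `tctl tokens add --type=trusted_cluster`.
  token: "<trusted-cluster-join-token>"
  # Reverse-tunnel and web proxy addresses of main, as reachable from child 1.
  tunnel_addr: main-proxy.example.com:3024
  web_proxy_addr: main-proxy.example.com:3080
  # Which roles on the root map to which roles on this leaf.
  role_map:
    - remote: "admin"
      local: ["admin"]
```

Child 2 applies the same kind of resource with `name: child1` and child 1's proxy addresses, and so on down the chain. Each resource only establishes trust between a leaf and its immediate root, which is why `tsh clusters` after logging in to main lists child 1 only; child 2 appears only after logging in to child 1.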

Hey, thanks for the reply.

The use case is managing servers on different customer networks, some of which have multiple levels to their networks with firm restrictions on access, i.e. no one place you can put a management server that can reach everything.

Thanks for the advice, I’ll do some more reading!

If you’re able to make an outbound connection to just one port (like 443) using both HTTPS and SSH from those restricted nodes, then Teleport’s IoT mode might be able to help you.

https://gravitational.com/teleport/docs/admin-guide/#adding-a-node-located-behind-nat
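As an added example (not from the thread or the linked docs), here is roughly what the node-side `teleport.yaml` looks like for that mode: the node runs only the SSH service and dials the upstream proxy's single public port, over which both its HTTPS and SSH reverse-tunnel traffic are carried, so no inbound connection to the restricted network is needed. Hostnames, the join token and the CA pin are placeholders, and the keys follow the `teleport.yaml` format as assumed here, so check them against the docs for your version.

```yaml
# Added example: teleport.yaml for a restricted node (e.g. one in child 3's
# network) that can only reach its upstream proxy on 443. Placeholder values.
teleport:
  nodename: customer-host-01
  data_dir: /var/lib/teleport
  # Join token issued on the upstream auth server (`tctl tokens add --type=node`).
  auth_token: "<node-join-token>"
  # Pin the upstream CA (shown by `tctl status`) so the node refuses to join
  # anything other than the intended auth server.
  ca_pin: "sha256:<ca-pin-from-tctl-status>"
  # Point the node at the *proxy's* public web port rather than the auth
  # server's own port; that is what makes it dial out and hold a reverse
  # tunnel instead of waiting for an inbound SSH connection.
  auth_servers:
    - proxy.child2.example.com:443
auth_service:
  enabled: no
proxy_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:
    customer: example
    tier: restricted
```

On the upstream proxy, `proxy_service.web_listen_addr` (and its `public_addr`) must be bound to the port the node is allowed to reach, 443 here, and the egress rule on the customer firewall then only needs to permit that one outbound port.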