unable to see/list RDS databases exposed via teleport-kube-agents

[dmitry-mightydevops]

1. So i have teleport-cluster and teleport-kube-agent running on the same EKS cluster per this post
2. both teleport and teleport-agent run with IAM role having proper policy

I login via github SSO connector

tsh login --proxy=teleport.project.net:443 --auth=github

➜ tsh clusters
Cluster Name            Status Cluster Type Labels Selected 
----------------------- ------ ------------ ------ -------- 
teleport.project.net online root                *        

➜ tsh kube ls 
Kube Cluster Name       Labels Selected 
----------------------- ------ -------- 
teleport.project.net                 
project-prod-eks                        

➜ tsh db ls  
Name Description Allowed Users Labels Connect 
---- ----------- ------------- ------ ------- 

➜ tctl db ls              
Host Name Protocol URI  Labels Version 
---- ---- -------- ---  ------ ------- 

➜ tsh kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
teleport-0                        1/1     Running   0          8m6s
teleport-auth-6c8d4d7d49-t2rm9    2/2     Running   0          27m
teleport-proxy-6497d88f87-n4nt8   1/1     Running   0          44h

logs of the teleport-0 (agent):

➜ klo teleport-0
2023-10-06T21:34:31Z INFO             Starting Teleport v14.0.2 with a config file located at "/etc/teleport/teleport.yaml" common/teleport.go:588
2023-10-06T21:34:31Z INFO [PROC:1]    Service diag is creating new listener on 0.0.0.0:3000. pid:8.1 service/signals.go:247
2023-10-06T21:34:31Z INFO [DIAG:1]    Starting diagnostic service on 0.0.0.0:3000. pid:8.1 service/service.go:3136
2023-10-06T21:34:31Z WARN [CLOUDLABE] Could not fetch EC2 instance's tags, please ensure 'allow instance tags in metadata' is enabled on the instance. labels/cloud.go:140
2023-10-06T21:34:31Z INFO [PROC:1]    Connecting to the cluster teleport.project.net with TLS client certificate. pid:8.1 service/connect.go:208
2023-10-06T21:34:31Z INFO [PROC:1]    Connecting to the cluster teleport.project.net with TLS client certificate. pid:8.1 service/connect.go:208
2023-10-06T21:34:31Z INFO [PROC:1]    Connecting to the cluster teleport.project.net with TLS client certificate. pid:8.1 service/connect.go:208
2023-10-06T21:34:31Z INFO [PROC:1]    Connecting to the cluster teleport.project.net with TLS client certificate. pid:8.1 service/connect.go:208
2023-10-06T21:34:31Z INFO [PROC:1]    Connecting to the cluster teleport.project.net with TLS client certificate. pid:8.1 service/connect.go:208
2023-10-06T21:34:31Z INFO [PROC:1]    Instance: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true Assist:true DeviceTrust:<> AccessRequests:<>  pid:8.1 service/connect.go:92
2023-10-06T21:34:31Z INFO [UPLOAD:1]  starting upload completer service pid:8.1 service/service.go:2853
2023-10-06T21:34:31Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log. pid:8.1 service/service.go:2869
2023-10-06T21:34:31Z INFO [INSTANCE:] Successfully registered instance client. pid:8.1 service/service.go:2447
2023-10-06T21:34:31Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload. pid:8.1 service/service.go:2869
2023-10-06T21:34:31Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/streaming. pid:8.1 service/service.go:2869
2023-10-06T21:34:31Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/streaming/default. pid:8.1 service/service.go:2869
2023-10-06T21:34:31Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log. pid:8.1 service/service.go:2869
2023-10-06T21:34:31Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload. pid:8.1 service/service.go:2869
2023-10-06T21:34:31Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/corrupted. pid:8.1 service/service.go:2869
2023-10-06T21:34:31Z INFO [PROC:1]    Reusing Instance client for Db. additionalSystemRoles=[Kube Db App Discovery] pid:8.1 service/connect.go:1057
2023-10-06T21:34:31Z INFO [PROC:1]    Reusing Instance client for App. additionalSystemRoles=[Kube Db App Discovery] pid:8.1 service/connect.go:1057
2023-10-06T21:34:31Z INFO [PROC:1]    Reusing Instance client for Kube. additionalSystemRoles=[Kube Db App Discovery] pid:8.1 service/connect.go:1057
2023-10-06T21:34:31Z INFO [PROC:1]    Reusing Instance client for Discovery. additionalSystemRoles=[Kube Db App Discovery] pid:8.1 service/connect.go:1057
2023-10-06T21:34:31Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/corrupted/default. pid:8.1 service/service.go:2869
2023-10-06T21:34:31Z INFO [UPLOAD]    uploader will scan /var/lib/teleport/log/upload/streaming/default every 5s filesessions/fileasync.go:192
2023-10-06T21:34:31Z INFO [UPLOAD:1:] upload completer will run every 5m0s events/complete.go:143
2023-10-06T21:34:31Z INFO [PROC:1]    Db: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true Assist:true DeviceTrust:<> AccessRequests:<>  pid:8.1 service/connect.go:92
2023-10-06T21:34:31Z INFO [PROC:1]    Kube: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true Assist:true DeviceTrust:<> AccessRequests:<>  pid:8.1 service/connect.go:92
2023-10-06T21:34:31Z INFO [PROC:1]    App: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true Assist:true DeviceTrust:<> AccessRequests:<>  pid:8.1 service/connect.go:92
2023-10-06T21:34:31Z INFO [PROC:1]    Discovery: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true Assist:true DeviceTrust:<> AccessRequests:<>  pid:8.1 service/connect.go:92
2023-10-06T21:34:31Z INFO [DISCOVERY] Cache "discovery" first init succeeded. cache/cache.go:893
2023-10-06T21:34:31Z INFO [DISCOVERY] Discovery service has successfully started pid:8.1 service/discovery.go:93
2023-10-06T21:34:31Z INFO [DISCOVERY] Starting watcher. kind:app pid:8.1 common/watcher.go:104
2023-10-06T21:34:31Z INFO [APP:SERVI] Cache "apps" first init succeeded. cache/cache.go:893
2023-10-06T21:34:31Z INFO [APP:SERVI] All applications successfully started. pid:8.1 service/service.go:5367
2023-10-06T21:34:31Z INFO [DB:SERVIC] Cache "db" first init succeeded. cache/cache.go:893
2023-10-06T21:34:31Z INFO [APP:SERVI] app argo-cd-argocd-server-http-argo-cd-project-prod-eks matches, creating. services/reconciler.go:148
2023-10-06T21:34:31Z INFO [APP:SERVI] app prometheus-prometheus-reloader-web-prometheus-project-prod-eks matches, creating. services/reconciler.go:148
2023-10-06T21:34:31Z INFO [APP:SERVI] app prometheus-alertmanager-http-web-prometheus-project-prod-eks matches, creating. services/reconciler.go:148
2023-10-06T21:34:31Z INFO [IAM]       Started IAM configurator service. cloud/iam.go:121
2023-10-06T21:34:31Z INFO [WATCHER:C] Starting watcher. common/watcher.go:104
2023-10-06T21:34:31Z INFO [KUBERNETE] Cache "kube" first init succeeded. cache/cache.go:893
2023-10-06T21:34:31Z INFO [KUBERNETE] Started reverse tunnel client. pid:8.1 service/kubernetes.go:148
2023-10-06T21:34:31Z INFO [KUBERNETE] Starting Kube service via proxy reverse tunnel. pid:8.1 service/kubernetes.go:252
2023-10-06T21:34:31Z INFO [PROC:1]    The new service has started successfully. Starting syncing rotation status with period 10m0s. pid:8.1 service/connect.go:684
2023-10-06T21:34:32Z INFO [DB:SERVIC] db project-prod-backend-postgres-rds-us-east-1-303629721857 matches, creating. services/reconciler.go:148
2023-10-06T21:34:32Z INFO [DB:SERVIC] Database "project-prod-backend-postgres-rds-us-east-1-303629721857" CA updated. db/ca.go:260

But I don't see anything in GUI (just 2 clusters) nor via tctl or tsh

✗  tsh status          
> Profile URL:        https://teleport.project.net:443
  Logged in as:       dmitry-mightydevops
  Cluster:            teleport.project.net
  Roles:              administrators
  Logins:             administrators
  Kubernetes:         enabled
  Kubernetes groups:  system:masters
  Valid until:        2023-10-06 21:43:41 -0500 CDT [valid for 5h6m0s]
  Extensions:         login-ip, permit-port-forwarding, permit-pty, private-key-policy

my role applied via teleport-operator:

apiVersion: resources.teleport.dev/v6
kind: TeleportRole
metadata:
  name: administrators
spec:
  allow:
    logins:
      - 'administrators'
    kubernetes_groups:
      - 'system:masters'
    node_labels:
      '*': '*'
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
      - kind: pod
        name: '*'
        namespace: 'ops'
        verbs:
        - '*'
    app_labels:
      '*': '*'
    db_service_labels:
      '*': '*'
    db_labels:
      '*': '*'
    db_users: ["*"]
    db_names: ["*"]


    rules:
    - resources:
      - user
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - role
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - oidc
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - saml
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - github
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - oidc_request
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - saml_request
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - github_request
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_audit_config
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_auth_preference
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - auth_connector
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_name
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_networking_config
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - session_recording_config
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - ui_config
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - trusted_cluster
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - remote_cluster
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - token
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - connection_diagnostic
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - db
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - database_certificate
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - installer
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - device
      verbs:
      - list
      - create
      - read
      - update
      - delete
      - create_enroll_token
      - enroll
    - resources:
      - db_service
      verbs:
      - list
      - read
    - resources:
      - instance
      verbs:
      - list
      - read
    - resources:
      - login_rule
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - saml_idp_service_provider
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - user_group
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - plugin
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - okta_import_rule
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - okta_assignment
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - assistant
      verbs:
      - list
      - create
      - read
      - update
      - delete
      - use
    - resources:
      - lock
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - integration
      verbs:
      - list
      - create
      - read
      - update
      - delete
      - use
    - resources:
      - billing
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_alert
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - access_list
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - node
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources: [app]
      verbs: [list, create, read, update, delete]
    - resources: [session]
      verbs: [list, read]
  options:
    max_session_ttl: 8h
    client_idle_timeout: 30m
    ssh_file_copy: false
    disconnect_expired_cert: true
    enhanced_recording:
      - command
      - network
    require_session_mfa: 'yes'
    lock: strict
    record_session:
      default: strict
      desktop: false

what am I missing?

[webvictim]

Run tctl get db_service and tctl get db_server against your cluster - what do you see?

[dmitry-mightydevops]

@webvictim

using local tctl after tsh login

➜ tsh login --proxy=teleport.project.net:443 --auth=github                                  
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:34525/e713d1fa-e124-4c9f-95db-0feda6190eb2
> Profile URL:        https://teleport.project.net:443
  Logged in as:       dmitry-mightydevops
  Cluster:            teleport.project.net
  Roles:              administrators
  Logins:             administrators
  Kubernetes:         enabled
  Kubernetes groups:  system:masters
  Valid until:        2023-10-11 04:52:24 -0500 CDT [valid for 8h0m0s]
  Extensions:         login-ip, permit-port-forwarding, permit-pty, private-key-policy

Did you know? Teleport Connect offers the power of tsh in a desktop app.
Learn more at https://goteleport.com/docs/connect-your-client/teleport-connect/

➜ tctl get db_service | wc
      0       0       0

➜ tctl get db_server | wc 
      0       0       0

if run against agent pod (teleport-0):

➜ kgpo
NAME                              READY   STATUS    RESTARTS   AGE
teleport-0                        1/1     Running   0          4d4h
teleport-auth-6c8d4d7d49-t2rm9    2/2     Running   0          4d4h
teleport-proxy-6497d88f87-n4nt8   1/1     Running   0          6d

✗  k exec -ti teleport-0 -- tctl get db_service                                                                                  
ERROR: Could not load Teleport host UUID file at /var/lib/teleport/host_uuid. Please make sure that Teleport is up and running prior to using tctl.
lstat /var/lib/teleport/host_uuid: no such file or directory

command terminated with exit code 1

✗  k exec -ti teleport-0 -- tctl get db_server 
ERROR: Could not load Teleport host UUID file at /var/lib/teleport/host_uuid. Please make sure that Teleport is up and running prior to using tctl.
lstat /var/lib/teleport/host_uuid: no such file or directory

command terminated with exit code 1

if run against teleport-auth pod:

✗  k exec -ti teleport-auth-6c8d4d7d49-t2rm9 -- tctl get db_service
Defaulted container "teleport" out of: teleport, operator
kind: db_service
metadata:
  expires: "2023-10-11T02:06:26Z"
  id: 1696628071717071093
  name: f03526de-dc86-49b2-99f3-f1c798261484
spec:
  resources: null
version: v1

➜ k exec -ti teleport-auth-6c8d4d7d49-t2rm9 -- tctl get db_server 
Defaulted container "teleport" out of: teleport, operator
kind: db_server
metadata:
  expires: "2023-10-11T02:06:52Z"
  id: 1696628086526007343
  name: project-prod-backend-postgres-rds-us-east-1-111111111111
spec:
  database:
    kind: db
    metadata:
      description: RDS instance in us-east-1
      labels:
        account-id: "111111111111"
        client: project
        component: backend
        created_at: 06/12/2023
        endpoint-type: instance
        engine: postgres
        engine-version: "15.3"
        environment: prod
        owner: Saritasa
        project: project
        region: us-east-1
        repo: [email protected]:organization/project-infra-aws
        teleport.dev/cloud: AWS
        teleport.dev/origin: cloud
        teleport.internal/discovered-name: project-prod-backend-postgres
        terraform: "true"
      name: project-prod-backend-postgres-rds-us-east-1-111111111111
    spec:
      ad:
        domain: ""
        spn: ""
      aws:
        account_id: "111111111111"
        elasticache: {}
        iam_policy_status: IAM_POLICY_STATUS_UNSPECIFIED
        memorydb: {}
        opensearch: {}
        rds:
          iam_auth: true
          instance_id: project-prod-backend-postgres
          resource_id: db-RCDLL3GFPHFRFKNCO2PT7FD5MM
        rdsproxy: {}
        redshift: {}
        redshift_serverless: {}
        region: us-east-1
        secret_store: {}
      azure:
        redis: {}
      gcp: {}
      mongo_atlas: {}
      mysql: {}
      oracle:
        audit_user: ""
      protocol: postgres
      tls:
        mode: 0
      uri: project-prod-backend-postgres.chipb2whnj74.us-east-1.rds.amazonaws.com:5432
    status:
      aws:
        account_id: "111111111111"
        elasticache: {}
        iam_policy_status: IAM_POLICY_STATUS_FAILED
        memorydb: {}
        opensearch: {}
        rds:
          iam_auth: true
          instance_id: project-prod-backend-postgres
          resource_id: db-RCDLL3GFPHFRFKNCO2PT7FD5MM
        rdsproxy: {}
        redshift: {}
        redshift_serverless: {}
        region: us-east-1
        secret_store: {}
      azure:
        redis: {}
      ca_cert: |
        -----BEGIN CERTIFICATE-----
        MIIEBjCCAu6gAwIBAgIJAMc0ZzaSUK51MA0GCSqGSIb3DQEBCwUAMIGPMQswCQYD
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIEBzCCAu+gAwIBAgICJVUwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNVBAYTAlVT
        MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIID/zCCAuegAwIBAgIRAPVSMfFitmM5PhmbaOFoGfUwDQYJKoZIhvcNAQELBQAw
        gZcxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ
        bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTEwMC4GA1UEAwwn
        ....
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIF/jCCA+agAwIBAgIQaRHaEqqacXN20e8zZJtmDDANBgkqhkiG9w0BAQwFADCB
        lzELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIICrjCCAjSgAwIBAgIRAPAlEk8VJPmEzVRRaWvTh2AwCgYIKoZIzj0EAwMwgZYx
        CzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMu
        ...
        -----END CERTIFICATE-----
      mysql: {}
    version: v3
  host_id: f03526de-dc86-49b2-99f3-f1c798261484
  hostname: teleport-0
  rotation:
    current_id: ""
    last_rotated: "0001-01-01T00:00:00Z"
    schedule:
      standby: "0001-01-01T00:00:00Z"
      update_clients: "0001-01-01T00:00:00Z"
      update_servers: "0001-01-01T00:00:00Z"
    started: "0001-01-01T00:00:00Z"
  version: 14.0.2
version: v3

[webvictim]

Add list and read permissions to the db_server resource to your role and I suspect things may work.

[dmitry-mightydevops]

@webvictim I have that already applied via teleport-operator:

verified in GUI management/roles - and I see no DBs in the GUI.

also logout/login - still only see kubernetes clusters, and nothing else.

Expect to see - apps and DBs that got discovered in the teleport-kube-agent

[webvictim]

I didn't see db_server in the administrators role above which is why I asked. If you don't have that permission, running tctl db ls as your own user won't show any results.

Whenever you can't see a database, it's generally a permissions problem. I don't see a reason why your role shouldn't work, though. The database seems to be registered with the backend.

[dmitry-mightydevops]

yes @webvictim I added db_server - later after you mentioned it, but it had no effect at all.
and tctl db ls gives me this:

➜ tsh login --proxy=teleport.projectapp.net:443 --auth=github                                  
> Profile URL:        https://teleport.projectapp.net:443
  Logged in as:       dmitry-mightydevops
  Cluster:            teleport.projectapp.net
  Roles:              administrators
  Logins:             administrators
  Kubernetes:         enabled
  Kubernetes groups:  system:masters
  Valid until:        2023-10-12 00:38:17 -0500 CDT [valid for 7h57m0s]
  Extensions:         login-ip, permit-port-forwarding, permit-pty, private-key-policy


on ☸ project-prod-eks (teleport) ~/Projects 
➜ tctl db ls                                                 
Host Name Protocol URI  Labels Version 
---- ---- -------- ---  ------ ------- 

on ☸ project-prod-eks (teleport) ~/Projects 
➜ k exec -ti teleport-auth-6c8d4d7d49-t2rm9 -- tctl db ls
Defaulted container "teleport" out of: teleport, operator
Host       Name                          Protocol URI                                                Labels                                                                                                                                            Version 
---------- ----------------------------- -------- -------------------------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------- ------- 
teleport-0 project-prod-backend-postgres postgres project-prod-backend-postgres.chipb2whnj74.us-e... account-id=303629721857,client=project,component=backend,created_at=06/12/2023,endpoint-type=instance,engine-version=... 14.0.2  

but in gui no DBs :(

[webvictim]

Could you also humour me and share the output of tctl get role/administrators please? I'm wondering whether maybe the role as seen in the operator isn't being provisioned exactly the same way in the Teleport backend.

[dmitry-mightydevops]

@webvictim I was travelling, sorry for the delayed resp. Here you go:

➜  tctl get role/administrators
kind: role
metadata:
  id: 1697057548423187701
  labels:
    teleport.dev/origin: kubernetes
  name: administrators
spec:
  allow:
    kubernetes_groups:
    - system:masters
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
    - kind: pod
      name: '*'
      namespace: ops
      verbs:
      - '*'
    logins:
    - administrators
    node_labels:
      '*': '*'
    rules:
    - resources:
      - user
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - role
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - oidc
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - saml
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - github
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - oidc_request
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - saml_request
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - github_request
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_audit_config
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_auth_preference
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - auth_connector
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_name
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_networking_config
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - session_recording_config
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - ui_config
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - trusted_cluster
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - remote_cluster
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - token
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - connection_diagnostic
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - db
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - database_certificate
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - installer
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - device
      verbs:
      - list
      - create
      - read
      - update
      - delete
      - create_enroll_token
      - enroll
    - resources:
      - db_service
      - db_server
      verbs:
      - list
      - read
    - resources:
      - instance
      verbs:
      - list
      - read
    - resources:
      - login_rule
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - saml_idp_service_provider
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - user_group
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - plugin
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - okta_import_rule
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - okta_assignment
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - assistant
      verbs:
      - list
      - create
      - read
      - update
      - delete
      - use
    - resources:
      - lock
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - integration
      verbs:
      - list
      - create
      - read
      - update
      - delete
      - use
    - resources:
      - billing
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - cluster_alert
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - access_list
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - node
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - app
      verbs:
      - list
      - create
      - read
      - update
      - delete
    - resources:
      - session
      verbs:
      - list
      - read
  deny: {}
  options:
    cert_format: standard
    client_idle_timeout: 30m0s
    create_db_user: false
    create_desktop_user: false
    desktop_clipboard: true
    desktop_directory_sharing: true
    disconnect_expired_cert: true
    enhanced_recording:
    - command
    - network
    forward_agent: false
    idp:
      saml:
        enabled: true
    lock: strict
    max_session_ttl: 8h0m0s
    pin_source_ip: false
    port_forwarding: true
    record_session:
      default: strict
      desktop: false
    require_session_mfa: true
    ssh_file_copy: false
version: v5

[dmitry-mightydevops]

One thing to note - I create the role via kubernetes operator and it created version: v5 of the role, not version: v6 as defined in the yaml manifest for the role that I applied via kubectl apply -f ...

apiVersion: resources.teleport.dev/v6
kind: TeleportRole
metadata:
  name: administrators
...

[dmitry-mightydevops]

so it's definitely the problem with the teleport operator because if I apply the role this way:

➜ POD=$(kubectl get pods  -n teleport --no-headers -o="custom-columns=NAME:.metadata.name" --selector=app.kubernetes.io/component="auth")

➜ kubectl exec -i ${POD?} -- tctl create -f < ./todo/teleport/role-v7.yaml 
Defaulted container "teleport" out of: teleport, operator
role 'administrators' has been created

with the role defined as v7:

kind: role
version: v7
metadata:
  name: administrators
spec:
  allow:
    logins:
      - administrators
    kubernetes_groups:
      - system:masters
    node_labels:
      '*': '*'
    kubernetes_labels:
      '*': '*'
    kubernetes_resources:
      - kind: pod
        name: '*'
        namespace: ops
        verbs:
          - '*'
    app_labels:
      '*': '*'
    db_service_labels:
      '*': '*'
    db_labels:
      '*': '*'
    db_users: ["*"]
    db_names: ["*"]
    rules:
      - resources:
          - access_list
          - app
          - assistant
          - auth_connector
          - billing
          - cluster_alert
          - cluster_audit_config
          - cluster_auth_preference
          - cluster_name
          - cluster_networking_config
          - connection_diagnostic
          - database_certificate
          - db
          - github
          - github_request
          - installer
          - integration
          - lock
          - login_rule
          - node
          - oidc
          - oidc_request
          - okta_assignment
          - okta_import_rule
          - plugin
          - remote_cluster
          - role
          - saml
          - saml_idp_service_provider
          - saml_request
          - session
          - session_recording_config
          - token
          - trusted_cluster
          - ui_config
          - user
          - user_group
        verbs:
          - create
          - delete
          - list
          - read
          - update
          - use
      - resources:
          - device
        verbs:
          - create
          - create_enroll_token
          - delete
          - enroll
          - list
          - read
          - update
      - resources:
          - db_service
          - db_server
        verbs:
          - list
          - read
          - use
      - resources:
          - instance
        verbs:
          - list
          - read
          - use
      - resources:
          - session
        verbs:
          - list
          - read
  options:
    max_session_ttl: 8h
    client_idle_timeout: 30m
    ssh_file_copy: false
    disconnect_expired_cert: true
    enhanced_recording:
      - command
      - network
    require_session_mfa: 'yes'
    lock: strict
    record_session:
      default: strict
      desktop: false

everything worked and I see immediately the resources via discovery:

[webvictim]

The v5 issue is a known one that we're hoping to fix next quarter: #27938

There is a big issue for tracking improvements to the operator here: #29480

In the meantime, all I can advise is that you apply your roles using YAML or Terraform instead. Sorry!