Skip to search

TeleportRole

resources.teleport.dev / v5

apiVersion: resources.teleport.dev/v5 kind: TeleportRole metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object
Role resource definition v5 from Teleport
allow object
Allow is the set of conditions evaluated to grant access.
account_assignments []object
AccountAssignments holds the list of account assignments affected by this condition.
account string
permission_set string
app_labels object
AppLabels is a map of labels used as part of the RBAC system.
app_labels_expression string
AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arns []string
AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identities []string
AzureIdentities is a list of Azure identities this role is allowed to assume.
beam_labels object
BeamLabels are used in the RBAC system to allow/deny access to beams.
beam_labels_expression string
BeamLabelsExpression is a predicate expression used to allow/deny access to beams.
cluster_labels object
ClusterLabels is a map of node labels (used to dynamically grant access to clusters).
cluster_labels_expression string
ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labels object
DatabaseLabels are used in RBAC system to allow/deny access to databases.
db_labels_expression string
DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_names []string
DatabaseNames is a list of database names this role is allowed to connect to.
db_permissions []object
DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
match object
Match is a list of object labels that must be matched for the permission to be granted.
permissions []string
Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...
db_roles []string
DatabaseRoles is a list of databases roles for automatic user creation.
db_service_labels object
DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services.
db_service_labels_expression string
DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_users []string
DatabaseUsers is a list of databases users this role is allowed to connect as.
desktop_groups []string
DesktopGroups is a list of groups for created desktop users to be added to
gcp_service_accounts []string
GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
github_permissions []object
GitHubPermissions defines GitHub integration related permissions.
orgs []string
group_labels object
GroupLabels is a map of labels used as part of the RBAC system.
group_labels_expression string
GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groups []string
HostGroups is a list of groups for created users to be added to
host_sudoers []string
HostSudoers is a list of entries to include in a users sudoer file
impersonate object
Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
roles []string
Roles is a list of resources this role is allowed to impersonate
users []string
Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
where string
Where specifies optional advanced matcher
join_sessions []object
JoinSessions specifies policies to allow users to join other sessions.
kinds []string
Kinds are the session kinds this policy applies to.
modes []string
Modes is a list of permitted participant modes for this policy.
name string
Name is the name of the policy.
roles []string
Roles is a list of roles that you can join the session of.
kubernetes_groups []string
KubeGroups is a list of kubernetes groups
kubernetes_labels object
KubernetesLabels is a map of kubernetes cluster labels used for RBAC.
kubernetes_labels_expression string
KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
kubernetes_resources []object
KubernetesResources is the Kubernetes Resources this Role grants access to.
api_group string
APIGroup specifies the Kubernetes API group of the Kubernetes resource. It supports wildcards.
kind string
Kind specifies the Kubernetes Resource type.
name string
Name is the resource name. It supports wildcards.
namespace string
Namespace is the resource namespace. It supports wildcards.
verbs []string
Verbs are the allowed Kubernetes verbs for the following resource.
kubernetes_users []string
KubeUsers is an optional kubernetes users to impersonate
logins []string
Logins is a list of *nix system logins.
mcp object
MCPPermissions defines MCP servers related permissions.
tools []string
Tools defines the list of tools allowed or denied for this role. Each entry can be a literal string, a glob pattern (e.g. "prefix_*"), or a regular expression (must start with '^' and end with '$'). If the list is empty, no tools are allowed.
node_labels object
NodeLabels is a map of node labels (used to dynamically grant access to nodes).
node_labels_expression string
NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
request object
annotations object
Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `` style substitutions.
claims_to_roles []object
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
claim string
Claim is a claim name.
roles []string
Roles is a list of static teleport roles to match.
value string
Value is a claim value to match.
kubernetes_resources []object
kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind "kube_cluster" or any of its subresources like "namespaces". This field can be defined such that it prevents a user from requesting "kube_cluster" and enforce requesting any of its subresources.
api_group string
APIGroup specifies the Kubernetes Resource API group.
kind string
kind specifies the Kubernetes Resource type.
max_duration string
MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
format: duration
reason object
Reason defines settings for the reason for the access provided by the user.
mode string
Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.
prompt string
Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.
roles []string
Roles is the name of roles which will match the request rule.
search_as_roles []string
SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
suggested_reviewers []string
SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
thresholds []object
Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.
approve integer
Approve is the number of matching approvals needed for state-transition.
format: int32
deny integer
Deny is the number of denials needed for state-transition.
format: int32
filter string
Filter is an optional predicate used to determine which reviews count toward this threshold.
name string
Name is the optional human-readable name of the threshold.
require_session_join []object
RequireSessionJoin specifies policies for required users to start a session.
count integer
Count is the amount of people that need to be matched for this policy to be fulfilled.
format: int32
filter string
Filter is a predicate that determines what users count towards this policy.
kinds []string
Kinds are the session kinds this policy applies to.
modes []string
Modes is the list of modes that may be used to fulfill this policy.
name string
Name is the name of the policy.
on_leave string
OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.
review_requests object
ReviewRequests defines conditions for submitting access reviews.
claims_to_roles []object
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
claim string
Claim is a claim name.
roles []string
Roles is a list of static teleport roles to match.
value string
Value is a claim value to match.
preview_as_roles []string
PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
roles []string
Roles is the name of roles which may be reviewed.
where string
Where is an optional predicate which further limits which requests are reviewable.
rules []object
Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
actions []string
Actions specifies optional actions taken when this rule matches
resources []string
Resources is a list of resources
verbs []string
Verbs is a list of verbs
where string
Where specifies optional advanced matcher
spiffe []object
SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
dns_sans []string
DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
ip_sans []string
IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
path string
Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo/*/bar would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would match /svc/foo/baz/bar
windows_desktop_labels object
WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
windows_desktop_labels_expression string
WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_logins []string
WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
workload_identity_labels object
WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
workload_identity_labels_expression string
WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.
deny object
Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.
account_assignments []object
AccountAssignments holds the list of account assignments affected by this condition.
account string
permission_set string
app_labels object
AppLabels is a map of labels used as part of the RBAC system.
app_labels_expression string
AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arns []string
AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identities []string
AzureIdentities is a list of Azure identities this role is allowed to assume.
beam_labels object
BeamLabels are used in the RBAC system to allow/deny access to beams.
beam_labels_expression string
BeamLabelsExpression is a predicate expression used to allow/deny access to beams.
cluster_labels object
ClusterLabels is a map of node labels (used to dynamically grant access to clusters).
cluster_labels_expression string
ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labels object
DatabaseLabels are used in RBAC system to allow/deny access to databases.
db_labels_expression string
DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_names []string
DatabaseNames is a list of database names this role is allowed to connect to.
db_permissions []object
DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
match object
Match is a list of object labels that must be matched for the permission to be granted.
permissions []string
Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...
db_roles []string
DatabaseRoles is a list of databases roles for automatic user creation.
db_service_labels object
DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services.
db_service_labels_expression string
DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_users []string
DatabaseUsers is a list of databases users this role is allowed to connect as.
desktop_groups []string
DesktopGroups is a list of groups for created desktop users to be added to
gcp_service_accounts []string
GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
github_permissions []object
GitHubPermissions defines GitHub integration related permissions.
orgs []string
group_labels object
GroupLabels is a map of labels used as part of the RBAC system.
group_labels_expression string
GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groups []string
HostGroups is a list of groups for created users to be added to
host_sudoers []string
HostSudoers is a list of entries to include in a users sudoer file
impersonate object
Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
roles []string
Roles is a list of resources this role is allowed to impersonate
users []string
Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
where string
Where specifies optional advanced matcher
join_sessions []object
JoinSessions specifies policies to allow users to join other sessions.
kinds []string
Kinds are the session kinds this policy applies to.
modes []string
Modes is a list of permitted participant modes for this policy.
name string
Name is the name of the policy.
roles []string
Roles is a list of roles that you can join the session of.
kubernetes_groups []string
KubeGroups is a list of kubernetes groups
kubernetes_labels object
KubernetesLabels is a map of kubernetes cluster labels used for RBAC.
kubernetes_labels_expression string
KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
kubernetes_resources []object
KubernetesResources is the Kubernetes Resources this Role grants access to.
api_group string
APIGroup specifies the Kubernetes API group of the Kubernetes resource. It supports wildcards.
kind string
Kind specifies the Kubernetes Resource type.
name string
Name is the resource name. It supports wildcards.
namespace string
Namespace is the resource namespace. It supports wildcards.
verbs []string
Verbs are the allowed Kubernetes verbs for the following resource.
kubernetes_users []string
KubeUsers is an optional kubernetes users to impersonate
logins []string
Logins is a list of *nix system logins.
mcp object
MCPPermissions defines MCP servers related permissions.
tools []string
Tools defines the list of tools allowed or denied for this role. Each entry can be a literal string, a glob pattern (e.g. "prefix_*"), or a regular expression (must start with '^' and end with '$'). If the list is empty, no tools are allowed.
node_labels object
NodeLabels is a map of node labels (used to dynamically grant access to nodes).
node_labels_expression string
NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
request object
annotations object
Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `` style substitutions.
claims_to_roles []object
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
claim string
Claim is a claim name.
roles []string
Roles is a list of static teleport roles to match.
value string
Value is a claim value to match.
kubernetes_resources []object
kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind "kube_cluster" or any of its subresources like "namespaces". This field can be defined such that it prevents a user from requesting "kube_cluster" and enforce requesting any of its subresources.
api_group string
APIGroup specifies the Kubernetes Resource API group.
kind string
kind specifies the Kubernetes Resource type.
max_duration string
MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
format: duration
reason object
Reason defines settings for the reason for the access provided by the user.
mode string
Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.
prompt string
Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.
roles []string
Roles is the name of roles which will match the request rule.
search_as_roles []string
SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
suggested_reviewers []string
SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
thresholds []object
Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.
approve integer
Approve is the number of matching approvals needed for state-transition.
format: int32
deny integer
Deny is the number of denials needed for state-transition.
format: int32
filter string
Filter is an optional predicate used to determine which reviews count toward this threshold.
name string
Name is the optional human-readable name of the threshold.
require_session_join []object
RequireSessionJoin specifies policies for required users to start a session.
count integer
Count is the amount of people that need to be matched for this policy to be fulfilled.
format: int32
filter string
Filter is a predicate that determines what users count towards this policy.
kinds []string
Kinds are the session kinds this policy applies to.
modes []string
Modes is the list of modes that may be used to fulfill this policy.
name string
Name is the name of the policy.
on_leave string
OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.
review_requests object
ReviewRequests defines conditions for submitting access reviews.
claims_to_roles []object
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
claim string
Claim is a claim name.
roles []string
Roles is a list of static teleport roles to match.
value string
Value is a claim value to match.
preview_as_roles []string
PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
roles []string
Roles is the name of roles which may be reviewed.
where string
Where is an optional predicate which further limits which requests are reviewable.
rules []object
Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
actions []string
Actions specifies optional actions taken when this rule matches
resources []string
Resources is a list of resources
verbs []string
Verbs is a list of verbs
where string
Where specifies optional advanced matcher
spiffe []object
SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
dns_sans []string
DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
ip_sans []string
IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
path string
Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo/*/bar would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would match /svc/foo/baz/bar
windows_desktop_labels object
WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
windows_desktop_labels_expression string
WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_logins []string
WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
workload_identity_labels object
WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
workload_identity_labels_expression string
WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.
options object
Options is for OpenSSH options like agent forwarding.
cert_extensions []object
CertExtensions specifies the key/values
mode string | integer
Mode is the type of extension to be used -- currently critical-option is not supported. 0 is "extension".
name string
Name specifies the key to be used in the cert extension.
type string | integer
Type represents the certificate type being extended, only ssh is supported at this time. 0 is "ssh".
value string
Value specifies the value to be used in the cert extension.
cert_format string
CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH.
client_idle_timeout string
ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration.
format: duration
create_db_user boolean
CreateDatabaseUser enabled automatic database user creation.
create_db_user_mode string | integer
CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop".
create_desktop_user boolean
CreateDesktopUser allows users to be automatically created on a Windows desktop
create_host_user boolean
Deprecated: use CreateHostUserMode instead.
create_host_user_default_shell string
CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
create_host_user_mode string | integer
CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop".
desktop_clipboard boolean
DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.
desktop_directory_sharing boolean
DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true.
device_trust_mode string
DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode.
disconnect_expired_cert boolean
DisconnectExpiredCert sets disconnect clients on expired certificates.
enhanced_recording []string
BPF defines what events to record for the BPF-based session recorder.
forward_agent boolean
ForwardAgent is SSH agent forwarding.
idp object
IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
saml object
SAML are options related to the Teleport SAML IdP.
enabled boolean
Enabled is set to true if this option allows access to the Teleport SAML IdP.
lock string
Lock specifies the locking mode (strict|best_effort) to be applied with the role.
max_connections integer
MaxConnections defines the maximum number of concurrent connections a user may hold.
format: int64
max_kubernetes_connections integer
MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold.
format: int64
max_session_ttl string
MaxSessionTTL defines how long a SSH session can last for.
format: duration
max_sessions integer
MaxSessions defines the maximum number of concurrent sessions per connection.
format: int64
mfa_verification_interval string
MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
format: duration
permit_x11_forwarding boolean
PermitX11Forwarding authorizes use of X11 forwarding.
pin_source_ip boolean
PinSourceIP forces the same client IP for certificate generation and usage
port_forwarding boolean
Deprecated: Use SSHPortForwarding instead
record_session object
RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.
default string
Default indicates the default value for the services.
desktop boolean
Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.
ssh string
SSH indicates the session mode used on SSH sessions.
request_access string
RequestAccess defines the request strategy (optional|reason|always) where optional is the default.
request_prompt string
RequestPrompt is an optional message which tells users what they aught to request.
require_session_mfa string | integer
RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
ssh_file_copy boolean
SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
ssh_port_forwarding object
SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.
local object
Allow local port forwarding.
enabled boolean
remote object
Allow remote port forwarding.
enabled boolean
web_terminal_clipboard_mode string | integer
WebTerminalClipboardMode determines clipboard behavior in the Web UI terminal. Valid values are "unrestricted" and "no-copy". Defaults to "unrestricted" if unspecified.
status object
Status defines the observed state of the Teleport resource
conditions []object
Conditions represent the latest available observations of an object's state
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
teleportResourceID integer
format: int64

No matches. Try .spec.allow for an exact path