Support multiple k8s clusters per a single teleport proxy instance

[awly]

Feature Request

Support multiple k8s clusters per a single teleport proxy instance.
The proxy would have a list of kubeconfigs for different clusters (or one kubeconfig with many clusters in it).
The client cert would indicate which k8s cluster that cert is valid for. This allows the proxy to pick the right destination k8s cluster and kubeconfig.

tsh would need some changes to allow switching between different k8s clusters/certs without re-logging into the proxy. This might mean issuing all the certs up front, or using existing SSH credentials to generate certs as needed.

Motivation

Today, a proxy supports a single kubeconfig, which means a single k8s cluster.
In order to access multiple k8s clusters through teleport, a user has to provision at least one proxy per k8s cluster. This wastes resources and complicates administration.

Who's it for?

OSS User, Pro, Enterprise

[drewwells]

Any updates on this?

[awly]

@drewwells this is scheduled for 5.0, which is a couple months away.
We're about to release 4.3 and also plan to make a 4.4 before 5.0.

[awly]

Multiple clusters per kubernetes_service are supported in 5.0
#4769 will make it easier to switch between them.
I'm also yet to write the docs for all of this.

Main tracking bug #3952