path: root/control/controlknobs/controlknobs.go
author: Irbe Krumina <irbe@tailscale.com> 2024-06-10 16:36:22 +0100
committer: GitHub <noreply@github.com> 2024-06-10 16:36:22 +0100
commit: c3e2b7347baebe669c06690a8aa55497befadf13 (patch)
tree: bc789fc4481e405ee873cd7bb96cd92cdb7fd69a /control/controlknobs/controlknobs.go
parent: ba46495e11139be76cd166be420d21e9e8dd48e1 (diff)
download: tailscale-c3e2b7347baebe669c06690a8aa55497befadf13.tar.xz
          tailscale-c3e2b7347baebe669c06690a8aa55497befadf13.zip
tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236)
This PR is in prep of adding logic to control to be able to parse tailscale.com/cap/kubernetes grants in control:

- moves the type definition of PeerCapabilityKubernetes cap to a location shared with control.
- updates the Kubernetes cap rule definition with fields for granting kubectl exec session recording capabilities.
- adds a convenience function to produce tailcfg.RawMessage from an arbitrary cap rule and a test for it.

An example grant defined via ACLs:

    "grants": [{
      "src": ["tag:eng"],
      "dst": ["tag:k8s-operator"],
      "app": {
        "tailscale.com/cap/kubernetes": [{
          "recorder": ["tag:my-recorder"],
          "enforceRecorder": true
        }],
      },
    }]

This grant enforces `kubectl exec` sessions from tailnet clients, matching `tag:eng` via API server proxy matching `tag:k8s-operator` to be recorded and recording to be sent to a tsrecorder instance, matching `tag:my-recorder`.

The type needs to be shared with control because we want control to parse this cap and resolve tags to peer IPs.

Updates tailscale/corp#19821

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Diffstat (limited to 'control/controlknobs/controlknobs.go')
0 files changed, 0 insertions, 0 deletions
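The grant shape from the commit message, decoded and re-encoded in Go as an added example (not the project's code): only the capability name and the two JSON fields come from the commit message, while the identifiers KubernetesCapRule, Grant, RawCapRule, KubernetesRules and ParseGrant are assumed stand-ins for whatever the shared package actually defines.

```go
package main
import "encoding/json"

// Capability name as it appears in the grant's "app" map (from the commit message).
const PeerCapabilityKubernetes = "tailscale.com/cap/kubernetes"

// Constructed grant matching the commit message example, as strict JSON.
const SampleGrant = `{"src":["tag:eng"],"dst":["tag:k8s-operator"],"app":{` +
	`"tailscale.com/cap/kubernetes":[{"recorder":["tag:my-recorder"],"enforceRecorder":true}]}}`
// KubernetesCapRule carries the two fields the commit describes; the Go
// identifier and struct layout are assumed, not the project's definition.
type KubernetesCapRule struct {
	Recorder        []string `json:"recorder,omitempty"`
	EnforceRecorder bool     `json:"enforceRecorder,omitempty"`
}

// Grant: subset of an ACL grant; "app" keeps rules raw until their type is known.
type Grant struct {
	Src []string                     `json:"src"`
	Dst []string                     `json:"dst"`
	App map[string][]json.RawMessage `json:"app"`
}

// RawCapRule encodes any cap rule as a json.RawMessage (assumed helper).
func RawCapRule(rule any) (json.RawMessage, error) {
	b, err := json.Marshal(rule)
	if err != nil {
		return nil, err
	}
	return json.RawMessage(b), nil
}

// KubernetesRules decodes only the Kubernetes cap rules out of a grant.
func KubernetesRules(g Grant) ([]KubernetesCapRule, error) {
	var out []KubernetesCapRule
	for _, raw := range g.App[PeerCapabilityKubernetes] {
		var r KubernetesCapRule
		if err := json.Unmarshal(raw, &r); err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

func ParseGrant(s string) (Grant, error) {
	var g Grant
	return g, json.Unmarshal([]byte(s), &g)
}
```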