| author | Irbe Krumina <irbe@tailscale.com> | 2024-06-10 16:36:22 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-10 16:36:22 +0100 |
| commit | c3e2b7347baebe669c06690a8aa55497befadf13 (patch) | |
| tree | bc789fc4481e405ee873cd7bb96cd92cdb7fd69a /control/controlknobs/controlknobs.go | |
| parent | ba46495e11139be76cd166be420d21e9e8dd48e1 (diff) | |
| download | tailscale-c3e2b7347baebe669c06690a8aa55497befadf13.tar.xz tailscale-c3e2b7347baebe669c06690a8aa55497befadf13.zip | |
tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236)
This PR is in prep of adding logic to control to be able to parse
tailscale.com/cap/kubernetes grants in control:
- moves the type definition of PeerCapabilityKubernetes cap to a location
shared with control.
- updates the Kubernetes cap rule definition with fields for granting
kubectl exec session recording capabilities.
- adds a convenience function to produce tailcfg.RawMessage from an
arbitrary cap rule and a test for it.
An example grant defined via ACLs:
  "grants": [{
      "src": ["tag:eng"],
      "dst": ["tag:k8s-operator"],
      "app": {
          "tailscale.com/cap/kubernetes": [{
              "recorder": ["tag:my-recorder"],
              "enforceRecorder": true
          }],
      },
  }
]
This grant enforces `kubectl exec` sessions from tailnet clients,
matching `tag:eng` via API server proxy matching `tag:k8s-operator`
to be recorded and recording to be sent to a tsrecorder instance,
matching `tag:my-recorder`.
The type needs to be shared with control because we want
control to parse this cap and resolve tags to peer IPs.
Updates tailscale/corp#19821
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
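As an added example (not part of this commit or of Tailscale's code), the following Go sketch shows how a consumer of the cap value above could decode the rules and derive the recording decision. The type name `KubernetesCapRule`, the constructed `ExampleCapValue`, and the rule that an enforced policy with no recorder tags is an error are all assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// KubernetesCapRule mirrors one tailscale.com/cap/kubernetes rule as written in
// the grant above. The type name and field set are assumptions of this example.
type KubernetesCapRule struct {
	Recorder        []string `json:"recorder"`
	EnforceRecorder bool     `json:"enforceRecorder"`
}

// ExampleCapValue is a constructed cap value in the form the grant above yields:
// a JSON array of rules (strict JSON here; ACL files themselves may be HuJSON).
var ExampleCapValue = []byte(`[{"recorder": ["tag:my-recorder"], "enforceRecorder": true}]`)

// ParseKubernetesCapRules decodes the rules carried under the cap key. Unknown
// fields (for example a misspelled "enforceRecorder") are rejected rather than
// ignored, so a typo cannot silently turn a required recording into an optional one.
func ParseKubernetesCapRules(capValue []byte) ([]KubernetesCapRule, error) {
	dec := json.NewDecoder(bytes.NewReader(capValue))
	dec.DisallowUnknownFields()
	var rules []KubernetesCapRule
	if err := dec.Decode(&rules); err != nil {
		return nil, fmt.Errorf("kubernetes cap: %w", err)
	}
	return rules, nil
}

// RecordingPolicy folds the rules into one decision: recording is enforced if any
// rule says so, and recorder tags from all rules are combined. Enforcing with no
// recorder to send sessions to is treated as a configuration error (assumption).
func RecordingPolicy(rules []KubernetesCapRule) (enforce bool, recorders []string, err error) {
	for _, r := range rules {
		enforce = enforce || r.EnforceRecorder
		recorders = append(recorders, r.Recorder...)
	}
	if enforce && len(recorders) == 0 {
		return false, nil, errors.New("enforceRecorder set but no recorder tags granted")
	}
	return enforce, recorders, nil
}
```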
Diffstat (limited to 'control/controlknobs/controlknobs.go')
0 files changed, 0 insertions, 0 deletions
