mirror of
https://github.com/tailscale/tailscale.git
synced 2025-08-07 14:47:21 +02:00
c3e2b7347b
This PR is in prep of adding logic to control to be able to parse
tailscale.com/cap/kubernetes grants in control:
- moves the type definition of PeerCapabilityKubernetes cap to a location
shared with control.
- update the Kubernetes cap rule definition with fields for granting
kubectl exec session recording capabilities.
- adds a convenience function to produce tailcfg.RawMessage from an
arbitrary cap rule and a test for it.
An example grant defined via ACLs:
"grants": [{
"src": ["tag:eng"],
"dst": ["tag:k8s-operator"],
"app": {
"tailscale.com/cap/kubernetes": [{
"recorder": ["tag:my-recorder"]
“enforceRecorder”: true
}],
},
}
]
This grant enforces `kubectl exec` sessions from tailnet clients,
matching `tag:eng` via API server proxy matching `tag:k8s-operator`
to be recorded and recording to be sent to a tsrecorder instance,
matching `tag:my-recorder`.
The type needs to be shared with control because we want
control to parse this cap and resolve tags to peer IPs.
Updates tailscale/corp#19821
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
|
||
|---|---|---|
| .. | ||
| deploy | ||
| generate | ||
| connector_test.go | ||
| connector.go | ||
| dnsrecords_test.go | ||
| dnsrecords.go | ||
| ingress_test.go | ||
| ingress.go | ||
| nameserver_test.go | ||
| nameserver.go | ||
| operator_test.go | ||
| operator.go | ||
| proxy_test.go | ||
| proxy.go | ||
| proxyclass_test.go | ||
| proxyclass.go | ||
| sts_test.go | ||
| sts.go | ||
| svc.go | ||
| testutils_test.go | ||