archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

k8s-operator/api-proxy: put kube api server events behind environment variable (#17550)

Browse Source 
This commit modifies the k8s-operator's api proxy implementation to only
enable forwarding of api requests to tsrecorder when an environment
variable is set.

This new environment variable is named `TS_EXPERIMENTAL_KUBE_API_EVENTS`.

Updates https://github.com/tailscale/corp/issues/32448

Signed-off-by: David Bond <davidsbond93@gmail.com>
pull/17558/head
David Bond 2 months ago committed by GitHub
parent e804b64358
commit 419fba40e0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File

9
k8s-operator/api-proxy/proxy.go
Unescape Escape View File

@ -28,6 +28,7 @@ import (
"k8s.io/client-go/transport" "k8s.io/client-go/transport"
"tailscale.com/client/local" "tailscale.com/client/local"
"tailscale.com/client/tailscale/apitype" "tailscale.com/client/tailscale/apitype"
"tailscale.com/envknob"
ksr "tailscale.com/k8s-operator/sessionrecording" ksr "tailscale.com/k8s-operator/sessionrecording"
"tailscale.com/kube/kubetypes" "tailscale.com/kube/kubetypes"
"tailscale.com/net/netx" "tailscale.com/net/netx"
@ -96,6 +97,7 @@ func NewAPIServerProxy(zlog *zap.SugaredLogger, restConfig *rest.Config, ts *tsn
upstreamURL: u, upstreamURL: u,
ts: ts, ts: ts,
sendEventFunc: sessionrecording.SendEvent, sendEventFunc: sessionrecording.SendEvent,
eventsEnabled: envknob.Bool("TS_EXPERIMENTAL_KUBE_API_EVENTS"),
} }
ap.rp = &httputil.ReverseProxy{ ap.rp = &httputil.ReverseProxy{
Rewrite: func(pr *httputil.ProxyRequest) { Rewrite: func(pr *httputil.ProxyRequest) {
@ -192,6 +194,9 @@ type APIServerProxy struct {
upstreamURL *url.URL upstreamURL *url.URL
sendEventFunc func(ap netip.AddrPort, event io.Reader, dial netx.DialFunc) error sendEventFunc func(ap netip.AddrPort, event io.Reader, dial netx.DialFunc) error
// Flag used to enable sending API requests as events to tsrecorder.
eventsEnabled bool
} }
// serveDefault is the default handler for Kubernetes API server requests. // serveDefault is the default handler for Kubernetes API server requests.
@ -310,6 +315,10 @@ func (ap *APIServerProxy) sessionForProto(w http.ResponseWriter, r *http.Request
} }
func (ap *APIServerProxy) recordRequestAsEvent(req *http.Request, who *apitype.WhoIsResponse) error { func (ap *APIServerProxy) recordRequestAsEvent(req *http.Request, who *apitype.WhoIsResponse) error {
if !ap.eventsEnabled {
return nil
}
failOpen, addrs, err := determineRecorderConfig(who) failOpen, addrs, err := determineRecorderConfig(who)
if err != nil { if err != nil {
return fmt.Errorf("error trying to determine whether the kubernetes api request needs to be recorded: %w", err) return fmt.Errorf("error trying to determine whether the kubernetes api request needs to be recorded: %w", err)

1
k8s-operator/api-proxy/proxy_events_test.go
Unescape Escape View File

@ -61,6 +61,7 @@ func TestRecordRequestAsEvent(t *testing.T) {
log: zl.Sugar(), log: zl.Sugar(),
ts: &tsnet.Server{}, ts: &tsnet.Server{},
sendEventFunc: sender.Send, sendEventFunc: sender.Send,
eventsEnabled: true,
} }
defaultWho := &apitype.WhoIsResponse{ defaultWho := &apitype.WhoIsResponse{

Write Preview
Loading…
Cancel
Save