From 45d27fafd6ff11b296d017bbef8d84c59f7befd6 Mon Sep 17 00:00:00 2001 From: Irbe Krumina Date: Tue, 27 Feb 2024 14:51:53 +0000 Subject: [PATCH] cmd/k8s-operator,k8s-operator,go.{mod,sum},tstest/tools: add Tailscale Kubernetes operator API docs (#11246) Add logic to autogenerate CRD docs. .github/workflows/kubemanifests.yaml CI workflow will fail if the doc is out of date with regard to the current CRDs. Docs can be refreshed by running make kube-generate-all. Updates tailscale/tailscale#11023 Signed-off-by: Irbe Krumina --- cmd/k8s-operator/operator.go | 5 +- go.mod | 1 + go.sum | 2 + k8s-operator/api.md | 1644 ++++++++++++++++++++++++++++++++++ tstest/tools/tools.go | 1 + 5 files changed, 1652 insertions(+), 1 deletion(-) create mode 100644 k8s-operator/api.md diff --git a/cmd/k8s-operator/operator.go b/cmd/k8s-operator/operator.go index 236c83ad8..c9749ccb4 100644 --- a/cmd/k8s-operator/operator.go +++ b/cmd/k8s-operator/operator.go @@ -47,9 +47,12 @@ import ( // Generate static manifests for deploying Tailscale operator on Kubernetes from the operator's Helm chart. //go:generate go run tailscale.com/cmd/k8s-operator/generate staticmanifests -// Generate Connector CustomResourceDefinition yaml from its Go types. +// Generate Connector and ProxyClass CustomResourceDefinition yamls from their Go types. //go:generate go run sigs.k8s.io/controller-tools/cmd/controller-gen crd schemapatch:manifests=./deploy/crds output:dir=./deploy/crds paths=../../k8s-operator/apis/... +// Generate CRD docs from the yamls +//go:generate go run fybrik.io/crdoc --resources=./deploy/crds --output=../../k8s-operator/api.md + func main() { // Required to use our client API. We're fine with the instability since the // client lives in the same repo as this code. diff --git a/go.mod b/go.mod index 01fe1ec6e..f5cec945c 100644 --- a/go.mod +++ b/go.mod @@ -4,6 +4,7 @@ go 1.22.0 require ( filippo.io/mkcert v1.4.4 + fybrik.io/crdoc v0.6.3 github.com/akutz/memconn v0.1.0 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa github.com/andybalholm/brotli v1.1.0 diff --git a/go.sum b/go.sum index ff07e515f..34fe4c8ad 100644 --- a/go.sum +++ b/go.sum @@ -46,6 +46,8 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc= filippo.io/mkcert v1.4.4/go.mod h1:VyvOchVuAye3BoUsPUOOofKygVwLV2KQMVFJNRq+1dA= +fybrik.io/crdoc v0.6.3 h1:jNNAVINu8up5vrLa0jrV7z7HSlyHF/6lNOrAtrXwYlI= +fybrik.io/crdoc v0.6.3/go.mod h1:kvZRt7VAzOyrmDpIqREtcKAVFSJYEBoAyniYebsJGtQ= github.com/Abirdcfly/dupword v0.0.11 h1:z6v8rMETchZXUIuHxYNmlUAuKuB21PeaSymTed16wgU= github.com/Abirdcfly/dupword v0.0.11/go.mod h1:wH8mVGuf3CP5fsBTkfWwwwKTjDnVVCxtU8d8rgeVYXA= github.com/AlekSi/pointer v1.2.0 h1:glcy/gc4h8HnG2Z3ZECSzZ1IX1x2JxRVuDzaJwQE0+w= diff --git a/k8s-operator/api.md b/k8s-operator/api.md new file mode 100644 index 000000000..e2cd47c25 --- /dev/null +++ b/k8s-operator/api.md @@ -0,0 +1,1644 @@ +# API Reference + +Packages: + +- [tailscale.com/v1alpha1](#tailscalecomv1alpha1) + +# tailscale.com/v1alpha1 + +Resource Types: + +- [Connector](#connector) + +- [ProxyClass](#proxyclass) + + + + +## Connector +[↩ Parent](#tailscalecomv1alpha1 ) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
apiVersionstringtailscale.com/v1alpha1true
kindstringConnectortrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject + ConnectorSpec describes the desired Tailscale component.
+
+ Validations:
  • has(self.subnetRouter) || self.exitNode == true: A Connector needs to be either an exit node or a subnet router, or both.
    • +     		true
    statusobject + ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
    +     		false
    + + +### Connector.spec +[↩ Parent](#connector) + + + +ConnectorSpec describes the desired Tailscale component. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    exitNodeboolean + ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
    +     		false
    hostnamestring + Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to -connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
    +     		false
    proxyClassstring + ProxyClass is the name of the ProxyClass custom resource that contains configuration options that should be applied to the resources created for this Connector. If unset, the operator will create resources with the default configuration.
    +     		false
    subnetRouterobject + SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
    +     		false
    tags[]string + Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
    +     		false
    + + +### Connector.spec.subnetRouter +[↩ Parent](#connectorspec) + + + +SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/ + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    advertiseRoutes[]string + AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
    +     		true
    + + +### Connector.status +[↩ Parent](#connector) + + + +ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    conditions[]object + List of status conditions to indicate the status of the Connector. Known condition types are `ConnectorReady`.
    +     		false
    isExitNodeboolean + IsExitNode is set to true if the Connector acts as an exit node.
    +     		false
    subnetRoutesstring + SubnetRoutes are the routes currently exposed to tailnet via this Connector instance.
    +     		false
    + + +### Connector.status.conditions[index] +[↩ Parent](#connectorstatus) + + + +ConnectorCondition contains condition information for a Connector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    statusstring + Status of the condition, one of ('True', 'False', 'Unknown').
    +     		true
    typestring + Type of the condition, known values are (`SubnetRouterReady`).
    +     		true
    lastTransitionTimestring + LastTransitionTime is the timestamp corresponding to the last status change of this condition.
    +
    + Format: date-time
    +     		false
    messagestring + Message is a human readable description of the details of the last transition, complementing reason.
    +     		false
    observedGenerationinteger + If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
    +
    + Format: int64
    +     		false
    reasonstring + Reason is a brief machine readable explanation for the condition's last transition.
    +     		false
    + +## ProxyClass +[↩ Parent](#tailscalecomv1alpha1 ) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    apiVersionstringtailscale.com/v1alpha1true
    kindstringProxyClasstrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject +
    +     		true
    statusobject +
    +     		false
    + + +### ProxyClass.spec +[↩ Parent](#proxyclass) + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    statefulSetobject + Proxy's StatefulSet spec.
    +     		true
    + + +### ProxyClass.spec.statefulSet +[↩ Parent](#proxyclassspec) + + + +Proxy's StatefulSet spec. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    annotationsmap[string]string + Annotations that will be added to the StatefulSet created for the proxy. Any Annotations specified here will be merged with the default annotations applied to the StatefulSet by the Tailscale Kubernetes operator as well as any other annotations that might have been applied by other actors. Annotations must be valid Kubernetes annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
    +     		false
    labelsmap[string]string + Labels that will be added to the StatefulSet created for the proxy. Any labels specified here will be merged with the default labels applied to the StatefulSet by the Tailscale Kubernetes operator as well as any other labels that might have been applied by other actors. Label keys and values must be valid Kubernetes label keys and values. https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
    +     		false
    podobject + Configuration for the proxy Pod.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod +[↩ Parent](#proxyclassspecstatefulset) + + + +Configuration for the proxy Pod. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    annotationsmap[string]string + Annotations that will be added to the proxy Pod. Any annotations specified here will be merged with the default annotations applied to the Pod by the Tailscale Kubernetes operator. Annotations must be valid Kubernetes annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
    +     		false
    imagePullSecrets[]object + Proxy Pod's image pull Secrets. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
    +     		false
    labelsmap[string]string + Labels that will be added to the proxy Pod. Any labels specified here will be merged with the default labels applied to the Pod by the Tailscale Kubernetes operator. Label keys and values must be valid Kubernetes label keys and values. https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
    +     		false
    nodeNamestring + Proxy Pod's node name. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
    +     		false
    nodeSelectormap[string]string + Proxy Pod's node selector. By default Tailscale Kubernetes operator does not apply any node selector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
    +     		false
    securityContextobject + Proxy Pod's security context. By default Tailscale Kubernetes operator does not apply any Pod security context. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2
    +     		false
    tailscaleContainerobject + Configuration for the proxy container running tailscale.
    +     		false
    tailscaleInitContainerobject + Configuration for the proxy init container that enables forwarding.
    +     		false
    tolerations[]object + Proxy Pod's tolerations. By default Tailscale Kubernetes operator does not apply any tolerations. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.imagePullSecrets[index] +[↩ Parent](#proxyclassspecstatefulsetpod) + + + +LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.securityContext +[↩ Parent](#proxyclassspecstatefulsetpod) + + + +Proxy Pod's security context. By default Tailscale Kubernetes operator does not apply any Pod security context. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    fsGroupinteger + A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: + 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- + If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.
    +
    + Format: int64
    +     		false
    fsGroupChangePolicystring + fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    runAsGroupinteger + The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
    +
    + Format: int64
    +     		false
    runAsNonRootboolean + Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
    +     		false
    runAsUserinteger + The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
    +
    + Format: int64
    +     		false
    seLinuxOptionsobject + The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    seccompProfileobject + The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    supplementalGroups[]integer + A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    sysctls[]object + Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    windowsOptionsobject + The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.securityContext.seLinuxOptions +[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext) + + + +The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    levelstring + Level is SELinux level label that applies to the container.
    +     		false
    rolestring + Role is a SELinux role label that applies to the container.
    +     		false
    typestring + Type is a SELinux type label that applies to the container.
    +     		false
    userstring + User is a SELinux user label that applies to the container.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.securityContext.seccompProfile +[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext) + + + +The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    typestring + type indicates which kind of seccomp profile will be applied. Valid options are: + Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
    +     		true
    localhostProfilestring + localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.securityContext.sysctls[index] +[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext) + + + +Sysctl defines a kernel parameter to be set + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Name of a property to set
    +     		true
    valuestring + Value of a property to set
    +     		true
    + + +### ProxyClass.spec.statefulSet.pod.securityContext.windowsOptions +[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext) + + + +The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    gmsaCredentialSpecstring + GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
    +     		false
    gmsaCredentialSpecNamestring + GMSACredentialSpecName is the name of the GMSA credential spec to use.
    +     		false
    hostProcessboolean + HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
    +     		false
    runAsUserNamestring + The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleContainer +[↩ Parent](#proxyclassspecstatefulsetpod) + + + +Configuration for the proxy container running tailscale. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    resourcesobject + Container resource requirements. By default Tailscale Kubernetes operator does not apply any resource requirements. The amount of resources required wil depend on the amount of resources the operator needs to parse, usage patterns and cluster size. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
    +     		false
    securityContextobject + Container security context. Security context specified here will override the security context by the operator. By default the operator: - sets 'privileged: true' for the init container - set NET_ADMIN capability for tailscale container for proxies that are created for Services or Connector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleContainer.resources +[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainer) + + + +Container resource requirements. By default Tailscale Kubernetes operator does not apply any resource requirements. The amount of resources required wil depend on the amount of resources the operator needs to parse, usage patterns and cluster size. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    claims[]object + Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. + This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers.
    +     		false
    limitsmap[string]int or string + Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
    +     		false
    requestsmap[string]int or string + Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleContainer.resources.claims[index] +[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainerresources) + + + +ResourceClaim references one entry in PodSpec.ResourceClaims. + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
    +     		true
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext +[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainer) + + + +Container security context. Security context specified here will override the security context by the operator. By default the operator: - sets 'privileged: true' for the init container - set NET_ADMIN capability for tailscale container for proxies that are created for Services or Connector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    allowPrivilegeEscalationboolean + AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
    +     		false
    capabilitiesobject + The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    privilegedboolean + Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    procMountstring + procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    readOnlyRootFilesystemboolean + Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    runAsGroupinteger + The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
    +
    + Format: int64
    +     		false
    runAsNonRootboolean + Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
    +     		false
    runAsUserinteger + The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
    +
    + Format: int64
    +     		false
    seLinuxOptionsobject + The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    seccompProfileobject + The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    windowsOptionsobject + The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.capabilities +[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext) + + + +The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    add[]string + Added capabilities
    +     		false
    drop[]string + Removed capabilities
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.seLinuxOptions +[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext) + + + +The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    levelstring + Level is SELinux level label that applies to the container.
    +     		false
    rolestring + Role is a SELinux role label that applies to the container.
    +     		false
    typestring + Type is a SELinux type label that applies to the container.
    +     		false
    userstring + User is a SELinux user label that applies to the container.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.seccompProfile +[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext) + + + +The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    typestring + type indicates which kind of seccomp profile will be applied. Valid options are: + Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
    +     		true
    localhostProfilestring + localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.windowsOptions +[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext) + + + +The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    gmsaCredentialSpecstring + GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
    +     		false
    gmsaCredentialSpecNamestring + GMSACredentialSpecName is the name of the GMSA credential spec to use.
    +     		false
    hostProcessboolean + HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
    +     		false
    runAsUserNamestring + The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer +[↩ Parent](#proxyclassspecstatefulsetpod) + + + +Configuration for the proxy init container that enables forwarding. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    resourcesobject + Container resource requirements. By default Tailscale Kubernetes operator does not apply any resource requirements. The amount of resources required wil depend on the amount of resources the operator needs to parse, usage patterns and cluster size. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
    +     		false
    securityContextobject + Container security context. Security context specified here will override the security context by the operator. By default the operator: - sets 'privileged: true' for the init container - set NET_ADMIN capability for tailscale container for proxies that are created for Services or Connector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.resources +[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainer) + + + +Container resource requirements. By default Tailscale Kubernetes operator does not apply any resource requirements. The amount of resources required wil depend on the amount of resources the operator needs to parse, usage patterns and cluster size. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    claims[]object + Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. + This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. + This field is immutable. It can only be set for containers.
    +     		false
    limitsmap[string]int or string + Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
    +     		false
    requestsmap[string]int or string + Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.resources.claims[index] +[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainerresources) + + + +ResourceClaim references one entry in PodSpec.ResourceClaims. + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
    +     		true
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext +[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainer) + + + +Container security context. Security context specified here will override the security context by the operator. By default the operator: - sets 'privileged: true' for the init container - set NET_ADMIN capability for tailscale container for proxies that are created for Services or Connector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    allowPrivilegeEscalationboolean + AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
    +     		false
    capabilitiesobject + The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    privilegedboolean + Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    procMountstring + procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    readOnlyRootFilesystemboolean + Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    runAsGroupinteger + The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
    +
    + Format: int64
    +     		false
    runAsNonRootboolean + Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
    +     		false
    runAsUserinteger + The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
    +
    + Format: int64
    +     		false
    seLinuxOptionsobject + The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    seccompProfileobject + The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
    +     		false
    windowsOptionsobject + The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.capabilities +[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext) + + + +The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    add[]string + Added capabilities
    +     		false
    drop[]string + Removed capabilities
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.seLinuxOptions +[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext) + + + +The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    levelstring + Level is SELinux level label that applies to the container.
    +     		false
    rolestring + Role is a SELinux role label that applies to the container.
    +     		false
    typestring + Type is a SELinux type label that applies to the container.
    +     		false
    userstring + User is a SELinux user label that applies to the container.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.seccompProfile +[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext) + + + +The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    typestring + type indicates which kind of seccomp profile will be applied. Valid options are: + Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.
    +     		true
    localhostProfilestring + localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.windowsOptions +[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext) + + + +The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    gmsaCredentialSpecstring + GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
    +     		false
    gmsaCredentialSpecNamestring + GMSACredentialSpecName is the name of the GMSA credential spec to use.
    +     		false
    hostProcessboolean + HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
    +     		false
    runAsUserNamestring + The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
    +     		false
    + + +### ProxyClass.spec.statefulSet.pod.tolerations[index] +[↩ Parent](#proxyclassspecstatefulsetpod) + + + +The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    effectstring + Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
    +     		false
    keystring + Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
    +     		false
    operatorstring + Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
    +     		false
    tolerationSecondsinteger + TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
    +
    + Format: int64
    +     		false
    valuestring + Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
    +     		false
    + + +### ProxyClass.status +[↩ Parent](#proxyclass) + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    conditions[]object + List of status conditions to indicate the status of the ProxyClass. Known condition types are `ProxyClassReady`.
    +     		false
    + + +### ProxyClass.status.conditions[index] +[↩ Parent](#proxyclassstatus) + + + +ConnectorCondition contains condition information for a Connector. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    statusstring + Status of the condition, one of ('True', 'False', 'Unknown').
    +     		true
    typestring + Type of the condition, known values are (`SubnetRouterReady`).
    +     		true
    lastTransitionTimestring + LastTransitionTime is the timestamp corresponding to the last status change of this condition.
    +
    + Format: date-time
    +     		false
    messagestring + Message is a human readable description of the details of the last transition, complementing reason.
    +     		false
    observedGenerationinteger + If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
    +
    + Format: int64
    +     		false
    reasonstring + Reason is a brief machine readable explanation for the condition's last transition.
    +     		false
    diff --git a/tstest/tools/tools.go b/tstest/tools/tools.go index 3dda6e763..07f8370e9 100644 --- a/tstest/tools/tools.go +++ b/tstest/tools/tools.go @@ -9,6 +9,7 @@ package tools import ( + _ "fybrik.io/crdoc" _ "github.com/tailscale/mkctr" _ "honnef.co/go/tools/cmd/staticcheck" _ "sigs.k8s.io/controller-tools/cmd/controller-gen"