tailscale/tailcfg
Irbe Krumina c3e2b7347b
tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236)
This PR is in prep of adding logic to control to be able to parse
tailscale.com/cap/kubernetes grants in control:
- moves the type definition of PeerCapabilityKubernetes cap to a location
shared with control.
- updates the Kubernetes cap rule definition with fields for granting
kubectl exec session recording capabilities.
- adds a convenience function to produce tailcfg.RawMessage from an
arbitrary cap rule and a test for it.

An example grant defined via ACLs:
"grants": [{
      "src": ["tag:eng"],
      "dst": ["tag:k8s-operator"],
      "app": {
        "tailscale.com/cap/kubernetes": [{
            "recorder": ["tag:my-recorder"],
            "enforceRecorder": true
        }],
      },
    }
]
This grant enforces `kubectl exec` sessions from tailnet clients,
matching `tag:eng` via API server proxy matching `tag:k8s-operator`
to be recorded and recording to be sent to a tsrecorder instance,
matching `tag:my-recorder`.

The type needs to be shared with control because we want
control to parse this cap and resolve tags to peer IPs.

Updates tailscale/corp#19821

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
5 months ago
..
c2ntypes.go ipn/ipnlocal: add c2n method to check on TLS cert fetch status 1 year ago
derpmap.go all: make more tests pass/skip in airplane mode 7 months ago
proto_port_range.go tailcfg: implement text encoding for ProtoPortRange 1 year ago
proto_port_range_test.go tailcfg: implement text encoding for ProtoPortRange 1 year ago
tailcfg.go tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236) 5 months ago
tailcfg_clone.go tailcfg,all: add/plumb Node.IsJailed 7 months ago
tailcfg_test.go tailcfg,cmd/k8s-operator,kube: move Kubernetes cap to a location that can be shared with control (#12236) 5 months ago
tailcfg_view.go tailcfg,all: add/plumb Node.IsJailed 7 months ago
tka.go tailcfg: add RPC structs for /tka/affected-sigs 2 years ago