TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-12-23 09:06:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

k8s-operator/api-proxy: put kube api server events behind environment variable (#17550)

Browse Source 
This commit modifies the k8s-operator's api proxy implementation to only
enable forwarding of api requests to tsrecorder when an environment
variable is set.

This new environment variable is named `TS_EXPERIMENTAL_KUBE_API_EVENTS`.

Updates https://github.com/tailscale/corp/issues/32448

Signed-off-by: David Bond <davidsbond93@gmail.com>
This commit is contained in:
David Bond
2025-10-16 10:11:34 +01:00
committed by GitHub
parent e804b64358
commit 419fba40e0
2 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
k8s-operator/api-proxy/proxy.go
View File

@@ -28,6 +28,7 @@ import (
"k8s.io/client-go/transport" "k8s.io/client-go/transport"
"tailscale.com/client/local" "tailscale.com/client/local"
"tailscale.com/client/tailscale/apitype" "tailscale.com/client/tailscale/apitype"
"tailscale.com/envknob"
ksr "tailscale.com/k8s-operator/sessionrecording" ksr "tailscale.com/k8s-operator/sessionrecording"
"tailscale.com/kube/kubetypes" "tailscale.com/kube/kubetypes"
"tailscale.com/net/netx" "tailscale.com/net/netx"
@@ -96,6 +97,7 @@ func NewAPIServerProxy(zlog *zap.SugaredLogger, restConfig *rest.Config, ts *tsn
upstreamURL: u, upstreamURL: u,
ts: ts, ts: ts,
sendEventFunc: sessionrecording.SendEvent, sendEventFunc: sessionrecording.SendEvent,
eventsEnabled: envknob.Bool("TS_EXPERIMENTAL_KUBE_API_EVENTS"),
} }
ap.rp = &httputil.ReverseProxy{ ap.rp = &httputil.ReverseProxy{
Rewrite: func(pr *httputil.ProxyRequest) { Rewrite: func(pr *httputil.ProxyRequest) {
@@ -192,6 +194,9 @@ type APIServerProxy struct {
upstreamURL *url.URL upstreamURL *url.URL
sendEventFunc func(ap netip.AddrPort, event io.Reader, dial netx.DialFunc) error sendEventFunc func(ap netip.AddrPort, event io.Reader, dial netx.DialFunc) error
// Flag used to enable sending API requests as events to tsrecorder.
eventsEnabled bool
} }
// serveDefault is the default handler for Kubernetes API server requests. // serveDefault is the default handler for Kubernetes API server requests.
@@ -310,6 +315,10 @@ func (ap *APIServerProxy) sessionForProto(w http.ResponseWriter, r *http.Request
} }
func (ap *APIServerProxy) recordRequestAsEvent(req *http.Request, who *apitype.WhoIsResponse) error { func (ap *APIServerProxy) recordRequestAsEvent(req *http.Request, who *apitype.WhoIsResponse) error {
if !ap.eventsEnabled {
return nil
}
failOpen, addrs, err := determineRecorderConfig(who) failOpen, addrs, err := determineRecorderConfig(who)
if err != nil { if err != nil {
return fmt.Errorf("error trying to determine whether the kubernetes api request needs to be recorded: %w", err) return fmt.Errorf("error trying to determine whether the kubernetes api request needs to be recorded: %w", err)

1
k8s-operator/api-proxy/proxy_events_test.go
View File

@@ -61,6 +61,7 @@ func TestRecordRequestAsEvent(t *testing.T) {
log: zl.Sugar(), log: zl.Sugar(),
ts: &tsnet.Server{}, ts: &tsnet.Server{},
sendEventFunc: sender.Send, sendEventFunc: sender.Send,
eventsEnabled: true,
} }
defaultWho := &apitype.WhoIsResponse{ defaultWho := &apitype.WhoIsResponse{