tailcfg,cmd/k8s-operator: moves tailscale.com/cap/kubernetes peer cap to tailcfg (#12235)

This is done in preparation for adding kubectl session recording rules to this capability grant that will need to be unmarshalled by control, so will also need to be in a shared location. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-08-11 21:27:31 +00:00 · 2024-06-04 18:31:37 +01:00
parent d636407f14
commit 82576190a7
3 changed files with 15 additions and 6 deletions
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -1375,6 +1375,12 @@ const (
 	// PeerCapabilityTaildriveSharer indicates that a peer has the ability to
 	// share folders with us.
 	PeerCapabilityTaildriveSharer PeerCapability = "tailscale.com/cap/drive-sharer"
+
+	// PeerCapabilityKubernetes grants a peer Kubernetes-specific
+	// capabilities, such as the ability to impersonate specific Tailscale
+	// user groups as Kubernetes user groups. This capability is read by
+	// peers that are Tailscale Kubernetes operator instances.
+	PeerCapabilityKubernetes PeerCapability = "tailscale.com/cap/kubernetes"
 )

 // NodeCapMap is a map of capabilities to their optional values. It is valid for