This PR is in prep of adding logic to control to be able to parse tailscale.com/cap/kubernetes grants in control: - moves the type definition of PeerCapabilityKubernetes cap to a location shared with control. - updates the Kubernetes cap rule definition with fields for granting kubectl exec session recording capabilities. - adds a convenience function to produce tailcfg.RawMessage from an arbitrary cap rule and a test for it. An example grant defined via ACLs: "grants": [{ "src": ["tag:eng"], "dst": ["tag:k8s-operator"], "app": { "tailscale.com/cap/kubernetes": [{ "recorder": ["tag:my-recorder"], "enforceRecorder": true }], }, } ] This grant enforces `kubectl exec` sessions from tailnet clients matching `tag:eng`, via an API server proxy matching `tag:k8s-operator`, to be recorded, with the recording sent to a tsrecorder instance matching `tag:my-recorder`. The type needs to be shared with control because we want control to parse this cap and resolve tags to peer IPs. Updates tailscale/corp#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
// Package kube provides a client to interact with Kubernetes.
// This package is Tailscale-internal and not meant for external consumption.
// Further, the API should not be considered stable.
package kube
// KubernetesCapRule is a rule provided via PeerCapabilityKubernetes capability.
// It is the JSON shape of one element of the "tailscale.com/cap/kubernetes"
// app-capability list in a grant; every field is optional on the wire.
type KubernetesCapRule struct {
	// Impersonate is a list of rules that specify how to impersonate the caller
	// when proxying to the Kubernetes API.
	// It is nil when the grant does not specify impersonation.
	Impersonate *ImpersonateRule `json:"impersonate,omitempty"`
	// Recorders defines a tag that should resolve to a tsrecorder
	// instance(s). If set, any `kubectl exec` session from a client
	// matching `src` of this grant to an API server proxy matching `dst` of
	// this grant will be recorded and the recording will be sent to the
	// tsrecorder.
	// This list must not contain more than one tag. This type does not
	// enforce that limit; whatever parses the rule must validate it.
	// The JSON key (`recorder`) matches the Tailscale SSH session recorder
	// setting, with equal semantics.
	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
	Recorders []string `json:"recorder,omitempty"`
	// EnforceRecorder defines whether a kubectl exec session from a client
	// matching `src` to an API server proxy matching `dst` should fail
	// closed if it cannot be recorded (i.e. if no recorder can be reached).
	// Default is to fail open: when this is false or unset, a session still
	// proceeds unrecorded if the recorder is unreachable, so set it to true
	// wherever recording is relied upon as an audit control rather than a
	// best-effort convenience.
	// The JSON key (`enforceRecorder`) matches the Tailscale SSH session
	// recorder setting, with equal semantics.
	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
	EnforceRecorder bool `json:"enforceRecorder,omitempty"`
}
// ImpersonateRule defines how a request from the tailnet identity matching
// 'src' of this grant should be impersonated.
// Only groups are configurable here; this type carries no field for an
// impersonated user.
type ImpersonateRule struct {
	// Groups is the list of Kubernetes groups that a request to the
	// Kubernetes API server should be impersonated as belonging to. Groups in
	// Kubernetes only exist as subjects that RBAC rules refer to. Caller
	// can choose to use an existing group, such as system:masters, or
	// create RBAC for a new group.
	// NOTE(review): in upstream Kubernetes, system:masters is treated as a
	// superuser group and bypasses RBAC authorization, so a grant naming it
	// is effectively cluster-admin for every `src` it matches; prefer a
	// dedicated group bound to narrowly scoped RBAC.
	// https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects
	Groups []string `json:"groups,omitempty"`
}