kubetypes

package
v1.78.3
Published: Dec 11, 2024 License: BSD-3-Clause Imports: 1 Imported by: 0

Documentation

Overview

Package kubetypes contains types and constants related to the Tailscale Kubernetes Operator. These are split into a separate package for consumption of non-Kubernetes shared libraries and binaries. Be mindful of not increasing dependency size for those consumers when adding anything new here.

Index

Constants

const (
	// Hostinfo App values for the Tailscale Kubernetes Operator components.
	AppOperator          = "k8s-operator"
	AppAPIServerProxy    = "k8s-operator-proxy"
	AppIngressProxy      = "k8s-operator-ingress-proxy"
	AppIngressResource   = "k8s-operator-ingress-resource"
	AppEgressProxy       = "k8s-operator-egress-proxy"
	AppConnector         = "k8s-operator-connector-resource"
	AppProxyGroupEgress  = "k8s-operator-proxygroup-egress"
	AppProxyGroupIngress = "k8s-operator-proxygroup-ingress"

	// Clientmetrics for Tailscale Kubernetes Operator components
	MetricIngressProxyCount              = "k8s_ingress_proxies"   // L3
	MetricIngressResourceCount           = "k8s_ingress_resources" // L7
	MetricEgressProxyCount               = "k8s_egress_proxies"
	MetricConnectorResourceCount         = "k8s_connector_resources"
	MetricConnectorWithSubnetRouterCount = "k8s_connector_subnetrouter_resources"
	MetricConnectorWithExitNodeCount     = "k8s_connector_exitnode_resources"
	MetricConnectorWithAppConnectorCount = "k8s_connector_appconnector_resources"
	MetricNameserverCount                = "k8s_nameserver_resources"
	MetricRecorderCount                  = "k8s_recorder_resources"
	MetricEgressServiceCount             = "k8s_egress_service_resources"
	MetricProxyGroupEgressCount          = "k8s_proxygroup_egress_resources"
	MetricProxyGroupIngressCount         = "k8s_proxygroup_ingress_resources"

	// Keys that containerboot writes to the Tailscale state Secret. They are read mostly by the
	// Tailscale Kubernetes operator to determine the state of this tailscale device.
	KeyDeviceID   string = "device_id"   // node stable ID of the device
	KeyDeviceFQDN string = "device_fqdn" // device's tailnet hostname
	KeyDeviceIPs  string = "device_ips"  // device's tailnet IPs
	KeyPodUID     string = "pod_uid"     // Pod UID
	// KeyCapVer contains Tailscale capability version of this proxy instance.
	KeyCapVer string = "tailscale_capver"
	// KeyHTTPSEndpoint is a name of a field that can be set to the value of any HTTPS endpoint currently exposed by
	// this device to the tailnet. This is used by the Kubernetes operator Ingress proxy to communicate to the operator
	// that cluster workloads behind the Ingress can now be accessed via the given DNS name over HTTPS.
	KeyHTTPSEndpoint string = "https_endpoint"
	ValueNoHTTPS     string = "no-https"
)
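As an added example (not code from the kubetypes package or from the Tailscale operator), the following Go program shows how an operator-side reader could decode these keys from a state Secret's data map and turn them into the checks that matter: that a stable node ID is present, that the recorded pod_uid belongs to the Pod being reconciled rather than a previous one, and whether the https_endpoint field means "ready", "not exposed" (the no-https sentinel) or "not reported yet". The key names and the sentinel are the package's own; the value encodings (device_ips as a JSON array of address strings, tailscale_capver as a decimal integer), the DeviceState type, the function names and the sample data are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// State keys copied from kubetypes so this example builds stand-alone.
const (
	KeyDeviceID      = "device_id"
	KeyDeviceFQDN    = "device_fqdn"
	KeyDeviceIPs     = "device_ips"
	KeyPodUID        = "pod_uid"
	KeyCapVer        = "tailscale_capver"
	KeyHTTPSEndpoint = "https_endpoint"
	ValueNoHTTPS     = "no-https"
)

// DeviceState is the operator-side view of one proxy, decoded from its state Secret.
// HTTPSEndpoint is "" when nothing has been reported yet, ValueNoHTTPS when the
// proxy reported that it exposes no HTTPS endpoint, and otherwise the DNS name.
type DeviceState struct {
	ID, FQDN, PodUID, HTTPSEndpoint string
	IPs                             []netip.Addr
	CapVer                          int
}

// ParseDeviceState decodes the keys containerboot writes. The value encodings are
// assumptions of this example: device_ips as a JSON array of address strings and
// tailscale_capver as a decimal integer.
func ParseDeviceState(data map[string][]byte) (DeviceState, error) {
	s := DeviceState{
		ID:            strings.TrimSpace(string(data[KeyDeviceID])),
		FQDN:          string(data[KeyDeviceFQDN]),
		PodUID:        string(data[KeyPodUID]),
		HTTPSEndpoint: string(data[KeyHTTPSEndpoint]),
	}
	if s.ID == "" {
		// Without the stable node ID the operator cannot tie this Pod to a tailnet device.
		return s, fmt.Errorf("state Secret has no %s", KeyDeviceID)
	}
	if raw := data[KeyDeviceIPs]; len(raw) > 0 {
		var ips []string
		if err := json.Unmarshal(raw, &ips); err != nil {
			return s, fmt.Errorf("%s: %w", KeyDeviceIPs, err)
		}
		for _, ip := range ips {
			a, err := netip.ParseAddr(ip)
			if err != nil {
				return s, fmt.Errorf("%s: %w", KeyDeviceIPs, err)
			}
			s.IPs = append(s.IPs, a)
		}
	}
	if raw := data[KeyCapVer]; len(raw) > 0 {
		v, err := strconv.Atoi(strings.TrimSpace(string(raw)))
		if err != nil {
			return s, fmt.Errorf("%s: %w", KeyCapVer, err)
		}
		s.CapVer = v
	}
	return s, nil
}

// IngressReady reports whether the proxy has told the operator that an HTTPS
// endpoint is serving; "" (nothing reported yet) and ValueNoHTTPS both mean no.
func (s DeviceState) IngressReady() (host string, ready bool) {
	if s.HTTPSEndpoint == "" || s.HTTPSEndpoint == ValueNoHTTPS {
		return "", false
	}
	return s.HTTPSEndpoint, true
}

// PodMatches guards against acting on stale state: the Secret outlives the Pod that
// wrote it, so pod_uid should equal the UID of the Pod being reconciled.
func (s DeviceState) PodMatches(currentPodUID string) bool {
	return s.PodUID != "" && s.PodUID == currentPodUID
}

func main() {
	// Constructed sample: a state Secret's .data as seen after base64 decoding.
	data := map[string][]byte{
		KeyDeviceID:      []byte("nEXAMPLE1CNTRL"),
		KeyDeviceFQDN:    []byte("ingress-proxy.example.ts.net"),
		KeyDeviceIPs:     []byte(`["100.64.0.7","fd7a:115c:a1e0::7"]`),
		KeyPodUID:        []byte("6d1e2c3a-0000-4000-8000-000000000001"),
		KeyCapVer:        []byte("106"),
		KeyHTTPSEndpoint: []byte(ValueNoHTTPS),
	}
	s, err := ParseDeviceState(data)
	if err != nil {
		panic(err)
	}
	host, ready := s.IngressReady()
	fmt.Printf("%s %v capver=%d https=%q ready=%v\n", s.FQDN, s.IPs, s.CapVer, host, ready)
}
```

The tri-state handling of https_endpoint is the part worth copying: an operator that treats an absent key the same as no-https will never distinguish "the proxy has not started" from "the proxy is up but serves nothing", and one that trusts the other keys without checking pod_uid can publish the addresses of a Pod that no longer exists.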

Variables

This section is empty.

Functions

This section is empty.

Types

type ImpersonateRule

type ImpersonateRule struct {
	// Groups sets the list of groups that a request proxied to the Kubernetes
	// API server is impersonated as. Groups in Kubernetes only exist as
	// subjects that RBAC rules refer to. The caller can use an existing group,
	// such as system:masters, or create RBAC for a new group. Note that
	// system:masters is special-cased by the API server: its members are
	// always authorized, bypassing RBAC entirely, so a dedicated group bound
	// to a narrowly scoped Role or ClusterRole is the safer choice.
	// https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects
	Groups []string `json:"groups,omitempty"`
}

ImpersonateRule defines how a request from the tailnet identity matching 'src' of this grant should be impersonated.

type KubernetesCapRule

type KubernetesCapRule struct {
	// Impersonate is a list of rules that specify how to impersonate the caller
	// when proxying to the Kubernetes API.
	Impersonate *ImpersonateRule `json:"impersonate,omitempty"`
	// Recorders defines the tag of the tsrecorder instance(s) that a recording
	// of a 'kubectl exec' session from a client matching `src` of this grant
	// to an API server proxy matching `dst` of this grant should be sent to.
	// This list must not contain more than one tag. The field name matches
	// the `Recorder` field, with equal semantics, of the Tailscale SSH session
	// recorder. This field is set by users in ACL grants and is then parsed by
	// control, which resolves the tags and populates `RecorderAddrs`.
	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
	Recorders []string `json:"recorder,omitempty"`
	// RecorderAddrs is a list of addresses that should be addresses of one
	// or more tsrecorder instance(s). If set, any `kubectl exec` session
	// from a client matching `src` of this grant to an API server proxy
	// matching `dst` of this grant will be recorded and the recording will
	// be sent to the tsrecorder. This field does not exist in the user
	// provided ACL grants - it is populated by control, which obtains the
	// addresses by resolving the tags provided via `Recorders` field.
	RecorderAddrs []netip.AddrPort `json:"recorderAddrs,omitempty"`
	// EnforceRecorder defines whether a kubectl exec session from a client
	// matching `src` to an API server proxy matching `dst` should fail
	// closed if it cannot be recorded (i.e. if no recorder can be reached).
	// Default is to fail open, meaning the session proceeds unrecorded when
	// every recorder is unreachable; set this where recording is mandatory.
	// The field name matches the `EnforceRecorder` field, with equal semantics,
	// of the Tailscale SSH session recorder.
	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
	EnforceRecorder bool `json:"enforceRecorder,omitempty"`
}

KubernetesCapRule is a rule provided via the PeerCapabilityKubernetes capability.
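As an added example, not part of kubetypes or of Tailscale's API server proxy, the following Go program decodes a set of KubernetesCapRule values as they would arrive in the capability payload, rejects the one shape the package forbids (more than one recorder tag in a rule), builds the standard Kubernetes impersonation headers for the upstream request from the Groups of the grant, and applies the fail-open versus fail-closed recorder semantics described for EnforceRecorder. The two struct definitions are copied from this page so the program builds stand-alone; ParseCapRules, ImpersonationHeaders, ExecDecision, DecideExec, the reachability callback and the sample JSON are assumptions of this example, and merging several matching rules as "enforce if any rule enforces" is this example's conservative choice rather than documented behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/netip"
)

// Types copied from kubetypes so this example builds stand-alone.
type ImpersonateRule struct {
	Groups []string `json:"groups,omitempty"`
}

type KubernetesCapRule struct {
	Impersonate     *ImpersonateRule `json:"impersonate,omitempty"`
	Recorders       []string         `json:"recorder,omitempty"`
	RecorderAddrs   []netip.AddrPort `json:"recorderAddrs,omitempty"`
	EnforceRecorder bool             `json:"enforceRecorder,omitempty"`
}

// ParseCapRules decodes the JSON rules carried by the capability and rejects
// the shape the package forbids: more than one recorder tag in a rule.
func ParseCapRules(raw []json.RawMessage) ([]KubernetesCapRule, error) {
	rules := make([]KubernetesCapRule, 0, len(raw))
	for i, r := range raw {
		var rule KubernetesCapRule
		if err := json.Unmarshal(r, &rule); err != nil {
			return nil, fmt.Errorf("rule %d: %w", i, err)
		}
		if len(rule.Recorders) > 1 {
			return nil, fmt.Errorf("rule %d: at most one recorder tag, got %d", i, len(rule.Recorders))
		}
		rules = append(rules, rule)
	}
	return rules, nil
}

// ImpersonationHeaders builds the headers the API server proxy would set on the
// upstream request. Impersonate-User and Impersonate-Group are the standard
// Kubernetes impersonation headers; the user is the caller's tailnet identity
// and the groups come from the grant. The proxy must strip any Impersonate-*
// headers the client sent before adding these, or the caller could pick its own.
func ImpersonationHeaders(tailnetUser string, rules []KubernetesCapRule) http.Header {
	h := http.Header{}
	h.Set("Impersonate-User", tailnetUser)
	for _, r := range rules {
		if r.Impersonate == nil {
			continue
		}
		for _, g := range r.Impersonate.Groups {
			h.Add("Impersonate-Group", g)
		}
	}
	return h
}

// ExecDecision is the outcome for one 'kubectl exec' session.
type ExecDecision struct {
	Allow    bool           // whether the session may proceed
	Record   bool           // whether a recorder was chosen
	Recorder netip.AddrPort // where the recording goes; zero when !Record
}

// DecideExec applies the fail-open/fail-closed semantics: the first reachable
// recorder address wins; if none is reachable and any matching rule sets
// EnforceRecorder, the session is refused, otherwise it proceeds unrecorded.
// reachable is a probe supplied by the caller (an assumption of this example).
func DecideExec(rules []KubernetesCapRule, reachable func(netip.AddrPort) bool) (ExecDecision, error) {
	enforce := false
	for _, r := range rules {
		enforce = enforce || r.EnforceRecorder
		for _, addr := range r.RecorderAddrs {
			if reachable(addr) {
				return ExecDecision{Allow: true, Record: true, Recorder: addr}, nil
			}
		}
	}
	if enforce {
		return ExecDecision{Allow: false}, fmt.Errorf("no recorder reachable and recording is enforced")
	}
	return ExecDecision{Allow: true}, nil
}

func main() {
	// Constructed rule, shaped as control would deliver it after resolving the recorder tag.
	raw := []json.RawMessage{json.RawMessage(`{"impersonate":{"groups":["ts:k8s-readers"]},
		"recorder":["tag:k8s-recorder"],"recorderAddrs":["100.64.0.9:80"],"enforceRecorder":true}`)}
	rules, err := ParseCapRules(raw)
	if err != nil {
		panic(err)
	}
	fmt.Println(ImpersonationHeaders("alice@example.com", rules))
	d, err := DecideExec(rules, func(netip.AddrPort) bool { return false })
	fmt.Printf("allow=%v record=%v err=%v\n", d.Allow, d.Record, err)
}
```

Two points in this example carry the security weight: the Impersonate-* headers must be set by the proxy only, after discarding whatever the client sent, since the API server trusts them from any identity that holds the impersonate verb; and with EnforceRecorder false the session runs unrecorded when every address in RecorderAddrs is down, so a grant that exists for audit purposes should set it.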
