k8s-operator,kube: allowing k8s api request events to be enabled via grants (#18393)

Updates #35796

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Tom Meadows
2026-01-16 13:29:12 +00:00
committed by GitHub
parent 54d77898da
commit 1cc6f3282e
6 changed files with 118 additions and 50 deletions
+9 -1
@@ -38,8 +38,16 @@ type KubernetesCapRule struct {
// Default is to fail open.
// The field name matches `EnforceRecorder` field with equal semantics for Tailscale SSH
// session recorder.
// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-your-tailnet-policy-file
EnforceRecorder bool `json:"enforceRecorder,omitempty"`
// EnableEvents defines whether kubectl API request events (beta)
// should be recorded or not.
// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-your-tailnet-policy-file
EnableEvents bool `json:"enableEvents,omitempty"`
// EnableSessionRecordings defines whether kubectl sessions
// (e.g., exec, attach) should be recorded or not.
// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-your-tailnet-policy-file
EnableSessionRecordings bool `json:"enableSessionRecordings,omitempty"`
}
// ImpersonateRule defines how a request from the tailnet identity matching
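Review bot: The doc comments on `EnableEvents` and `EnableSessionRecordings` state neither the default nor how the fields interact with `EnforceRecorder`, which matters for an audit control. Both are `bool` with `omitempty`, so a grant that omits them decodes to `false`. Whether a grant written before this change (recorder configured, no `enableSessionRecordings`) still records exec/attach sessions depends on consumer code outside this hunk and should be confirmed before release. I would add to each comment a line such as `// Defaults to false (not recorded) when the grant omits the field.` and say whether `EnforceRecorder` still fails closed when both are false. The `KubernetesCapRule` struct begins above the hunk, so its other fields are not visible here.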