k8s-operator,kube: remove enableSessionRecording from Kubernetes Cap Map (#18452)

* k8s-operator,kube: removing enableSessionRecordings option. It seems
like it is going to create a confusing user experience and it's going to
be a very niche use case, so we have decided to defer this for now.

Updates tailscale/corp#35796

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* k8s-operator: adding metric for env var deprecation

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

---------

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

k8s-operator/api-proxy/proxy.go

@@ -43,7 +43,9 @@ import (
 var (
 	// counterNumRequestsproxies counts the number of API server requests proxied via this proxy.
 	counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
-	whoIsKey                  = ctxkey.New("", (*apitype.WhoIsResponse)(nil))
+	// NOTE: adding this metric so we can keep track of users during deprecation
+	counterExperimentalEventsVarUsed = clientmetric.NewCounter("ts_experimental_kube_api_events_var_used")
+	whoIsKey                         = ctxkey.New("", (*apitype.WhoIsResponse)(nil))
 )
 
 const (
@@ -133,6 +135,7 @@ func (ap *APIServerProxy) Run(ctx context.Context) error {
 	}
 
 	if ap.eventsEnabled {
+		counterExperimentalEventsVarUsed.Add(1)
 		ap.log.Warnf("DEPRECATED: %q environment variable is deprecated, and will be removed in v1.96. See documentation for more detail.", eventsEnabledVar)
 	}
 
@@ -315,10 +318,6 @@ func (ap *APIServerProxy) sessionForProto(w http.ResponseWriter, r *http.Request
 		}
 	}
 
-	if !c.enableRecordings {
-		ap.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
-		return
-	}
 	ksr.CounterSessionRecordingsAttempted.Add(1) // at this point we know that users intended for this session to be recorded
 
 	wantsHeader := upgradeHeaderForProto[proto]
@@ -568,7 +567,6 @@ func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
 type recorderConfig struct {
 	failOpen          bool
 	enableEvents      bool
-	enableRecordings  bool
 	recorderAddresses []netip.AddrPort
 }
 
@@ -582,7 +580,6 @@ func determineRecorderConfig(who *apitype.WhoIsResponse) (c recorderConfig, _ er
 
 	c.failOpen = true
 	c.enableEvents = false
-	c.enableRecordings = true
 	rules, err := tailcfg.UnmarshalCapJSON[kubetypes.KubernetesCapRule](who.CapMap, tailcfg.PeerCapabilityKubernetes)
 	if err != nil {
 		return c, fmt.Errorf("failed to unmarshal Kubernetes capability: %w", err)
@@ -605,9 +602,6 @@ func determineRecorderConfig(who *apitype.WhoIsResponse) (c recorderConfig, _ er
 		if rule.EnableEvents {
 			c.enableEvents = true
 		}
-		if rule.EnableSessionRecordings {
-			c.enableRecordings = true
-		}
 	}
 	return c, nil
 }

kube/kubetypes/grants.go

@@ -44,10 +44,6 @@ type KubernetesCapRule struct {
 	// should be recorded or not.
 	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-your-tailnet-policy-file
 	EnableEvents bool `json:"enableEvents,omitempty"`
-	// EnableSessionRecordings defines whether kubectl sessions
-	// (e.g., exec, attach) should be recorded or not.
-	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-your-tailnet-policy-file
-	EnableSessionRecordings bool `json:"enableSessionRecordings,omitempty"`
 }
 
 // ImpersonateRule defines how a request from the tailnet identity matching