k8s-operator,cmd/k8s-operator: define ProxyGroupPolicy CRD (#18614)

This commit adds a new custom resource definition to the kubernetes
operator named `ProxyGroupPolicy`. This resource is namespace scoped
and is used as an allow list for which `ProxyGroup` resources can be
used within its namespace.

The `spec` contains two fields, `ingress` and `egress`. These should
contain the names of `ProxyGroup` resources to denote which can be
used as values in the `tailscale.com/proxy-group` annotation within
`Service` and `Ingress` resources.

The intention is for these policies to be merged within a namespace and
produce a `ValidatingAdmissionPolicy` and `ValidatingAdmissionPolicyBinding`
for both ingress and egress that prevents users from using names of
`ProxyGroup` resources in those annotations.

Closes: https://github.com/tailscale/corp/issues/36829

Signed-off-by: David Bond <davidsbond93@gmail.com>

k8s-operator/apis/v1alpha1/register.go

@@ -69,6 +69,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ProxyGroupList{},
 		&Tailnet{},
 		&TailnetList{},
+		&ProxyGroupPolicy{},
+		&ProxyGroupPolicyList{},
 	)
 
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)

k8s-operator/apis/v1alpha1/types_proxygrouppolicy.go

@@ -0,0 +1,67 @@
+// Copyright (c) Tailscale Inc & contributors
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Code comments on these types should be treated as user facing documentation-
+// they will appear on the ProxyGroupPolicy CRD i.e. if someone runs kubectl explain tailnet.
+
+var ProxyGroupPolicyKind = "ProxyGroupPolicy"
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,shortName=pgp
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=`.status.conditions[?(@.type == "ProxyGroupPolicyReady")].reason`,description="Status of the deployed ProxyGroupPolicy resources."
+
+type ProxyGroupPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	// Spec describes the desired state of the ProxyGroupPolicy.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec ProxyGroupPolicySpec `json:"spec"`
+
+	// Status describes the status of the ProxyGroupPolicy. This is set
+	// and managed by the Tailscale operator.
+	// +optional
+	Status ProxyGroupPolicyStatus `json:"status"`
+}
+
+// +kubebuilder:object:root=true
+
+type ProxyGroupPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []ProxyGroupPolicy `json:"items"`
+}
+
+type ProxyGroupPolicySpec struct {
+	// Names of ProxyGroup resources that can be used by Ingress resources within this namespace. An empty list
+	// denotes that no ingress via ProxyGroups is allowed within this namespace.
+	// +optional
+	Ingress []string `json:"ingress,omitempty"`
+
+	// Names of ProxyGroup resources that can be used by Service resources within this namespace. An empty list
+	// denotes that no egress via ProxyGroups is allowed within this namespace.
+	// +optional
+	Egress []string `json:"egress,omitempty"`
+}
+
+type ProxyGroupPolicyStatus struct {
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions"`
+}
+
+// ProxyGroupPolicyReady is set to True if the ProxyGroupPolicy is available for use by operator workloads.
+const ProxyGroupPolicyReady ConditionType = "ProxyGroupPolicyReady"

k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go

@@ -832,6 +832,112 @@ func (in *ProxyGroupList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxyGroupPolicy) DeepCopyInto(out *ProxyGroupPolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyGroupPolicy.
+func (in *ProxyGroupPolicy) DeepCopy() *ProxyGroupPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxyGroupPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ProxyGroupPolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxyGroupPolicyList) DeepCopyInto(out *ProxyGroupPolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ProxyGroupPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyGroupPolicyList.
+func (in *ProxyGroupPolicyList) DeepCopy() *ProxyGroupPolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxyGroupPolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ProxyGroupPolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxyGroupPolicySpec) DeepCopyInto(out *ProxyGroupPolicySpec) {
+	*out = *in
+	if in.Ingress != nil {
+		in, out := &in.Ingress, &out.Ingress
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyGroupPolicySpec.
+func (in *ProxyGroupPolicySpec) DeepCopy() *ProxyGroupPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxyGroupPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProxyGroupPolicyStatus) DeepCopyInto(out *ProxyGroupPolicyStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyGroupPolicyStatus.
+func (in *ProxyGroupPolicyStatus) DeepCopy() *ProxyGroupPolicyStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ProxyGroupPolicyStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyGroupSpec) DeepCopyInto(out *ProxyGroupSpec) {
 	*out = *in