k8s-operator,cmd/k8s-operator: define ProxyGroupPolicy CRD (#18614)

This commit adds a new custom resource definition to the Kubernetes
operator named `ProxyGroupPolicy`. This resource is namespace scoped
and is used as an allow list for which `ProxyGroup` resources can be
used within its namespace.

The `spec` contains two fields, `ingress` and `egress`. These should
contain the names of `ProxyGroup` resources to denote which can be
used as values in the `tailscale.com/proxy-group` annotation within
`Service` and `Ingress` resources.

The intention is for these policies to be merged within a namespace and
produce a `ValidatingAdmissionPolicy` and `ValidatingAdmissionPolicyBinding`
for both ingress and egress that prevents users from using names of
`ProxyGroup` resources in those annotations.

Closes: https://github.com/tailscale/corp/issues/36829

Signed-off-by: David Bond <davidsbond93@gmail.com>
David Bond
2026-02-13 16:04:34 +00:00
committed by GitHub
parent d468870310
commit a341eea00b
5 changed files with 391 additions and 0 deletions
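The commit message describes the allow-list model but no manifest is shown. The following is an added illustration, not the operator's own code or the policy it generates: it assumes the CRD is served at `tailscale.com/v1alpha1`, that `spec.ingress` and `spec.egress` are lists of `ProxyGroup` names as the message states, and uses constructed names. It shows a `ProxyGroupPolicy` and one way the intended `ValidatingAdmissionPolicy` plus binding could enforce it for `Ingress` resources by reading the policy as a parameter.

```yaml
# Constructed sample: a namespace-scoped allow list of ProxyGroup names.
apiVersion: tailscale.com/v1alpha1   # assumed API group/version
kind: ProxyGroupPolicy
metadata:
  name: allowed-proxy-groups
  namespace: team-a
spec:
  ingress: ["pg-ingress-prod"]
  egress: ["pg-egress-prod", "pg-egress-staging"]
---
# Hypothetical enforcement: reject an Ingress whose
# tailscale.com/proxy-group annotation names a ProxyGroup
# that is not listed in the namespace's spec.ingress.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: proxy-group-ingress-allowlist
spec:
  failurePolicy: Fail
  paramKind:
    apiVersion: tailscale.com/v1alpha1
    kind: ProxyGroupPolicy
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    - expression: >-
        !has(object.metadata.annotations) ||
        !('tailscale.com/proxy-group' in object.metadata.annotations) ||
        (has(params.spec.ingress) &&
         object.metadata.annotations['tailscale.com/proxy-group'] in params.spec.ingress)
      message: "tailscale.com/proxy-group must name a ProxyGroup listed in this namespace's ProxyGroupPolicy spec.ingress"
---
# Binds the policy to namespace team-a and points it at the ProxyGroupPolicy
# above; a missing policy object denies the request rather than allowing it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: proxy-group-ingress-allowlist-team-a
spec:
  policyName: proxy-group-ingress-allowlist
  validationActions: ["Deny"]
  paramRef:
    name: allowed-proxy-groups
    namespace: team-a
    parameterNotFoundAction: Deny
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: team-a
```

A `Service` variant would match `services` in the core group and check `params.spec.egress` (or both lists) instead, since the commit says both resource kinds carry the annotation.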
@@ -69,6 +69,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&ProxyGroupList{},
&Tailnet{},
&TailnetList{},
&ProxyGroupPolicy{},
&ProxyGroupPolicyList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
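Review bot: the two new entries are appended after `&Tailnet{}` / `&TailnetList{}` rather than beside `&ProxyGroup{}` / `&ProxyGroupList{}`; grouping them with the existing ProxyGroup pair keeps the `AddKnownTypes` list ordered by resource and makes the relationship obvious to the next reader. Because `AddKnownTypes` takes `runtime.Object` values, this only compiles if `ProxyGroupPolicy` and `ProxyGroupPolicyList` already have generated `DeepCopyObject` methods; neither those nor the CRD manifest are visible in this hunk, so confirm they are among the other changed files in the commit.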