kube,cmd/{k8s-operator,containerboot},envknob,ipn/store/kubestore,*/depaware.txt: split out kube types (#13417)

Further split kube package into kube/{client,api,types}. This is so that consumers who only need constants/static types don't have to import the client and api bits. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-09-08 21:06:07 +03:00
parent ecd64f6ed9
commit d6dfb7f242
24 changed files with 143 additions and 122 deletions
@@ -0,0 +1,55 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package types contains types and constants related to the Tailscale
+// Kubernetes Operator.
+// These are split into a separate package for consumption of
+// non-Kubernetes shared libraries and binaries. Be mindful of not increasing
+// dependency size for those consumers when adding anything new here.
+package types
+
+import "net/netip"
+
+// KubernetesCapRule is a rule provided via PeerCapabilityKubernetes capability.
+type KubernetesCapRule struct {
+	// Impersonate is a list of rules that specify how to impersonate the caller
+	// when proxying to the Kubernetes API.
+	Impersonate *ImpersonateRule `json:"impersonate,omitempty"`
+	// Recorders defines a tag of a tsrecorder instance(s) that a recording
+	// of a 'kubectl exec' session, matching `src` of this grant, to an API
+	// server proxy, matching `dst` of this grant, should be sent to.
+	// This list must not contain more than one tag. The field
+	// name matches the `Recorder` field with equal semantics for Tailscale
+	// SSH session recorder. This field is set by users in ACL grants and is
+	// then parsed by control, which resolves the tags and populates `RecorderAddrs``.
+	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
+	Recorders []string `json:"recorder,omitempty"`
+	// RecorderAddrs is a list of addresses that should be addresses of one
+	// or more tsrecorder instance(s). If set, any `kubectl exec` session
+	// from a client matching `src` of this grant to an API server proxy
+	// matching `dst` of this grant will be recorded and the recording will
+	// be sent to the tsrecorder. This field does not exist in the user
+	// provided ACL grants - it is populated by control, which obtains the
+	// addresses by resolving the tags provided via `Recorders` field.
+	RecorderAddrs []netip.AddrPort `json:"recorderAddrs,omitempty"`
+	// EnforceRecorder defines whether a kubectl exec session from a client
+	// matching `src` to an API server proxy matching `dst` should fail
+	// closed if it cannot be recorded (i.e if no recorder can be reached).
+	// Default is to fail open.
+	// The field name matches `EnforceRecorder` field with equal semantics for Tailscale SSH
+	// session recorder.
+	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
+	EnforceRecorder bool `json:"enforceRecorder,omitempty"`
+}
+
+// ImpersonateRule defines how a request from the tailnet identity matching
+// 'src' of this grant should be impersonated.
+type ImpersonateRule struct {
+	// Groups can be used to set a list of groups that a request to
+	// Kubernetes API server should be impersonated as from. Groups in
+	// Kubernetes only exist as subjects that RBAC rules refer to. Caller
+	// can choose to use an existing group, such as system:masters, or
+	// create RBAC for a new group.
+	// https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects
+	Groups []string `json:"groups,omitempty"`
+}
@@ -0,0 +1,23 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package types
+
+const (
+	// Hostinfo App values for the Tailscale Kubernetes Operator components.
+	AppOperator        = "k8s-operator"
+	AppAPIServerProxy  = "k8s-operator-proxy"
+	AppIngressProxy    = "k8s-operator-ingress-proxy"
+	AppIngressResource = "k8s-operator-ingress-resource"
+	AppEgressProxy     = "k8s-operator-egress-proxy"
+	AppConnector       = "k8s-operator-connector-resource"
+
+	// Clientmetrics for Tailscale Kubernetes Operator components
+	MetricIngressProxyCount              = "k8s_ingress_proxies"   // L3
+	MetricIngressResourceCount           = "k8s_ingress_resources" // L7
+	MetricEgressProxyCount               = "k8s_egress_proxies"
+	MetricConnectorResourceCount         = "k8s_connector_resources"
+	MetricConnectorWithSubnetRouterCount = "k8s_connector_subnetrouter_resources"
+	MetricConnectorWithExitNodeCount     = "k8s_connector_exitnode_resources"
+	MetricNameserverCount                = "k8s_nameserver_resources"
+)