kubetypes
Documentation
Overview
Package kubetypes contains types and constants related to the Tailscale Kubernetes Operator. These are split into a separate package for consumption of non-Kubernetes shared libraries and binaries. Be mindful of not increasing dependency size for those consumers when adding anything new here.
Constants
const (
	// Hostinfo App values for the Tailscale Kubernetes Operator components.
	AppOperator                = "k8s-operator"
	AppInProcessAPIServerProxy = "k8s-operator-proxy"
	AppIngressProxy            = "k8s-operator-ingress-proxy"
	AppIngressResource         = "k8s-operator-ingress-resource"
	AppEgressProxy             = "k8s-operator-egress-proxy"
	AppConnector               = "k8s-operator-connector-resource"
	AppProxyGroupEgress        = "k8s-operator-proxygroup-egress"
	AppProxyGroupIngress       = "k8s-operator-proxygroup-ingress"
	AppProxyGroupKubeAPIServer = "k8s-operator-proxygroup-kube-apiserver"

	// Clientmetrics for Tailscale Kubernetes Operator components
	MetricIngressProxyCount              = "k8s_ingress_proxies"      // L3
	MetricIngressResourceCount           = "k8s_ingress_resources"    // L7
	MetricIngressPGResourceCount         = "k8s_ingress_pg_resources" // L7 on ProxyGroup
	MetricServicePGResourceCount         = "k8s_service_pg_resources" // L3 on ProxyGroup
	MetricEgressProxyCount               = "k8s_egress_proxies"
	MetricConnectorResourceCount         = "k8s_connector_resources"
	MetricConnectorWithSubnetRouterCount = "k8s_connector_subnetrouter_resources"
	MetricConnectorWithExitNodeCount     = "k8s_connector_exitnode_resources"
	MetricConnectorWithAppConnectorCount = "k8s_connector_appconnector_resources"
	MetricNameserverCount                = "k8s_nameserver_resources"
	MetricRecorderCount                  = "k8s_recorder_resources"
	MetricEgressServiceCount             = "k8s_egress_service_resources"
	MetricProxyGroupEgressCount          = "k8s_proxygroup_egress_resources"
	MetricProxyGroupIngressCount         = "k8s_proxygroup_ingress_resources"
	MetricProxyGroupAPIServerCount       = "k8s_proxygroup_kube_apiserver_resources"

	// Keys that containerboot writes to state file that can be used to determine its state.
	// fields set in Tailscale state Secret. These are mostly used by the Tailscale Kubernetes operator to determine
	// the state of this tailscale device.
	KeyDeviceID   string = "device_id"   // node stable ID of the device
	KeyDeviceFQDN string = "device_fqdn" // device's tailnet hostname
	KeyDeviceIPs  string = "device_ips"  // device's tailnet IPs
	KeyPodUID     string = "pod_uid"     // Pod UID
	// KeyCapVer contains Tailscale capability version of this proxy instance.
	KeyCapVer string = "tailscale_capver"
	// KeyHTTPSEndpoint is a name of a field that can be set to the value of any HTTPS endpoint currently exposed by
	// this device to the tailnet. This is used by the Kubernetes operator Ingress proxy to communicate to the operator
	// that cluster workloads behind the Ingress can now be accessed via the given DNS name over HTTPS.
	KeyHTTPSEndpoint string = "https_endpoint"
	ValueNoHTTPS     string = "no-https"

	// Pod's IPv4 address header key as returned by containerboot health check endpoint.
	PodIPv4Header string = "Pod-IPv4"

	EgessServicesPreshutdownEP = "/internal-egress-services-preshutdown"

	LabelManaged    = "tailscale.com/managed"
	LabelSecretType = "tailscale.com/secret-type" // "config", "state" "certs"

	LabelSecretTypeConfig = "config"
	LabelSecretTypeState  = "state"
	LabelSecretTypeCerts  = "certs"

	KubeAPIServerConfigFile = "config.hujson"

	APIServerProxyModeAuth   APIServerProxyMode = "auth"
	APIServerProxyModeNoAuth APIServerProxyMode = "noauth"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type APIServerProxyMode (added in v1.86.0)
type APIServerProxyMode string

APIServerProxyMode specifies whether the API server proxy will add impersonation headers to requests based on the caller's Tailscale identity. May be "auth" or "noauth".

func (*APIServerProxyMode) UnmarshalJSON (added in v1.86.0)
func (a *APIServerProxyMode) UnmarshalJSON(data []byte) error
type ImpersonateRule
type ImpersonateRule struct {
	// Groups can be used to set a list of groups that a request to
	// Kubernetes API server should be impersonated as from. Groups in
	// Kubernetes only exist as subjects that RBAC rules refer to. Caller
	// can choose to use an existing group, such as system:masters, or
	// create RBAC for a new group.
	// https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects
	Groups []string `json:"groups,omitempty"`
}

ImpersonateRule defines how a request from the tailnet identity matching 'src' of this grant should be impersonated.
type KubernetesCapRule
type KubernetesCapRule struct {
	// Impersonate is a list of rules that specify how to impersonate the caller
	// when proxying to the Kubernetes API.
	Impersonate *ImpersonateRule `json:"impersonate,omitempty"`
	// Recorders defines a tag of a tsrecorder instance(s) that a recording
	// of a 'kubectl exec' session, matching `src` of this grant, to an API
	// server proxy, matching `dst` of this grant, should be sent to.
	// This list must not contain more than one tag. The field
	// name matches the `Recorder` field with equal semantics for Tailscale
	// SSH session recorder. This field is set by users in ACL grants and is
	// then parsed by control, which resolves the tags and populates `RecorderAddrs`.
	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
	Recorders []string `json:"recorder,omitempty"`
	// RecorderAddrs is a list of addresses that should be addresses of one
	// or more tsrecorder instance(s). If set, any `kubectl exec` session
	// from a client matching `src` of this grant to an API server proxy
	// matching `dst` of this grant will be recorded and the recording will
	// be sent to the tsrecorder. This field does not exist in the user
	// provided ACL grants - it is populated by control, which obtains the
	// addresses by resolving the tags provided via `Recorders` field.
	RecorderAddrs []netip.AddrPort `json:"recorderAddrs,omitempty"`
	// EnforceRecorder defines whether a kubectl exec session from a client
	// matching `src` to an API server proxy matching `dst` should fail
	// closed if it cannot be recorded (i.e if no recorder can be reached).
	// Default is to fail open.
	// The field name matches `EnforceRecorder` field with equal semantics for Tailscale SSH
	// session recorder.
	// https://tailscale.com/kb/1246/tailscale-ssh-session-recording#turn-on-session-recording-in-acls
	EnforceRecorder bool `json:"enforceRecorder,omitempty"`
}

KubernetesCapRule is a rule provided via PeerCapabilityKubernetes capability.
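
The field comments above imply three things worth checking in a user-authored rule: impersonation as system:masters, a recorder that fails open by default, and the singular JSON key `recorder` behind the plural Go field `Recorders`. The following is an added example, not code from the kubetypes package; the struct mirrors are local copies limited to user-settable fields, and `AuditRule`, its finding strings and the sample tag are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Local mirrors of the documented structs, user-settable fields only.
type ImpersonateRule struct {
	Groups []string `json:"groups,omitempty"`
}

type KubernetesCapRule struct {
	Impersonate     *ImpersonateRule `json:"impersonate,omitempty"`
	Recorders       []string         `json:"recorder,omitempty"` // JSON key is singular
	EnforceRecorder bool             `json:"enforceRecorder,omitempty"`
}

// AuditRule (hypothetical helper) strictly decodes one user-authored rule and
// returns findings based on the field comments documented above.
func AuditRule(raw []byte) ([]string, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled key such as "recorders" must not be dropped silently
	var r KubernetesCapRule
	if err := dec.Decode(&r); err != nil {
		return nil, fmt.Errorf("decode rule: %w", err)
	}
	var out []string
	if r.Impersonate != nil {
		for _, g := range r.Impersonate.Groups {
			if g == "system:masters" {
				out = append(out, "impersonates system:masters")
			}
		}
	}
	if len(r.Recorders) > 1 {
		out = append(out, "more than one recorder tag")
	} else if len(r.Recorders) == 1 && !r.EnforceRecorder {
		out = append(out, "recording fails open")
	}
	return out, nil
}

func main() {
	// The JSON below is a constructed sample rule, not taken from a real policy.
	findings, err := AuditRule([]byte(`{"impersonate":{"groups":["system:masters"]},"recorder":["tag:k8s-recorder"]}`))
	fmt.Println(findings, err)
}
```

With the default lenient decoder, a rule written with `"recorders"` would decode to an empty `Recorders` list and no error, which is why the helper decodes strictly.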