Allow cluster admin revoke other intercepts

Signed-off-by: Phan Duc <phan.duc@moneyforward.co.jp>

Author: yuyuvn

CHANGELOG.yml

@@ -116,6 +116,11 @@ items:
           The Traffic Agent's retry interval when it establishes its watcher for intercepts is now configurable using the Helm chart value
           `agent.watchRetryInterval`. The default retry interval was also increased from 2 seconds to 10 seconds to improve resilience when
           connections to the traffic manager are lost.
+      - type: feature
+        title: Add ability for cluster admins to revoke other users' intercepts.
+        body: >-
+          The Traffic Manager now has a new API endpoint `RevokeIntercept` that can be used to revoke intercepts created by other users.
+          This endpoint is only accessible to cluster admins and requires authentication via a kubernetestoken and membership in the `system:masters` or `telepresence:admin` group.
   - version: 2.25.2
     date: 2025-12-26
     notes:

cmd/traffic/cmd/manager/service.go

@@ -882,6 +882,31 @@ func (s *service) RemoveIntercept(ctx context.Context, riReq *rpc.RemoveIntercep
 	return &empty.Empty{}, nil
 }
 
+// RevokeIntercept allows the manager to revoke any client's intercept by intercept ID.
+// This is an administrative operation that can revoke intercepts for any client.
+func (s *service) RevokeIntercept(ctx context.Context, riReq *rpc.RevokeInterceptRequest) (*empty.Empty, error) {
+	interceptID := riReq.InterceptId
+	dlog.Debugf(ctx, "Revoking intercept ID %s", interceptID)
+
+	// Get the intercept to verify it exists and to update metrics
+	intercept, ok := s.state.GetIntercept(interceptID)
+	if !ok {
+		return nil, status.Errorf(codes.NotFound, "Intercept with ID %q not found", interceptID)
+	}
+
+	// Get the client session from the intercept to update metrics
+	clientSessionID := tunnel.SessionID(intercept.ClientSession.SessionId)
+	if client := s.state.GetClient(clientSessionID); client != nil {
+		interceptName := intercept.Spec.Name
+		SetGauge(ctx, s.state.GetInterceptActiveStatus(), client.Name, client.InstallId, &interceptName, 0)
+	}
+
+	// Remove the intercept
+	s.state.RemoveIntercept(ctx, interceptID)
+	dlog.Infof(ctx, "Successfully revoked intercept ID %s", interceptID)
+	return &empty.Empty{}, nil
+}
+
 // GetIntercept gets an intercept info from intercept name.
 func (s *service) GetIntercept(ctx context.Context, request *rpc.GetInterceptRequest) (*rpc.InterceptInfo, error) {
 	interceptID, err := s.MakeInterceptID(ctx, request.GetSession().GetSessionId(), request.GetName())