Support cli revoke command and allow config admin groups via env

Signed-off-by: Phan Duc <phan.duc@moneyforward.co.jp>

Author: yuyuvn

CHANGELOG.yml

@@ -136,7 +136,7 @@ items:
         title: Add ability for cluster admins to revoke other users' intercepts.
         body: >-
           The Traffic Manager now has a new API endpoint `RevokeIntercept` that can be used to revoke intercepts created by other users.
-          This endpoint is only accessible to cluster admins and requires authentication via a kubernetestoken and membership in the `system:masters` or `telepresence:admin` group.
+          This endpoint is only accessible to cluster admins and requires authentication via a kubernetestoken and membership in the `system:masters` or `telepresence:admin` or `kubeadm:cluster-admins` group.
   - version: 2.25.2
     date: 2025-12-26
     notes:

cmd/traffic/cmd/manager/managerutil/envconfig.go

@@ -56,6 +56,7 @@ type Env struct {
 	AgentImagePullPolicy       string                      `env:"AGENT_IMAGE_PULL_POLICY,       parser=string,         default="`
 	AgentImagePullSecrets      []core.LocalObjectReference `env:"AGENT_IMAGE_PULL_SECRETS,      parser=json-local-refs,default="`
 	AgentInjectPolicy          agentconfig.InjectPolicy    `env:"AGENT_INJECT_POLICY,           parser=enable-policy,  default=Never"`
+	AgentK8sAdminGroups        []string                    `env:"AGENT_K8S_ADMIN_GROUPS,        parser=split-trim,    default=system:masters"`
 	AgentLogLevel              string                      `env:"AGENT_LOG_LEVEL,               parser=logLevel,       defaultFrom=LogLevel"`
 	AgentPort                  uint16                      `env:"AGENT_PORT,                    parser=port-number,    default=0"`
 	AgentEnableH2cProbing      bool                        `env:"AGENT_ENABLE_H2C_PROBING,      parser=bool,           default=false"`

cmd/traffic/cmd/manager/revoke_intercept_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/datawire/dlib/dgroup"
 	"github.com/datawire/dlib/dlog"
 	rpc "github.com/telepresenceio/telepresence/rpc/v2/manager"
+	"github.com/telepresenceio/telepresence/v2/cmd/traffic/cmd/manager/managerutil"
 	"github.com/telepresenceio/telepresence/v2/cmd/traffic/cmd/manager/state"
 	"github.com/telepresenceio/telepresence/v2/pkg/k8sapi"
 )
@@ -50,6 +51,16 @@ func TestRevokeIntercept_Authentication(t *testing.T) {
 			wantErr:       true,
 			errMessage:    "not found",
 		},
+		{
+			name:          "authorized user with kubeadm:cluster-admins",
+			token:         "valid-kubeadm-token",
+			authenticated: true,
+			username:      "kubeadm-admin",
+			groups:        []string{"system:authenticated", "kubeadm:cluster-admins"},
+			wantCode:      codes.NotFound, // Will fail on intercept lookup, but auth passes
+			wantErr:       true,
+			errMessage:    "not found",
+		},
 		{
 			name:          "unauthorized user - not in allowed groups",
 			token:         "valid-user-token",
@@ -58,7 +69,7 @@ func TestRevokeIntercept_Authentication(t *testing.T) {
 			groups:        []string{"system:authenticated", "developers"},
 			wantCode:      codes.PermissionDenied,
 			wantErr:       true,
-			errMessage:    "user must be a member of telepresence:admin or system:masters group",
+			errMessage:    "user must be a member of one of the following groups",
 		},
 		{
 			name:          "unauthenticated token",
@@ -81,11 +92,11 @@ func TestRevokeIntercept_Authentication(t *testing.T) {
 			errMessage:    "authentication failed",
 		},
 		{
-			name:          "user with both groups",
+			name:          "user with multiple admin groups",
 			token:         "super-admin-token",
 			authenticated: true,
 			username:      "super-admin",
-			groups:        []string{"system:authenticated", "system:masters", "telepresence:admin"},
+			groups:        []string{"system:authenticated", "system:masters", "telepresence:admin", "kubeadm:cluster-admins"},
 			wantCode:      codes.NotFound, // Will fail on intercept lookup, but auth passes
 			wantErr:       true,
 			errMessage:    "not found",
@@ -123,6 +134,12 @@ func TestRevokeIntercept_Authentication(t *testing.T) {
 			// Set up context with fake K8s client
 			ctx = k8sapi.WithK8sInterface(ctx, fakeClient)
 
+			// Set up environment with default admin groups
+			env := &managerutil.Env{
+				AgentK8sAdminGroups: []string{"system:masters", "telepresence:admin", "kubeadm:cluster-admins"},
+			}
+			ctx = managerutil.WithEnv(ctx, env)
+
 			// Create a minimal service instance
 			g := dgroup.NewGroup(ctx, dgroup.GroupConfig{})
 			svc := &service{
@@ -176,6 +193,12 @@ func TestRevokeIntercept_SuccessfulRevocation(t *testing.T) {
 	// Set up context with fake K8s client
 	ctx = k8sapi.WithK8sInterface(ctx, fakeClient)
 
+	// Set up environment with default admin groups
+	env := &managerutil.Env{
+		AgentK8sAdminGroups: []string{"system:masters"},
+	}
+	ctx = managerutil.WithEnv(ctx, env)
+
 	// Create a service instance with state
 	g := dgroup.NewGroup(ctx, dgroup.GroupConfig{})
 	svc := &service{
@@ -229,7 +252,7 @@ func TestRevokeIntercept_SuccessfulRevocation(t *testing.T) {
 }
 
 func TestRevokeIntercept_OnlySystemMasters(t *testing.T) {
-	// This test specifically verifies that ONLY system:masters (or telepresence:admin) can revoke
+	// This test specifically verifies that ONLY configured admin groups can revoke
 	unauthorizedGroups := [][]string{
 		{"system:authenticated"},
 		{"system:authenticated", "developers"},
@@ -261,6 +284,12 @@ func TestRevokeIntercept_OnlySystemMasters(t *testing.T) {
 
 			ctx = k8sapi.WithK8sInterface(ctx, fakeClient)
 
+			// Set up environment with default admin groups
+			env := &managerutil.Env{
+				AgentK8sAdminGroups: []string{"system:masters", "telepresence:admin", "kubeadm:cluster-admins"},
+			}
+			ctx = managerutil.WithEnv(ctx, env)
+
 			g := dgroup.NewGroup(ctx, dgroup.GroupConfig{})
 			svc := &service{
 				state: state.NewState(ctx, g),
@@ -277,9 +306,59 @@ func TestRevokeIntercept_OnlySystemMasters(t *testing.T) {
 			st, ok := status.FromError(err)
 			require.True(t, ok)
 			assert.Equal(t, codes.PermissionDenied, st.Code())
-			assert.Contains(t, st.Message(), "user must be a member of telepresence:admin or system:masters group")
+			assert.Contains(t, st.Message(), "user must be a member of one of the following groups")
 
 			t.Logf("Correctly denied access for groups: %v", groups)
 		})
 	}
 }
+
+func TestRevokeIntercept_CustomAdminGroups(t *testing.T) {
+	// Test with custom admin groups from environment
+	ctx := dlog.NewTestContext(t, true)
+
+	fakeClient := fake.NewClientset()
+	fakeClient.PrependReactor("create", "tokenreviews", func(action k8stesting.Action) (bool, runtime.Object, error) {
+		createAction := action.(k8stesting.CreateAction)
+		tr := createAction.GetObject().(*authv1.TokenReview)
+
+		// Return authenticated user with test-admin service account
+		tr.Status = authv1.TokenReviewStatus{
+			Authenticated: true,
+			User: authv1.UserInfo{
+				Username: "system:serviceaccount:ambassador:test-admin",
+				Groups:   []string{"system:serviceaccounts", "system:serviceaccounts:ambassador", "system:authenticated"},
+			},
+		}
+
+		return true, tr, nil
+	})
+
+	ctx = k8sapi.WithK8sInterface(ctx, fakeClient)
+
+	// Set up environment with custom admin groups including the service account
+	env := &managerutil.Env{
+		AgentK8sAdminGroups: []string{"system:masters", "system:serviceaccount:ambassador:test-admin"},
+	}
+	ctx = managerutil.WithEnv(ctx, env)
+
+	g := dgroup.NewGroup(ctx, dgroup.GroupConfig{})
+	svc := &service{
+		state: state.NewState(ctx, g),
+	}
+
+	req := &rpc.RevokeInterceptRequest{
+		InterceptId: "test:intercept",
+		Token:       "test-token",
+	}
+
+	_, err := svc.RevokeIntercept(ctx, req)
+
+	// Should get NotFound (auth passed, but intercept doesn't exist) instead of PermissionDenied
+	require.Error(t, err)
+	st, ok := status.FromError(err)
+	require.True(t, ok)
+	// Auth should pass, so we get NotFound instead of PermissionDenied
+	assert.Equal(t, codes.NotFound, st.Code(), "Expected NotFound since auth passed but intercept doesn't exist")
+	t.Logf("Successfully verified that custom admin group (system:serviceaccount:ambassador:test-admin) is allowed")
+}

cmd/traffic/cmd/manager/service.go

@@ -885,19 +885,33 @@ func (s *service) RemoveIntercept(ctx context.Context, riReq *rpc.RemoveIntercep
 
 // RevokeIntercept allows the manager to revoke any client's intercept by intercept ID.
 // This is an administrative operation that can revoke intercepts for any client.
-// Requires authentication via token and membership in system:telepresence-admin group.
+// Requires authentication via token and membership in one of the groups specified
+// by the AGENT_K8S_ADMIN_GROUPS environment variable (default: system:masters).
 func (s *service) RevokeIntercept(ctx context.Context, riReq *rpc.RevokeInterceptRequest) (*empty.Empty, error) {
 	// Verify the authentication token
-	tokenResult, error := k8sapi.VerifyToken(ctx, riReq.Token)
-	if error != nil {
-		dlog.Warnf(ctx, "Authentication failed for RevokeIntercept: %v", error)
+	tokenResult, err := k8sapi.VerifyToken(ctx, riReq.Token)
+	if err != nil {
+		dlog.Warnf(ctx, "Authentication failed for RevokeIntercept: %v", err)
 		return nil, status.Errorf(codes.PermissionDenied, "authentication failed")
 	}
 
-	// Check if user belongs to system:telepresence-admin group
-	if !(tokenResult.IsMemberOfGroup("telepresence:admin") || tokenResult.IsMemberOfGroup("system:masters")) {
-		dlog.Warnf(ctx, "User %s is not a member of telepresence:admin or system:masters group", tokenResult.Username)
-		return nil, status.Errorf(codes.PermissionDenied, "user must be a member of telepresence:admin or system:masters group")
+	// Check if user belongs to one of the allowed admin groups
+	allowedGroups := managerutil.GetEnv(ctx).AgentK8sAdminGroups
+	if len(allowedGroups) == 0 {
+		// Default to system:masters if not configured
+		allowedGroups = []string{"system:masters"}
+	}
+	isAuthorized := false
+	for _, group := range allowedGroups {
+		if tokenResult.IsMemberOfGroup(group) {
+			isAuthorized = true
+			break
+		}
+	}
+	if !isAuthorized {
+		groupsStr := strings.Join(allowedGroups, ", ")
+		dlog.Warnf(ctx, "User %s is not a member of any allowed admin groups: %s", tokenResult.Username, groupsStr)
+		return nil, status.Errorf(codes.PermissionDenied, "user must be a member of one of the following groups: %s", groupsStr)
 	}
 
 	dlog.Infof(ctx, "Authorized to revoke intercepts")

docs/reference/cli/telepresence.md

@@ -56,6 +56,7 @@ recommended) which in turn may result in a password prompt.
 | [mcp](telepresence_mcp) | MCP server management |
 | [quit](telepresence_quit) | Tell telepresence daemons to quit |
 | [replace](telepresence_replace) | Replace a container |
+| [revoke](telepresence_revoke) | Revoke an intercept by intercept ID. The intercept ID must be in the format <session_id>:<intercept_name> |
 | [serve](telepresence_serve) | Start the browser on a remote service |
 | [status](telepresence_status) | Show connectivity status |
 | [uninstall](telepresence_uninstall) | Uninstall telepresence agents |
@@ -69,7 +70,7 @@ recommended) which in turn may result in a password prompt.
 
 ### Global Flags:
 ```
-      --config string     Path to the Telepresence configuration file (default "$HOME/Library/Application Support/telepresence/config.yml")
+      --config string     Path to the Telepresence configuration file (default "$HOME/.config/telepresence/config.yml")
       --output string     Set the output format, supported values are 'json', 'yaml', and 'default' (default "default")
       --progress string   Set type of progress output (auto, tty, plain, json, quiet) (default "auto")
       --use string        Match expression that uniquely identifies the daemon container

docs/reference/cli/telepresence_completion.md

@@ -66,7 +66,7 @@ To load completions:
 
 ### Global Flags:
 ```
-      --config string     Path to the Telepresence configuration file (default "$HOME/Library/Application Support/telepresence/config.yml")
+      --config string     Path to the Telepresence configuration file (default "$HOME/.config/telepresence/config.yml")
       --output string     Set the output format, supported values are 'json', 'yaml', and 'default' (default "default")
       --progress string   Set type of progress output (auto, tty, plain, json, quiet) (default "auto")
       --use string        Match expression that uniquely identifies the daemon container

docs/reference/cli/telepresence_compose.md

@@ -66,7 +66,7 @@ Define and run multi-container applications with Telepresence and Docker
 
 ### Global Flags:
 ```
-      --config string     Path to the Telepresence configuration file (default "$HOME/Library/Application Support/telepresence/config.yml")
+      --config string     Path to the Telepresence configuration file (default "$HOME/.config/telepresence/config.yml")
       --output string     Set the output format, supported values are 'json', 'yaml', and 'default' (default "default")
       --progress string   Set type of progress output (auto, tty, plain, json, quiet) (default "auto")
       --use string        Match expression that uniquely identifies the daemon container

docs/reference/cli/telepresence_compose_attach.md

@@ -35,7 +35,7 @@ Attach local standard input, output, and error streams to a service's running co
 
 ### Global Flags:
 ```
-      --config string     Path to the Telepresence configuration file (default "$HOME/Library/Application Support/telepresence/config.yml")
+      --config string     Path to the Telepresence configuration file (default "$HOME/.config/telepresence/config.yml")
       --output string     Set the output format, supported values are 'json', 'yaml', and 'default' (default "default")
       --progress string   Set type of progress output (auto, tty, plain, json, quiet) (default "auto")
       --use string        Match expression that uniquely identifies the daemon container

docs/reference/cli/telepresence_compose_bridge.md

@@ -32,7 +32,7 @@ Convert compose files into another model
 
 ### Global Flags:
 ```
-      --config string     Path to the Telepresence configuration file (default "$HOME/Library/Application Support/telepresence/config.yml")
+      --config string     Path to the Telepresence configuration file (default "$HOME/.config/telepresence/config.yml")
       --output string     Set the output format, supported values are 'json', 'yaml', and 'default' (default "default")
       --progress string   Set type of progress output (auto, tty, plain, json, quiet) (default "auto")
       --use string        Match expression that uniquely identifies the daemon container

docs/reference/cli/telepresence_compose_build.md

@@ -44,7 +44,7 @@ Build or rebuild services
 
 ### Global Flags:
 ```
-      --config string     Path to the Telepresence configuration file (default "$HOME/Library/Application Support/telepresence/config.yml")
+      --config string     Path to the Telepresence configuration file (default "$HOME/.config/telepresence/config.yml")
       --output string     Set the output format, supported values are 'json', 'yaml', and 'default' (default "default")
       --progress string   Set type of progress output (auto, tty, plain, json, quiet) (default "auto")
       --use string        Match expression that uniquely identifies the daemon container