tailscale/cmd/k8s-operator/deploy/chart/templates/apiserverproxy-rbac.yaml

# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause

# If old setting used, enable both old (operator) and new (ProxyGroup) workflows.
# If new setting used, enable only new workflow.
{{ if or (eq .Values.apiServerProxyConfig.mode "true")
  (eq .Values.apiServerProxyConfig.allowImpersonation "true") }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-apiserver-auth-proxy
  namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tailscale-auth-proxy
rules:
- apiGroups: [""]
  resources: ["users", "groups"]
  verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tailscale-auth-proxy
subjects:
{{- if eq .Values.apiServerProxyConfig.mode "true" }}
- kind: ServiceAccount
  name: operator
  namespace: {{ .Release.Namespace }}
{{- end }}
- kind: ServiceAccount
  name: kube-apiserver-auth-proxy
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: tailscale-auth-proxy
  apiGroup: rbac.authorization.k8s.io
{{ end }}
cmd/k8s-operator: add support for running an auth proxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-02-03 14:47:52 -08:00			`# Copyright (c) Tailscale Inc & AUTHORS`
			`# SPDX-License-Identifier: BSD-3-Clause`

cmd/{k8s-operator,k8s-proxy}: add kube-apiserver ProxyGroup type (#16266) Adds a new k8s-proxy command to convert operator's in-process proxy to a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy reads in a new config file written by the operator, modelled on tailscaled's conffile but with some modifications to ensure multiple versions of the config can co-exist within a file. This should make it much easier to support reading that config file from a Kube Secret with a stable file name. To avoid needing to give the operator ClusterRole{,Binding} permissions, the helm chart now optionally deploys a new static ServiceAccount for the API Server proxy to use if in auth mode. Proxies deployed by kube-apiserver ProxyGroups currently work the same as the operator's in-process proxy. They do not yet leverage Tailscale Services for presenting a single HA DNS name. Updates #13358 Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> 2025-07-09 09:21:56 +01:00			`# If old setting used, enable both old (operator) and new (ProxyGroup) workflows.`
			`# If new setting used, enable only new workflow.`
			`{{ if or (eq .Values.apiServerProxyConfig.mode "true")`
			`(eq .Values.apiServerProxyConfig.allowImpersonation "true") }}`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: kube-apiserver-auth-proxy`
			`namespace: {{ .Release.Namespace }}`
			`---`
cmd/k8s-operator: add support for running an auth proxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-02-03 14:47:52 -08:00			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: tailscale-auth-proxy`
			`rules:`
			`- apiGroups: [""]`
cmd/k8s-operator: make auth proxy pass tags as Impersonate-Group We were not handling tags at all, pass them through as Impersonate-Group headers. And use the FQDN for tagged nodes as Impersonate-User. Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-03-13 08:48:09 -07:00			`resources: ["users", "groups"]`
cmd/k8s-operator: add support for running an auth proxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-02-03 14:47:52 -08:00			`verbs: ["impersonate"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: tailscale-auth-proxy`
			`subjects:`
cmd/{k8s-operator,k8s-proxy}: add kube-apiserver ProxyGroup type (#16266) Adds a new k8s-proxy command to convert operator's in-process proxy to a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy reads in a new config file written by the operator, modelled on tailscaled's conffile but with some modifications to ensure multiple versions of the config can co-exist within a file. This should make it much easier to support reading that config file from a Kube Secret with a stable file name. To avoid needing to give the operator ClusterRole{,Binding} permissions, the helm chart now optionally deploys a new static ServiceAccount for the API Server proxy to use if in auth mode. Proxies deployed by kube-apiserver ProxyGroups currently work the same as the operator's in-process proxy. They do not yet leverage Tailscale Services for presenting a single HA DNS name. Updates #13358 Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> 2025-07-09 09:21:56 +01:00			`{{- if eq .Values.apiServerProxyConfig.mode "true" }}`
cmd/k8s-operator: add support for running an auth proxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-02-03 14:47:52 -08:00			`- kind: ServiceAccount`
			`name: operator`
cmd/k8s-operator: allow to install operator via helm (#9920) Initial helm manifests. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com> 2023-10-30 18:18:09 +00:00			`namespace: {{ .Release.Namespace }}`
cmd/{k8s-operator,k8s-proxy}: add kube-apiserver ProxyGroup type (#16266) Adds a new k8s-proxy command to convert operator's in-process proxy to a separately deployable type of ProxyGroup: kube-apiserver. k8s-proxy reads in a new config file written by the operator, modelled on tailscaled's conffile but with some modifications to ensure multiple versions of the config can co-exist within a file. This should make it much easier to support reading that config file from a Kube Secret with a stable file name. To avoid needing to give the operator ClusterRole{,Binding} permissions, the helm chart now optionally deploys a new static ServiceAccount for the API Server proxy to use if in auth mode. Proxies deployed by kube-apiserver ProxyGroups currently work the same as the operator's in-process proxy. They do not yet leverage Tailscale Services for presenting a single HA DNS name. Updates #13358 Change-Id: Ib6ead69b2173c5e1929f3c13fb48a9a5362195d8 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> 2025-07-09 09:21:56 +01:00			`{{- end }}`
			`- kind: ServiceAccount`
			`name: kube-apiserver-auth-proxy`
			`namespace: {{ .Release.Namespace }}`
cmd/k8s-operator: add support for running an auth proxy Updates #5055 Signed-off-by: Maisem Ali <maisem@tailscale.com> 2023-02-03 14:47:52 -08:00			`roleRef:`
			`kind: ClusterRole`
			`name: tailscale-auth-proxy`
cmd/k8s-operator: allow to install operator via helm (#9920) Initial helm manifests. Updates tailscale/tailscale#9222 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com> 2023-10-30 18:18:09 +00:00			`apiGroup: rbac.authorization.k8s.io`
			`{{ end }}`