TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-04-01 14:02:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

cmd/k8s-operator: require namespace config ()

Browse Source 
Most users should not run into this because it's set in the helm chart
and the deploy manifest, but if namespace is not set we get confusing
authz errors because the kube client tries to fetch some namespaced resources
as though they're cluster-scoped and reports permission denied. Try to
detect namespace from the default projected volume, and otherwise fatal.

Fixes #cleanup

Change-Id: I64b34191e440b61204b9ad30bbfa117abbbe09c3

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
This commit is contained in:
Tom Proctor 2025-01-16 11:15:36 +00:00 committed by GitHub
parent 00bd906797
commit 2d1f6f18cc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 0 deletions

9
cmd/k8s-operator/operator.go

@ -88,6 +88,15 @@ func main() {
zlog := kzap.NewRaw(opts...).Sugar() zlog := kzap.NewRaw(opts...).Sugar()
logf.SetLogger(zapr.NewLogger(zlog.Desugar())) logf.SetLogger(zapr.NewLogger(zlog.Desugar()))
if tsNamespace == "" {
const namespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
b, err := os.ReadFile(namespaceFile)
if err != nil {
zlog.Fatalf("Could not get operator namespace from OPERATOR_NAMESPACE environment variable or default projected volume: %v", err)
}
tsNamespace = strings.TrimSpace(string(b))
}
// The operator can run either as a plain operator or it can // The operator can run either as a plain operator or it can
// additionally act as api-server proxy // additionally act as api-server proxy
// https://tailscale.com/kb/1236/kubernetes-operator/?q=kubernetes#accessing-the-kubernetes-control-plane-using-an-api-server-proxy. // https://tailscale.com/kb/1236/kubernetes-operator/?q=kubernetes#accessing-the-kubernetes-control-plane-using-an-api-server-proxy.