diff --git a/cmd/k8s-operator/deploy/chart/templates/apiserverproxy-rbac.yaml b/cmd/k8s-operator/deploy/chart/templates/apiserverproxy-rbac.yaml
index 71c54bad4..ad0a6fb66 100644
--- a/cmd/k8s-operator/deploy/chart/templates/apiserverproxy-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/apiserverproxy-rbac.yaml
@@ -1,10 +1,10 @@
# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
-# If deprecated setting used, enable both legacy and new workflows.
+# If old setting used, enable both old (operator) and new (ProxyGroup) workflows.
# If new setting used, enable only new workflow.
{{ if or (eq .Values.apiServerProxyConfig.mode "true")
- (eq .Values.apiServerProxyConfig.authEnabled "true") }}
+ (eq .Values.apiServerProxyConfig.allowImpersonation "true") }}
apiVersion: v1
kind: ServiceAccount
metadata:
diff --git a/cmd/k8s-operator/deploy/chart/values.yaml b/cmd/k8s-operator/deploy/chart/values.yaml
index c5a0fcd8b..3776a5b51 100644
--- a/cmd/k8s-operator/deploy/chart/values.yaml
+++ b/cmd/k8s-operator/deploy/chart/values.yaml
@@ -111,13 +111,15 @@ proxyConfig:
# Kubernetes API server.
# https://tailscale.com/kb/1437/kubernetes-operator-api-server-proxy
apiServerProxyConfig:
- # Set to "true" to enable the ClusterRole permissions required for the API
- # server proxy to impersonate groups and users based on tailnet ACL grants.
- # Required to deploy ProxyGroups of type "kube-apiserver" in auth mode.
- authEnabled: "false" # "true", "false"
+ # Set to "true" to create the ClusterRole permissions required for the API
+ # server proxy's auth mode. In auth mode, the API server proxy impersonates
+ # groups and users based on tailnet ACL grants. Required for ProxyGroups of
+ # type "kube-apiserver" running in auth mode.
+ allowImpersonation: "false" # "true", "false"
# If true or noauth, the operator will run an in-process API server proxy.
- # Deprecated: use apiServerProxyConfig.authEnabled instead.
+ # You can deploy a ProxyGroup of type "kube-apiserver" to run a high
+ # availability set of API server proxies instead.
mode: "false" # "true", "false", "noauth"
imagePullSecrets: []
diff --git a/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml b/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
index 8bd983cc4..06c847925 100644
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxygroups.yaml
@@ -77,18 +77,22 @@ spec:
must not start with a dash and must be between 1 and 62 characters long.
type: string
pattern: ^[a-z0-9][a-z0-9-]{0,61}$
- kubeAPIServerConfig:
+ kubeAPIServer:
description: |-
- KubeAPIServerConfig contains configuration specific to the kube-apiserver
+ KubeAPIServer contains configuration specific to the kube-apiserver
ProxyGroup type. This field is only used when Type is set to "kube-apiserver".
type: object
properties:
- authMode:
+ mode:
description: |-
- AuthMode enables auth mode for the API Server proxy. In auth mode,
- requests from the tailnet proxied over to the Kubernetes API server
- are additionally impersonated using the sender's tailnet identity.
- type: boolean
+ Mode to run the API server proxy in. Supported modes are auth and noauth.
+ In auth mode, requests from the tailnet proxied over to the Kubernetes
+ API server are additionally impersonated using the sender's tailnet identity.
+ If not specified, defaults to auth mode.
+ type: string
+ enum:
+ - auth
+ - noauth
proxyClass:
description: |-
ProxyClass is the name of the ProxyClass custom resource that contains
diff --git a/cmd/k8s-operator/deploy/manifests/operator.yaml b/cmd/k8s-operator/deploy/manifests/operator.yaml
index 6ec32abf2..e9374ee3c 100644
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -2904,17 +2904,21 @@ spec:
must not start with a dash and must be between 1 and 62 characters long.
pattern: ^[a-z0-9][a-z0-9-]{0,61}$
type: string
- kubeAPIServerConfig:
+ kubeAPIServer:
description: |-
- KubeAPIServerConfig contains configuration specific to the kube-apiserver
+ KubeAPIServer contains configuration specific to the kube-apiserver
ProxyGroup type. This field is only used when Type is set to "kube-apiserver".
properties:
- authMode:
+ mode:
description: |-
- AuthMode enables auth mode for the API Server proxy. In auth mode,
- requests from the tailnet proxied over to the Kubernetes API server
- are additionally impersonated using the sender's tailnet identity.
- type: boolean
+ Mode to run the API server proxy in. Supported modes are auth and noauth.
+ In auth mode, requests from the tailnet proxied over to the Kubernetes
+ API server are additionally impersonated using the sender's tailnet identity.
+ If not specified, defaults to auth mode.
+ enum:
+ - auth
+ - noauth
+ type: string
type: object
proxyClass:
description: |-
diff --git a/cmd/k8s-operator/operator.go b/cmd/k8s-operator/operator.go
index 2fb6c2a61..f245599e7 100644
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -26,6 +26,7 @@ import (
networkingv1 "k8s.io/api/networking/v1"
rbacv1 "k8s.io/api/rbac/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ apiequality "k8s.io/apimachinery/pkg/api/equality"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
klabels "k8s.io/apimachinery/pkg/labels"
@@ -632,13 +633,14 @@ func runReconcilers(opts reconcilerOpts) {
ownedByProxyGroupFilter := handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &tsapi.ProxyGroup{})
proxyClassFilterForProxyGroup := handler.EnqueueRequestsFromMapFunc(proxyClassHandlerForProxyGroup(mgr.GetClient(), startlog))
nodeFilterForProxyGroup := handler.EnqueueRequestsFromMapFunc(nodeHandlerForProxyGroup(mgr.GetClient(), opts.defaultProxyClass, startlog))
+ saFilterForProxyGroup := handler.EnqueueRequestsFromMapFunc(serviceAccountHandlerForProxyGroup(mgr.GetClient(), startlog))
err = builder.ControllerManagedBy(mgr).
For(&tsapi.ProxyGroup{}).
Named("proxygroup-reconciler").
Watches(&corev1.Service{}, ownedByProxyGroupFilter).
Watches(&appsv1.StatefulSet{}, ownedByProxyGroupFilter).
Watches(&corev1.ConfigMap{}, ownedByProxyGroupFilter).
- Watches(&corev1.ServiceAccount{}, ownedByProxyGroupFilter).
+ Watches(&corev1.ServiceAccount{}, saFilterForProxyGroup).
Watches(&corev1.Secret{}, ownedByProxyGroupFilter).
Watches(&rbacv1.Role{}, ownedByProxyGroupFilter).
Watches(&rbacv1.RoleBinding{}, ownedByProxyGroupFilter).
@@ -1002,8 +1004,8 @@ func nodeHandlerForProxyGroup(cl client.Client, defaultProxyClass string, logger
}
// proxyClassHandlerForProxyGroup returns a handler that, for a given ProxyClass,
-// returns a list of reconcile requests for all Connectors that have
-// .spec.proxyClass set.
+// returns a list of reconcile requests for all ProxyGroups that have
+// .spec.proxyClass set to that ProxyClass.
func proxyClassHandlerForProxyGroup(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
return func(ctx context.Context, o client.Object) []reconcile.Request {
pgList := new(tsapi.ProxyGroupList)
@@ -1022,6 +1024,37 @@ func proxyClassHandlerForProxyGroup(cl client.Client, logger *zap.SugaredLogger)
}
}
+// serviceAccountHandlerForProxyGroup returns a handler that, for a given ServiceAccount,
+// returns a list of reconcile requests for all ProxyGroups that use that ServiceAccount.
+// For most ProxyGroups, this will be a dedicated ServiceAccount owned by a specific
+// ProxyGroup. But for kube-apiserver ProxyGroups running in auth mode, they use a shared
+// static ServiceAccount named "kube-apiserver-auth-proxy".
+func serviceAccountHandlerForProxyGroup(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+ return func(ctx context.Context, o client.Object) []reconcile.Request {
+ pgList := new(tsapi.ProxyGroupList)
+ if err := cl.List(ctx, pgList); err != nil {
+ logger.Debugf("error listing ProxyGroups for ServiceAccount: %v", err)
+ return nil
+ }
+ reqs := make([]reconcile.Request, 0)
+ saName := o.GetName()
+ for _, pg := range pgList.Items {
+ if saName == authAPIServerProxySAName && isAuthAPIServerProxy(&pg) {
+ reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&pg)})
+ }
+ expectedOwner := pgOwnerReference(&pg)[0]
+ saOwnerRefs := o.GetOwnerReferences()
+ for _, ref := range saOwnerRefs {
+ if apiequality.Semantic.DeepEqual(ref, expectedOwner) {
+ reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&pg)})
+ break
+ }
+ }
+ }
+ return reqs
+ }
+}
+
// serviceHandlerForIngress returns a handler for Service events for ingress
// reconciler that ensures that if the Service associated with an event is of
// interest to the reconciler, the associated Ingress(es) gets be reconciled.
diff --git a/cmd/k8s-operator/proxygroup.go b/cmd/k8s-operator/proxygroup.go
index 28535a67d..51d61c55e 100644
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -50,6 +50,7 @@ import (
const (
reasonProxyGroupCreationFailed = "ProxyGroupCreationFailed"
reasonProxyGroupReady = "ProxyGroupReady"
+ reasonProxyGroupAvailable = "ProxyGroupAvailable"
reasonProxyGroupCreating = "ProxyGroupCreating"
reasonProxyGroupInvalid = "ProxyGroupInvalid"
@@ -209,7 +210,9 @@ func (r *ProxyGroupReconciler) validate(ctx context.Context, pg *tsapi.ProxyGrou
sa := &corev1.ServiceAccount{}
if err := r.Get(ctx, types.NamespacedName{Namespace: r.tsNamespace, Name: authAPIServerProxySAName}, sa); err != nil {
if apierrors.IsNotFound(err) {
- return fmt.Errorf("the ServiceAccount %q used for the API server proxy in auth mode does not exist but should have been created during operator installation", authAPIServerProxySAName)
+ return fmt.Errorf("the ServiceAccount %q used for the API server proxy in auth mode does not exist but "+
+ "should have been created during operator installation; use apiServerProxyConfig.allowImpersonation=true "+
+ "in the helm chart, or authproxy-rbac.yaml from the static manifests", authAPIServerProxySAName)
}
return fmt.Errorf("error validating that ServiceAccount %q exists: %w", authAPIServerProxySAName, err)
@@ -423,7 +426,7 @@ func (r *ProxyGroupReconciler) maybeUpdateStatus(ctx context.Context, logger *za
if len(devices) > 0 {
status = metav1.ConditionTrue
if len(devices) == desiredReplicas {
- reason = reasonProxyGroupReady
+ reason = reasonProxyGroupAvailable
}
}
tsoperator.SetProxyGroupCondition(pg, tsapi.ProxyGroupAvailable, status, reason, message, 0, r.clock, logger)
diff --git a/cmd/k8s-operator/proxygroup_specs.go b/cmd/k8s-operator/proxygroup_specs.go
index 2f040d5a8..fe98dec25 100644
--- a/cmd/k8s-operator/proxygroup_specs.go
+++ b/cmd/k8s-operator/proxygroup_specs.go
@@ -481,10 +481,14 @@ func pgServiceAccountName(pg *tsapi.ProxyGroup) string {
}
func isAuthAPIServerProxy(pg *tsapi.ProxyGroup) bool {
- return pg.Spec.Type == tsapi.ProxyGroupTypeKubernetesAPIServer &&
- pg.Spec.KubeAPIServerConfig != nil &&
- pg.Spec.KubeAPIServerConfig.AuthMode != nil &&
- *pg.Spec.KubeAPIServerConfig.AuthMode
+ if pg.Spec.Type != tsapi.ProxyGroupTypeKubernetesAPIServer {
+ return false
+ }
+
+ // The default is auth mode.
+ return pg.Spec.KubeAPIServer == nil ||
+ pg.Spec.KubeAPIServer.Mode == nil ||
+ *pg.Spec.KubeAPIServer.Mode == tsapi.APIServerProxyModeAuth
}
func pgStateSecrets(pg *tsapi.ProxyGroup, namespace string) (secrets []*corev1.Secret) {
diff --git a/k8s-operator/api.md b/k8s-operator/api.md
index ee715e795..cd713f054 100644
--- a/k8s-operator/api.md
+++ b/k8s-operator/api.md
@@ -21,6 +21,21 @@
+#### APIServerProxyMode
+
+_Underlying type:_ _string_
+
+
+
+_Validation:_
+- Enum: [auth noauth]
+- Type: string
+
+_Appears in:_
+- [KubeAPIServerConfig](#kubeapiserverconfig)
+
+
+
#### AppConnector
@@ -326,7 +341,7 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `authMode` _boolean_ | AuthMode enables auth mode for the API Server proxy. In auth mode,
requests from the tailnet proxied over to the Kubernetes API server
are additionally impersonated using the sender's tailnet identity. | | |
+| `mode` _[APIServerProxyMode](#apiserverproxymode)_ | Mode to run the API server proxy in. Supported modes are auth and noauth.
In auth mode, requests from the tailnet proxied over to the Kubernetes
API server are additionally impersonated using the sender's tailnet identity.
If not specified, defaults to auth mode. | | Enum: [auth noauth]
Type: string
|
#### LabelValue
@@ -659,7 +674,7 @@ _Appears in:_
| `replicas` _integer_ | Replicas specifies how many replicas to create the StatefulSet with.
Defaults to 2. | | Minimum: 0
|
| `hostnamePrefix` _[HostnamePrefix](#hostnameprefix)_ | HostnamePrefix is the hostname prefix to use for tailnet devices created
by the ProxyGroup. Each device will have the integer number from its
StatefulSet pod appended to this prefix to form the full hostname.
HostnamePrefix can contain lower case letters, numbers and dashes, it
must not start with a dash and must be between 1 and 62 characters long. | | Pattern: `^[a-z0-9][a-z0-9-]{0,61}$`
Type: string
|
| `proxyClass` _string_ | ProxyClass is the name of the ProxyClass custom resource that contains
configuration options that should be applied to the resources created
for this ProxyGroup. If unset, and there is no default ProxyClass
configured, the operator will create resources with the default
configuration. | | |
-| `kubeAPIServerConfig` _[KubeAPIServerConfig](#kubeapiserverconfig)_ | KubeAPIServerConfig contains configuration specific to the kube-apiserver
ProxyGroup type. This field is only used when Type is set to "kube-apiserver". | | |
+| `kubeAPIServer` _[KubeAPIServerConfig](#kubeapiserverconfig)_ | KubeAPIServer contains configuration specific to the kube-apiserver
ProxyGroup type. This field is only used when Type is set to "kube-apiserver". | | |
#### ProxyGroupStatus
diff --git a/k8s-operator/apis/v1alpha1/types_proxygroup.go b/k8s-operator/apis/v1alpha1/types_proxygroup.go
index a7f8076e2..ad5b11361 100644
--- a/k8s-operator/apis/v1alpha1/types_proxygroup.go
+++ b/k8s-operator/apis/v1alpha1/types_proxygroup.go
@@ -85,10 +85,10 @@ type ProxyGroupSpec struct {
// +optional
ProxyClass string `json:"proxyClass,omitempty"`
- // KubeAPIServerConfig contains configuration specific to the kube-apiserver
+ // KubeAPIServer contains configuration specific to the kube-apiserver
// ProxyGroup type. This field is only used when Type is set to "kube-apiserver".
// +optional
- KubeAPIServerConfig *KubeAPIServerConfig `json:"kubeAPIServerConfig,omitempty"`
+ KubeAPIServer *KubeAPIServerConfig `json:"kubeAPIServer,omitempty"`
}
type ProxyGroupStatus struct {
@@ -136,15 +136,25 @@ const (
ProxyGroupTypeKubernetesAPIServer ProxyGroupType = "kube-apiserver"
)
+// +kubebuilder:validation:Type=string
+// +kubebuilder:validation:Enum=auth;noauth
+type APIServerProxyMode string
+
+const (
+ APIServerProxyModeAuth APIServerProxyMode = "auth"
+ APIServerProxyModeNoAuth APIServerProxyMode = "noauth"
+)
+
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Pattern=`^[a-z0-9][a-z0-9-]{0,61}$`
type HostnamePrefix string
// KubeAPIServerConfig contains configuration specific to the kube-apiserver ProxyGroup type.
type KubeAPIServerConfig struct {
- // AuthMode enables auth mode for the API Server proxy. In auth mode,
- // requests from the tailnet proxied over to the Kubernetes API server
- // are additionally impersonated using the sender's tailnet identity.
+ // Mode to run the API server proxy in. Supported modes are auth and noauth.
+ // In auth mode, requests from the tailnet proxied over to the Kubernetes
+ // API server are additionally impersonated using the sender's tailnet identity.
+ // If not specified, defaults to auth mode.
// +optional
- AuthMode *bool `json:"authMode,omitempty"`
+ Mode *APIServerProxyMode `json:"mode,omitempty"`
}
diff --git a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
index b43a887db..32adbd680 100644
--- a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
@@ -319,9 +319,9 @@ func (in *Env) DeepCopy() *Env {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
*out = *in
- if in.AuthMode != nil {
- in, out := &in.AuthMode, &out.AuthMode
- *out = new(bool)
+ if in.Mode != nil {
+ in, out := &in.Mode, &out.Mode
+ *out = new(APIServerProxyMode)
**out = **in
}
}
@@ -751,8 +751,8 @@ func (in *ProxyGroupSpec) DeepCopyInto(out *ProxyGroupSpec) {
*out = new(int32)
**out = **in
}
- if in.KubeAPIServerConfig != nil {
- in, out := &in.KubeAPIServerConfig, &out.KubeAPIServerConfig
+ if in.KubeAPIServer != nil {
+ in, out := &in.KubeAPIServer, &out.KubeAPIServer
*out = new(KubeAPIServerConfig)
(*in).DeepCopyInto(*out)
}