TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-12-07 05:13:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

cmd/k8s-operator: add a kubernetes operator.

Browse Source 
This was initially developed in a separate repo, but for build/release
reasons and because go module management limits the damage of importing
k8s things now, moving it into this repo.

At time of commit, the operator enables exposing services over tailscale,
with the 'tailscale' loadBalancerClass. It also currently requires an
unreleased feature to access the Tailscale API, so is not usable yet.

Updates #502.

Signed-off-by: David Anderson <danderson@tailscale.com>
This commit is contained in:
David Anderson
2022-12-12 11:15:34 -08:00
committed by Dave Anderson
parent 47002d93a3
commit b2d4abf25a
5 changed files with 911 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
cmd/k8s-operator/manifests/operator.yaml Normal file
View File

@@ -0,0 +1,114 @@
# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
apiVersion: v1
kind: ServiceAccount
metadata:
name: proxies
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: proxies
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["secrets"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: proxies
subjects:
- kind: ServiceAccount
name: proxies
roleRef:
kind: Role
name: proxies
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tailscale-operator
rules:
- apiGroups: [""]
resources: ["services", "services/status"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tailscale-operator
subjects:
- kind: ServiceAccount
name: operator
namespace: default
roleRef:
kind: ClusterRole
name: tailscale-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: operator
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["secrets"]
verbs: ["*"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: operator
subjects:
- kind: ServiceAccount
name: operator
roleRef:
kind: Role
name: operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tailscale-operator
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: tailscale-operator
template:
metadata:
labels:
app: tailscale-operator
spec:
serviceAccountName: operator
containers:
- name: tailscale-operator
image: tailscale/k8s-operator:latest
resources:
requests:
cpu: 500m
memory: 100Mi
env:
- name: OPERATOR_HOSTNAME
value: tailscale-operator
- name: OPERATOR_SECRET
value: tailscale-operator
- name: PROXY_IMAGE
value: tailscale/tailscale:latest
- name: PROXY_TAGS
value: tag:k8s

37
cmd/k8s-operator/manifests/proxy.yaml Normal file
View File

@@ -0,0 +1,37 @@
# This file is not a complete manifest, it's a skeleton that the operator embeds
# at build time and then uses to construct Tailscale proxy pods.
apiVersion: apps/v1
kind: StatefulSet
metadata:
spec:
replicas: 1
template:
metadata:
deletionGracePeriodSeconds: 10
spec:
serviceAccountName: proxies
initContainers:
- name: sysctler
image: busybox
securityContext:
privileged: true
command: ["/bin/sh"]
args:
- -c
- sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
resources:
requests:
cpu: 1m
memory: 1Mi
containers:
- name: tailscale
imagePullPolicy: Always
env:
- name: TS_USERSPACE
value: "false"
- name: TS_AUTH_ONCE
value: "true"
securityContext:
capabilities:
add:
- NET_ADMIN