cmd/k8s-operator,kube/kubeclient,docs/k8s: update rbac to emit events + small fixes (#14164)

This is a follow-up to #14112 where our internal kube client was updated to allow it to emit Events - this updates our sample kube manifests and tsrecorder manifest templates so they can benefit from this functionality. Updates tailscale/tailscale#14080 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-08-11 21:27:31 +00:00 · 2024-11-20 14:22:34 +00:00
parent 303a4a1dfb
commit ebeb5da202
7 changed files with 53 additions and 1 deletions
--- a/docs/k8s/proxy.yaml
+++ b/docs/k8s/proxy.yaml
@@ -44,6 +44,14 @@ spec:
      value: "{{TS_DEST_IP}}"
    - name: TS_AUTH_ONCE
      value: "true"
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_UID
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.uid
    securityContext:
      capabilities:
        add:
--- a/docs/k8s/role.yaml
+++ b/docs/k8s/role.yaml
@@ -13,3 +13,6 @@ rules:
  resourceNames: ["{{TS_KUBE_SECRET}}"]
  resources: ["secrets"]
  verbs: ["get", "update", "patch"]
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["events"]
+  verbs: ["get", "create", "patch"]
--- a/docs/k8s/sidecar.yaml
+++ b/docs/k8s/sidecar.yaml
@@ -26,6 +26,14 @@ spec:
          name: tailscale-auth
          key: TS_AUTHKEY
          optional: true
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_UID
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.uid
    securityContext:
      capabilities:
        add:
--- a/docs/k8s/subnet.yaml
+++ b/docs/k8s/subnet.yaml
@@ -28,6 +28,14 @@ spec:
          optional: true
    - name: TS_ROUTES
      value: "{{TS_ROUTES}}"
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_UID
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.uid
    securityContext:
      capabilities:
        add:
--- a/docs/k8s/userspace-sidecar.yaml
+++ b/docs/k8s/userspace-sidecar.yaml
@@ -27,3 +27,11 @@ spec:
          name: tailscale-auth
          key: TS_AUTHKEY
          optional: true
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_UID
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.uid