cmd/k8s-operator,kube/kubeclient,docs/k8s: update rbac to emit events + small fixes (#14164)

This is a follow-up to #14112, where our internal kube client was updated
to allow it to emit Events. This change updates our sample kube manifests
and tsrecorder manifest templates so they can benefit from this functionality.

Updates tailscale/tailscale#14080

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
This commit is contained in:
Irbe Krumina 2024-11-20 14:22:34 +00:00 committed by GitHub
parent 303a4a1dfb
commit ebeb5da202
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 53 additions and 1 deletions


@ -130,6 +130,15 @@ func tsrRole(tsr *tsapi.Recorder, namespace string) *rbacv1.Role {
fmt.Sprintf("%s-0", tsr.Name), // Contains the node state. fmt.Sprintf("%s-0", tsr.Name), // Contains the node state.
}, },
}, },
{
APIGroups: []string{""},
Resources: []string{"events"},
Verbs: []string{
"get",
"create",
"patch",
},
},
}, },
} }
} }
@ -203,6 +212,14 @@ func env(tsr *tsapi.Recorder) []corev1.EnvVar {
}, },
}, },
}, },
{
Name: "POD_UID",
ValueFrom: &corev1.EnvVarSource{
FieldRef: &corev1.ObjectFieldSelector{
FieldPath: "metadata.uid",
},
},
},
{ {
Name: "TS_STATE", Name: "TS_STATE",
Value: "kube:$(POD_NAME)", Value: "kube:$(POD_NAME)",
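Review bot: The new events rule in tsrRole (the first hunk of this file, the entry with `Resources: []string{"events"}`) has no comment explaining why the Recorder's Pod needs to create and patch Events, whereas the neighbouring secrets entry documents its purpose inline (`// Contains the node state.`). Event names are generated, so unlike the secrets rule this one cannot be narrowed with resourceNames, and any Pod bound to this Role can create or patch any Event in the namespace; that trade-off is worth stating next to the rule, e.g. `// Lets the kube client in the Recorder Pod emit Events; Event names are generated, so this cannot be scoped by resourceNames.` The same three verbs are granted in the sample RBAC manifest later in this commit, so keep the two in sync if the client's needs change. tsrRole's body starts before the hunk.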


@ -44,6 +44,14 @@ spec:
value: "{{TS_DEST_IP}}" value: "{{TS_DEST_IP}}"
- name: TS_AUTH_ONCE - name: TS_AUTH_ONCE
value: "true" value: "true"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
securityContext: securityContext:
capabilities: capabilities:
add: add:
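Review bot: The new POD_NAME and POD_UID entries carry no comment saying what reads them, and in a sample manifest that users copy, unexplained downward-API fields tend to be dropped as unused. A one-line comment above the pair, e.g. `# POD_NAME and POD_UID are read by the kube client in the container so it can emit Events for this Pod; requires the events RBAC rule.`, would make the dependency visible. The same applies to the identical additions in the three later manifest sections of this commit. Whether the client fails loudly when the events rule is missing is not visible here; if it does, that belongs in the comment too.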


@ -13,3 +13,6 @@ rules:
resourceNames: ["{{TS_KUBE_SECRET}}"] resourceNames: ["{{TS_KUBE_SECRET}}"]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "update", "patch"] verbs: ["get", "update", "patch"]
- apiGroups: [""] # "" indicates the core API group
resources: ["events"]
verbs: ["get", "create", "patch"]


@ -26,6 +26,14 @@ spec:
name: tailscale-auth name: tailscale-auth
key: TS_AUTHKEY key: TS_AUTHKEY
optional: true optional: true
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
securityContext: securityContext:
capabilities: capabilities:
add: add:


@ -28,6 +28,14 @@ spec:
optional: true optional: true
- name: TS_ROUTES - name: TS_ROUTES
value: "{{TS_ROUTES}}" value: "{{TS_ROUTES}}"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
securityContext: securityContext:
capabilities: capabilities:
add: add:


@ -27,3 +27,11 @@ spec:
name: tailscale-auth name: tailscale-auth
key: TS_AUTHKEY key: TS_AUTHKEY
optional: true optional: true
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid


@ -134,7 +134,7 @@ func fakeKubeAPIRequest(t *testing.T, argSets []args) kubeAPIRequestFunc {
t.Errorf("[%d] got method %q, wants method %q", count, gotMethod, a.wantsMethod) t.Errorf("[%d] got method %q, wants method %q", count, gotMethod, a.wantsMethod)
} }
if gotUrl != a.wantsURL { if gotUrl != a.wantsURL {
t.Errorf("[%d] got URL %q, wants URL %q", count, gotMethod, a.wantsMethod) t.Errorf("[%d] got URL %q, wants URL %q", count, gotUrl, a.wantsURL)
} }
if d := cmp.Diff(gotIn, a.wantsIn); d != "" { if d := cmp.Diff(gotIn, a.wantsIn); d != "" {
t.Errorf("[%d] unexpected payload (-want + got):\n%s", count, d) t.Errorf("[%d] unexpected payload (-want + got):\n%s", count, d)
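Review bot: The corrected t.Errorf call now reports gotUrl and a.wantsURL, which fixes the argument mix-up, but the rewritten line keeps the `gotUrl` spelling; Go's initialism convention (staticcheck ST1003) wants `gotURL`, matching the `wantsURL` field used on the same line. The variable is declared outside this hunk, so the rename would touch lines beyond it. fakeKubeAPIRequest's body starts before the hunk and continues after it.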