cmd/k8s-operator,kube/kubeclient,docs/k8s: update rbac to emit events + small fixes (#14164)
This is a follow-up to #14112 where our internal kube client was updated to allow it to emit Events - this updates our sample kube manifests and tsrecorder manifest templates so they can benefit from this functionality. Updates tailscale/tailscale#14080 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
parent
303a4a1dfb
commit
ebeb5da202
@ -130,6 +130,15 @@ func tsrRole(tsr *tsapi.Recorder, namespace string) *rbacv1.Role {
|
|||||||
fmt.Sprintf("%s-0", tsr.Name), // Contains the node state.
|
fmt.Sprintf("%s-0", tsr.Name), // Contains the node state.
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"events"},
|
||||||
|
Verbs: []string{
|
||||||
|
"get",
|
||||||
|
"create",
|
||||||
|
"patch",
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
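Review bot: The new `events` rule in tsrRole has no `ResourceNames` and no comment, while the rule above it lists named objects and annotates what they hold (`// Contains the node state.`). Kubernetes RBAC cannot restrict `create` by resource name, so this rule lets the recorder's service account create and patch any Event in the namespace. That is probably unavoidable, but it should be stated so a later reader does not take the unscoped rule for an oversight. I would add a comment above the rule such as `// Events cannot be name-scoped for create; the recorder may write any Event in its namespace.` and confirm that `get` is actually needed by the client. The same point applies to the `events` rule added to the sample role in the `@ -13,3 +13,6 @@` hunk; tsrRole itself starts outside this hunk.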
@ -203,6 +212,14 @@ func env(tsr *tsapi.Recorder) []corev1.EnvVar {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Name: "POD_UID",
|
||||||
|
ValueFrom: &corev1.EnvVarSource{
|
||||||
|
FieldRef: &corev1.ObjectFieldSelector{
|
||||||
|
FieldPath: "metadata.uid",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
Name: "TS_STATE",
|
Name: "TS_STATE",
|
||||||
Value: "kube:$(POD_NAME)",
|
Value: "kube:$(POD_NAME)",
|
||||||
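Review bot: Nothing at the new `POD_UID` entry in env() says what consumes it, and the same holds for the `POD_NAME`/`POD_UID` pairs added to the sample manifests in the `@ -44,6 +44,14 @@`, `@ -26,6 +26,14 @@`, `@ -28,6 +28,14 @@` and `@ -27,3 +27,11 @@` hunks. Going by the commit description, these presumably let the kube client tie emitted Events to the Pod, which only works when the accompanying Role also grants the `events` verbs. Someone copying a Pod manifest without the updated Role would, I expect, get authorization failures or no Events at all. A one-line comment at each site would cover it, e.g. `// POD_UID identifies this Pod in emitted Events; requires the events rule in the Role.` env() begins and ends outside the hunk.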
|
@ -44,6 +44,14 @@ spec:
|
|||||||
value: "{{TS_DEST_IP}}"
|
value: "{{TS_DEST_IP}}"
|
||||||
- name: TS_AUTH_ONCE
|
- name: TS_AUTH_ONCE
|
||||||
value: "true"
|
value: "true"
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_UID
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.uid
|
||||||
securityContext:
|
securityContext:
|
||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
|
@ -13,3 +13,6 @@ rules:
|
|||||||
resourceNames: ["{{TS_KUBE_SECRET}}"]
|
resourceNames: ["{{TS_KUBE_SECRET}}"]
|
||||||
resources: ["secrets"]
|
resources: ["secrets"]
|
||||||
verbs: ["get", "update", "patch"]
|
verbs: ["get", "update", "patch"]
|
||||||
|
- apiGroups: [""] # "" indicates the core API group
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["get", "create", "patch"]
|
||||||
|
@ -26,6 +26,14 @@ spec:
|
|||||||
name: tailscale-auth
|
name: tailscale-auth
|
||||||
key: TS_AUTHKEY
|
key: TS_AUTHKEY
|
||||||
optional: true
|
optional: true
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_UID
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.uid
|
||||||
securityContext:
|
securityContext:
|
||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
|
@ -28,6 +28,14 @@ spec:
|
|||||||
optional: true
|
optional: true
|
||||||
- name: TS_ROUTES
|
- name: TS_ROUTES
|
||||||
value: "{{TS_ROUTES}}"
|
value: "{{TS_ROUTES}}"
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_UID
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.uid
|
||||||
securityContext:
|
securityContext:
|
||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
|
@ -27,3 +27,11 @@ spec:
|
|||||||
name: tailscale-auth
|
name: tailscale-auth
|
||||||
key: TS_AUTHKEY
|
key: TS_AUTHKEY
|
||||||
optional: true
|
optional: true
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_UID
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.uid
|
||||||
|
@ -134,7 +134,7 @@ func fakeKubeAPIRequest(t *testing.T, argSets []args) kubeAPIRequestFunc {
|
|||||||
t.Errorf("[%d] got method %q, wants method %q", count, gotMethod, a.wantsMethod)
|
t.Errorf("[%d] got method %q, wants method %q", count, gotMethod, a.wantsMethod)
|
||||||
}
|
}
|
||||||
if gotUrl != a.wantsURL {
|
if gotUrl != a.wantsURL {
|
||||||
t.Errorf("[%d] got URL %q, wants URL %q", count, gotMethod, a.wantsMethod)
|
t.Errorf("[%d] got URL %q, wants URL %q", count, gotUrl, a.wantsURL)
|
||||||
}
|
}
|
||||||
if d := cmp.Diff(gotIn, a.wantsIn); d != "" {
|
if d := cmp.Diff(gotIn, a.wantsIn); d != "" {
|
||||||
t.Errorf("[%d] unexpected payload (-want + got):\n%s", count, d)
|
t.Errorf("[%d] unexpected payload (-want + got):\n%s", count, d)
|
||||||
|
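Review bot: The payload check just below the corrected URL message has its diff legend the wrong way round. `cmp.Diff(gotIn, a.wantsIn)` marks lines from its first argument with `-`, so the output is -got +want, while the message says `(-want + got)`. Since this commit already fixes a misleading failure message in the same function, the arguments could be swapped here too: `if d := cmp.Diff(a.wantsIn, gotIn); d != "" {`. The enclosing closure continues past the end of the hunk.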