mirror of
				https://github.com/tailscale/tailscale.git
				synced 2025-10-26 02:29:28 +00:00 
			
		
		
		
	 19b31ac9a6
			
		
	
	19b31ac9a6
	
	
	
		
			
			cmd/k8s-operator: optionally update dnsrecords Configmap with DNS records for proxies. This commit adds functionality to automatically populate DNS records for the in-cluster ts.net nameserver to allow cluster workloads to resolve MagicDNS names associated with operator's proxies. The records are created as follows: * For tailscale Ingress proxies there will be a record mapping the MagicDNS name of the Ingress device and each proxy Pod's IP address. * For cluster egress proxies, configured via tailscale.com/tailnet-fqdn annotation, there will be a record for each proxy Pod, mapping the MagicDNS name of the exposed tailnet workload to the proxy Pod's IP. No records will be created for any other proxy types. Records will only be created if users have configured the operator to deploy an in-cluster ts.net nameserver by applying tailscale.com/v1alpha1.DNSConfig. It is user's responsibility to add the ts.net nameserver as a stub nameserver for ts.net DNS names. https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns#upstream_nameservers See also https://github.com/tailscale/tailscale/pull/11017 Updates tailscale/tailscale#10499 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
		
			
				
	
	
		
			73 lines
		
	
	
		
			1.8 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			73 lines
		
	
	
		
			1.8 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| # Copyright (c) Tailscale Inc & AUTHORS
 | |
| # SPDX-License-Identifier: BSD-3-Clause
 | |
| 
 | |
| apiVersion: v1
 | |
| kind: ServiceAccount
 | |
| metadata:
 | |
|   name: operator
 | |
|   namespace: {{ .Release.Namespace }}
 | |
| ---
 | |
| apiVersion: rbac.authorization.k8s.io/v1
 | |
| kind: ClusterRole
 | |
| metadata:
 | |
|   name: tailscale-operator
 | |
| rules:
 | |
| - apiGroups: [""]
 | |
|   resources: ["events", "services", "services/status"]
 | |
|   verbs: ["*"]
 | |
| - apiGroups: ["networking.k8s.io"]
 | |
|   resources: ["ingresses", "ingresses/status"]
 | |
|   verbs: ["*"]
 | |
| - apiGroups: ["networking.k8s.io"]
 | |
|   resources: ["ingressclasses"]
 | |
|   verbs: ["get", "list", "watch"]
 | |
| - apiGroups: ["tailscale.com"]
 | |
|   resources: ["connectors", "connectors/status", "proxyclasses", "proxyclasses/status"]
 | |
|   verbs: ["get", "list", "watch", "update"]
 | |
| - apiGroups: ["tailscale.com"]
 | |
|   resources: ["dnsconfigs", "dnsconfigs/status"]
 | |
|   verbs: ["get", "list", "watch", "update"]
 | |
| ---
 | |
| apiVersion: rbac.authorization.k8s.io/v1
 | |
| kind: ClusterRoleBinding
 | |
| metadata:
 | |
|   name: tailscale-operator
 | |
| subjects:
 | |
| - kind: ServiceAccount
 | |
|   name: operator
 | |
|   namespace: {{ .Release.Namespace }}
 | |
| roleRef:
 | |
|   kind: ClusterRole
 | |
|   name: tailscale-operator
 | |
|   apiGroup: rbac.authorization.k8s.io
 | |
| ---
 | |
| apiVersion: rbac.authorization.k8s.io/v1
 | |
| kind: Role
 | |
| metadata:
 | |
|   name: operator
 | |
|   namespace: {{ .Release.Namespace }}
 | |
| rules:
 | |
| - apiGroups: [""]
 | |
|   resources: ["secrets", "serviceaccounts", "configmaps"]
 | |
|   verbs: ["*"]
 | |
| - apiGroups: ["apps"]
 | |
|   resources: ["statefulsets", "deployments"]
 | |
|   verbs: ["*"]
 | |
| - apiGroups: ["discovery.k8s.io"]
 | |
|   resources: ["endpointslices"]
 | |
|   verbs: ["get", "list", "watch"]
 | |
| ---
 | |
| apiVersion: rbac.authorization.k8s.io/v1
 | |
| kind: RoleBinding
 | |
| metadata:
 | |
|   name: operator
 | |
|   namespace: {{ .Release.Namespace }}
 | |
| subjects:
 | |
| - kind: ServiceAccount
 | |
|   name: operator
 | |
|   namespace: {{ .Release.Namespace }}
 | |
| roleRef:
 | |
|   kind: Role
 | |
|   name: operator
 | |
|   apiGroup: rbac.authorization.k8s.io
 |