From b0042e5510c54105f36f870fd9c5ee920bfd1496 Mon Sep 17 00:00:00 2001
From: gitea-admin <admin@local>
Date: Sat, 9 May 2026 19:03:18 +0000
Subject: [PATCH] feat: deploy Tailscale Operator for remote cluster access

---
 tailscale/rbac.yaml | 48 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 tailscale/rbac.yaml

diff --git a/tailscale/rbac.yaml b/tailscale/rbac.yaml
new file mode 100644
index 0000000..8712bbd
--- /dev/null
+++ b/tailscale/rbac.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+  labels:
+    app.kubernetes.io/name: tailscale
+    app.kubernetes.io/component: operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-operator
+  labels:
+    app.kubernetes.io/name: tailscale
+    app.kubernetes.io/component: operator
+rules:
+- apiGroups: ['']
+  resources: ['secrets', 'services', 'endpoints']
+  verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+- apiGroups: ['']
+  resources: ['nodes']
+  verbs: ['get', 'list', 'update', 'patch']
+- apiGroups: ['apps']
+  resources: ['daemonsets']
+  verbs: ['get', 'list', 'watch']
+- apiGroups: ['tailscale.com']
+  resources: ['*']
+  verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+- apiGroups: ['coordination.k8s.io']
+  resources: ['leases']
+  verbs: ['get', 'create', 'update']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-operator
+  labels:
+    app.kubernetes.io/name: tailscale
+    app.kubernetes.io/component: operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+  name: tailscale-operator
+  namespace: tailscale