feat: add Tailscale operator and DaemonSet #4
@@ -0,0 +1,56 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: tailscaled
|
||||
namespace: tailscale
|
||||
labels:
|
||||
app: tailscale
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: tailscale
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: tailscale
|
||||
spec:
|
||||
hostNetwork: true
|
||||
serviceAccountName: tailscale
|
||||
containers:
|
||||
- name: tailscale
|
||||
image: tailscale/tailscale:latest
|
||||
env:
|
||||
- name: TS_KUBE_SECRET
|
||||
value: "tailscale-auth"
|
||||
- name: TS_STATE_DIR
|
||||
value: "/var/lib/tailscale"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: tailscale-auth
|
||||
volumeMounts:
|
||||
- name: var-lib-tailscale
|
||||
mountPath: /var/lib/tailscale
|
||||
- name: tailscale-tmp
|
||||
mountPath: /tmp
|
||||
- name: dev-tun
|
||||
mountPath: /dev/net/tun
|
||||
readOnly: true
|
||||
securityContext:
|
||||
privileged: true
|
||||
capabilities:
|
||||
add: ["NET_ADMIN", "NET_RAW"]
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 100Mi
|
||||
limits:
|
||||
memory: 200Mi
|
||||
volumes:
|
||||
- name: var-lib-tailscale
|
||||
persistentVolumeClaim:
|
||||
claimName: tailscale
|
||||
- name: tailscale-tmp
|
||||
emptyDir: {}
|
||||
- name: dev-tun
|
||||
hostPath:
|
||||
path: /dev/net/tun
|
||||
@@ -0,0 +1,6 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: tailscale
|
||||
labels:
|
||||
app: tailscale
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: tailscale
|
||||
namespace: tailscale
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
@@ -0,0 +1,30 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: tailscale
|
||||
namespace: tailscale
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: tailscale
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "services", "endpoints", "namespaces", "secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["tailnet.tailscale.com"]
|
||||
resources: ["*"]
|
||||
verbs: ["*"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: tailscale
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: tailscale
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: tailscale
|
||||
namespace: tailscale
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: tailnet.tailscale.com/v1alpha1
|
||||
kind: Tailnet
|
||||
metadata:
|
||||
name: talos-cluster
|
||||
namespace: tailscale
|
||||
spec:
|
||||
tagExposes: []
|
||||
dnsMode: "Split"
|
||||
users:
|
||||
- name: cluster-admin
|
||||
selector:
|
||||
matchLabels:
|
||||
tailscale.com/managed: "true"
|
||||
Reference in New Issue
Block a user