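---
# Identity the operator runs as. The ClusterRoleBinding at the end of this file
# binds it to the ClusterRole below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tailscale-operator
  namespace: tailscale
  labels:
    app.kubernetes.io/name: tailscale
    app.kubernetes.io/component: operator
---
# Permissions for the operator. This is a ClusterRole bound through a
# ClusterRoleBinding, so every rule below applies in ALL namespaces, not only
# in `tailscale`.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tailscale-operator
  labels:
    app.kubernetes.io/name: tailscale
    app.kubernetes.io/component: operator
rules:
  # NOTE(review): full read/write on Secrets cluster-wide. 'get'/'list'/'watch'
  # return Secret contents, so a compromise of this service account exposes
  # every credential stored in the cluster. If the operator only manages
  # Secrets in its own namespace, move `secrets` into a namespaced Role +
  # RoleBinding in `tailscale` and keep only what must be cluster-wide here.
  # TODO confirm against the operator's actual requirements.
  - apiGroups: ['']
    resources: ['secrets', 'services', 'endpoints']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
  # NOTE(review): 'update'/'patch' on Node objects allows changing node labels,
  # annotations and taints on any node. Confirm the operator needs write
  # access rather than read-only.
  - apiGroups: ['']
    resources: ['nodes']
    verbs: ['get', 'list', 'update', 'patch']
  # Read-only access to DaemonSets.
  - apiGroups: ['apps']
    resources: ['daemonsets']
    verbs: ['get', 'list', 'watch']
  # NOTE(review): the '*' wildcard covers every resource in the tailscale.com
  # group, including any added by future CRD versions. Prefer listing the
  # resources the operator reconciles so that new types are not granted
  # implicitly.
  - apiGroups: ['tailscale.com']
    resources: ['*']
    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
  # Presumably leader election (TODO confirm). No `resourceNames` is set, so
  # this applies to every Lease in every namespace; a namespaced Role with
  # `resourceNames` on 'get'/'update' would be tighter.
  - apiGroups: ['coordination.k8s.io']
    resources: ['leases']
    verbs: ['get', 'create', 'update']
---
# Grants the ClusterRole above to the operator's ServiceAccount at cluster
# scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tailscale-operator
  labels:
    app.kubernetes.io/name: tailscale
    app.kubernetes.io/component: operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tailscale-operator
subjects:
  - kind: ServiceAccount
    name: tailscale-operator
    namespace: tailscale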