pull/7361/merge
Thomas 2023-06-19 11:53:20 -04:00 committed by GitHub
commit e819c592a1
2 changed files with 57 additions and 28 deletions


@ -18,7 +18,7 @@ metadata:
name: proxies name: proxies
namespace: tailscale namespace: tailscale
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["*"] verbs: ["*"]
--- ---
@ -28,7 +28,7 @@ metadata:
name: proxies name: proxies
namespace: tailscale namespace: tailscale
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: proxies name: proxies
namespace: tailscale namespace: tailscale
roleRef: roleRef:
@ -47,7 +47,7 @@ kind: ClusterRole
metadata: metadata:
name: tailscale-operator name: tailscale-operator
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["services", "services/status"] resources: ["services", "services/status"]
verbs: ["*"] verbs: ["*"]
--- ---
@ -56,7 +56,7 @@ kind: ClusterRoleBinding
metadata: metadata:
name: tailscale-operator name: tailscale-operator
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: operator name: operator
namespace: tailscale namespace: tailscale
roleRef: roleRef:
@ -70,10 +70,10 @@ metadata:
name: operator name: operator
namespace: tailscale namespace: tailscale
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["*"] verbs: ["*"]
- apiGroups: ["apps"] - apiGroups: ["apps"]
resources: ["statefulsets"] resources: ["statefulsets"]
verbs: ["*"] verbs: ["*"]
--- ---
@ -83,7 +83,7 @@ metadata:
name: operator name: operator
namespace: tailscale namespace: tailscale
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: operator name: operator
namespace: tailscale namespace: tailscale
roleRef: roleRef:
@ -119,6 +119,8 @@ spec:
spec: spec:
serviceAccountName: operator serviceAccountName: operator
volumes: volumes:
- name: config
emptyDir: {}
- name: oauth - name: oauth
secret: secret:
secretName: operator-oauth secretName: operator-oauth
@ -151,6 +153,20 @@ spec:
- name: AUTH_PROXY - name: AUTH_PROXY
value: "false" value: "false"
volumeMounts: volumeMounts:
- name: config
mountPath: /.config
- name: oauth - name: oauth
mountPath: /oauth mountPath: /oauth
readOnly: true readOnly: true
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
securityContext:
runAsUser: 1000
runAsGroup: 3000
runAsNonRoot: true
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
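Review bot: The container-level `securityContext:` added here (`drop: - ALL`, `allowPrivilegeEscalation: false`) stops short of `readOnlyRootFilesystem: true`, even though the new `config` emptyDir mounted at `/.config` earlier in this section is exactly the writable scratch space that setting needs. I would add `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false` and confirm the operator writes nothing outside `/.config` and `/oauth` (the latter already `readOnly: true`). The uid/gid values in the pod-level block (`runAsUser: 1000`, `runAsGroup: 3000`, `fsGroup: 2000`) look arbitrary; a one-line comment stating whether they must match a USER in the image would help the next reader, and `emptyDir: {}` could carry a `sizeLimit` so the scratch volume is bounded. The enclosing pod spec starts and continues outside this hunk.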


@ -14,7 +14,10 @@ spec:
- name: sysctler - name: sysctler
image: busybox image: busybox
securityContext: securityContext:
privileged: true capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
command: ["/bin/sh"] command: ["/bin/sh"]
args: args:
- -c - -c
@ -35,3 +38,13 @@ spec:
capabilities: capabilities:
add: add:
- NET_ADMIN - NET_ADMIN
drop:
- ALL
allowPrivilegeEscalation: false
securityContext:
runAsUser: 1000
runAsGroup: 3000
runAsNonRoot: true
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
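Review bot: The pod-level `runAsUser: 1000` / `runAsNonRoot: true` added at the end of this hunk also governs the container that keeps `add: - NET_ADMIN` just above it, and on Linux a capability added through securityContext lands in the bounding set but is not effective for a non-zero uid unless the binary carries file capabilities, so the proxy may end up without usable NET_ADMIN after this change. The same pod settings apply to the `sysctler` init container in the first hunk of this file, which loses `privileged: true` and now drops all capabilities; its command is cut off after `-c`, but if it writes under `/proc/sys` it needs a writable `/proc/sys` and CAP_NET_ADMIN, which an unprivileged uid-1000 container normally lacks, so please confirm the init container still succeeds on a non-privileged runtime. Rather than relying on image defaults silently, I would record the decision above the pod-level `securityContext:`, e.g. `# NOTE: NET_ADMIN is only effective for uid 1000 if the binary has file capabilities; verify before relying on runAsNonRoot here`. The container definitions begin outside this hunk.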