pull/7361/merge
Thomas 2023-06-19 11:53:20 -04:00 committed by GitHub
commit e819c592a1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 57 additions and 28 deletions


@ -18,9 +18,9 @@ metadata:
name: proxies name: proxies
namespace: tailscale namespace: tailscale
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["*"] verbs: ["*"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
@ -28,9 +28,9 @@ metadata:
name: proxies name: proxies
namespace: tailscale namespace: tailscale
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: proxies name: proxies
namespace: tailscale namespace: tailscale
roleRef: roleRef:
kind: Role kind: Role
name: proxies name: proxies
@ -47,18 +47,18 @@ kind: ClusterRole
metadata: metadata:
name: tailscale-operator name: tailscale-operator
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["services", "services/status"] resources: ["services", "services/status"]
verbs: ["*"] verbs: ["*"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: tailscale-operator name: tailscale-operator
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: operator name: operator
namespace: tailscale namespace: tailscale
roleRef: roleRef:
kind: ClusterRole kind: ClusterRole
name: tailscale-operator name: tailscale-operator
@ -70,12 +70,12 @@ metadata:
name: operator name: operator
namespace: tailscale namespace: tailscale
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["*"] verbs: ["*"]
- apiGroups: ["apps"] - apiGroups: ["apps"]
resources: ["statefulsets"] resources: ["statefulsets"]
verbs: ["*"] verbs: ["*"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
@ -83,9 +83,9 @@ metadata:
name: operator name: operator
namespace: tailscale namespace: tailscale
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: operator name: operator
namespace: tailscale namespace: tailscale
roleRef: roleRef:
kind: Role kind: Role
name: operator name: operator
@ -119,9 +119,11 @@ spec:
spec: spec:
serviceAccountName: operator serviceAccountName: operator
volumes: volumes:
- name: oauth - name: config
secret: emptyDir: {}
secretName: operator-oauth - name: oauth
secret:
secretName: operator-oauth
containers: containers:
- name: operator - name: operator
image: tailscale/k8s-operator:unstable image: tailscale/k8s-operator:unstable
@ -151,6 +153,20 @@ spec:
- name: AUTH_PROXY - name: AUTH_PROXY
value: "false" value: "false"
volumeMounts: volumeMounts:
- name: oauth - name: config
mountPath: /oauth mountPath: /.config
readOnly: true - name: oauth
mountPath: /oauth
readOnly: true
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
securityContext:
runAsUser: 1000
runAsGroup: 3000
runAsNonRoot: true
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
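Review bot: The new `config` emptyDir mounted at `/.config` (declared in the previous hunk, mounted at the top of this one) carries no comment saying which process writes there or why it becomes necessary in this change; presumably it is the operator's state/config directory once the process runs as UID 1000 with no HOME, but that is inferred from the path, not stated anywhere in the manifest. Add a comment at the volume declaration, e.g. `# writable config/scratch dir for the non-root operator process; an emptyDir, so its contents are discarded when the pod is rescheduled`, adjusted to whatever actually writes there. Because emptyDir is not persisted, anyone reading this manifest should be able to confirm from the comment that the operator's durable state still lives elsewhere (a Secret, given the `secrets` RBAC granted earlier in the file). The rendered page drops indentation, so whether the trailing `securityContext` with `runAsUser`/`fsGroup` is at pod level or container level should be checked against the raw file; the Deployment's `spec` and `containers` entries start outside this hunk.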


@ -14,7 +14,10 @@ spec:
- name: sysctler - name: sysctler
image: busybox image: busybox
securityContext: securityContext:
privileged: true capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
command: ["/bin/sh"] command: ["/bin/sh"]
args: args:
- -c - -c
@ -35,3 +38,13 @@ spec:
capabilities: capabilities:
add: add:
- NET_ADMIN - NET_ADMIN
drop:
- ALL
allowPrivilegeEscalation: false
securityContext:
runAsUser: 1000
runAsGroup: 3000
runAsNonRoot: true
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
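Review bot: The `sysctler` init container (first hunk of this file) now drops ALL capabilities with `allowPrivilegeEscalation: false`, and if the trailing `securityContext` block with `runAsUser: 1000` / `runAsNonRoot: true` is at pod level, as its position after the container list suggests, the init container also runs as UID 1000; writing sysctls under /proc/sys/net needs CAP_NET_ADMIN and the files are root-owned, so whatever sysctl writes the container performs (its command body is outside the hunk) will likely fail and block the pod from starting. If the container must keep setting sysctls, give it its own `securityContext` that keeps root and adds only what it needs, e.g. `runAsUser: 0` plus `capabilities: {add: ["NET_ADMIN"], drop: ["ALL"]}`, rather than `drop: ALL` alone. The same check applies to the main container's `capabilities.add: NET_ADMIN` in this hunk: adding a capability to a container that starts as a non-root UID is generally ineffective because the process begins with an empty effective capability set unless the binary carries file capabilities, so tailscaled's TUN/route setup should be re-tested under this manifest rather than assumed to work. If the `runAsUser`/`fsGroup` block is in fact container-level here, the container would have two `securityContext` keys and most YAML loaders silently keep the last one, discarding the capabilities block — the rendered page loses indentation, so confirm the nesting in the raw file.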