examples/subnet-router.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tailscale
---
apiVersion: v1
kind: Secret
metadata:
name: tailscale
data: {}
---
apiVersion: v1
kind: Secret
metadata:
name: tailscale-auth
stringData:
# Set to a Auth key for the desired tailnet generated in the Tailscale admin panel
TS_AUTH_KEY: <YOUR-TS-AUTH-KEY>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tailscale
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- tailscale
verbs:
- get
- update
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tailscale
subjects:
- kind: ServiceAccount
name: tailscale
roleRef:
kind: Role
name: tailscale
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tailscale-namespace-router
spec:
minReadySeconds: 15
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: tailscale-namespace-router
strategy:
type: Recreate
template:
metadata:
labels:
app: tailscale-namespace-router
spec:
containers:
- env:
- name: TS_KUBE_SECRET
value: tailscale
- name: TS_USERSPACE
value: "true"
- name: TS_AUTH_KEY
valueFrom:
secretKeyRef:
key: TS_AUTH_KEY
name: tailscale-auth
optional: true
- name: HOME
value: /home/tailscale
- name: TS_SOCKET
value: /var/run/tailscaled/tailscaled.sock
image: ghcr.io/tailscale/tailscale:latest
name: tailscale
resources:
requests:
cpu: 40m
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /home/tailscale
name: home
- mountPath: /var/run/tailscaled
name: socket
- command:
- /usr/local/bin/tailscale
- --socket=/var/run/tailscaled/tailscaled.sock
- web
image: ghcr.io/tailscale/tailscale:latest
name: tailscale-web
resources:
requests:
cpu: 10m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/tailscaled
name: socket
- image: ghcr.io/appuio/tailscale-service-observer:latest
env:
- name: TARGET_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
name: service-observer
resources:
requests:
cpu: 10m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /home/tailscale
name: home
serviceAccountName: tailscale
volumes:
- emptyDir: {}
name: home
- emptyDir: {}
name: socket