Commit

feat(tailscale): use a proxyclass
- Use a resource for tun
- Drop privileges in the security context
jfroy committed Sep 12, 2024
1 parent b0907bc commit 4448dfe
Showing 3 changed files with 27 additions and 0 deletions.
Expand Up @@ -6,6 +6,7 @@ metadata:
spec:
hostname: kantai-connector
exitNode: true
proxyClass: kernel-org-tun
subnetRouter:
advertiseRoutes:
- "10.10.0.0/16"
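Review bot: the new `proxyClass: kernel-org-tun` line ties this connector, which is both an exit node and a subnet router for 10.10.0.0/16, to a ProxyClass that is created in the same commit, so a rejected or not-yet-ready ProxyClass would leave the proxy without the tun resource and security context this change depends on. It is worth confirming after rollout that the ProxyClass reports ready and that the connector's StatefulSet actually carries the `kernel.org/tun` limit and the dropped capabilities, rather than assuming the reference took effect.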
Expand Up @@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./connector.yaml
- ./proxyclass.yaml
@@ -0,0 +1,25 @@
---
apiVersion: tailscale.com/v1alpha1
kind: ProxyClass
metadata:
name: kernel-org-tun
spec:
statefulSet:
pod:
tailscaleContainer:
resources:
requests:
cpu: 10m
limits:
kernel.org/tun: 1
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
capabilities:
drop: ["ALL"]
add: ["NET_ADMIN", "NET_RAW"]
seccompProfile: { type: Unconfined }
tailscaleInitContainer:
securityContext:
privileged: true
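Review bot: `seccompProfile: { type: Unconfined }` on tailscaleContainer turns off syscall filtering for a container that still runs as `runAsUser: 0` with `NET_ADMIN` and `NET_RAW`, which undercuts the "drop privileges" goal of the commit. Consider `type: RuntimeDefault` and fall back to Unconfined only if a specific syscall is shown to be blocked, with a comment in the manifest saying which one. Separately, tailscaleInitContainer keeps `privileged: true`, so the pod as a whole is still admitted as privileged; a short comment explaining what the init container needs that for (or a narrower capability set if it only configures networking) would make the remaining exposure explicit. Minor: the resources block sets a memory limit of 200Mi but no memory request, and a CPU request but no CPU limit; stating both sides for memory keeps scheduling and the limit consistent.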
