diff --git a/kubernetes/apps/tailscale/tailscale-operator/connector/connector.yaml b/kubernetes/apps/tailscale/tailscale-operator/connector/connector.yaml
index 83bacfce8..74f8534bd 100644
--- a/kubernetes/apps/tailscale/tailscale-operator/connector/connector.yaml
+++ b/kubernetes/apps/tailscale/tailscale-operator/connector/connector.yaml
@@ -6,6 +6,7 @@ metadata:
 spec:
   hostname: kantai-connector
   exitNode: true
+  proxyClass: kernel-org-tun
   subnetRouter:
     advertiseRoutes:
       - "10.10.0.0/16"
diff --git a/kubernetes/apps/tailscale/tailscale-operator/connector/kustomization.yaml b/kubernetes/apps/tailscale/tailscale-operator/connector/kustomization.yaml
index 3603039fe..a910192c0 100644
--- a/kubernetes/apps/tailscale/tailscale-operator/connector/kustomization.yaml
+++ b/kubernetes/apps/tailscale/tailscale-operator/connector/kustomization.yaml
@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./connector.yaml
+  - ./proxyclass.yaml
diff --git a/kubernetes/apps/tailscale/tailscale-operator/connector/proxyclass.yaml b/kubernetes/apps/tailscale/tailscale-operator/connector/proxyclass.yaml
new file mode 100644
index 000000000..636ae66e5
--- /dev/null
+++ b/kubernetes/apps/tailscale/tailscale-operator/connector/proxyclass.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: kernel-org-tun
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        resources:
+          requests:
+            cpu: 10m
+          limits:
+            kernel.org/tun: 1
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 0
+          capabilities:
+            drop: ["ALL"]
+            add: ["NET_ADMIN", "NET_RAW"]
+          seccompProfile: { type: Unconfined }
+        tailscaleInitContainer:
+          securityContext:
+            privileged: true
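Review bot: The `tailscaleInitContainer` in the new proxyclass.yaml is given `privileged: true` with no stated reason, while the `tailscaleContainer` just above it is deliberately narrowed (`drop: ["ALL"]`, `add: ["NET_ADMIN", "NET_RAW"]`, `allowPrivilegeEscalation: false`); that asymmetry should be explained in the manifest so a later reader neither loosens the main container to match nor tightens the init container and breaks routing. The same gap applies to `seccompProfile: { type: Unconfined }` and `runAsUser: 0`, which together with NET_ADMIN make this a root, unconfined, network-admin workload. Presumably the init step needs privilege to set the IP-forwarding sysctls that the Connector's `exitNode: true` and `subnetRouter` in connector.yaml depend on, and the `kernel.org/tun: 1` device is why kernel-mode networking is used rather than userspace — both are inferred, not visible in this diff. Add a comment above each setting, e.g. `# privileged: init container sets forwarding sysctls for the exit node / subnet router (<confirm against operator docs>)` and `# Unconfined seccomp: <reason>; RuntimeDefault not used because <reason>`, plus a line under `spec` noting that this class is intended only for the Connector and should not be reused for ordinary ingress/egress proxies.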