mirror of
https://github.com/tailscale/tailscale.git
synced 2026-02-19 15:15:31 -05:00
a341eea00b
This commit adds a new custom resource definition to the kubernetes operator named `ProxyGroupPolicy`. This resource is namespace scoped and is used as an allow list for which `ProxyGroup` resources can be used within its namespace. The `spec` contains two fields, `ingress` and `egress`. These should contain the names of `ProxyGroup` resources to denote which can be used as values in the `tailscale.com/proxy-group` annotation within `Service` and `Ingress` resources. The intention is for these policies to be merged within a namespace and produce a `ValidatingAdmissionPolicy` and `ValidatingAdmissionPolicyBinding` for both ingress and egress that prevents users from using names of `ProxyGroup` resources in those annotations. Closes: https://github.com/tailscale/corp/issues/36829 Signed-off-by: David Bond <davidsbond93@gmail.com>
Tailscale Kubernetes operator deployment manifests
./cmd/k8s-operator/deploy contain various Tailscale Kubernetes operator deployment manifests.
Helm chart
./cmd/k8s-operator/deploy/chart contains Tailscale operator Helm chart templates.
The chart templates are also used to generate the static manifest, so developers must ensure that any changes applied to the chart have been propagated to the static manifest by running go generate tailscale.com/cmd/k8s-operator
Static manifests
./cmd/k8s-operator/deploy/manifests/operator.yaml is a static manifest for the operator generated from the Helm chart templates for the operator.