tailscale/cmd/k8s-operator/deploy/manifests/authproxy-rbac.yaml

# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-apiserver-auth-proxy
  namespace: tailscale
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tailscale-auth-proxy
rules:
- apiGroups: [""]
  resources: ["users", "groups"]
  verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tailscale-auth-proxy
subjects:
- kind: ServiceAccount
  name: operator
  namespace: tailscale
- kind: ServiceAccount
  name: kube-apiserver-auth-proxy
  namespace: tailscale
roleRef:
  kind: ClusterRole
  name: tailscale-auth-proxy
  apiGroup: rbac.authorization.k8s.io