We were previously relying on unintended behaviour by runc where all containers were by default given read/write/mknod permissions for tun devices. This behaviour was removed in https://github.com/opencontainers/runc/pull/3468 and released in runc 1.2. The containerd container runtime, used by Docker and the majority of Kubernetes distributions, bumped runc to 1.2 in 1.7.24 (https://github.com/containerd/containerd/releases/tag/v1.7.24), thus breaking our reference tun-mode Tailscale Kubernetes manifests and Kubernetes operator proxies. This PR changes all the Kubernetes container configs that run Tailscale in tun mode to privileged. This should not be a breaking change because all these containers would run in a Pod that already has a privileged init container. Updates tailscale/tailscale#14256 Updates tailscale/tailscale#10814 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
		
			
				
	
	
		
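# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause
#
# Reference manifest: a single Pod running Tailscale as a subnet router in
# kernel (tun) networking mode (TS_USERSPACE=false), advertising the routes
# given in TS_ROUTES. Values written as "{{NAME}}" are placeholders that are
# substituted before the manifest is applied.
apiVersion: v1
kind: Pod
metadata:
  name: subnet-router
  labels:
    app: tailscale
spec:
  # Service account the Pod runs as; placeholder, substituted before apply.
  serviceAccountName: "{{SA_NAME}}"
  containers:
  - name: tailscale
    # ":latest" is a floating tag, so Always re-pulls on every Pod start.
    # Pin a version or digest if reproducible rollouts matter.
    imagePullPolicy: Always
    image: "ghcr.io/tailscale/tailscale:latest"
    env:
    # Store the state in a k8s secret
    - name: TS_KUBE_SECRET
      value: "{{TS_KUBE_SECRET}}"
    # Kernel (tun) mode rather than userspace networking; this is what
    # requires the container to reach a tun device (see securityContext).
    - name: TS_USERSPACE
      value: "false"
    # Quoted for consistency with the other string values in this file.
    - name: TS_DEBUG_FIREWALL_MODE
      value: "auto"
    # Auth key is read from the "tailscale-auth" Secret. optional: true means
    # the Pod still starts when the Secret or key is absent.
    - name: TS_AUTHKEY
      valueFrom:
        secretKeyRef:
          name: tailscale-auth
          key: TS_AUTHKEY
          optional: true
    # Subnet routes to advertise; placeholder, substituted before apply.
    - name: TS_ROUTES
      value: "{{TS_ROUTES}}"
    # Pod identity via the downward API.
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_UID
      valueFrom:
        fieldRef:
          fieldPath: metadata.uid
    # privileged gives this container unrestricted access to the node (host
    # devices, all capabilities), so root in the container is effectively root
    # on the node; the baseline and restricted Pod Security Standards reject
    # it, so the namespace must permit privileged Pods. It is needed because
    # runc 1.2 (https://github.com/opencontainers/runc/pull/3468, shipped with
    # containerd 1.7.24) stopped granting containers read/write/mknod access
    # to tun devices by default, which tun mode previously relied on. Limit
    # who can apply this manifest and where it is scheduled accordingly.
    # NOTE(review): this Pod declares no initContainers, so the "already has a
    # privileged init container" rationale from the change description does
    # not visibly apply to this manifest; confirm the elevated privilege is
    # acceptable here.
    securityContext:
      privileged: true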