• Tailscale on Kubernetes

    • Kubernetes configuration

      • cluster-cidr: defines the Pod CIDR.
      • service-cluster-ip-range: defines the Service CIDR.
      grep -e "cluster-cidr" -e "service-cluster-ip-range" /etc/kubernetes/manifests/kube-controller-manager.yaml
      
    • repo

      git clone https://github.com/tailscale/tailscale.git
      cd tailscale/docs/k8s
      
    • Configure Role-Based Access Control

      export SA_NAME=tailscale
      export TS_KUBE_SECRET=tailscale-auth
      make rbac | kubectl apply -f-
      
      make rbac | kubectl delete -f-
      
    • [Subnet router] Lets devices on the Tailscale network reach Kubernetes pods and services through the advertised subnet routes.

      Set up RBAC first, then deploy the subnet router: https://tailscale.com/kb/1185/kubernetes#subnet-router

      • Makefile variables
      SERVICE_CIDR=10.20.0.0/16
      POD_CIDR=10.42.0.0/15
      export TS_ROUTES=$SERVICE_CIDR,$POD_CIDR
      
      make subnet-router | kubectl apply -f-
      # If not using an auth key, authenticate by grabbing the Login URL here:
      kubectl logs subnet-router
      
      # Get the Service IP
      INTERNAL_IP="$(kubectl get svc <SVC_NAME> -o=jsonpath='{.spec.clusterIP}')"
      # or, the Pod IP
      # INTERNAL_IP="$(kubectl get po <POD_NAME> -o=jsonpath='{.status.podIP}')"
      INTERNAL_PORT=8080
      curl http://$INTERNAL_IP:$INTERNAL_PORT
      
      make subnet-router | kubectl delete -f-
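      The two steps above (read the CIDRs from the controller-manager manifest, then export them as TS_ROUTES) can be chained so the advertised routes are never typed by hand. The script below is an added example, not code from the Tailscale repo; the manifest text in SAMPLE_MANIFEST is constructed sample input, and build_ts_routes / is_ipv4_cidr are names chosen here.

```sh
#!/bin/sh
# Added example (not from the Tailscale repo): derive TS_ROUTES for the subnet
# router from kube-controller-manager.yaml instead of typing the CIDRs by hand,
# and refuse to advertise anything that is not a valid, non-default IPv4 CIDR.
set -eu

# Constructed sample of the "command:" flags in kube-controller-manager.yaml.
SAMPLE_MANIFEST='    - --allocate-node-cidrs=true
    - --cluster-cidr=10.42.0.0/16
    - --service-cluster-ip-range=10.43.0.0/16
    - --leader-elect=true'

# Print the value of one "- --flag=value" entry read from stdin (first match).
manifest_flag() {
  sed -n "s/^[[:space:]]*- --$1=\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Return 0 only for a well-formed dotted-quad IPv4 CIDR with prefix 1..32.
# /0 is rejected on purpose: advertising 0.0.0.0/0 turns the node into an
# exit node for the whole tailnet, which is not what a subnet router is for.
is_ipv4_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Build the comma-separated list the Makefile expects in TS_ROUTES
# (Service CIDR first, then Pod CIDR, matching the notes above).
build_ts_routes() {
  svc="$(printf '%s\n' "$1" | manifest_flag service-cluster-ip-range)"
  pod="$(printf '%s\n' "$1" | manifest_flag cluster-cidr)"
  for cidr in "$svc" "$pod"; do
    is_ipv4_cidr "$cidr" || { echo "refusing to advertise '$cidr'" >&2; return 1; }
  done
  printf '%s,%s\n' "$svc" "$pod"
}

# On a real node, pass "$(cat /etc/kubernetes/manifests/kube-controller-manager.yaml)"
TS_ROUTES="$(build_ts_routes "$SAMPLE_MANIFEST")"
export TS_ROUTES
echo "TS_ROUTES=$TS_ROUTES"   # then: make subnet-router | kubectl apply -f-
```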