From cb030a0bb4315a6d2aa1db9e340026f91606925a Mon Sep 17 00:00:00 2001
From: Robert
Date: Sat, 16 Oct 2021 15:17:36 -0700
Subject: [PATCH] docs/k8s: add example about setting up a subnet router

Signed-off-by: Robert
Co-authored-by: Maisem Ali <3953239+maisem@users.noreply.github.com>
---
 docs/k8s/Makefile | 4 ++++
 docs/k8s/README.md | 37 +++++++++++++++++++++++++++++++++++++
 docs/k8s/subnet.yaml | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 docs/k8s/subnet.yaml

diff --git a/docs/k8s/Makefile b/docs/k8s/Makefile
index abb664484..580164739 100644
--- a/docs/k8s/Makefile
+++ b/docs/k8s/Makefile
@@ -32,3 +32,7 @@ userspace-sidecar:
 proxy:
 	@kubectl delete -f proxy.yaml --ignore-not-found --grace-period=0
 	@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" proxy.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | sed -e "s;{{DEST_IP}};$(DEST_IP);g" | kubectl create -f-
+
+subnet-router:
+	@kubectl delete -f subnet.yaml --ignore-not-found --grace-period=0
+	@sed -e "s;{{KUBE_SECRET}};$(KUBE_SECRET);g" subnet.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{IMAGE_TAG}};$(IMAGE_TAG);g" | sed -e "s;{{ROUTES}};$(ROUTES);g" | kubectl create -f-
diff --git a/docs/k8s/README.md b/docs/k8s/README.md
index 792c7f0e2..852367844 100644
--- a/docs/k8s/README.md
+++ b/docs/k8s/README.md
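Review bot: None of the four `sed` substitutions in the new `subnet-router` recipe checks that its variable is set, so `make subnet-router` with `ROUTES` (or `SA_NAME`, `IMAGE_TAG`, `KUBE_SECRET`) unexported silently renders the placeholder to an empty string and submits a pod with an empty `serviceAccountName`, `image` or `ROUTES` value instead of failing early. A guard at the top of the recipe such as `$(if $(ROUTES),,$(error ROUTES is not set))`, repeated for the other variables, would turn that into a hard error before anything is deleted or created. The existing `proxy` target shown as context has the same gap, so a shared check variable used by both targets would keep them consistent.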
@@ -108,3 +108,40 @@ Running a Tailscale proxy allows you to provide inbound connectivity to a Kubern
    ```bash
    curl "http://$(tailscale ip -4 proxy)"
    ```
+
+### Subnet Router
+
+Running a Tailscale [subnet router](https://tailscale.com/kb/1019/subnets/) allows you to access
+the entire Kubernetes cluster network (assuming NetworkPolicies allow) over Tailscale.
+
+1. Identify the Pod/Service CIDRs that cover your Kubernetes cluster. These will vary depending on [which CNI](https://kubernetes.io/docs/concepts/cluster-administration/networking/) you are using and on the Cloud Provider you are using. Add these to the `ROUTES` variable as comma-separated values.
+
+   ```bash
+   SERVICE_CIDR=10.20.0.0/16
+   POD_CIDR=10.42.0.0/15
+   export ROUTES=$SERVICE_CIDR,$POD_CIDR
+   ```
+
+1. Deploy the subnet-router pod.
+
+   ```bash
+   make subnet-router
+   # If not using an auth key, authenticate by grabbing the Login URL here:
+   kubectl logs subnet-router
+   ```
+
+1. In the [Tailscale admin console](https://login.tailscale.com/admin/machines), ensure that the
+routes for the subnet-router are enabled.
+
+1. Make sure that any client you want to connect from has `--accept-routes` enabled.
+
+1. Check if you can connect to a `ClusterIP` or a `PodIP` over Tailscale:
+
+   ```bash
+   # Get the Service IP
+   INTERNAL_IP="$(kubectl get svc -o=jsonpath='{.spec.clusterIP}')"
+   # or, the Pod IP
+   # INTERNAL_IP="$(kubectl get po -o=jsonpath='{.status.podIP}')"
+   INTERNAL_PORT=8080
+   curl http://$INTERNAL_IP:$INTERNAL_PORT
+   ```
\ No newline at end of file
diff --git a/docs/k8s/subnet.yaml b/docs/k8s/subnet.yaml
new file mode 100644
index 000000000..eaf5820cd
--- /dev/null
+++ b/docs/k8s/subnet.yaml
@@ -0,0 +1,32 @@
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: subnet-router
+  labels:
+    app: tailscale
+spec:
+  serviceAccountName: "{{SA_NAME}}"
+  containers:
+  - name: tailscale
+    imagePullPolicy: Always
+    image: "{{IMAGE_TAG}}"
+    env:
+    # Store the state in a k8s secret
+    - name: KUBE_SECRET
+      value: "{{KUBE_SECRET}}"
+    - name: USERSPACE
+      value: "true"
+    - name: AUTH_KEY
+      valueFrom:
+        secretKeyRef:
+          name: tailscale-auth
+          key: AUTH_KEY
+          optional: true
+    - name: ROUTES
+      value: "{{ROUTES}}"
+    securityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
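Review bot: The `securityContext` at the end of the container spec only sets `runAsUser`/`runAsGroup`, so the container keeps the default capability set and can still gain privilege via setuid binaries, even though this pod advertises a route to the whole Pod/Service CIDR and is therefore the most valuable target in the example. Because the container runs with `USERSPACE: "true"`, it presumably needs no NET_ADMIN or raw-socket capability (worth confirming against the image), which makes the tightest context practical: add `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: drop: [ALL]` to the existing block as below. Separately, `imagePullPolicy: Always` combined with a templated `{{IMAGE_TAG}}` runs whatever the tag resolves to at pod start; if the tag is mutable, pinning by digest (`image@sha256:...`) keeps the deployment reproducible. Whether the `{{SA_NAME}}` service account's RBAC is scoped to the single `{{KUBE_SECRET}}` secret is not visible in this file and should be checked alongside it.
```yaml
    # … unchanged: env block …
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      runAsGroup: 1000
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
```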