# Copyright (c) Tailscale Inc & AUTHORS # SPDX-License-Identifier: BSD-3-Clause apiVersion: v1 kind: Pod metadata: name: proxy spec: serviceAccountName: "{{SA_NAME}}" initContainers: # In order to run as a proxy we need to enable IP Forwarding inside # the container. The `net.ipv4.ip_forward` sysctl is not allowlisted # in Kubelet by default. - name: sysctler image: "ghcr.io/tailscale/tailscale:latest" securityContext: privileged: true command: ["/bin/sh"] args: - -c - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 resources: requests: cpu: 1m memory: 1Mi containers: - name: tailscale imagePullPolicy: Always image: "ghcr.io/tailscale/tailscale:latest" env: # Store the state in a k8s secret - name: TS_KUBE_SECRET value: "{{TS_KUBE_SECRET}}" - name: TS_USERSPACE value: "false" - name: TS_DEBUG_FIREWALL_MODE value: auto - name: TS_AUTHKEY valueFrom: secretKeyRef: name: tailscale-auth key: TS_AUTHKEY optional: true - name: TS_DEST_IP value: "{{TS_DEST_IP}}" - name: TS_AUTH_ONCE value: "true" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_UID valueFrom: fieldRef: fieldPath: metadata.uid securityContext: capabilities: add: - NET_ADMIN