
Improve documentation for Tailscale + K3s with an example ACL #10078

Open
clouedoc opened this issue May 8, 2024 · 1 comment

clouedoc commented May 8, 2024

Is your feature request related to a problem? Please describe.

I was stuck debugging a connectivity issue on my newly-created cluster for multiple days.
It turns out the Tailscale ACL I had written was insufficient.
It looked like #8372 for a long while.

Describe the solution you'd like

An example Tailscale ACL in the k3s documentation.

Describe alternatives you've considered

  • Taking a networking course
  • Banging my head on the table (didn't help)
  • Asking my friends for moral support

Example ACL

I attached an excerpt from my ACL which might help my fellow Tailscale+k3s enthusiasts.

Some information to know before reading:

  • My cluster's nodes get auto-assigned the "skynet" tag.
  • PodCIDR is 10.142.0.0/16 and ServiceCIDR is 10.143.0.0/16.
  • What was missing for me was to approve connections from the above subnets. I think I could skip the ServiceCIDR but I don't want to run into this issue again!
  • "grafana:80" is just a service running on another machine connected to the network. I don't want skynet to escape...
{
  // Nodes tagged skynet and the pod/service subnets may reach each other on any
  // port. Nothing else is listed, so everything else is denied (ACLs are default-deny).
  "acls": [
    {
      "action": "accept",
      "src": ["tag:skynet", "10.142.0.0/16", "10.143.0.0/16"],
      "dst": ["10.142.0.0/16:*", "10.143.0.0/16:*", "tag:skynet:*"],
    },
  ],
  // Let skynet-tagged nodes advertise the pod and service CIDRs as subnet
  // routes without manual approval in the admin console.
  "autoApprovers": {
    "routes": {
      "10.142.0.0/16": ["tag:skynet"],
      "10.143.0.0/16": ["tag:skynet"],
    },
  },
  "tagOwners": {
    "tag:skynet": ["autogroup:admin"],
  },
  // Assertions that are checked every time the policy is saved: the API port
  // must be reachable from nodes and from both subnets, and none of them may
  // reach the grafana host on another machine.
  "tests": [
    {
      "src": "tag:skynet",
      "accept": ["10.142.0.1:6443", "10.143.0.1:6443", "tag:skynet:6443"],
      "deny": ["grafana:80"],
    },
    {
      "src": "10.142.0.1",
      "accept": ["10.142.0.1:6443", "10.143.0.1:6443", "tag:skynet:6443"],
      "deny": ["grafana:80"],
    },
    {
      "src": "10.143.0.1",
      "accept": ["10.142.0.1:6443", "10.143.0.1:6443", "tag:skynet:6443"],
      "deny": ["grafana:80"],
    },
  ],
}
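A way to sanity-check a policy like this offline before pushing it, as an added example that is not part of the issue, of k3s or of Tailscale: a minimal Python evaluator that replays the policy's own `tests` block against its `acls`, and `without_cidr_sources`, which reconstructs the gap the author describes (only `tag:skynet` in `src`) to show which expectations break. It assumes IPv4 CIDRs, tags and literal host aliases only; port ranges, groups and autogroups are not modelled.

```python
import copy
import ipaddress

API = ["10.142.0.1:6443", "10.143.0.1:6443", "tag:skynet:6443"]
POLICY = {  # constructed copy of the ACL from the issue (HuJSON -> Python dict)
    "acls": [{"action": "accept",
              "src": ["tag:skynet", "10.142.0.0/16", "10.143.0.0/16"],
              "dst": ["10.142.0.0/16:*", "10.143.0.0/16:*", "tag:skynet:*"]}],
    "tests": [{"src": s, "accept": API, "deny": ["grafana:80"]}
              for s in ("tag:skynet", "10.142.0.1", "10.143.0.1")],
}

def _covers(pattern, subject):
    """Exact tag/alias match, or an IPv4 address inside a CIDR pattern."""
    try:
        return pattern == subject or ipaddress.ip_address(subject) in ipaddress.ip_network(pattern)
    except ValueError:  # subject is not an address or pattern is not a CIDR
        return False

def allowed(policy, src, dst):
    """Default-deny: True only if an accept rule covers src and dst 'host:port'."""
    host, port = dst.rsplit(":", 1)
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(_covers(p, src) for p in rule["src"]):
            continue
        for d in rule["dst"]:
            dhost, dport = d.rsplit(":", 1)  # "tag:skynet:*" -> ("tag:skynet", "*")
            if _covers(dhost, host) and dport in ("*", port):  # no port ranges
                return True
    return False

def run_tests(policy):
    """Replay the policy's own tests block; return the expectations it violates."""
    failures = []
    for t in policy["tests"]:
        failures += [f"accept {t['src']} -> {d}" for d in t.get("accept", [])
                     if not allowed(policy, t["src"], d)]
        failures += [f"deny {t['src']} -> {d}" for d in t.get("deny", [])
                     if allowed(policy, t["src"], d)]
    return failures

def without_cidr_sources(policy):
    """Hypothetical earlier policy: only the tag in src, no pod/service CIDRs."""
    before = copy.deepcopy(policy)
    before["acls"][0]["src"] = ["tag:skynet"]
    return before
```

With the CIDR sources removed, every accept expectation for the 10.142.0.1 and 10.143.0.1 sources fails while the grafana deny still holds, which is exactly the symptom of pod traffic being dropped.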
brandond commented May 8, 2024

cc @manuelbuil - I know we'd intentionally avoided getting too fancy with the example tailscale config in the docs. Not sure if this is something we want to entertain or not.
