cmd/k8s-operator: add nodeSelector to `DNSConfig` resourcedavidb/dns-config-node-selector

This commit modifies the `DNSConfig` resource to allow customisation of the `spec.nodeSelector` field in the nameserver pods. Closes: https://github.com/tailscale/tailscale/issues/19419 Signed-off-by: David Bond <davidsbond93@gmail.com>
author: David Bond <davidsbond93@gmail.com> 2026-04-16 14:10:12 +0100
committer: David Bond <davidsbond93@gmail.com> 2026-04-16 14:10:12 +0100
commit: bdb77000423efd70d37b7dd76d552457fff9a099 (patch)
tree: 9c7436e644d729ccfee3eb8cc82c46ff1f98128d /cmd
parent: 4f47c3c93d71dd4436e9163d9aa4bb7fc82a1ae8 (diff)
download: tailscale-davidb/dns-config-node-selector.tar.xz
tailscale-davidb/dns-config-node-selector.zip
4 files changed, 28 insertions, 9 deletions
diff --git a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
index d54b0eca0..4d6422ede 100644
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
@@ -977,6 +977,11 @@ spec:
                                           Empty topologyKey is not allowed.
                                         type: string
                                   x-kubernetes-list-type: atomic
+                        nodeSelector:
+                          description: If specified, applies node selector rules to the pods deployed by the DNSConfig resource.
+                          type: object
+                          additionalProperties:
+                            type: string
                         tolerations:
                           description: If specified, applies tolerations to the pods deployed by the DNSConfig resource.
                           type: array
diff --git a/cmd/k8s-operator/deploy/manifests/operator.yaml b/cmd/k8s-operator/deploy/manifests/operator.yaml
index d3c2e74de..07c9f3af3 100644
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -1315,6 +1315,11 @@ spec:
                                                                 x-kubernetes-list-type: atomic
                                                         type: object
                                                 type: object
+                                            nodeSelector:
+                                                additionalProperties:
+                                                    type: string
+                                                description: If specified, applies node selector rules to the pods deployed by the DNSConfig resource.
+                                                type: object
                                             tolerations:
                                                 description: If specified, applies tolerations to the pods deployed by the DNSConfig resource.
                                                 items:
diff --git a/cmd/k8s-operator/nameserver.go b/cmd/k8s-operator/nameserver.go
index 9a5b98ed1..f5565e5d3 100644
--- a/cmd/k8s-operator/nameserver.go
+++ b/cmd/k8s-operator/nameserver.go
@@ -191,6 +191,7 @@ func (a *NameserverReconciler) maybeProvision(ctx context.Context, tsDNSCfg *tsa
 	if tsDNSCfg.Spec.Nameserver.Pod != nil {
 		dCfg.tolerations = tsDNSCfg.Spec.Nameserver.Pod.Tolerations
 		dCfg.affinity = tsDNSCfg.Spec.Nameserver.Pod.Affinity
+		dCfg.nodeSelector = tsDNSCfg.Spec.Nameserver.Pod.NodeSelector
 	}
 
 	for _, deployable := range []deployable{saDeployable, deployDeployable, svcDeployable, cmDeployable} {
@@ -218,15 +219,16 @@ type deployable struct {
 }
 
 type deployConfig struct {
-	replicas    int32
-	imageRepo   string
-	imageTag    string
-	labels      map[string]string
-	ownerRefs   []metav1.OwnerReference
-	namespace   string
-	clusterIP   string
-	tolerations []corev1.Toleration
-	affinity    *corev1.Affinity
+	replicas     int32
+	imageRepo    string
+	imageTag     string
+	labels       map[string]string
+	ownerRefs    []metav1.OwnerReference
+	namespace    string
+	clusterIP    string
+	tolerations  []corev1.Toleration
+	affinity     *corev1.Affinity
+	nodeSelector map[string]string
 }
 
 var (
@@ -253,6 +255,7 @@ var (
 			d.ObjectMeta.OwnerReferences = cfg.ownerRefs
 			d.Spec.Template.Spec.Tolerations = cfg.tolerations
 			d.Spec.Template.Spec.Affinity = cfg.affinity
+			d.Spec.Template.Spec.NodeSelector = cfg.nodeSelector
 			updateF := func(oldD *appsv1.Deployment) {
 				oldD.Spec = d.Spec
 			}
diff --git a/cmd/k8s-operator/nameserver_test.go b/cmd/k8s-operator/nameserver_test.go
index aa2a294c5..3ec00d5ed 100644
--- a/cmd/k8s-operator/nameserver_test.go
+++ b/cmd/k8s-operator/nameserver_test.go
@@ -43,6 +43,9 @@ func TestNameserverReconciler(t *testing.T) {
 					ClusterIP: "5.4.3.2",
 				},
 				Pod: &tsapi.NameserverPod{
+					NodeSelector: map[string]string{
+						"foo": "bar",
+					},
 					Tolerations: []corev1.Toleration{
 						{
 							Key:      "some-key",
@@ -131,6 +134,9 @@ func TestNameserverReconciler(t *testing.T) {
 				},
 			},
 		}
+		wantsDeploy.Spec.Template.Spec.NodeSelector = map[string]string{
+			"foo": "bar",
+		}
 
 		expectEqual(t, fc, wantsDeploy)
 	})
author	David Bond <davidsbond93@gmail.com>	2026-04-16 14:10:12 +0100
committer	David Bond <davidsbond93@gmail.com>	2026-04-16 14:10:12 +0100
commit	bdb77000423efd70d37b7dd76d552457fff9a099 (patch)
tree	9c7436e644d729ccfee3eb8cc82c46ff1f98128d /cmd
parent	4f47c3c93d71dd4436e9163d9aa4bb7fc82a1ae8 (diff)
download	tailscale-davidb/dns-config-node-selector.tar.xz tailscale-davidb/dns-config-node-selector.zip