| field | value | date |
|---|---|---|
| author | Tom Proctor <tomhjp@users.noreply.github.com> | 2025-10-05 02:10:50 +0100 |
| committer | Tom Proctor <tomhjp@users.noreply.github.com> | 2025-11-07 14:24:24 +0000 |
| commit | d4c5b278b3dd67e31498dfbfe321c5e00a801898 (patch) | |
| tree | 47ba83f03b4a8b1a2a22c95d984959186463257a /control/controlhttp/controlhttpserver/controlhttpserver.go | |
| parent | 1ed117dbc08ac60a69ba46bdb7289b1d416bc5dc (diff) | |
| download | tailscale-d4c5b278b3dd67e31498dfbfe321c5e00a801898.tar.xz tailscale-d4c5b278b3dd67e31498dfbfe321c5e00a801898.zip | |
cmd/k8s-operator: support workload identity federation
The feature is currently in private alpha, so requires a tailnet feature
flag. Initially focuses on supporting the operator's own auth, because the
operator is the only device we maintain that uses static long-lived
credentials. All other operator-created devices use single-use auth keys.
Testing steps:
* Create a cluster with an API server accessible over public internet
* kubectl get --raw /.well-known/openid-configuration | jq '.issuer'
* Create a federated OAuth client in the Tailscale admin console with:
  * The issuer from the previous step
  * Subject claim `system:serviceaccount:tailscale:operator`
  * Write scopes services, devices:core, auth_keys
  * Tag tag:k8s-operator
* Allow the Tailscale control plane to get the public portion of
  the ServiceAccount token signing key without authentication:
  * kubectl create clusterrolebinding oidc-discovery \
      --clusterrole=system:service-account-issuer-discovery \
      --group=system:unauthenticated
* helm install --set oauth.clientId=... --set oauth.audience=...
Updates #17457
Change-Id: Ib29c85ba97b093c70b002f4f41793ffc02e6c6e9
Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
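Added example, not part of this commit or of Tailscale's code: a claims check that a projected ServiceAccount token actually carries the issuer, subject and audience the federated OAuth client in the testing steps is configured with, which is the usual first thing to verify when federation is rejected. The issuer and audience are placeholders the caller supplies (the real ones come from the discovery document and the admin console); the sample token is constructed inline and unsigned, and signature verification is left to the relying party, which fetches the JWKS through the discovery endpoint the clusterrolebinding exposes.

```python
import base64
import json
import time

# The subject the commit message configures on the federated OAuth client.
EXPECTED_SUBJECT = "system:serviceaccount:tailscale:operator"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def unverified_claims(token: str) -> dict:
    """Decode the JWT payload without checking the signature. The signature
    check belongs to the relying party, which fetches the JWKS via the
    issuer's discovery document (what the clusterrolebinding makes public)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_unb64url(parts[1]))


def check_federation_claims(token, issuer, audience, now=None):
    """Compare a ServiceAccount token's claims with the issuer, subject and
    audience the federated client expects. Returns a list of mismatches;
    an empty list means the claims alone would not cause a rejection."""
    c = unverified_claims(token)
    now = time.time() if now is None else now
    problems = []
    if c.get("iss") != issuer:
        problems.append(f"iss {c.get('iss')!r} != expected {issuer!r}")
    if c.get("sub") != EXPECTED_SUBJECT:
        problems.append(f"sub {c.get('sub')!r} != expected {EXPECTED_SUBJECT!r}")
    aud = c.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in aud:
        problems.append(f"aud {aud!r} does not contain {audience!r}")
    if float(c.get("exp", 0)) <= now:
        problems.append("token is expired (exp <= now)")
    return problems


def constructed_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline use only;
    the signature segment is a dummy placeholder, never a real signature."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return ".".join(_b64url(json.dumps(x).encode()) for x in (header, claims)) + ".c2ln"
```

On a live cluster the token to inspect is the projected one mounted in the operator pod, and the issuer string should be taken verbatim from `kubectl get --raw /.well-known/openid-configuration`.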
Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions
