summaryrefslogtreecommitdiffhomepage
path: root/docs
AgeCommit message (Collapse)AuthorFilesLines
2025-02-11docs/windows/policy: update ADMX/ADML policy definitions to include the new ↵Nick Khyl2-0/+43
Always On setting This adds a new policy definition for the AlwaysOn.Enabled policy setting as well as the AlwaysOn.OverrideWithReason sub-option. Updates #14823 Updates tailscale/corp#26247 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-02-05docs/windows/policy: remove an extra closing >Nick Khyl1-1/+1
Something I accidentally added in #14217. It doesn't seem to impact Intune or the Administrative Templates MMC extension, but it should still be fixed. Updates #cleanup Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-12-17docs/k8s: add some high-level operator architecture diagrams (#13915)Tom Proctor1-0/+517
This is an experiment to see how useful we will find it to have some text-based diagrams to document how various components of the operator work. There are no plans to link to this from elsewhere yet, but hopefully it will be a useful reference internally. Updates #cleanup Change-Id: If5911ed39b09378fec0492e87738ec0cc3d8731e Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2024-12-16Switch logging service from log.tailscale.io to log.tailscale.com (#14398)Joe Tsai1-1/+1
Updates tailscale/corp#23617 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2024-12-03cmd/k8s-operator,docs/k8s: run tun mode proxies in privileged containers ↵Irbe Krumina3-9/+3
(#14262) We were previously relying on unintended behaviour by runc where all containers where by default given read/write/mknod permissions for tun devices. This behaviour was removed in https://github.com/opencontainers/runc/pull/3468 and released in runc 1.2. Containerd container runtime, used by Docker and majority of Kubernetes distributions bumped runc to 1.2 in 1.7.24 https://github.com/containerd/containerd/releases/tag/v1.7.24 thus breaking our reference tun mode Tailscale Kubernetes manifests and Kubernetes operator proxies. This PR changes the all Kubernetes container configs that run Tailscale in tun mode to privileged. This should not be a breaking change because all these containers would run in a Pod that already has a privileged init container. Updates tailscale/tailscale#14256 Updates tailscale/tailscale#10814 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-11-25docs/windows/policy: update ADMX policy definitions to reflect the syspolicy ↵Nick Khyl2-51/+91
settings We add a policy definition for the AllowedSuggestedExitNodes syspolicy setting, allowing admins to configure a list of exit node IDs to be used as a pool for automatic suggested exit node selection. We update definitions for policy settings configurable on both a per-user and per-machine basis, such as UI customizations, to specify class="Both". Lastly, we update the help text for existing policy definitions to include a link to the KB article as the last line instead of in the first paragraph. Updates #12687 Updates tailscale/corp#19681 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-11-20cmd/k8s-operator,kube/kubeclient,docs/k8s: update rbac to emit events + ↵Irbe Krumina5-0/+35
small fixes (#14164) This is a follow-up to #14112 where our internal kube client was updated to allow it to emit Events - this updates our sample kube manifests and tsrecorder manifest templates so they can benefit from this functionality. Updates tailscale/tailscale#14080 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-10-02docs/windows/policy: add ADMX policy setting to configure the AuthKeyNick Khyl2-0/+31
Updates tailscale/corp#22120 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-05-31docs/k8s: fix subnet router manifests (#12305)Irbe Krumina1-2/+3
In https://github.com/tailscale/tailscale/pull/11363 I changed the subnet router manifest to run in tun mode (for performance reasons), but did not change the security context to give it net_admin, which is required to for the tailscale socket. Updates tailscale/tailscale#12083 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-04-18docs/windows/policy: add missing key expiration warning intervalAdrian Dewhurst2-8/+19
Fixes #11345 Change-Id: Ib53b639690b77d1b7d857304dca2119f197227ce Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2024-04-08docs/policy: update ADMX and ADML files with new Windows 1.62 syspoliciesAndrea Gottardo2-0/+33
Updates ENG-2776 Updates the .admx and .adml files to include the new ManagedByOrganizationName, ManagedByCaption and ManagedByURL system policies, added in Tailscale v1.62 for Windows. Co-authored-by: Andrea Gottardo <andrea@gottardo.me> Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-03-07docs/k8s: don't run subnet router in userspace mode (#11363)Irbe Krumina1-1/+3
There should not be a need to do that unless we run on host network Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-03-04docs/k8s: update docs (#11307)Irbe Krumina3-1/+80
Update docs for static Tailscale deployments on kube to always use firewall mode autodection when in non-userspace. Also add a note about running multiple replicas and a few suggestions how folks could do that. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>
2024-01-19cmd/k8s-operator/deploy: allow modifying operator tags via Helm valuesChandonPierre1-1/+1
Updates tailscale/tailscale#10659 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
2024-01-05docs: add Windows administrative templateAdrian Dewhurst2-0/+478
To make setting Windows policies easier, this adds ADMX policy descriptions. Fixes #6495 Updates ENG-2515 Change-Id: If4613c9d8ec734afec8bd781575e24b4aef9bb73 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2023-12-21all: cleanup unused code, part 2 (#10670)Andrew Lytvynov1-2/+2
And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-10-17cmd/k8s-operator: use our own container image instead of busyboxMaisem Ali1-1/+1
We already have sysctl in the `tailscale/tailscale` image, just use that. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-10-06docs/sysv: add a sysv style init scriptJames Tucker1-0/+63
The script depends on a sufficiently recent start-stop-daemon as to provide the `-m` and `--remove-pidfile` flags. Updates #9502 Signed-off-by: James Tucker <james@tailscale.com>
2023-07-01docs/k8s: don't call kubectl directly from MakefileDavid Wolever2-16/+14
Instead of calling kubectl directly in k8s Makefile, write the yaml to stdout so it can be reviewed/edited/etc before manually applying with kubectl. Fixes: #8511 Signed-off-by: David Wolever <david@wolever.net>
2023-01-27all: update copyright and license headersWill Norris9-27/+18
This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>
2023-01-27docs/k8s: Use TS_AUTHKEY instead of TS_AUTH_KEY (#7092)Walter Poupore5-9/+9
Updates https://github.com/tailscale/tailscale-www/issues/2199. Signed-off-by: Walter Poupore <walterp@tailscale.com>
2022-11-30docs/webhooks: use subtle.ConstantTimeCompare for comparing signaturesAndrew Dunham1-1/+2
Fixes #6572 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I58610c46e0ea1d3a878f91d154db3da4de9cae00
2022-11-07docs/k8s: add secrets patching permission to the tailscale role.David Anderson1-1/+1
Fixes #6225. Signed-off-by: David Anderson <danderson@tailscale.com>
2022-11-03cmd/containerboot: PID1 for running tailscaled in a container.David Anderson2-93/+2
This implements the same functionality as the former run.sh, but in Go and with a little better awareness of tailscaled's lifecycle. Also adds TS_AUTH_ONCE, which fixes the unfortunate behavior run.sh had where it would unconditionally try to reauth every time if you gave it an authkey, rather than try to use it only if auth is actually needed. This makes it a bit nicer to deploy these containers in automation, since you don't have to run the container once, then go and edit its definition to remove authkeys. Signed-off-by: David Anderson <danderson@tailscale.com>
2022-10-26docs/webhooks: add sample endpoint codeSonia Appasamy1-0/+149
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2022-10-01docs/k8s: [proxy] fix sysctl commandMaisem Ali1-2/+2
Fixes #5805 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-09-22docker: add ability to use a custom control socketAnton Schubert1-3/+4
Signed-off-by: Anton Schubert <anton.schubert@riedel.net>
2022-09-22fix auth key namehlts23-3/+3
Signed-off-by: hlts2 <hiroto.funakoshi.hiroto@gmail.com>
2022-09-16Switched Secret snippet to match run.shTyler Lee2-2/+2
Signed-off-by: Tyler Lee <tyler.lee@radius.ai>
2022-09-16Updated secret example in readme to match the sidecar key valueTyler Lee1-1/+1
Signed-off-by: Tyler Lee <tyler.lee@radius.ai>
2022-09-04docs/k8s: make run.sh handle SIGINTMaisem Ali1-3/+10
It was previously using jobcontrol to achieve this, but that apparently doesn't work when there is no tty. This makes it so that it directly handles SIGINT and SIGTERM and passes it on to tailscaled. I tested this works on a Digital Ocean K8s cluster. Fixes #5512 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-08-30docs/k8s: add IPv6 forwarding in proxy.yamlDenton Gentry1-1/+1
Fixes https://github.com/tailscale/tailscale/issues/4999 Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-07-25docs/k8s: add prefix to (#5167)Walter Poupore1-6/+21
Signed-off-by: Walter Poupore <walterp@tailscale.com>
2022-07-21docs/k8s: use job control in run.shMaisem Ali1-2/+3
This has the benefit of propagating SIGINT to tailscaled, which in turn can react to the event and logout in case of an ephemeral node. Also fix missing run.sh in Dockerfile. Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-18docs/k8s: set statedir to /tmp when not specifiedMaisem Ali1-2/+2
This makes `tailscale cert` and Taildrop work on k8s and in ephemeral mode. Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-01docs/k8s: Add env vars for tailscaled argsCraig Rodrigues1-0/+15
- TS_SOCKS5_SERVER, argument passed to tailscaled --socks5-server - TS_OUTBOUND_HTTP_PROXY_LISTEN, argument passed to tailscaled -outbound-http-proxy-listen - TS_TAILSCALED_EXTRA_ARGS extra arguments passed to tailscaled Fixes #4985 Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>
2022-06-30fix: typo rename, ROUTES -> TS_ROUTESJake Edgington1-1/+1
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
2022-06-30fix: typo rename, KUBE_SECRET -> TS_KUBE_SECRETJake Edgington1-1/+1
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
2022-06-07build_docker.sh: add run.sh as an entrypoint to the docker imageMaisem Ali10-86/+72
Fixes #4071 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-11-16fix minor typoBrian Fallik1-2/+2
Signed-off-by: Brian Fallik <bfallik@gmail.com>
2021-10-18docs/k8s: add example about setting up a subnet routerRobert3-0/+73
Signed-off-by: Robert <rspier@pobox.com> Co-authored-by: Maisem Ali <3953239+maisem@users.noreply.github.com>
2021-10-14Fix k8s READMEFelipe Cruz Martinez1-2/+2
Use the correct KUBE_SECRET value
2021-10-14docs/k8s: update run.sh to use the correct socket pathMaisem Ali1-2/+2
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-10-13docs/k8s: use ghcr.io for base imageMaisem Ali1-1/+1
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-10-13docs/k8s: use tailscale/tailscale as base imageMaisem Ali1-2/+2
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-10-13docs/k8s: add instructions on how to run as a sidecar or a proxy.Maisem Ali10-17/+325
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-09-01ipn/store: add ability to store data as k8s secrets.Maisem Ali4-0/+47
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-08-30wgengine/userspace: add support to automatically enable/disable the tailscaleMaisem Ali2-0/+20
protocol in BIRD, when the node is a primary subnet router as determined by control. Signed-off-by: Maisem Ali <maisem@tailscale.com>
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.