summaryrefslogtreecommitdiffhomepage
path: root/docs
AgeCommit message (Collapse)AuthorFilesLines
2025-07-10docs/windows/policy: add ExitNode.AllowOverride as an option to ExitNodeID ↵Nick Khyl2-1/+15
policy In this PR, we make ExitNode.AllowOverride configurable as part of the Exit Node ADMX policy setting, similarly to Always On w/ "Disconnect with reason" option. Updates tailscale/corp#29969 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-06-26ipn/store: automatically migrate between plaintext and encrypted state (#16318)Andrew Lytvynov2-1/+24
Add a new `--encrypt-state` flag to `cmd/tailscaled`. Based on that flag, migrate the existing state file to/from encrypted format if needed. Updates #15830 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-06-20docs: fix typo in commit-messages.mdokunamayanad1-1/+1
Updates: #cleanup Signed-off-by: okunamayanad <baran@okunamayanad.com>
2025-05-12docs/commit-messages.md: explain #cleanup commits (#15933)Simon Law1-1/+49
Adapted from http://go/cleanup. Fixes: #15932 Signed-off-by: Simon Law <sfllaw@tailscale.com>
2025-05-12docs/windows/policy: add OnboardingFlow policy to ADMX fileAaron Klotz2-0/+21
Fixes #15907 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2025-05-12net/dns,docs/windows/policy,util/syspolicy: register Tailscale IP addresses ↵Nick Khyl2-0/+34
in AD DNS if required by policy In this PR, we make DNS registration behavior configurable via the EnableDNSRegistration policy setting. We keep the default behavior unchanged, but allow admins to either enforce DNS registration and dynamic DNS updates for the Tailscale interface, or prevent Tailscale from modifying the settings configured in the network adapter's properties or by other means. Updates #14917 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-04-14docs/commit-messages.md: merge two 'commit messages' sections (#15668)Irbe Krumina1-5/+1
Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2025-04-10docs/k8s: add architecture diagram for ProxyGroup Ingress (#15593)Tom Proctor1-7/+92
Adds a new diagram for ProxyGroups running in Ingress mode. Documentation is currently not publicly available, but a link needs adding once it is. Updates tailscale/corp#24795 Change-Id: I0d5dd6bf6f0e1b8b0becae848dc97d8b4bfb9ccb Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2025-04-08commit-messages.md: make our git commit message style guide publicBrad Fitzpatrick1-0/+150
So we can link open source contributors to it. Updates #cleanup Change-Id: I02f612b38db9594f19b3be5d982f58c136120e9a Co-authored-by: James Sanderson <jsanderson@tailscale.com> Co-authored-by: Will Norris <will@tailscale.com> Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-02-24ipn/ipnlocal,util/syspolicy,docs/windows/policy: implement the ↵Nick Khyl2-0/+21
ReconnectAfter policy setting In this PR, we update the LocalBackend so that when the ReconnectAfter policy setting is configured and a user disconnects Tailscale by setting WantRunning to false in the profile prefs, the LocalBackend will now start a timer to set WantRunning back to true once the ReconnectAfter timer expires. We also update the ADMX/ADML policy definitions to allow configuring this policy setting for Windows via Group Policy and Intune. Updates #14824 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-02-11docs/windows/policy: update ADMX/ADML policy definitions to include the new ↵Nick Khyl2-0/+43
Always On setting This adds a new policy definition for the AlwaysOn.Enabled policy setting as well as the AlwaysOn.OverrideWithReason sub-option. Updates #14823 Updates tailscale/corp#26247 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-02-05docs/windows/policy: remove an extra closing >Nick Khyl1-1/+1
Something I accidentally added in #14217. It doesn't seem to impact Intune or the Administrative Templates MMC extension, but it should still be fixed. Updates #cleanup Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-12-17docs/k8s: add some high-level operator architecture diagrams (#13915)Tom Proctor1-0/+517
This is an experiment to see how useful we will find it to have some text-based diagrams to document how various components of the operator work. There are no plans to link to this from elsewhere yet, but hopefully it will be a useful reference internally. Updates #cleanup Change-Id: If5911ed39b09378fec0492e87738ec0cc3d8731e Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
2024-12-16Switch logging service from log.tailscale.io to log.tailscale.com (#14398)Joe Tsai1-1/+1
Updates tailscale/corp#23617 Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2024-12-03cmd/k8s-operator,docs/k8s: run tun mode proxies in privileged containers ↵Irbe Krumina3-9/+3
(#14262) We were previously relying on unintended behaviour by runc where all containers where by default given read/write/mknod permissions for tun devices. This behaviour was removed in https://github.com/opencontainers/runc/pull/3468 and released in runc 1.2. Containerd container runtime, used by Docker and majority of Kubernetes distributions bumped runc to 1.2 in 1.7.24 https://github.com/containerd/containerd/releases/tag/v1.7.24 thus breaking our reference tun mode Tailscale Kubernetes manifests and Kubernetes operator proxies. This PR changes the all Kubernetes container configs that run Tailscale in tun mode to privileged. This should not be a breaking change because all these containers would run in a Pod that already has a privileged init container. Updates tailscale/tailscale#14256 Updates tailscale/tailscale#10814 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-11-25docs/windows/policy: update ADMX policy definitions to reflect the syspolicy ↵Nick Khyl2-51/+91
settings We add a policy definition for the AllowedSuggestedExitNodes syspolicy setting, allowing admins to configure a list of exit node IDs to be used as a pool for automatic suggested exit node selection. We update definitions for policy settings configurable on both a per-user and per-machine basis, such as UI customizations, to specify class="Both". Lastly, we update the help text for existing policy definitions to include a link to the KB article as the last line instead of in the first paragraph. Updates #12687 Updates tailscale/corp#19681 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-11-20cmd/k8s-operator,kube/kubeclient,docs/k8s: update rbac to emit events + ↵Irbe Krumina5-0/+35
small fixes (#14164) This is a follow-up to #14112 where our internal kube client was updated to allow it to emit Events - this updates our sample kube manifests and tsrecorder manifest templates so they can benefit from this functionality. Updates tailscale/tailscale#14080 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-10-02docs/windows/policy: add ADMX policy setting to configure the AuthKeyNick Khyl2-0/+31
Updates tailscale/corp#22120 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-05-31docs/k8s: fix subnet router manifests (#12305)Irbe Krumina1-2/+3
In https://github.com/tailscale/tailscale/pull/11363 I changed the subnet router manifest to run in tun mode (for performance reasons), but did not change the security context to give it net_admin, which is required to for the tailscale socket. Updates tailscale/tailscale#12083 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-04-18docs/windows/policy: add missing key expiration warning intervalAdrian Dewhurst2-8/+19
Fixes #11345 Change-Id: Ib53b639690b77d1b7d857304dca2119f197227ce Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2024-04-08docs/policy: update ADMX and ADML files with new Windows 1.62 syspoliciesAndrea Gottardo2-0/+33
Updates ENG-2776 Updates the .admx and .adml files to include the new ManagedByOrganizationName, ManagedByCaption and ManagedByURL system policies, added in Tailscale v1.62 for Windows. Co-authored-by: Andrea Gottardo <andrea@gottardo.me> Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-03-07docs/k8s: don't run subnet router in userspace mode (#11363)Irbe Krumina1-1/+3
There should not be a need to do that unless we run on host network Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-03-04docs/k8s: update docs (#11307)Irbe Krumina3-1/+80
Update docs for static Tailscale deployments on kube to always use firewall mode autodection when in non-userspace. Also add a note about running multiple replicas and a few suggestions how folks could do that. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <1687799+knyar@users.noreply.github.com>
2024-01-19cmd/k8s-operator/deploy: allow modifying operator tags via Helm valuesChandonPierre1-1/+1
Updates tailscale/tailscale#10659 Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
2024-01-05docs: add Windows administrative templateAdrian Dewhurst2-0/+478
To make setting Windows policies easier, this adds ADMX policy descriptions. Fixes #6495 Updates ENG-2515 Change-Id: If4613c9d8ec734afec8bd781575e24b4aef9bb73 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>
2023-12-21all: cleanup unused code, part 2 (#10670)Andrew Lytvynov1-2/+2
And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-10-17cmd/k8s-operator: use our own container image instead of busyboxMaisem Ali1-1/+1
We already have sysctl in the `tailscale/tailscale` image, just use that. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-10-06docs/sysv: add a sysv style init scriptJames Tucker1-0/+63
The script depends on a sufficiently recent start-stop-daemon as to provide the `-m` and `--remove-pidfile` flags. Updates #9502 Signed-off-by: James Tucker <james@tailscale.com>
2023-07-01docs/k8s: don't call kubectl directly from MakefileDavid Wolever2-16/+14
Instead of calling kubectl directly in k8s Makefile, write the yaml to stdout so it can be reviewed/edited/etc before manually applying with kubectl. Fixes: #8511 Signed-off-by: David Wolever <david@wolever.net>
2023-01-27all: update copyright and license headersWill Norris9-27/+18
This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>
2023-01-27docs/k8s: Use TS_AUTHKEY instead of TS_AUTH_KEY (#7092)Walter Poupore5-9/+9
Updates https://github.com/tailscale/tailscale-www/issues/2199. Signed-off-by: Walter Poupore <walterp@tailscale.com>
2022-11-30docs/webhooks: use subtle.ConstantTimeCompare for comparing signaturesAndrew Dunham1-1/+2
Fixes #6572 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I58610c46e0ea1d3a878f91d154db3da4de9cae00
2022-11-07docs/k8s: add secrets patching permission to the tailscale role.David Anderson1-1/+1
Fixes #6225. Signed-off-by: David Anderson <danderson@tailscale.com>
2022-11-03cmd/containerboot: PID1 for running tailscaled in a container.David Anderson2-93/+2
This implements the same functionality as the former run.sh, but in Go and with a little better awareness of tailscaled's lifecycle. Also adds TS_AUTH_ONCE, which fixes the unfortunate behavior run.sh had where it would unconditionally try to reauth every time if you gave it an authkey, rather than try to use it only if auth is actually needed. This makes it a bit nicer to deploy these containers in automation, since you don't have to run the container once, then go and edit its definition to remove authkeys. Signed-off-by: David Anderson <danderson@tailscale.com>
2022-10-26docs/webhooks: add sample endpoint codeSonia Appasamy1-0/+149
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2022-10-01docs/k8s: [proxy] fix sysctl commandMaisem Ali1-2/+2
Fixes #5805 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-09-22docker: add ability to use a custom control socketAnton Schubert1-3/+4
Signed-off-by: Anton Schubert <anton.schubert@riedel.net>
2022-09-22fix auth key namehlts23-3/+3
Signed-off-by: hlts2 <hiroto.funakoshi.hiroto@gmail.com>
2022-09-16Switched Secret snippet to match run.shTyler Lee2-2/+2
Signed-off-by: Tyler Lee <tyler.lee@radius.ai>
2022-09-16Updated secret example in readme to match the sidecar key valueTyler Lee1-1/+1
Signed-off-by: Tyler Lee <tyler.lee@radius.ai>
2022-09-04docs/k8s: make run.sh handle SIGINTMaisem Ali1-3/+10
It was previously using jobcontrol to achieve this, but that apparently doesn't work when there is no tty. This makes it so that it directly handles SIGINT and SIGTERM and passes it on to tailscaled. I tested this works on a Digital Ocean K8s cluster. Fixes #5512 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-08-30docs/k8s: add IPv6 forwarding in proxy.yamlDenton Gentry1-1/+1
Fixes https://github.com/tailscale/tailscale/issues/4999 Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2022-07-25docs/k8s: add prefix to (#5167)Walter Poupore1-6/+21
Signed-off-by: Walter Poupore <walterp@tailscale.com>
2022-07-21docs/k8s: use job control in run.shMaisem Ali1-2/+3
This has the benefit of propagating SIGINT to tailscaled, which in turn can react to the event and logout in case of an ephemeral node. Also fix missing run.sh in Dockerfile. Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-18docs/k8s: set statedir to /tmp when not specifiedMaisem Ali1-2/+2
This makes `tailscale cert` and Taildrop work on k8s and in ephemeral mode. Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-01docs/k8s: Add env vars for tailscaled argsCraig Rodrigues1-0/+15
- TS_SOCKS5_SERVER, argument passed to tailscaled --socks5-server - TS_OUTBOUND_HTTP_PROXY_LISTEN, argument passed to tailscaled -outbound-http-proxy-listen - TS_TAILSCALED_EXTRA_ARGS extra arguments passed to tailscaled Fixes #4985 Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>
2022-06-30fix: typo rename, ROUTES -> TS_ROUTESJake Edgington1-1/+1
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
2022-06-30fix: typo rename, KUBE_SECRET -> TS_KUBE_SECRETJake Edgington1-1/+1
Signed-off-by: Jake Edgington <jake.edgington@gmail.com>
2022-06-07build_docker.sh: add run.sh as an entrypoint to the docker imageMaisem Ali10-86/+72
Fixes #4071 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2021-11-16fix minor typoBrian Fallik1-2/+2
Signed-off-by: Brian Fallik <bfallik@gmail.com>
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.