fix: update headscale acls

2025-10-14 11:13:47 +02:00
parent d782913d94
commit 284a02be7b
2 changed files with 52 additions and 73 deletions
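--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -106,8 +106,8 @@ configMaps:
 "tagOwners": {
 "tag:k8s": [ "group:admin" ],
 "tag:hpc": [ "group:admin" ],
-"tag:tos-relay": [ "group:admin" ],
-"tag:vtn-relay": [ "group:admin" ],
+"tag:tos-router": [ "group:admin" ],
+"tag:vtn-router": [ "group:admin" ],
 "tag:mumindalen": [ "group:admin" ],
 "tag:ekman": [ "group:admin" ],
 "tag:rossby": [ "group:admin" ],
@@ -117,38 +117,28 @@ configMaps:
 // as they're prone to be hijacked by replacing their IP addresses.
 // see https://github.com/tailscale/tailscale/issues/3800 for more information.
 "hosts": {
-"ingress.ekman.tos": "10.255.241.99/32",
-"ingress.ceph.tos": "10.255.241.10/32",
-"ingress.ceph.vtn": "172.16.239.50/32",
-"ingress.adm.ceph.vtn": "172.16.239.51/32",
-"ingress.oceanbox.tos": "10.255.241.11/32",
-"manage.ekman.tos": "10.255.241.99/32",
-"k8s.oceanbox.tos": "10.255.241.200/32",
-"k8s.ekman.tos": "10.255.241.99/32",
-"k8s.ceph.tos": "10.255.241.29/32",
-"printer.office.tos": "10.132.46.108/32",
-"net.office.tos": "10.132.46.0/24",
-"net.dc.tos": "10.255.241.0/24",
-"net.100gbe.tos": "10.255.244.0/24",
-"net.mgmt.tos": "10.255.240.0/24",
-"net.dc.vtn": "172.16.239.0/24",
-"net.mgmt.vtn": "172.16.238.0/24",
+"office.tos.net": "10.132.46.0/24",
+"dc.tos.net": "10.255.241.0/24",
+"100gbe.tos.net": "10.255.244.0/24",
+"mgmt.tos.net": "10.255.240.0/24",
+"dc.vtn.net": "172.16.239.0/24",
+"mgmt.vtn.net": "172.16.238.0/24",
 },
 "acls": [
 {
 "action": "accept",
-"src": [ "tag:tos-relay", "net.dc.tos" ],
+"src": [ "tag:tos-router", "dc.tos.net" ],
 "dst": [
-"tag:vtn-relay:*",
-"net.dc.vtn:*",
+"tag:vtn-router:*",
+"dc.vtn.net:*",
 ]
 },
 {
 "action": "accept",
-"src": [ "tag:vtn-relay", "net.dc.vtn" ],
+"src": [ "tag:vtn-router", "dc.vtn.net" ],
 "dst": [
-"tag:tos-relay:*",
-"net.dc.tos:*",
+"tag:tos-router:*",
+"dc.tos.net:*",
 ]
 },
 ]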
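Review bot: Renaming `tag:tos-relay`/`tag:vtn-relay` to `tag:tos-router`/`tag:vtn-router` in tagOwners (first hunk) only changes the policy; nodes that were registered with the old tags keep them, and once those tags are gone from tagOwners the two router rules in the second hunk no longer match them, so the inter-site routes stop working until the router nodes are re-tagged with `tag:tos-router` / `tag:vtn-router`. A comment above the rules such as `// router nodes must be re-registered with --advertise-tags=tag:tos-router / tag:vtn-router after this rename` would make that step explicit. The second hunk also drops ten `hosts` aliases (`ingress.*`, `k8s.*`, `manage.ekman.tos`, `printer.office.tos`); if any rule outside this hunk still references one of them — the second changed file keeps `k8s.oceanbox.tos:6443` and `k8s.ekman.tos:6443` — the policy will fail to load, so the rest of the file is worth checking before merging. The enclosing `acls` array continues beyond the hunk.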
+28 -39
@@ -132,8 +132,6 @@ configMaps:
"tagOwners": { "tagOwners": {
"tag:k8s": [ "group:admin" ], "tag:k8s": [ "group:admin" ],
"tag:hpc": [ "group:admin" ], "tag:hpc": [ "group:admin" ],
"tag:tos-relay": [ "group:admin" ],
"tag:vtn-relay": [ "group:admin" ],
"tag:mumindalen": [ "group:admin" ], "tag:mumindalen": [ "group:admin" ],
"tag:ekman": [ "group:admin" ], "tag:ekman": [ "group:admin" ],
"tag:rossby": [ "group:admin" ], "tag:rossby": [ "group:admin" ],
@@ -153,40 +151,37 @@ configMaps:
"k8s.ekman.tos": "10.255.241.99/32", "k8s.ekman.tos": "10.255.241.99/32",
"k8s.ceph.tos": "10.255.241.29/32", "k8s.ceph.tos": "10.255.241.29/32",
"printer.office.tos": "10.132.46.108/32", "printer.office.tos": "10.132.46.108/32",
"net.office.tos": "10.132.46.0/24", "office.tos.net": "10.132.46.0/24",
"net.dc.tos": "10.255.241.0/24", "dc.tos.net": "10.255.241.0/24",
"net.100gbe.tos": "10.255.244.0/24", "100gbe.tos.net": "10.255.244.0/24",
"net.mgmt.tos": "10.255.240.0/24", "mgmt.tos.net": "10.255.240.0/24",
"net.dc.vtn": "172.16.239.0/24", "dc.vtn.net": "172.16.239.0/24",
"net.mgmt.vtn": "172.16.238.0/24", "mgmt.vtn.net": "172.16.238.0/24",
}, },
"acls": [ "acls": [
{ {
"action": "accept", "action": "accept",
"src": [ "tag:tos-relay", "net.dc.tos" ], "src": [
"group:admin",
],
"dst": [ "dst": [
"tag:vtn-relay:*", "tag:hpc:*",
"net.dc.vtn:*", "tag:rossby:*",
] "tag:mumindalen:*",
}, "100.64.0.0/10:*",
{ "autogroup:internet:*",
"action": "accept",
"src": [ "tag:vtn-relay", "net.dc.vtn" ],
"dst": [
"tag:tos-relay:*",
"net.dc.tos:*",
] ]
}, },
{ {
"action": "accept", "action": "accept",
"src": [ "group:admin" ], "src": [ "group:admin" ],
"dst": [ "dst": [
"net.dc.tos:*", "dc.tos.net:*",
"net.mgmt.tos:*", "mgmt.tos.net:*",
"net.100gbe.tos:*", "100gbe.tos.net:*",
"net.office.tos:*", "office.tos.net:*",
"net.dc.vtn:*", "dc.vtn.net:*",
"net.mgmt.vtn:*", "mgmt.vtn.net:*",
] ]
}, },
{ {
@@ -194,7 +189,7 @@ configMaps:
"src": [ "group:devops" ], "src": [ "group:devops" ],
"dst": [ "dst": [
"k8s.oceanbox.tos:6443", "k8s.oceanbox.tos:6443",
"k8s.ekman.tos:4443", "k8s.ekman.tos:6443",
] ]
}, },
{ {
@@ -215,20 +210,12 @@ configMaps:
{ {
"action": "accept", "action": "accept",
"src": [ "tag:mumindalen", ], "src": [ "tag:mumindalen", ],
"dst": [ "100.64.0.0/10:*", ]
},
{
"action": "accept",
"src": [
"group:admin",
"group:devops",
"group:oceanographer",
"group:manager",
"group:dev",
],
"dst": [ "dst": [
"tag:hpc:*", "tag:hpc:*",
"tag:mumindalen:*", "tag:rossby:*",
"100.64.0.0/10:*",
"dc.vtn.net:*",
"mgmt.vtn.net:*",
"autogroup:internet:*", "autogroup:internet:*",
] ]
}, },
@@ -242,8 +229,10 @@ configMaps:
"group:dev", "group:dev",
], ],
"dst": [ "dst": [
"tag:mumindalen:*",
"tag:hpc:*", "tag:hpc:*",
"100.64.0.0/10:22", "tag:rossby:*",
"dc.tos.net:*",
"autogroup:internet:*", "autogroup:internet:*",
] ]
}, },
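Review bot: The rewritten `tag:mumindalen` rule in the fourth hunk widens that node's reach from `100.64.0.0/10:*` to `dc.vtn.net:*` and `mgmt.vtn.net:*`, i.e. every port on the VTN data-centre and management subnets, and the last hunk likewise replaces `100.64.0.0/10:22` with `dc.tos.net:*` for the group rule that includes `group:dev`. If those subnets only need to be reached on specific services, the `dst` entries should name the ports (`"dc.vtn.net:22,443"` style) rather than `:*`, and a short comment stating why a single tagged host needs the management network would help the next reader. Headscale/Tailscale ACLs are default-deny, so nothing outside these lists is affected, but `:*` on a management subnet is the kind of grant that tends to outlive its reason. Minor: the second hunk writes `"src": [ "group:admin", ]` across three lines while the neighbouring rule keeps `"src": [ "group:admin" ],` on one line, and the two consecutive `group:admin` rules could be merged into one. The `src` list of the last rule starts outside the hunk.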