platform/manifests
1
0
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

fix: simplify and clean headscale acls

Browse Source
This commit is contained in:
Jonas Juselius
2025-10-14 13:00:42 +02:00
parent 284a02be7b
commit 747ae04ca3
1 changed files with 24 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files
values/headscale/values/values.yaml
+24 -56
View File
@@ -105,12 +105,8 @@ configMaps:
"stig.r.jensen@oceanbox.io", "stig.r.jensen@oceanbox.io",
], ],
"group:devops": [ "group:devops": [
"jonas.juselius@oceanbox.io",
"Moritz.Jorg@oceanbox.io",
"stig.r.jensen@oceanbox.io",
"radovan.bast@oceanbox.io", "radovan.bast@oceanbox.io",
"simen.kirkvik@oceanbox.io", "ole.tytlandsvik@oceanbox.io",
"Ole.Tytlandsvik@tromso.serit.no",
], ],
"group:oceanographer": [ "group:oceanographer": [
"frank.gaardsted@oceanbox.io", "frank.gaardsted@oceanbox.io",
@@ -121,7 +117,10 @@ configMaps:
], ],
"group:manager": [ "group:manager": [
"svenn.hanssen@oceanbox.io", "svenn.hanssen@oceanbox.io",
],
"group:marketing": [
"hilde.iversen@oceanbox.io", "hilde.iversen@oceanbox.io",
"pal.herstad@oceanbox.io",
], ],
"group:dev": [], "group:dev": [],
"group:intern": [], "group:intern": [],
@@ -133,8 +132,6 @@ configMaps:
"tag:k8s": [ "group:admin" ], "tag:k8s": [ "group:admin" ],
"tag:hpc": [ "group:admin" ], "tag:hpc": [ "group:admin" ],
"tag:mumindalen": [ "group:admin" ], "tag:mumindalen": [ "group:admin" ],
"tag:ekman": [ "group:admin" ],
"tag:rossby": [ "group:admin" ],
}, },
// hosts should be defined using its IP addresses and a subnet mask. // hosts should be defined using its IP addresses and a subnet mask.
// to define a single host, use a /32 mask. You cannot use DNS entries here, // to define a single host, use a /32 mask. You cannot use DNS entries here,
@@ -163,25 +160,18 @@ configMaps:
"action": "accept", "action": "accept",
"src": [ "src": [
"group:admin", "group:admin",
"tag:mumindalen",
], ],
"dst": [ "dst": [
"tag:hpc:*", "tag:hpc:*",
"tag:rossby:*",
"tag:mumindalen:*", "tag:mumindalen:*",
"100.64.0.0/10:*",
"autogroup:internet:*",
]
},
{
"action": "accept",
"src": [ "group:admin" ],
"dst": [
"dc.tos.net:*", "dc.tos.net:*",
"mgmt.tos.net:*", "mgmt.tos.net:*",
"100gbe.tos.net:*", "100gbe.tos.net:*",
"office.tos.net:*", "office.tos.net:*",
"dc.vtn.net:*", "dc.vtn.net:*",
"mgmt.vtn.net:*", "mgmt.vtn.net:*",
"100.64.0.0/10:*",
] ]
}, },
{ {
@@ -190,52 +180,30 @@ configMaps:
"dst": [ "dst": [
"k8s.oceanbox.tos:6443", "k8s.oceanbox.tos:6443",
"k8s.ekman.tos:6443", "k8s.ekman.tos:6443",
]
},
{
"action": "accept",
"src": [
"group:admin",
"group:devops",
"group:oceanographer",
"group:manager",
"group:dev",
],
"dst": [
"ingress.oceanbox.tos:443",
"ingress.ekman.tos:443",
"printer.office.tos:631",
]
},
{
"action": "accept",
"src": [ "tag:mumindalen", ],
"dst": [
"tag:hpc:*", "tag:hpc:*",
"tag:rossby:*",
"100.64.0.0/10:*",
"dc.vtn.net:*",
"mgmt.vtn.net:*",
"autogroup:internet:*",
]
},
{
"action": "accept",
"src": [
"group:admin",
"group:devops",
"group:oceanographer",
"group:manager",
"group:dev",
],
"dst": [
"tag:mumindalen:*", "tag:mumindalen:*",
"tag:hpc:*",
"tag:rossby:*",
"dc.tos.net:*", "dc.tos.net:*",
]
},
{
"action": "accept",
"src": [
"group:oceanographer",
"group:manager",
"group:marketing",
],
"dst": [
"tag:mumindalen:0",
"tag:hpc:22,80,443",
"dc.tos.net:22,80,443",
"autogroup:internet:*", "autogroup:internet:*",
] ]
}, },
{
"action": "accept",
"src": [ "*" ],
"dst": [ "autogroup:internet:*", ]
},
] ]
} }
dns: dns: