# Headscale ACL policy, delivered to the cluster as a ConfigMap.
# The labels/annotations below indicate this object is rendered by the Helm chart
# and tracked by Argo CD, so changes presumably belong in the chart source,
# not in this rendered object.
apiVersion: v1
data:
  # The policy is a HuJSON document: it uses "//" comments and trailing commas,
  # so the consumer of this key must accept HuJSON rather than strict JSON.
  # Everything under "policy: |" is string content - the "//" lines are part
  # of the policy text, and a "#" inside the block would be too (and would break it).
  policy: |
    {
      // groups are collections of users having a common scope. A user can be in multiple groups
      // groups cannot be composed of groups
      "groups": {
        // NOTE(review): "system-tos" is not an e-mail address like the other members;
        // presumably a headscale user name - confirm it resolves to the intended user.
        // NOTE(review): some members are written in mixed case ("Moritz.Jorg", "Ole.Tytlandsvik");
        // confirm user matching is case-insensitive, otherwise those entries may never match.
        "group:admin": [
          "jonas.juselius@oceanbox.io",
          "Moritz.Jorg@oceanbox.io",
          "simen.kirkvik@oceanbox.io",
          "stig.r.jensen@oceanbox.io",
          "system-tos",
        ],
        // Includes one account from an external domain (tromso.serit.no);
        // devops members get the Kubernetes API ports granted further down.
        "group:devops": [
          "jonas.juselius@oceanbox.io",
          "Moritz.Jorg@oceanbox.io",
          "stig.r.jensen@oceanbox.io",
          "radovan.bast@oceanbox.io",
          "simen.kirkvik@oceanbox.io",
          "Ole.Tytlandsvik@tromso.serit.no",
        ],
        "group:oceanographer": [
          "frank.gaardsted@oceanbox.io",
          "ole.anders.nost@oceanbox.io",
          "helge.avlesen@oceanbox.io",
          "isa.rosso@oceanbox.io",
          "jonathan.lilly@oceanbox.io",
        ],
        "group:manager": [
          "svenn.hanssen@oceanbox.io",
          "hilde.iversen@oceanbox.io",
        ],
        // Empty for now, but already listed as a source in the rules below:
        // anyone added here immediately gets those grants.
        "group:dev": [],
        // Empty and not referenced by any rule below.
        "group:intern": [],
      },
      // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
      // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
      // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
      // Only group:admin may apply either tag. Neither tag:k8s nor tag:hpc is
      // referenced as src or dst by any rule under "acls" below.
      "tagOwners": {
        "tag:k8s": [ "group:admin" ],
        "tag:hpc": [ "group:admin" ],
      },
      // hosts should be defined using their IP addresses and a subnet mask.
      // to define a single host, use a /32 mask. You cannot use DNS entries here,
      // as they're prone to be hijacked by replacing their IP addresses.
      // see https://github.com/tailscale/tailscale/issues/3800 for more information.
      // Note: ingress.ekman.tos, manage.ekman.tos and k8s.ekman.tos all resolve to
      // 10.255.241.99/32, so a grant to any one of them reaches the same address.
      "hosts": {
        "ingress.ekman.tos": "10.255.241.99/32",
        "ingress.ceph.tos": "10.255.241.10/32",
        "ingress.ceph.vtn": "172.16.239.50/32",
        "ingress.adm.ceph.vtn": "172.16.239.51/32",
        "ingress.oceanbox.tos": "10.255.241.11/32",
        "manage.ekman.tos": "10.255.241.99/32",
        "k8s.oceanbox.tos": "10.255.241.200/32",
        "k8s.ekman.tos": "10.255.241.99/32",
        "k8s.ceph.tos": "10.255.241.29/32",
        "printer.office.tos": "10.132.46.108/32",
        // Whole subnets; a rule granting "<name>:*" on one of these opens every
        // address and every port in that range.
        "net.office.tos": "10.132.46.0/24",
        "net.dc.tos": "10.255.241.0/24",
        "net.100gbe.tos": "10.255.244.0/24",
        "net.mgmt.tos": "10.255.240.0/24",
        "net.dc.vtn": "172.16.239.0/24",
        "net.mgmt.vtn": "172.16.238.0/24",
      },
      // Every rule is "accept"; anything not matched by a rule below is denied.
      "acls": [
        // All user groups -> ports 0 and 22 on the 100.64.0.0/24 range.
        // NOTE(review): the last rule grants these same five groups "100.64.0.0/24:*",
        // which already covers ports 0 and 22, so this rule adds nothing on its own.
        // NOTE(review): ":0" as a destination port - confirm how the policy parser
        // in use treats port 0 before relying on it.
        {
          "action": "accept",
          "src": [
            "group:admin",
            "group:devops",
            "group:oceanographer",
            "group:manager",
            "group:dev",
          ],
          "dst": [
            "100.64.0.0/24:0",
            "100.64.0.0/24:22",
          ]
        },
        // Site-to-site: the tos data-centre subnet may reach every address and
        // port of the vtn data-centre subnet (the next rule is the reverse direction).
        // NOTE(review): "ekman" is not defined in groups or hosts above; presumably a
        // user or node name that headscale resolves - verify it names what is intended.
        {
          "action": "accept",
          "src": [ "ekman", "net.dc.tos" ],
          "dst": [
            "net.dc.vtn:*",
            "100.64.0.0/24:0",
            "100.64.0.0/24:22",
          ]
        },
        // NOTE(review): "rossby" is likewise not defined above - same check as "ekman".
        {
          "action": "accept",
          "src": [ "rossby", "net.dc.vtn" ],
          "dst": [
            "net.dc.tos:*",
            "100.64.0.0/24:0",
            "100.64.0.0/24:22",
          ]
        },
        // group:admin -> every address and every port of all six defined subnets,
        // including both management networks. This is the broadest grant in the file.
        {
          "action": "accept",
          "src": [ "group:admin" ],
          "dst": [
            "net.dc.tos:*",
            "net.mgmt.tos:*",
            "net.100gbe.tos:*",
            "net.office.tos:*",
            "net.dc.vtn:*",
            "net.mgmt.vtn:*",
          ]
        },
        // group:devops -> the Kubernetes API endpoints only (6443 / 4443).
        // k8s.ekman.tos is 10.255.241.99, shared with ingress.ekman.tos and manage.ekman.tos.
        {
          "action": "accept",
          "src": [ "group:devops" ],
          "dst": [
            "k8s.oceanbox.tos:6443",
            "k8s.ekman.tos:4443",
          ]
        },
        // All user groups -> HTTPS on the two ingresses, IPP (631) on the office
        // printer, and SSH (22) on two data-centre addresses.
        // 10.255.241.99 is the address behind ingress.ekman.tos / manage.ekman.tos /
        // k8s.ekman.tos; 10.255.241.100 has no entry under "hosts" - per the comment
        // on "hosts" it would be clearer to name it there.
        {
          "action": "accept",
          "src": [
            "group:admin",
            "group:devops",
            "group:oceanographer",
            "group:manager",
            "group:dev",
          ],
          "dst": [
            "ingress.oceanbox.tos:443",
            "ingress.ekman.tos:443",
            "printer.office.tos:631",
            "10.255.241.99/32:22",
            "10.255.241.100/32:22",
          ]
        },
        // All user groups -> any port on any address in 100.64.0.0/24, plus
        // "autogroup:internet" (internet-bound traffic through exit nodes).
        // NOTE(review): 100.64.0.0/24 is presumably the headscale node prefix - confirm
        // it matches the server's configured prefix; a /24 covers at most 256 addresses.
        {
          "action": "accept",
          "src": [
            "group:admin",
            "group:devops",
            "group:oceanographer",
            "group:manager",
            "group:dev",
          ],
          "dst": [
            "100.64.0.0/24:*",
            "autogroup:internet:*",
          ]
        },
      ]
    }
kind: ConfigMap
metadata:
  annotations:
    # Argo CD ownership marker for this object.
    argocd.argoproj.io/tracking-id: headscale:/ConfigMap:headscale/headscale-acl
  labels:
    app.kubernetes.io/instance: headscale
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: headscale
    app.kubernetes.io/version: v0.25.0
    helm.sh/chart: headscale-0.16.0
  name: headscale-acl
  namespace: headscale