  • [k8s] Applying a TailScale subnet router
    Computer Science/k8s 2023. 8. 24. 21:25

    1. Create a TailScale auth key

    2. Create the k8s Secret

    3. Create the k8s Role

    4. Create the k8s Deployment (subnet router)

    5. Connect and configure TailScale


    1. Create a TailScale auth key

    Auth key

    Generate an auth key.


    2. Create the k8s Secret

    # tailscale-secret.yaml
    
    apiVersion: v1
    kind: Secret
    metadata:
      name: tailscale-secret
    stringData:
      TS_AUTH_KEY: tskey-auth-######

    3. Create the k8s Role

    # Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
    # Use of this source code is governed by a BSD-style
    # license that can be found in the LICENSE file.
    
    # tailscale-role.yaml
    
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: tailscale
    rules:
      - apiGroups: [""] 
        resources: ["secrets"]
        verbs: ["create"]
      - apiGroups: [""]
        # name of the Secret created in step 2
        resourceNames: ["tailscale-secret"]
        resources: ["secrets"]
        verbs: ["get", "update"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: tailscale
    subjects:
      - kind: ServiceAccount
        name: tailscale
    roleRef:
      kind: Role
      name: tailscale
      apiGroup: rbac.authorization.k8s.io
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: tailscale

    4. Create the k8s Deployment (subnet router)

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: tailscale
      name: tailscale-subnet-router
      namespace: tailscale
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: tailscale
      template:
        metadata:
          labels:
            app: tailscale
        spec:
          containers:
            - env:
                - name: TS_KUBE_SECRET
                  value: tailscale-secret
                - name: TS_USERSPACE
                  value: "true"
                - name: TS_AUTH_KEY
                  valueFrom:
                    secretKeyRef:
                      # must match the Secret from step 2 (name and key);
                      # with optional: true a dangling reference lets the pod
                      # start without a key, and tailscale then prints a login URL
                      key: TS_AUTH_KEY
                      name: tailscale-secret
                      optional: true
                - name: TS_ROUTES
                  # pod CIDR, service CIDR (adjust to your cluster)
                  value: 192.168.0.0/16,10.0.0.0/8
              image: ghcr.io/tailscale/tailscale:v1.46.1
              name: tailscale
              securityContext:
                runAsGroup: 1000
                runAsUser: 1000
              volumeMounts:
                - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
                  name: kube-api-access
                  readOnly: true
          tolerations:
            - effect: NoExecute
              key: node.kubernetes.io/not-ready
              operator: Exists
              tolerationSeconds: 300
            - effect: NoExecute
              key: node.kubernetes.io/unreachable
              operator: Exists
              tolerationSeconds: 300
          preemptionPolicy: PreemptLowerPriority
          priority: 0
          serviceAccountName: tailscale
          volumes:
            - name: kube-api-access
              projected:
                sources:
                  - serviceAccountToken:
                      expirationSeconds: 3607
                      path: token
                  - configMap:
                      items:
                        - key: ca.crt
                          path: ca.crt
                      name: kube-root-ca.crt
                  - downwardAPI:
                      items:
                        - fieldRef:
                            fieldPath: metadata.namespace
                          path: namespace

    5. Connect and configure TailScale

    I deployed all of the files above into the tailscale namespace.

    Then, if you check the logs with the command below,

     kubectl logs -l app=tailscale -n tailscale

    a link like the one below appears.

    2023/08/24 12:13:18 stopEngineAndWait...
    2023/08/24 12:13:18 requestEngineStatusAndWait
    2023/08/24 12:13:18 requestEngineStatusAndWait: waiting...
    2023/08/24 12:13:18 requestEngineStatusAndWait: got status update.
    2023/08/24 12:13:18 stopEngineAndWait: done.
    
    To authenticate, visit:
    
            https://login.tailscale.com/a/#####

    Open the link and register the node in my tailscale.

    Then, in the machine settings, Approve all the corresponding routes.

    Review in Subnets

    Now I can reach pod IPs or service IPs directly from my TailScale.
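The manifests in steps 2 to 4 only work together when the names line up: the Secret name and key referenced by the Deployment, the Secret name in the Role's resourceNames, the ServiceAccount bound by the RoleBinding, and the CIDRs in TS_ROUTES. The checker below is an added example (not code from the post or from Tailscale) that verifies those cross-references before anything is applied; the manifests are modelled as plain dicts mirroring the post's YAML (constructed here so it runs without a YAML library), and `build_manifests` is a hypothetical helper that lets you compare a mismatched secretKeyRef with a correct one.

```python
"""Cross-reference checker for the Tailscale subnet-router manifests.

Added example, not part of the original post or of Tailscale's tooling.
Manifests are plain dicts in the shape a YAML loader or `kubectl get -o json`
would produce, so the check runs offline without PyYAML.
"""
import ipaddress


def _env_list(deploy):
    containers = deploy["spec"]["template"]["spec"]["containers"]
    return [e for c in containers for e in c.get("env", [])]


def _secret_key_refs(deploy):
    """Yield (env name, secret name, key, optional) for each secretKeyRef."""
    for e in _env_list(deploy):
        ref = e.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            yield e["name"], ref["name"], ref["key"], bool(ref.get("optional", False))


def check_manifests(manifests):
    """Return a list of findings; an empty list means the set is consistent."""
    by_kind = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], []).append(m)
    secrets = {s["metadata"]["name"]: s for s in by_kind.get("Secret", [])}
    sas = {s["metadata"]["name"] for s in by_kind.get("ServiceAccount", [])}
    findings = []

    for deploy in by_kind.get("Deployment", []):
        pod = deploy["spec"]["template"]["spec"]
        env = {e["name"]: e.get("value") for e in _env_list(deploy)}

        # 1. Every secretKeyRef must point at a Secret/key that is actually deployed.
        #    optional: true hides a dangling reference: the pod starts with no auth key.
        for env_name, sname, key, optional in _secret_key_refs(deploy):
            secret = secrets.get(sname)
            keys = set()
            if secret is not None:
                keys = set(secret.get("stringData", {})) | set(secret.get("data", {}))
            if key not in keys:
                hint = " (optional: true, so the pod starts without it)" if optional else ""
                findings.append(f"{env_name}: secretKeyRef {sname}/{key} does not exist{hint}")

        # 2. The state Secret named by TS_KUBE_SECRET must be get/update-able via the Role.
        state = env.get("TS_KUBE_SECRET")
        if state:
            allowed = set()
            for role in by_kind.get("Role", []):
                for rule in role["rules"]:
                    scoped_ok = "resourceNames" not in rule or state in rule["resourceNames"]
                    if "secrets" in rule.get("resources", []) and scoped_ok:
                        allowed |= set(rule["verbs"])
            missing = {"get", "update"} - allowed
            if missing:
                findings.append(f"Role does not grant {sorted(missing)} on secret {state}")

        # 3. The pod's ServiceAccount must exist and be a subject of a RoleBinding.
        sa = pod.get("serviceAccountName", "default")
        if sa not in sas:
            findings.append(f"serviceAccountName {sa} has no ServiceAccount manifest")
        bound = any(sub["kind"] == "ServiceAccount" and sub["name"] == sa
                    for rb in by_kind.get("RoleBinding", []) for sub in rb["subjects"])
        if not bound:
            findings.append(f"ServiceAccount {sa} is not a subject of any RoleBinding")

        # 4. TS_ROUTES must be a comma-separated list of valid CIDRs.
        for cidr in (env.get("TS_ROUTES") or "").split(","):
            if not cidr:
                continue
            try:
                ipaddress.ip_network(cidr.strip(), strict=True)
            except ValueError:
                findings.append(f"TS_ROUTES entry {cidr!r} is not a valid CIDR")
    return findings


def build_manifests(secret_ref_name, secret_ref_key):
    """Constructed manifests mirroring the post's YAML (hypothetical helper)."""
    return [
        {"kind": "Secret", "metadata": {"name": "tailscale-secret"},
         "stringData": {"TS_AUTH_KEY": "tskey-auth-PLACEHOLDER"}},
        {"kind": "Role", "metadata": {"name": "tailscale"}, "rules": [
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
            {"apiGroups": [""], "resourceNames": ["tailscale-secret"],
             "resources": ["secrets"], "verbs": ["get", "update"]}]},
        {"kind": "RoleBinding", "metadata": {"name": "tailscale"},
         "subjects": [{"kind": "ServiceAccount", "name": "tailscale"}]},
        {"kind": "ServiceAccount", "metadata": {"name": "tailscale"}},
        {"kind": "Deployment", "metadata": {"name": "tailscale-subnet-router"},
         "spec": {"template": {"spec": {
             "serviceAccountName": "tailscale",
             "containers": [{"name": "tailscale", "env": [
                 {"name": "TS_KUBE_SECRET", "value": "tailscale-secret"},
                 {"name": "TS_USERSPACE", "value": "true"},
                 {"name": "TS_AUTH_KEY", "valueFrom": {"secretKeyRef": {
                     "name": secret_ref_name, "key": secret_ref_key, "optional": True}}},
                 {"name": "TS_ROUTES", "value": "192.168.0.0/16,10.0.0.0/8"}]}]}}}},
    ]


if __name__ == "__main__":
    # A reference to a Secret that was never created is reported; the matching one is clean.
    for ref in (("tailscale-auth", "AUTH_KEY"), ("tailscale-secret", "TS_AUTH_KEY")):
        print(ref, check_manifests(build_manifests(*ref)) or "OK")
```

The first finding is exactly the silent failure mode to watch for: because the reference is `optional: true`, the pod comes up healthy and the only symptom is the interactive login URL in the logs instead of an automatic join with the auth key.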
