
Commit c08bd23

committed
Refactor tailscale policy configuration by standardizing formatting, updating network definitions, and adding test ACLs for improved clarity and functionality.
1 parent b229ef4 commit c08bd23

1 file changed

+149
-149
lines changed

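--- a/tailscale/policy.hujson
+++ b/tailscale/policy.hujson
@@ -4,43 +4,43 @@
 "ipsets": {
 // Robbinsdale site networks
 "ipset:robbinsdale": [
-"192.168.50.0/24", // Main LAN
-"fd7a:115c:a1e0:b1a:0:1::/96", // 4via6 subnet
-"10.69.0.0/16", // LB network range
-"10.0.0.0/16", // Service network range
-"10.1.0.0/16", // Pod network range
-],
+"192.168.50.0/24", // Main LAN
+"fd7a:115c:a1e0:b1a:0:1::/96", // 4via6 subnet
+"10.69.0.0/16", // LB network range
+"10.0.0.0/16", // Service network range
+"10.1.0.0/16", // Pod network range
+],
 // Ottawa site networks
 "ipset:ottawa": [
 "192.168.169.0/24", // Main LAN
-"fd7a:115c:a1e0:b1a:0:2::/96", // 4via6 subnet
-"10.169.0.0/16", // LB network range
-"10.2.0.0/16", // Service network range
-"10.3.0.0/16", // Pod network range
-],
-// St Petersburg site networks
-"ipset:stpetersburg": [
-"192.168.73.0/24", // Main LAN
-"10.73.3.0/24", // LB network range
-"10.4.0.0/16", // Service network range
-"10.5.0.0/16", // Pod network range
-"fd7a:115c:a1e0:b1a:0:3::/96", // 4via6 subnet
-],
+"fd7a:115c:a1e0:b1a:0:2::/96", // 4via6 subnet
+"10.169.0.0/16", // LB network range
+"10.2.0.0/16", // Service network range
+"10.3.0.0/16", // Pod network range
+],
+// St Petersburg site networks
+"ipset:stpetersburg": [
+"192.168.73.0/24", // Main LAN
+"10.73.3.0/24", // LB network range
+"10.4.0.0/16", // Service network range
+"10.5.0.0/16", // Pod network range
+"fd7a:115c:a1e0:b1a:0:3::/96", // 4via6 subnet
+],
 },
 "groups": {
 "group:superuser": [
 "kbpersonal@github",
-"LukeHouge@github",
+"LukeHouge@github",
 "rajsinghtech@github",
-
-]
+
+],
 },
 "tagOwners": {
 // Core infrastructure tags
 "tag:k8s-operator": [],
 "tag:k8s": ["tag:k8s-operator", "autogroup:admin"],
 "tag:k8s-recorder": ["tag:k8s-operator"],
-"tag:udm": ["autogroup:admin"],
+"tag:udm": ["autogroup:admin"],
 // Site-specific tags
 "tag:robbinsdale": ["tag:k8s-operator", "autogroup:admin"],
 "tag:ottawa": ["tag:k8s-operator", "autogroup:admin"],
@@ -50,14 +50,14 @@
 "autoApprovers": {
 "exitNode": ["tag:k8s"],
 "routes": {
-"0.0.0.0/0": ["tag:k8s"], // Default route (exit node)
-"::/0": ["tag:k8s"], // IPv6 default route
-"192.168.50.0/24": ["tag:robbinsdale"], // Robbinsdale LAN
-"192.168.169.0/24": ["tag:ottawa"], // Ottawa LAN
-"192.168.73.0/24": ["tag:stpetersburg"], // St Petersburg LAN
+"0.0.0.0/0": ["tag:k8s"], // Default route (exit node)
+"::/0": ["tag:k8s"], // IPv6 default route
+"192.168.50.0/24": ["tag:robbinsdale"], // Robbinsdale LAN
+"192.168.169.0/24": ["tag:ottawa"], // Ottawa LAN
+"192.168.73.0/24": ["tag:stpetersburg"], // St Petersburg LAN
 },
 "services": {
-"tag:k8s": ["tag:k8s"],
+"tag:k8s": ["tag:k8s"],
 },
 },
 // Define SSH access policies
@@ -78,21 +78,21 @@
 "dst": ["autogroup:self"],
 "ip": ["*"],
 },
-// Allow Superuser to access all location nodes
-{
-"src": ["group:superuser", "tag:ottawa", "tag:robbinsdale", "tag:stpetersburg"],
-"dst": ["tag:ottawa", "tag:robbinsdale", "tag:stpetersburg"],
-"ip": ["*"],
-},
-// Allow members to reach udm nodes
-{
-"src": ["group:superuser", "tag:udm", "tag:k8s", "tag:k8s-operator"],
-"dst": ["tag:udm"],
-"ip": ["*"],
-"app": {
-"tailscale.com/cap/relay": [],
-},
-},
+// Allow Superuser to access all location nodes
+{
+"src": ["group:superuser", "tag:ottawa", "tag:robbinsdale", "tag:stpetersburg"],
+"dst": ["tag:ottawa", "tag:robbinsdale", "tag:stpetersburg"],
+"ip": ["*"],
+},
+// Allow members to reach udm nodes
+{
+"src": ["group:superuser", "tag:udm", "tag:k8s", "tag:k8s-operator"],
+"dst": ["tag:udm"],
+"ip": ["*"],
+"app": {
+"tailscale.com/cap/relay": [],
+},
+},
 // Allow members to use nodes as exit nodes and app connector
 {
 "src": ["group:superuser", "tag:k8s"],
@@ -108,16 +108,16 @@
 "via": ["tag:robbinsdale"],
 },
 {
-"src": ["group:superuser", "tag:robbinsdale", "tag:stpetersburg"],
-"dst": ["ipset:ottawa"],
-"ip": ["*"],
-"via": ["tag:ottawa"],
+"src": ["group:superuser", "tag:robbinsdale", "tag:stpetersburg"],
+"dst": ["ipset:ottawa"],
+"ip": ["*"],
+"via": ["tag:ottawa"],
 },
 {
-"src": ["group:superuser", "tag:robbinsdale", "tag:ottawa"],
-"dst": ["ipset:stpetersburg"],
-"ip": ["*"],
-"via": ["tag:stpetersburg"],
+"src": ["group:superuser", "tag:robbinsdale", "tag:ottawa"],
+"dst": ["ipset:stpetersburg"],
+"ip": ["*"],
+"via": ["tag:stpetersburg"],
 },
 // Admin access to Kubernetes API with system:masters privileges
 {
@@ -134,17 +134,17 @@
 "enforceRecorder": true,
 },
 ],
-"tailscale.com/cap/tsidp": [
-{
-"allow_admin_ui": true,
-},
-],
+"tailscale.com/cap/tsidp": [
+{
+"allow_admin_ui": true,
+},
+],
 },
 },
 // Member access to Kubernetes API with read-only privileges
 {
 "src": ["autogroup:member"],
-"dst": ["tag:k8s-operator","tag:k8s"],
+"dst": ["tag:k8s-operator", "tag:k8s"],
 "ip": ["*"],
 "app": {
 "tailscale.com/cap/kubernetes": [
@@ -160,100 +160,100 @@
 },
 ],
 "nodeAttrs": [
-{
-"target": ["*"],
-"app": {
-"tailscale.com/app-connectors": [
-{
-"name":"shared",
-"connectors":["tag:k8s"],
-"domains":["docs.google.com"]
-},
-{
-"name":"robbinsdale",
-"connectors":["tag:robbinsdale"],
-"domains":[
-"robbinsdale.k8s"
-],
-"routes":["fd7a:115c:a1e0:b1a:0:1::/96"]
-},
-{
-"name":"ottawa",
-"connectors":["tag:ottawa"],
-"domains":[
-"ottawa.k8s"
-],
-"routes":["fd7a:115c:a1e0:b1a:0:2::/96"]
-},
-]
-}
-},
-{
-"target": ["group:superuser"],
-"attr": [
-// "experimental:exit-node-steering", // FF traffic-steering
-// "only-tcp-443", // FF allow-only-tcp-443
-// "custom:test" // FF metadata-node-set-attrs node-attributes-api
-],
-},
-
 {
-"target": ["tag:k8s"],
+"target": ["*"],
+"app": {
+"tailscale.com/app-connectors": [
+{
+"name": "shared",
+"connectors": ["tag:k8s"],
+"domains": ["docs.google.com"],
+},
+{
+"name": "robbinsdale",
+"connectors": ["tag:robbinsdale"],
+"domains": [
+"robbinsdale.k8s",
+],
+"routes": ["fd7a:115c:a1e0:b1a:0:1::/96"],
+},
+{
+"name": "ottawa",
+"connectors": ["tag:ottawa"],
+"domains": [
+"ottawa.k8s",
+],
+"routes": ["fd7a:115c:a1e0:b1a:0:2::/96"],
+},
+],
+},
+},
+{
+"target": ["group:superuser"],
 "attr": [
-"funnel",
-// "only-tcp-443",
-],
+// "experimental:exit-node-steering", // FF traffic-steering
+// "only-tcp-443", // FF allow-only-tcp-443
+// "custom:test" // FF metadata-node-set-attrs node-attributes-api
+],
+},
+
+{
+"target": ["tag:k8s"],
+"attr": [
+"funnel",
+// "only-tcp-443",
+],
+},
+],
+// Define test ACLs
+"tests": [
+{
+// Admin user test ACLs
+"src": "rajsinghtech@github",
+"accept": [
+"192.168.50.1:443",
+"192.168.169.1:443",
+"10.0.0.1:443",
+"10.1.0.1:443",
+"10.2.0.1:443",
+"10.69.0.1:443",
+"10.169.0.1:443",
+"tag:k8s-operator:443",
+"tag:k8s:443",
+"tag:k8s:80",
+"tag:robbinsdale:443",
+"rajsinghtech@github:53",
+],
+},
+{
+// K8s user
+"src": "tag:k8s",
+"accept": [
+"tag:k8s-operator:443",
+"tag:k8s:443",
+],
+},
+{
+// Robbinsdale cannot reach it's own LAN
+"src": "tag:robbinsdale",
+"accept": [
+"192.168.169.1:443",
+],
+"deny": [
+"192.168.50.1:443",
+],
+},
+{
+// Ottawa cannot reach it's own LAN
+"src": "tag:ottawa",
+"accept": [
+"192.168.50.1:443",
+],
+"deny": [
+"192.168.169.1:443",
+
 },
 ],
-// Define test ACLs
-"tests": [
-{
-// Admin user test ACLs
-"src": "rajsinghtech@github",
-"accept": [
-"192.168.50.1:443",
-"192.168.169.1:443",
-"10.0.0.1:443",
-"10.1.0.1:443",
-"10.2.0.1:443",
-"10.69.0.1:443",
-"10.169.0.1:443",
-"tag:k8s-operator:443",
-"tag:k8s:443",
-"tag:k8s:80",
-"tag:robbinsdale:443",
-"rajsinghtech@github:53",
-]
-},
-{
-// K8s user
-"src": "tag:k8s",
-"accept": [
-"tag:k8s-operator:443",
-"tag:k8s:443",
-]
-},
-{
-// Robbinsdale cannot reach it's own LAN
-"src": "tag:robbinsdale",
-"accept": [
-"192.168.169.1:443",
-],
-"deny": [
-"192.168.50.1:443",
-]
-},
-{
-// Ottawa cannot reach it's own LAN
-"src": "tag:ottawa",
-"accept": [
-"192.168.50.1:443",
-],
-"deny": [
-"192.168.169.1:443",
-]
-},
-],
 // Legacy ACL rules (deprecated - using grants instead)
 "acls": [{
 // Private log streaming enables audit and network logs to be directly
@@ -265,4 +265,4 @@
 "src": ["logstream@tailscale"],
 "dst": ["[fd7a:115c:a1e0::801:1578]:8088"],
 }],
-}
+}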
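Review bot: The `tests` array on the new side (new lines 209–254) has no case for `tag:stpetersburg`, even though the grant at new lines 117–120 routes that tag into `ipset:stpetersburg` and the two sibling site tests at new 236–254 assert that Robbinsdale and Ottawa cannot reach their own LAN; if the same rule is intended for the third site, it should get the mirror-image test so a later edit that widens a grant is caught by `tailscale` policy validation rather than in production. The `tag:udm` relay grant (new 87–95) and the `autogroup:member` read-only Kubernetes path (new 144–147) are likewise untested, though from these hunks I cannot tell what the correct `deny` targets for them would be. New line 254 renders as empty in this view, which would leave the preceding `deny` array unclosed — worth confirming that `],` is actually present in the file. Minor: the comments on new 237 and 247 should read `its own LAN`. The St Petersburg test below is constructed from the page's own subnets, using the `.1` host the existing tests use.
```json
// … unchanged: existing Ottawa test object …
{
  // St Petersburg cannot reach its own LAN
  "src": "tag:stpetersburg",
  "accept": [
    "192.168.169.1:443",
  ],
  "deny": [
    "192.168.73.1:443",
  ],
},
```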
