Tailscale: ACL Policy Detail

Level 3 (Detail) — Tag ownership, ACL rules, and SSH access.

Tag Owners

File: ephemeral-castle/tailscale/acl.json

| Tag | Owners |
| --- | --- |
| tag:tazlab-vault | roberto.tazzoli@gmail.com, tag:tazpod |
| tag:tazlab-k8s | roberto.tazzoli@gmail.com |
| tag:vault-api | roberto.tazzoli@gmail.com, tag:tazpod |
| tag:tazlab-db | roberto.tazzoli@gmail.com |
| tag:tazpod | roberto.tazzoli@gmail.com |
| tag:k8s-operator | roberto.tazzoli@gmail.com |
| tag:k8s | tag:k8s-operator (operator proxy devices) |
| tag:internal-apps | tag:k8s-operator (admin ingress devices) |

ACL Rules

┌──────────────┐          ┌───────────────────┐
│  tag:tazpod  │ ───────► │ tag:tazlab-vault  │  :22, :6443, :50000
│  (operator)  │ ───────► │ tag:tazlab-k8s    │  :6443, :50000
│              │ ───────► │ tag:vault-api     │  :8200
│              │ ───────► │ tag:tazlab-db     │  :5432
│              │ ───────► │ tag:k8s           │  :5432 (DB via Operator)
│              │ ───────► │ tag:internal-apps │  :443 (Admin dashboards)
└──────────────┘          └───────────────────┘

┌──────────────────┐
│  tag:tazlab-k8s  │ ───────► tag:vault-api:8200
│  (cluster)       │
└──────────────────┘

┌────────────────────┐
│  tag:tazlab-vault  │ ───────► tag:vault-api:8200
│  (vault runtime)   │ ───────► tag:tazlab-db:5432
│                    │ ───────► tag:tazlab-vault:8201 (raft)
└────────────────────┘

┌────────────────────┐
│  tag:k8s-operator  │ ───────► tag:vault-api:8200
│  (k8s operator)    │
└────────────────────┘

ACL Details

| Source | Destination | Ports | Purpose |
| --- | --- | --- | --- |
| tag:tazpod | tag:tazlab-vault | 22, 6443, 50000 | SSH + Talos API |
| tag:tazpod | tag:tazlab-k8s | 6443, 50000 | K8s API + Talos API |
| tag:tazpod | tag:vault-api | 8200 | Vault HTTP API |
| tag:tazpod | tag:tazlab-db | 5432 | PostgreSQL (direct via MetalLB/tailscale) |
| tag:tazpod | tag:k8s | 5432 | PostgreSQL via Operator LoadBalancer proxy |
| tag:tazpod | tag:internal-apps | 443 | Admin dashboards via Operator Ingress proxy |
| tag:tazlab-k8s | tag:vault-api | 8200 | App secret retrieval |
| tag:k8s-operator | tag:vault-api | 8200 | Operator OAuth credentials from Vault |
| tag:tazlab-vault | tag:tazlab-db | 5432 | DB access (internal) |
| tag:tazlab-vault | tag:tazlab-vault | 8201 | Raft cluster gossip |
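Added example, not the repository's acl.json: the two tables above rendered as a Tailscale policy document (tagOwners plus accept rules in the `tag:name:port1,port2` dst form), together with a default-deny evaluator and a lint that every tag used in a rule is declared in tagOwners. The table rows are transcribed from this page; the helper names are this example's own.

```python
OWNER = "roberto.tazzoli@gmail.com"  # the human owner listed in the Tag Owners table

TAG_OWNERS = {  # tag -> owners, transcribed from the Tag Owners table
    "tag:tazlab-vault": [OWNER, "tag:tazpod"],
    "tag:tazlab-k8s": [OWNER],
    "tag:vault-api": [OWNER, "tag:tazpod"],
    "tag:tazlab-db": [OWNER],
    "tag:tazpod": [OWNER],
    "tag:k8s-operator": [OWNER],
    "tag:k8s": ["tag:k8s-operator"],
    "tag:internal-apps": ["tag:k8s-operator"],
}

RULES = [  # (source tag, destination tag, ports), one entry per ACL Details row
    ("tag:tazpod", "tag:tazlab-vault", [22, 6443, 50000]),
    ("tag:tazpod", "tag:tazlab-k8s", [6443, 50000]),
    ("tag:tazpod", "tag:vault-api", [8200]),
    ("tag:tazpod", "tag:tazlab-db", [5432]),
    ("tag:tazpod", "tag:k8s", [5432]),
    ("tag:tazpod", "tag:internal-apps", [443]),
    ("tag:tazlab-k8s", "tag:vault-api", [8200]),
    ("tag:k8s-operator", "tag:vault-api", [8200]),
    ("tag:tazlab-vault", "tag:tazlab-db", [5432]),
    ("tag:tazlab-vault", "tag:tazlab-vault", [8201]),
]

def build_policy():
    # Render the rows as a Tailscale policy; each dst is "tag:name:port,port"
    acls = [{"action": "accept", "src": [src],
             "dst": [f"{dst}:{','.join(map(str, ports))}"]}
            for src, dst, ports in RULES]
    return {"tagOwners": TAG_OWNERS, "acls": acls}

def allowed(policy, src, dst, port):
    # Default deny: a flow passes only if some accept rule lists src, dst and port
    for rule in policy["acls"]:
        if rule["action"] != "accept" or src not in rule["src"]:
            continue
        for entry in rule["dst"]:
            host, _, ports = entry.rpartition(":")
            if host == dst and (ports == "*" or str(port) in ports.split(",")):
                return True
    return False

def undeclared_tags(policy):
    # Tags referenced in acls but absent from tagOwners; such a policy is rejected on save
    used = {s for r in policy["acls"] for s in r["src"]}
    used |= {d.rpartition(":")[0] for r in policy["acls"] for d in r["dst"]}
    return {t for t in used if t.startswith("tag:")} - set(policy["tagOwners"])
```

Any flow not in the table (for example the cluster reaching the database directly, or the operator hitting Vault's raft port) evaluates to denied, which is the property the policy relies on.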

SSH Access

Tailscale SSH is enabled on the operator daemon via the --ssh flag passed in tazpod-tailscale-up. This allows SSH into any node that also runs Tailscale SSH without managing per-host SSH keys.

See Also