Tailscale: ACL Policy Detail
Level 3 (Detail) — Tag ownership, ACL rules, and SSH access.
Tag Owners
File: ephemeral-castle/tailscale/acl.json
| Tag | Owners |
|---|---|
| tag:tazlab-vault | roberto.tazzoli@gmail.com, tag:tazpod |
| tag:tazlab-k8s | roberto.tazzoli@gmail.com |
| tag:vault-api | roberto.tazzoli@gmail.com, tag:tazpod |
| tag:tazlab-db | roberto.tazzoli@gmail.com |
| tag:tazpod | roberto.tazzoli@gmail.com |
| tag:k8s-operator | roberto.tazzoli@gmail.com |
| tag:k8s | tag:k8s-operator (operator proxy devices) |
| tag:internal-apps | tag:k8s-operator (admin ingress devices) |
ACL Rules
┌──────────────┐           ┌───────────────────┐
│  tag:tazpod  │ ────────► │ tag:tazlab-vault  │ :22, :6443, :50000
│  (operator)  │ ────────► │ tag:tazlab-k8s    │ :6443, :50000
│              │ ────────► │ tag:vault-api     │ :8200
│              │ ────────► │ tag:tazlab-db     │ :5432
│              │ ────────► │ tag:k8s           │ :5432 (DB via Operator)
│              │ ────────► │ tag:internal-apps │ :443 (Admin dashboards)
└──────────────┘           └───────────────────┘

┌──────────────────┐
│  tag:tazlab-k8s  │ ────────► tag:vault-api:8200
│  (cluster)       │
└──────────────────┘

┌──────────────────┐
│ tag:tazlab-vault │ ────────► tag:vault-api:8200
│ (vault runtime)  │ ────────► tag:tazlab-db:5432
│                  │ ────────► tag:tazlab-vault:8201 (raft)
└──────────────────┘

┌──────────────────┐
│ tag:k8s-operator │ ────────► tag:vault-api:8200
│ (k8s operator)   │
└──────────────────┘
ACL Details
| Source | Destination | Ports | Purpose |
|---|---|---|---|
| tag:tazpod | tag:tazlab-vault | 22, 6443, 50000 | SSH + Talos API |
| tag:tazpod | tag:tazlab-k8s | 6443, 50000 | K8s API + Talos API |
| tag:tazpod | tag:vault-api | 8200 | Vault HTTP API |
| tag:tazpod | tag:tazlab-db | 5432 | PostgreSQL (direct via MetalLB/tailscale) |
| tag:tazpod | tag:k8s | 5432 | PostgreSQL via Operator LoadBalancer proxy |
| tag:tazpod | tag:internal-apps | 443 | Admin dashboards via Operator Ingress proxy |
| tag:tazlab-k8s | tag:vault-api | 8200 | App secret retrieval |
| tag:k8s-operator | tag:vault-api | 8200 | Operator OAuth credentials from Vault |
| tag:tazlab-vault | tag:tazlab-db | 5432 | DB access (internal) |
| tag:tazlab-vault | tag:tazlab-vault | 8201 | Raft cluster gossip |
SSH Access
Tailscale SSH is enabled via the --ssh flag passed to tailscale up in tazpod-tailscale-up. The flag turns on the Tailscale SSH server on the node it is run on, so logins are authorised by Tailscale node and user identity rather than by per-host SSH keys. Two things still gate every connection: an entry in the policy's ssh section must allow the source, destination and login user, and an acls rule must allow TCP port 22 to the destination node. With the rules in the table above, port 22 is open only from tag:tazpod to tag:tazlab-vault, so that is the only Tailscale SSH path this policy permits; any other node running Tailscale SSH is reachable only once both a port-22 ACL rule and an ssh rule are added for it.
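The policy below is an added example that reconstructs the Tag Owners and ACL Details tables above as a Tailscale HuJSON policy file; it is not the repository's acl.json and has not been taken from it. The ssh rule (non-root logins only, from tag:tazpod to tag:tazlab-vault) and the tests block are assumptions added to show how the policy is completed and self-checked: Tailscale evaluates the tests block whenever the policy is saved and rejects the save if any accept or deny expectation fails, which is the cheapest way to keep the file and this page from drifting apart.

```json
{
  // tagOwners: who is allowed to apply each tag (mirrors the Tag Owners table).
  // A tag that is owned by another tag (tag:k8s, tag:internal-apps) can only be
  // applied by devices that already carry the owning tag.
  "tagOwners": {
    "tag:tazpod":        ["roberto.tazzoli@gmail.com"],
    "tag:tazlab-vault":  ["roberto.tazzoli@gmail.com", "tag:tazpod"],
    "tag:tazlab-k8s":    ["roberto.tazzoli@gmail.com"],
    "tag:vault-api":     ["roberto.tazzoli@gmail.com", "tag:tazpod"],
    "tag:tazlab-db":     ["roberto.tazzoli@gmail.com"],
    "tag:k8s-operator":  ["roberto.tazzoli@gmail.com"],
    "tag:k8s":           ["tag:k8s-operator"],
    "tag:internal-apps": ["tag:k8s-operator"]
  },

  // acls: Tailscale is default-deny, so only the rows of the ACL Details table
  // are opened. Ports are listed per destination as "tag:<name>:<port,port>".
  "acls": [
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-vault:22,6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-k8s:6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:vault-api:8200"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-db:5432", "tag:k8s:5432"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:internal-apps:443"]},
    {"action": "accept", "src": ["tag:tazlab-k8s"],   "dst": ["tag:vault-api:8200"]},
    {"action": "accept", "src": ["tag:k8s-operator"], "dst": ["tag:vault-api:8200"]},
    {"action": "accept", "src": ["tag:tazlab-vault"], "dst": ["tag:tazlab-db:5432", "tag:tazlab-vault:8201"]}
  ],

  // ssh: required in addition to the port-22 acls rule for Tailscale SSH to
  // accept a session. Assumption: only non-root logins are needed; the page
  // does not say which OS users the operator logs in as.
  "ssh": [
    {
      "action": "accept",
      "src":    ["tag:tazpod"],
      "dst":    ["tag:tazlab-vault"],
      "users":  ["autogroup:nonroot"]
    }
  ],

  // tests: checked on every save. The deny entries pin the boundaries that
  // matter here: the operator must not see raft, and the k8s operator must
  // not reach the database or the cluster API.
  "tests": [
    {
      "src":    "tag:tazpod",
      "accept": ["tag:tazlab-vault:22", "tag:tazlab-k8s:6443", "tag:vault-api:8200"],
      "deny":   ["tag:tazlab-vault:8201"]
    },
    {
      "src":    "tag:k8s-operator",
      "accept": ["tag:vault-api:8200"],
      "deny":   ["tag:tazlab-db:5432", "tag:tazlab-k8s:6443"]
    },
    {
      "src":    "tag:tazlab-k8s",
      "accept": ["tag:vault-api:8200"],
      "deny":   ["tag:tazlab-vault:22", "tag:tazlab-db:5432"]
    }
  ]
}
```

If the real acl.json carries a rule that this reconstruction lacks (the diagram, for instance, draws tag:tazlab-vault reaching tag:vault-api:8200 while the ACL Details table does not list it), add the corresponding accept expectation to tests so the discrepancy is resolved in the file rather than in prose.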
See Also
- Reference: acl.json
- Topic: IaC Management
- Topic: Service Exposure
- Topic: Vault Contract
- Hub: Tailscale