Narrow tag:ci Tailscale SSH ACL to deploy user only #49

New issue

Open

opened 2026-05-23 20:54:33 +00:00 by coilysiren · 0 comments

coilysiren commented

2026-05-23 20:54:33 +00:00

Owner

Originally filed by @coilysiren on 2026-05-18T01:37:58Z - https://github.com/coilysiren/infrastructure/issues/179

Problem

Current tailnet ACL grants tag:ci Tailscale SSH access to tag:server as autogroup:nonroot OR root:

{
  action = "accept"
  src    = ["tag:ci"]
  dst    = ["tag:server"]
  users  = ["autogroup:nonroot", "root"]
}

A CI workflow that gets a federated-identity token (anyone with main-push rights to a repo in repos.yaml) can tailscale ssh root@kai-server and own the host. The narrow deploy-user sudoers (/etc/sudoers.d/deploy-k3s allows only k3s ctr ... images import -) is irrelevant when SSH-as-root is in scope.

Plan

Split the SSH stanza in terraform/tailscale-oidc/main.tf into two rules:

ssh = [
  // Humans: unchanged - autogroup:member can SSH to their own devices
  // and tag:server as nonroot/root.
  { action = "accept", src = ["autogroup:member"], dst = ["autogroup:self", "tag:server"], users = ["autogroup:nonroot", "root"] },

  // CI: deploy user only.
  { action = "accept", src = ["tag:ci"], dst = ["tag:server"], users = ["deploy"] },
]

Requires the deploy user to exist on kai-server with a kubeconfig and narrow sudoers - that's already on the kai-server prereq list under #177.

Related

#177 (Tailscale OIDC federated-identity module for CI deploys) - parent
Follow-up worth filing once this lands: tighten the federated_identity subject from repo:<>:ref:refs/heads/main to job_workflow_ref:<>/.github/workflows/deploy.yml@refs/heads/main to pin which workflow file can mint a token.

_Originally filed by @coilysiren on 2026-05-18T01:37:58Z - [https://github.com/coilysiren/infrastructure/issues/179](https://github.com/coilysiren/infrastructure/issues/179)_ **Problem** Current tailnet ACL grants `tag:ci` Tailscale SSH access to `tag:server` as `autogroup:nonroot` OR `root`: ```hcl { action = "accept" src = ["tag:ci"] dst = ["tag:server"] users = ["autogroup:nonroot", "root"] } ``` A CI workflow that gets a federated-identity token (anyone with main-push rights to a repo in `repos.yaml`) can `tailscale ssh root@kai-server` and own the host. The narrow `deploy`-user sudoers (`/etc/sudoers.d/deploy-k3s` allows only `k3s ctr ... images import -`) is irrelevant when SSH-as-root is in scope. **Plan** Split the SSH stanza in `terraform/tailscale-oidc/main.tf` into two rules: ```hcl ssh = [ // Humans: unchanged - autogroup:member can SSH to their own devices // and tag:server as nonroot/root. { action = "accept", src = ["autogroup:member"], dst = ["autogroup:self", "tag:server"], users = ["autogroup:nonroot", "root"] }, // CI: deploy user only. { action = "accept", src = ["tag:ci"], dst = ["tag:server"], users = ["deploy"] }, ] ``` Requires the `deploy` user to exist on kai-server with a kubeconfig and narrow sudoers - that's already on the kai-server prereq list under #177. **Related** - #177 (Tailscale OIDC federated-identity module for CI deploys) - parent - Follow-up worth filing once this lands: tighten the federated_identity `subject` from `repo:<>:ref:refs/heads/main` to `job_workflow_ref:<>/.github/workflows/deploy.yml@refs/heads/main` to pin which workflow file can mint a token.

coilysiren added the

label

2026-05-31 01:54:45 +00:00

coilysiren added

and removed

labels

2026-05-31 07:00:49 +00:00

No labels

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-flight-deck/infrastructure#49

No description provided.

Rows
Columns