
Access with the Tailscale Operator

Tailscale is a WireGuard-based software-defined networking platform, most often used to replace traditional VPNs or to implement Zero Trust Networking (ZTN). Tailscale builds a tailnet: a peer-to-peer mesh network spanning all of your devices and services.

Tailscale also has some particularly useful features when combined with Kubernetes, such as:

  • Expose a k8s workload to your tailnet directly
  • Create a k8s ingress accessible from your tailnet
  • Grant access to your k8s API server via the tailnet
  • Authenticate access to your API server
  • Create subnet routers or exit nodes within your cluster

All of this is driven by the same Tailscale policy and authenticated per-user and per-device: true Zero Trust access into your cluster.

Installing the operator

First, set up a few things so the rest of this works:

kubectl create namespace tailscale
helm repo add tailscale https://pkgs.tailscale.com/helmcharts
helm repo update

Before we can actually install this, we need to create an OAuth client within Tailscale to authenticate our operator, and some tags to indicate ownership of the devices it creates.

Within your Tailscale policy, create the tags k8s-operator and k8s, and make k8s-operator the owner of k8s so the operator can tag the devices it creates without further admin involvement.
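The tag ownership step above, written out as a fragment of the Tailscale policy file (HuJSON, as edited under Access Controls in the admin console). This is an added example, not text from the original page or from Tailscale: the owner autogroup:admin, the group name group:k8s-admins, the member address, and the port-443 access rule are assumptions you should replace with your own. The access rule goes beyond the tag step itself and shows the per-user gate that the policy places in front of tag:k8s devices, which matters later because the API server proxy in noauth mode relies on this policy plus your kubeconfig credentials, not on tailnet identity, to decide who gets in.

```jsonc
{
  // Hypothetical group of people allowed to reach the cluster.
  // Replace the member list with real tailnet users.
  "groups": {
    "group:k8s-admins": ["alice@example.com"],
  },

  // Tag ownership. tag:k8s-operator is owned by tailnet admins
  // (assumption: autogroup:admin). tag:k8s is owned by
  // tag:k8s-operator, so the operator can apply tag:k8s to the
  // proxies and API server proxy it creates on its own.
  "tagOwners": {
    "tag:k8s-operator": ["autogroup:admin"],
    "tag:k8s":          ["tag:k8s-operator"],
  },

  // Access rule. Only group:k8s-admins may reach tag:k8s devices,
  // and only on port 443 (assumption: the API server proxy port).
  // Anything not listed in "acls" is denied by default.
  "acls": [
    {
      "action": "accept",
      "src":    ["group:k8s-admins"],
      "dst":    ["tag:k8s:443"],
    },
  ],
}
```

Both tags must exist in tagOwners before you generate the OAuth client in the next step, because the client is created with tag:k8s-operator attached and the admin console rejects tags that the policy does not define.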

Now go into settings->OAuth Clients and hit the 'Generate OAuth Client' button.

Add a useful description, like 'k8s operator', grant it the 'Devices Core' and 'Auth Keys' write scopes, and assign it the tag k8s-operator.

Copy the client ID and secret; we'll create a k8s secret to hold them.

# The operator mounts this secret and reads the files client_id and
# client_secret from it, so the key names must match exactly.
kubectl -n tailscale create secret generic operator-oauth \
    --from-literal=client_id=$YOUR_CLIENT_ID_FROM_ABOVE \
    --from-literal=client_secret=$YOUR_CLIENT_SECRET_FROM_ABOVE

Now install the operator itself. Note that we set the API server proxy mode to noauth: in this mode the proxy forwards requests to the Kubernetes API server as-is, without translating tailnet identity into a Kubernetes user, so the cluster's own authentication (the credentials in your kubeconfig) still decides what each request may do. The Tailscale policy only decides who can reach the proxy at all.

helm upgrade \
  --install tailscale-operator tailscale/tailscale-operator \
  -n tailscale \
  --set-string apiServerProxyConfig.mode="noauth" \
  --reuse-values

With the operator installed, you can now set up access to the Kubernetes API and the other features listed above.