Tailscale Setup

Tailscale Operator provides private access to cluster services and kubectl via VPN.

Docs: https://tailscale.com/kb/1236/kubernetes-operator

Prerequisites

  • Tailscale account with server joined (Step 1.1)
  • Doppler project with shared config (Step 2.1)

1. Configure ACL Policy

  1. Open ACL Editor
  2. Add or merge these sections:
```jsonc
{
  "tagOwners": {
    "tag:k8s-operator": ["autogroup:admin"],
    "tag:k8s":          ["tag:k8s-operator"],
    "tag:server":       ["autogroup:admin"],
    // ... other tags
  },
  "acls": [
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:server:22,2222"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:k8s:443"]},
    // ... other rules
  ],
  "grants": [
    {
      "src": ["autogroup:admin"],
      "dst": ["tag:k8s-operator"],
      "ip":  ["*:*"],
      "app": {
        "tailscale.com/cap/kubernetes": [{
          "impersonate": {"groups": ["system:masters"]},
        }],
      },
    },
    // ... other grants
  ],
  "autoApprovers": {
    "services": {
      "tag:k8s": ["tag:k8s"],
    },
    // ... other auto approvers
  },
  "ssh": [
    {
      "action": "check",
      "src":    ["autogroup:admin"],
      "dst":    ["tag:server"],
      "users":  ["autogroup:nonroot", "root"],
    },
    // ... other ssh rules
  ],
  // ... other sections
}
```
What each section does

| Section | Purpose |
| --- | --- |
| tagOwners | Defines who can assign tags to devices |
| acls[0] | Admins: full access to all devices |
| acls[1] | Server SSH: only admins can SSH (ports 22, 2222) |
| acls[2] | K8s services: members can access HTTPS only |
| grants | Admin kubectl access via API Server Proxy |
| autoApprovers | Auto-approve Tailscale Services |

Security model:

  • autogroup:admin → full access (SSH, kubectl, all services)
  • autogroup:member → only HTTPS services (:443)
  • Others → no access
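The following script is an added example written for this page (it is not part of the repository and not Tailscale's policy engine). It embeds the policy above as constructed input, converts the HuJSON (comments, trailing commas) to plain JSON, and then checks the three security-model claims with a deliberately simplified evaluator: `src` entries are compared literally against the group name you pass in (membership of `autogroup:admin` or `autogroup:member` is not resolved), `dst` entries are matched on exact tag and port, and the grant is inspected only for the `tailscale.com/cap/kubernetes` impersonation capability. The identity `user:nobody@example.invalid` is a constructed placeholder for a principal in neither group. Use it as a pre-flight sanity check before pasting the policy into the ACL editor; the tailnet's own policy preview remains authoritative.

```python
import json
import re

# The ACL policy from this document (HuJSON: comments and trailing commas
# allowed), embedded here as constructed input for the example.
POLICY_HUJSON = r'''
{
  "tagOwners": {
    "tag:k8s-operator": ["autogroup:admin"],
    "tag:k8s":          ["tag:k8s-operator"],
    "tag:server":       ["autogroup:admin"],
    // ... other tags
  },
  "acls": [
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:server:22,2222"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:k8s:443"]},
  ],
  "grants": [
    {
      "src": ["autogroup:admin"],
      "dst": ["tag:k8s-operator"],
      "ip":  ["*:*"],
      "app": {"tailscale.com/cap/kubernetes": [{"impersonate": {"groups": ["system:masters"]}}]},
    },
  ],
}
'''


def hujson_to_json(text):
    """Strip // and /* */ comments outside string literals, then drop trailing
    commas (simple regex; assumes no ",}" or ",]" inside string values)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\":                      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):         # skip to end of line
            end = text.find("\n", i)
            i = (n if end == -1 else end) - 1
        elif text.startswith("/*", i):         # skip block comment
            end = text.find("*/", i + 2)
            i = (n if end == -1 else end + 2) - 1
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def _dst_matches(entry, tag, port):
    """Does a dst entry like 'tag:k8s:443', 'tag:server:22,2222' or '*:*' cover tag:port?"""
    host, _, ports = entry.rpartition(":")
    if host not in ("*", tag):
        return False
    if ports == "*":
        return True
    for p in ports.split(","):                 # single ports and lo-hi ranges
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(policy, src, tag, port):
    """Simplified ACL check: src is matched literally (no group expansion),
    and any accepting rule that covers tag:port allows the connection."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if src not in rule["src"] and "*" not in rule["src"]:
            continue
        if any(_dst_matches(d, tag, port) for d in rule["dst"]):
            return True
    return False


def kube_groups(policy, src):
    """Kubernetes groups src may impersonate via the API server proxy grant."""
    groups = []
    for g in policy.get("grants", []):
        if src in g["src"] and "tag:k8s-operator" in g["dst"]:
            for cap in g.get("app", {}).get("tailscale.com/cap/kubernetes", []):
                groups += cap.get("impersonate", {}).get("groups", [])
    return groups


def check_security_model(policy):
    """Evaluate the claims in the 'Security model' list against the policy."""
    other = "user:nobody@example.invalid"      # constructed: in neither group
    return {
        "admin_ssh":    is_allowed(policy, "autogroup:admin", "tag:server", 22),
        "admin_any":    is_allowed(policy, "autogroup:admin", "tag:k8s", 8443),
        "admin_kube":   kube_groups(policy, "autogroup:admin"),
        "member_https": is_allowed(policy, "autogroup:member", "tag:k8s", 443),
        "member_ssh":   is_allowed(policy, "autogroup:member", "tag:server", 22),
        "member_other": is_allowed(policy, "autogroup:member", "tag:k8s", 8443),
        "other_https":  is_allowed(policy, other, "tag:k8s", 443),
    }


POLICY = json.loads(hujson_to_json(POLICY_HUJSON))

if __name__ == "__main__":
    for name, result in check_security_model(POLICY).items():
        print(f"{name:13} {result}")
```

Running it prints one line per check; the expected picture is that only the admin rows are `True` or list `system:masters`, `member_https` is `True`, and every other member or outsider row is `False`. If you later add rules, rerunning this after editing `POLICY_HUJSON` shows immediately whether the member and outsider rows have widened.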

2. Enable HTTPS

Required for API Server Proxy (kubectl via Tailscale).

  1. Open DNS Settings
  2. Scroll to HTTPS Certificates
  3. Click Enable HTTPS

3. Create OAuth Client

  1. Open OAuth Clients
  2. Click Generate OAuth client
  3. Select scopes:
    • Devices: Core → Write
    • Auth Keys → Write
    • Services → Write
  4. Add tag: tag:k8s-operator
  5. Click Generate client
  6. Save Client ID as <TS_CLIENT_ID>
  7. Add the client secret to Doppler as TS_OAUTH_CLIENT_SECRET

4. Get Tailnet Name

Find it in Machines; it appears in device hostnames (e.g., server.tail123456.ts.net).

Note: Want to change tailnet name? Do it now — see Tailscale Server Setup.

Save as <TAILNET_NAME> (just the tail123456 part).


Troubleshooting

Operator not joining tailnet

```bash
kubectl get secret tailscale-oauth -n tailscale -o yaml
kubectl logs -n tailscale -l app.kubernetes.io/name=tailscale-operator
```

Check Machines for tailscale-operator with tag:k8s-operator.

kubectl access denied

  1. Verify HTTPS enabled in DNS settings
  2. Check ACL grants include your user/group
  3. Verify apiServerProxyConfig.mode: "true" in operator values

Service "Pending approval"

Add autoApprovers to ACL (see step 1).

Ingress not appearing in Services

Check Services — ingress should appear as ts-ingress-0, ts-ingress-1 with tag:k8s.

```bash
kubectl get pods -n tailscale
kubectl logs -n tailscale -l app.kubernetes.io/name=tailscale-operator
```