Secure, Scalable, Seamless: Tailscale Kubernetes Operator Now Generally Available

Tailscale enables teams to establish a secure, encrypted, and authenticated network between resources, whether they’re running in the cloud, on-premises, in VMs, containers, or across remote locations. With the Tailscale Kubernetes Operator now generally available (GA), organizations can seamlessly connect internal users to applications inside their clusters, securely access the Kubernetes control plane, enable frictionless service-to-service communication, and link multiple clusters together, all without complex VPNs or exposed public IPs.

Since its beta launch over a year ago, thousands of organizations have adopted the Tailscale Kubernetes Operator, even in production environments. Today’s GA release marks a major milestone in stability and reliability, building on the trust these users have already placed in Tailscale.

In this post, we’ll explore the most common use cases we’ve seen, along with the powerful features that make the operator a must-have for Kubernetes security and connectivity.

1. Secure, Zero-Trust Access to the Kubernetes API Server

Organizations require access to Kubernetes APIs for various reasons:

  • Cluster admins need privileged access to deploy shared tooling.
  • Developers need to deploy and manage their applications.
  • CI/CD systems require permissions to push updates.

Managing least-privilege access across these different roles can be tedious and error-prone. Additionally, many teams expose their API servers via public IPs, making them prime targets for attackers.

The Tailscale Kubernetes Operator’s API Server Proxy solves both problems by:

  • Routing all API requests over an encrypted, private connection (no public IP needed).
  • Mapping Tailscale identities (users, groups, and tagged devices) directly to Kubernetes RBAC roles, eliminating the need for separate cluster credentials.

When a user or device is removed from the tailnet, their access to the cluster is automatically revoked. Organizations can further enhance security by integrating Tailscale with:

  • External Identity Providers (IdPs) for automatic user sync.
  • Device posture checks to enforce security policies.
  • Just-In-Time (JIT) access for temporary, audited permissions.

New in GA: kubectl exec Session Recording

A major addition to the API Server Proxy is session recording for kubectl exec, which captures and stores terminal session logs in an S3-compatible bucket. These recordings help with:

  • Threat detection (identifying suspicious activity).
  • Incident investigation (auditing past sessions).
  • Compliance adherence (meeting security policy requirements).
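The identity-to-RBAC mapping and the session recording described above are both expressed in the tailnet policy file. The policy below is an added example, not from the post; the group and tag names, and the Kubernetes group `platform-admins`, are constructed, and it assumes the operator was installed with the API server proxy in auth mode.

```jsonc
{
  // Tailnet policy (HuJSON). Assumed names: group:platform-admins,
  // tag:k8s-operator (the operator's API server proxy) and
  // tag:k8s-recorder (a tsrecorder node writing to S3-compatible storage).
  "groups": {
    "group:platform-admins": ["alice@example.com", "bob@example.com"]
  },
  "tagOwners": {
    "tag:k8s-operator": ["group:platform-admins"],
    "tag:k8s-recorder": ["group:platform-admins"]
  },
  "grants": [
    {
      // Network reachability: the proxy serves the Kubernetes API on 443.
      // Nothing else on the tailnet can reach it without a matching grant.
      "src": ["group:platform-admins"],
      "dst": ["tag:k8s-operator"],
      "ip": ["443"]
    },
    {
      // Application capability: requests from this Tailscale group are
      // impersonated as Kubernetes group "platform-admins". No cluster
      // credentials are issued; removing a user from the tailnet group
      // removes their API access.
      "src": ["group:platform-admins"],
      "dst": ["tag:k8s-operator"],
      "app": {
        "tailscale.com/cap/kubernetes": [
          {
            "impersonate": { "groups": ["platform-admins"] },
            // Stream every kubectl exec session to the recorder node;
            // with enforceRecorder the exec fails if no recorder is reachable
            // rather than running unrecorded.
            "recorder": ["tag:k8s-recorder"],
            "enforceRecorder": true
          }
        ]
      }
    }
  ]
}
```

On the cluster side the impersonated group still needs a RoleBinding or ClusterRoleBinding; binding it to a namespaced `edit` role rather than `system:masters` keeps the least-privilege goal the post describes.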

2. Private Application Access Without Public Exposure

Kubernetes clusters host many internal-only workloads, such as:

  • Monitoring tools (private Prometheus/Grafana dashboards for app teams).
  • Internal dashboards (for sales, marketing, or support teams).
  • Self-hosted compliance-mandated software (in regulated industries).

Exposing these over the internet introduces unnecessary risk. The Tailscale Kubernetes Operator provides a secure, private access layer with:

  • Fine-grained ACLs to restrict access only to authorized users.
  • No public IPs required: all traffic flows over Tailscale’s encrypted network.
  • Native Kubernetes integration (using Ingress or Service resources) for easy deployment.

Two Proxy Modes for Different Use Cases

  • Application Layer Proxy (HTTPS) – Ideal for browser-accessible apps (e.g., Grafana, internal tools). Handles TLS termination automatically.
  • Network Layer Proxy (TCP/UDP) – For non-HTTP services (e.g., databases, custom protocols).
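The two proxy modes map onto ordinary Kubernetes resources. Both manifests below are an added example, not from the post; the workload names, namespaces, hostnames and `tag:k8s` are constructed, and the tag is assumed to be owned by the operator in the tailnet policy.

```yaml
# Application-layer proxy: the operator provisions a certificate for
# grafana.<tailnet>.ts.net, terminates TLS on the proxy pod and forwards
# plaintext to the Grafana Service inside the cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    # The proxy node joins the tailnet with this tag, so ACL grants
    # targeting tag:k8s decide which users may reach the dashboard.
    tailscale.com/tags: "tag:k8s"
spec:
  ingressClassName: tailscale
  defaultBackend:
    service:
      name: grafana
      port:
        number: 3000
  tls:
    - hosts:
        - grafana   # MagicDNS short name of the proxy
---
# Network-layer proxy: raw TCP to Postgres over the tailnet. The proxy does
# not terminate TLS here; transport encryption comes from WireGuard between
# peers, and the database's own authentication still applies.
apiVersion: v1
kind: Service
metadata:
  name: postgres-ts
  namespace: db
  annotations:
    tailscale.com/hostname: "postgres"
    tailscale.com/tags: "tag:k8s"
spec:
  type: LoadBalancer
  loadBalancerClass: tailscale   # handled by the operator, not a cloud LB
  selector:
    app: postgres
  ports:
    - name: pg
      protocol: TCP
      port: 5432
      targetPort: 5432
```

A grant in the tailnet policy limited to `tag:k8s` on port 5432 for the database team, and to 443 for dashboard users, is what turns "no public IP" into actual fine-grained access control.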

3. Hosting Tailscale Infrastructure in Kubernetes

Some customers run most (or all) of their infrastructure on Kubernetes, including Tailscale’s networking components. The Connector Custom Resource Definition (CRD) allows users to deploy:

  • Subnet routers (to bridge Kubernetes with on-prem networks).
  • Exit nodes (for secure egress traffic).
  • App connectors (to expose services securely).
  • SSH session recorder nodes (for auditing).
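A Connector resource for a subnet router that also serves as an exit node, as an added example not taken from the post; the name, tag and CIDR are constructed.

```yaml
# Deploys a Tailscale node inside the cluster that advertises routes to
# the tailnet and can act as an exit node. Assumed names: tag:k8s-subnet-router
# (must be owned by the operator's tag in the policy) and the route below.
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: cluster-subnet-router
spec:
  hostname: cluster-subnet-router
  tags:
    - tag:k8s-subnet-router
  subnetRouter:
    # Ranges reachable only from inside the cluster (here a constructed
    # Service CIDR) become routable for tailnet peers the policy permits.
    advertiseRoutes:
      - "10.96.0.0/12"
  # Optional: let permitted peers send all their traffic through the cluster.
  exitNode: true
```

Advertised routes are not usable until approved; an `autoApprovers.routes` entry for `tag:k8s-subnet-router` in the policy automates this, and the same ACL grants that govern any subnet router decide who can reach the advertised range.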

Exposing these workloads over the internet can be risky, and managing VPNs for distributed users is complex. The Tailscale Kubernetes Operator allows you to:

  • Securely share internal applications over a private network
  • Define fine-grained ACLs to restrict access to specific users or groups
  • Use native Kubernetes resources like Ingress or Service to embed proxies into your existing deployment workflows

You can choose between:

  • An application-layer proxy, which:
      ◦ Exposes apps over HTTPS
      ◦ Offloads TLS certificate management to Tailscale
      ◦ Is ideal for browser-based and HTTP clients
  • A network-layer proxy, for:
      ◦ Apps accessed using other protocols (e.g., TCP or UDP)

This gives you the flexibility to expose almost any workload securely, without exposing it to the public internet.

4. Enhanced Control & Reliability Features

Over the past year, we’ve added numerous improvements to give users more control, including:

  • Tailscale metrics integration for monitoring proxy performance.
  • Custom resource configurations to fine-tune proxy deployments.

High Availability (HA) Support (Coming Soon)

We’re actively working on HA mode for cluster proxies to ensure uninterrupted access to critical applications and the API server. This is already available for the egress proxy, with more features on the way.

Conclusion

The Tailscale Kubernetes Operator reaching general availability marks a major step forward in secure, seamless connectivity for Kubernetes environments. From simplified API access and internal app exposure to session recording and VPN infrastructure, it empowers teams to manage access with confidence and precision. With built-in support for ACLs, identity sync, and Kubernetes-native workflows, it’s designed to scale with your needs.

Source: https://tailscale.com/blog/k8s-operator-ga