Tailscale met Kubernetes
In my previous blog entry I mentioned Tailscale support in Kubernetes; this knowledge base entry describes it extensively.
For my use case the best option is sidecar mode, because I only want selected services to be available in the tailnet. In this mode tailscaled runs in the same pod as your service, and most Helm charts allow extra containers to be added, so it is pretty easy to implement. Unfortunately, running tailscaled this way requires elevated permissions: the sidecar container needs the NET_ADMIN Linux capability, because tailscaled creates a dedicated TUN network interface (the host kernel also needs TUN support). Some environments do not allow elevated permissions at all, which is why there is a userspace networking option: it does not create an interface and instead exposes a SOCKS5 proxy and an HTTP proxy on localhost, through which your service must send its outbound tailnet traffic.
Kubernetes pods are meant to run non-interactively, but one of the steps needed to join a tailnet is interactive authentication. To automate it you can create auth keys. These keys are used only to authenticate a node, and you can attach tags to them: whenever a node authenticates with a tagged key, those tags are assigned to it. Tags are one of the selectors used in the ACL, i.e. to define what can connect to what. Treat a reusable auth key as a credential: keep it in a Kubernetes Secret rather than in the manifest. As soon as the auth key has been used, tailscaled generates its state (including the node key), which can itself be stored in a Kubernetes Secret, so the next time the pod is recreated it first looks for that stored state and reconnects as the same node instead of registering a new one.
All of these options, such as where the tailscaled state lives, are configured through a component called containerboot, the entrypoint of the tailscale container image. It translates environment variables (TS_AUTHKEY, TS_KUBE_SECRET, TS_USERSPACE, TS_ACCEPT_DNS, ...) into arguments passed to tailscaled and performs the authentication. When you run tailscaled in sidecar mode, your service gets all the routes it needs to establish a bidirectional connection to your tailnet. To get access to MagicDNS you have to set the environment variable TS_ACCEPT_DNS to true, and it will automatically reconfigure the DNS resolver.
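Putting the pieces above together (sidecar container, NET_ADMIN, auth key in a Secret, state Secret with the RBAC it needs, TS_ACCEPT_DNS), here is an added example manifest. It is not code from the original post or from Tailscale's own documentation; the names `tailscale-auth`, `tailscale-state`, `demo-app` and the nginx placeholder workload are assumptions, and the auth key value is a placeholder to be filled in out of band.

```yaml
# Added example: Deployment with a tailscaled sidecar in kernel (TUN) mode,
# plus the Secret and RBAC it needs. Names are assumptions; adjust for your cluster.
apiVersion: v1
kind: Secret
metadata:
  name: tailscale-auth
stringData:
  # Assumption: a tagged, reusable auth key created in the admin console.
  # Never commit the real value; populate it with kubectl or a secrets operator.
  TS_AUTHKEY: tskey-auth-REPLACE-ME
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tailscale
---
# containerboot keeps the node state in the Secret named by TS_KUBE_SECRET,
# so the pod's ServiceAccount must be able to create that Secret and then
# read and update it. "create" cannot be restricted by resourceNames, hence
# the separate rule; get/update/patch are limited to the one state Secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tailscale-state
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["tailscale-state"]
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tailscale-state
subjects:
  - kind: ServiceAccount
    name: tailscale
roleRef:
  kind: Role
  name: tailscale-state
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  # One replica: every replica would otherwise share (and fight over)
  # the same state Secret and thus the same node identity.
  replicas: 1
  selector:
    matchLabels: {app: demo-app}
  template:
    metadata:
      labels: {app: demo-app}
    spec:
      serviceAccountName: tailscale
      containers:
        - name: app
          image: nginx:1.25   # placeholder workload, reachable only over the tailnet
          ports:
            - containerPort: 80
        - name: tailscale
          image: ghcr.io/tailscale/tailscale:latest
          env:
            - name: TS_AUTHKEY
              valueFrom:
                secretKeyRef: {name: tailscale-auth, key: TS_AUTHKEY}
            - name: TS_KUBE_SECRET     # where containerboot stores tailscaled state
              value: tailscale-state
            - name: TS_USERSPACE       # "false" = create a TUN interface (needs NET_ADMIN)
              value: "false"
            - name: TS_ACCEPT_DNS      # let tailscaled reconfigure the resolver for MagicDNS
              value: "true"
            # Userspace alternative for clusters that forbid NET_ADMIN: set
            #   TS_USERSPACE=true
            #   TS_SOCKS5_SERVER=localhost:1055
            #   TS_OUTBOUND_HTTP_PROXY_LISTEN=localhost:1055
            # drop the capability below, and point the app's outbound tailnet
            # traffic at that proxy.
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]       # only because TS_USERSPACE=false
```

Apply it with `kubectl apply -f`, then check `kubectl logs deploy/demo-app -c tailscale` for the login to complete and confirm the `tailscale-state` Secret has been written. Deleting and recreating the pod should bring the same node back without consuming the auth key again; if a new node appears in the admin console instead, the RBAC or TS_KUBE_SECRET setting is wrong.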