Deploy app connectors on Kubernetes

In Tailscale v1.78 and later, you can deploy an app connector to your Kubernetes cluster using the Tailscale Kubernetes Operator and its Connector custom resource definition.

The only tested and supported use case is to deploy an app connector to access SaaS applications available on the public internet. Using the app connector to expose cluster workloads or other internal workloads might work, but this is not a use case that Tailscale has tested or optimized for.

If you are using the app connector to access SaaS applications because you need a predictable egress IP address that you can add to an allowlist, it's also your responsibility to ensure that cluster traffic from the connector flows through that predictable IP address. For example, route cluster egress through a NAT device with a static IP address.

Prerequisites

Complete the following before deploying an app connector:

  1. Set up the Kubernetes operator.

  2. (Optional) Create a tag (for example, tag:github-connector) to attach to the connector device.

    If you do not specify a custom tag, the operator tags the connector device with tag:k8s.

    Make sure the operator is one of the tag owners for the connector tag:

    "tagOwners": {
      "tag:k8s-operator":     [],
      "tag:github-connector": ["tag:k8s-operator"],
    }
    

    You can use the visual policy editor to manage your tailnet policy file; refer to the visual editor reference for guidance.

  3. Configure the domains that route through the app connector in Apps.

  4. Configure tailnet policy permissions to route traffic for the required domains using the app connector. Refer to app connector policy configuration instructions.

Deploy the app connector

Follow these steps to deploy the app connector:

  1. Create your Connector resource based on the following example and save it as connector.yaml:

    apiVersion: tailscale.com/v1alpha1
    kind: Connector
    metadata:
      name: appc-github
    spec:
      appConnector: {}
    
  2. (Optional) Add preconfigured routes:

    apiVersion: tailscale.com/v1alpha1
    kind: Connector
    metadata:
      name: appc-github
    spec:
      appConnector:
        routes:
        - 140.82.114.4/32
    

    You can find all available Connector configuration options on GitHub.

  3. Apply the file:

    kubectl apply -f connector.yaml
    
  4. (Optional) Wait for the connector to become ready:

    kubectl wait --for condition=ConnectorReady=true Connector appc-github
    
    connector.tailscale.com/appc-github condition met
    
  5. (Optional) Add the app connector's egress IP address to an IP allowlist.
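The prerequisites and deployment steps above are easy to get slightly wrong (a tag the operator is not allowed to own, a route with host bits set in its CIDR). The following script is an added example, not part of this page or of the Tailscale operator's own tooling: it checks the tailnet policy's `tagOwners` section for the connector tag, validates the preconfigured routes, and builds the Connector manifest as JSON, which `kubectl apply -f` accepts alongside YAML. The sample policy fragment is constructed to mirror the `tagOwners` block above; the `spec.tags` field name is taken from the operator's Connector CRD rather than from this page.

```python
import ipaddress
import json

# Tag the operator itself uses in the page's tagOwners example.
OPERATOR_TAG = "tag:k8s-operator"
# Tag the operator applies to the connector device when spec.tags is not set.
DEFAULT_CONNECTOR_TAG = "tag:k8s"


def check_tag_owners(policy, connector_tag, operator_tag=OPERATOR_TAG):
    """Return problems with the policy's tagOwners section (empty list means OK).

    The operator can only create a device carrying connector_tag if the
    operator's own tag is listed as an owner of connector_tag.
    """
    problems = []
    owners = policy.get("tagOwners", {})
    if operator_tag not in owners:
        problems.append(f"{operator_tag} is not defined in tagOwners")
    if connector_tag not in owners:
        problems.append(f"{connector_tag} is not defined in tagOwners")
    elif operator_tag not in owners[connector_tag]:
        problems.append(f"{operator_tag} is not an owner of {connector_tag}")
    return problems


def validate_routes(routes):
    """Normalise routes to CIDR notation; reject anything that is not a clean network.

    strict=True makes ipaddress raise ValueError when host bits are set
    (e.g. 140.82.114.4/24), instead of silently widening the route.
    """
    return [str(ipaddress.ip_network(r, strict=True)) for r in routes]


def build_connector(name, routes=(), tag=None):
    """Build a Connector object shaped like the manifests in the steps above."""
    spec = {"appConnector": {}}
    if routes:
        spec["appConnector"]["routes"] = validate_routes(routes)
    if tag is not None:
        if not tag.startswith("tag:"):
            raise ValueError(f"tags must start with 'tag:', got {tag!r}")
        # spec.tags is the Connector CRD field for custom tags (assumed from the CRD, not this page).
        spec["tags"] = [tag]
    return {
        "apiVersion": "tailscale.com/v1alpha1",
        "kind": "Connector",
        "metadata": {"name": name},
        "spec": spec,
    }


def render_manifest(connector):
    """Serialise as JSON; kubectl apply -f accepts JSON as well as YAML."""
    return json.dumps(connector, indent=2)


# Constructed sample policy fragment, mirroring the page's tagOwners block.
SAMPLE_POLICY = {
    "tagOwners": {
        "tag:k8s-operator": [],
        "tag:github-connector": ["tag:k8s-operator"],
    }
}


def preflight(policy, name, routes=(), tag=None):
    """Run the policy check and build the manifest in one go.

    Returns (problems, manifest_json). problems is non-empty when the policy
    would prevent the operator from tagging the connector device.
    """
    effective_tag = tag if tag is not None else DEFAULT_CONNECTOR_TAG
    problems = check_tag_owners(policy, effective_tag)
    manifest = render_manifest(build_connector(name, routes, tag))
    return problems, manifest


if __name__ == "__main__":
    problems, manifest = preflight(
        SAMPLE_POLICY, "appc-github", ["140.82.114.4/32"], "tag:github-connector"
    )
    for p in problems:
        print("policy problem:", p)
    print(manifest)
```

Run it before `kubectl apply`: a non-empty problem list means the operator will not be able to tag the device and the Connector will never reach `ConnectorReady`. Omitting the tag argument makes the script check the default `tag:k8s`, which the sample policy does not define, so it reports that case too.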

Known issues and limitations

The following limitations apply:

  • Configuring the app connector requires a significant amount of manual setup, including updates to the tailnet policy file and the applications that route traffic through the connector.
  • The app connector's egress IP address cannot be discovered automatically. You can retrieve it from the Machines page of the admin console.