Deploy exit nodes and subnet routers on Kubernetes

The Tailscale Kubernetes Operator installation includes a Connector Custom Resource Definition. You can use the Connector to configure the operator to deploy a device that acts as an exit node, a subnet router, or both.

For example, you can deploy a Connector that acts as a subnet router and exposes cluster Service CIDRs or cloud service CIDRs that are available from the cluster but not publicly accessible.

Prerequisites

Complete the following before deploying a Connector:

  • Install the Tailscale Kubernetes Operator.

Deploy an exit node or subnet router

To create a Connector that exposes the 10.40.0.0/14 CIDR to your tailnet:

  1. (Optional) Configure the Connector node's tag for automatic route approval. By default, the device is tagged with tag:k8s. You can set custom tags using .connector.spec.tags. If you set a custom tag, ensure that the operator is an owner of that tag; otherwise it cannot create a device with it.

  2. Create a Connector custom resource:

    apiVersion: tailscale.com/v1alpha1
    kind: Connector
    metadata:
      name: ts-pod-cidrs
    spec:
      replicas: 1
      hostnamePrefix: ts-pod-cidrs
      subnetRouter:
        advertiseRoutes:
          - "10.40.0.0/14"
    
  3. Verify resource creation:

    kubectl get connector ts-pod-cidrs
    NAME           SUBNETROUTES   ISEXITNODE   STATUS
    ts-pod-cidrs   10.40.0.0/14   false        ConnectorCreated
    
  4. (Optional) If you did not configure automatic approval, open the Machines page of the admin console and manually approve the newly created ts-pod-cidrs device to advertise the 10.40.0.0/14 route.

  5. (Optional) Linux clients needing to access resources in the subnet must accept the advertised route.
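A pre-apply check for the procedure above, added here as an example and not part of the Tailscale docs or the operator: it lints a Connector manifest for the mistakes that cause approval or routing trouble (tags without the tag: prefix, tags the operator does not own, malformed CIDRs, a default route advertised as a subnet route, and routes that overlap the tailnet's own address range). The manifest dict is the page's YAML reproduced; the policy fragment and the operator tag tag:k8s-operator are assumptions.

```python
import ipaddress

# Address range Tailscale assigns to tailnet nodes; an advertised route must not overlap it.
TAILNET_CGNAT = ipaddress.ip_network("100.64.0.0/10")

# The Connector manifest from this page, reproduced as a dict (constructed input).
PAGE_MANIFEST = {
    "apiVersion": "tailscale.com/v1alpha1", "kind": "Connector",
    "metadata": {"name": "ts-pod-cidrs"},
    "spec": {"replicas": 1, "hostnamePrefix": "ts-pod-cidrs",
             "subnetRouter": {"advertiseRoutes": ["10.40.0.0/14"]}},
}
# Constructed tagOwners fragment of a tailnet policy file; tag:k8s-operator is assumed
# to be the operator's own tag.
EXAMPLE_POLICY = {"tagOwners": {"tag:k8s": ["tag:k8s-operator"]}}

def lint_connector(manifest: dict, policy: dict, operator_tag: str = "tag:k8s-operator") -> list:
    """Return findings for a Connector manifest; an empty list means it passed."""
    findings = []
    if (manifest.get("apiVersion"), manifest.get("kind")) != ("tailscale.com/v1alpha1", "Connector"):
        findings.append("not a tailscale.com/v1alpha1 Connector")
    spec = manifest.get("spec", {})
    # Tags need the tag: prefix, and the operator must own them or it cannot create the device.
    owners = policy.get("tagOwners", {})
    for tag in spec.get("tags", ["tag:k8s"]):  # tag:k8s is the documented default
        if not tag.startswith("tag:"):
            findings.append(f"tag {tag!r} lacks the tag: prefix")
        elif operator_tag not in owners.get(tag, []):
            findings.append(f"{operator_tag} is not an owner of {tag} in tagOwners")
    routes = spec.get("subnetRouter", {}).get("advertiseRoutes", [])
    if not routes and not spec.get("exitNode"):
        findings.append("neither subnetRouter.advertiseRoutes nor exitNode: true is set")
    seen = []
    for r in routes:
        try:
            net = ipaddress.ip_network(r)  # strict mode rejects CIDRs with host bits set
        except ValueError as e:
            findings.append(f"route {r!r} is not a valid CIDR: {e}")
            continue
        if net.prefixlen == 0:
            findings.append(f"route {r} is a default route; use exitNode: true instead")
        if net.overlaps(TAILNET_CGNAT):
            findings.append(f"route {r} overlaps the tailnet address range {TAILNET_CGNAT}")
        for prev in seen:
            if net.overlaps(prev):
                findings.append(f"route {r} overlaps {prev}")
        seen.append(net)
    return findings

if __name__ == "__main__":
    print(lint_connector(PAGE_MANIFEST, EXAMPLE_POLICY) or "manifest passed")
```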

Customization

For details on customizing the operator and the resources it manages, refer to Kubernetes Operator customization. You can find all available Connector configuration options on GitHub.

Troubleshooting

For troubleshooting information, refer to Troubleshooting the Tailscale Kubernetes Operator.