Session recording

The API server proxy can record kubectl sessions and Kubernetes API request events, giving you an audit trail of cluster interactions for security and compliance.

kubectl session recording

The following kubectl commands can be recorded:

  • kubectl exec
  • kubectl debug
  • kubectl attach
  • kubectl run

A session recording includes the command sent, stdout and stderr output, pod and container context, and the Tailscale identity of the user. stdin is not recorded to protect sensitive data like passwords.

API request event recordings

When enabled, all Kubernetes API requests passing through the proxy are recorded. Each event includes the API verb, targeted resource, HTTP details, client user agent, and the Tailscale identity of the requesting device or user.

How recordings are routed

When a user connects to the API server proxy, the control plane determines which tsrecorder instances should receive recordings based on the user's grants. The proxy then streams session data to a tsrecorder instance over your tailnet, end-to-end encrypted using WireGuard.

The tsrecorder does not need to run in the same cluster as the API server proxy. It can be deployed anywhere on your tailnet. Any tsrecorder instance that matches the tags specified in the grant receives recordings.

Failure policy

If the tsrecorder is unreachable, the proxy can either:

  • Fail open (default): Sessions proceed even if they cannot be recorded.
  • Fail closed: Sessions are blocked if recording is not possible.
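The routing and failure-policy behavior above can be checked in a tailnet policy file before relying on recordings as an audit trail. The following is an added example, not code from this page or from the operator. It assumes the policy has been exported as plain JSON and that recording is configured through the `recorder` and `enforceRecorder` fields of the `tailscale.com/cap/kubernetes` app capability; the groups, tags and sample policy are constructed.

```python
import json

K8S_CAP = "tailscale.com/cap/kubernetes"  # assumed capability name, not shown on this page

# Constructed sample policy (plain JSON, not HuJSON); all names are illustrative.
SAMPLE_POLICY = json.loads("""
{
  "grants": [
    {"src": ["group:sre"], "dst": ["tag:k8s-operator"],
     "app": {"tailscale.com/cap/kubernetes": [
       {"recorder": ["tag:tsrecorder"], "enforceRecorder": true}]}},
    {"src": ["group:dev"], "dst": ["tag:k8s-operator"],
     "app": {"tailscale.com/cap/kubernetes": [
       {"recorder": ["tag:tsrecorder"]}]}},
    {"src": ["group:contractors"], "dst": ["tag:k8s-operator"],
     "app": {"tailscale.com/cap/kubernetes": [
       {"impersonate": {"groups": ["view"]}}]}},
    {"src": ["group:dev"], "dst": ["tag:web"], "ip": ["tcp:443"]}
  ]
}
""")

def audit_recording(policy):
    """Classify every Kubernetes capability rule by its recording failure mode."""
    findings = []
    for idx, grant in enumerate(policy.get("grants", [])):
        for rule in grant.get("app", {}).get(K8S_CAP, []):
            recorders = rule.get("recorder") or []
            if not recorders:
                status = "not-recorded"   # no tsrecorder tags: nothing is streamed
            elif rule.get("enforceRecorder") is True:
                status = "fail-closed"    # session blocked if recording is not possible
            else:
                status = "fail-open"      # default: session proceeds unrecorded
            findings.append({"grant": idx, "src": grant.get("src", []),
                             "recorders": recorders, "status": status})
    return findings

def unrecorded_paths(policy):
    """Grants an auditor should review: anything that is not fail-closed."""
    return [f for f in audit_recording(policy) if f["status"] != "fail-closed"]

if __name__ == "__main__":
    for f in audit_recording(SAMPLE_POLICY):
        print(f"grant[{f['grant']}] src={f['src']} "
              f"recorders={f['recorders']} -> {f['status']}")
```

Each grant is evaluated on its own here; the script does not resolve which grants apply to a given user.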

The Recorder custom resource

The operator provides a Recorder custom resource as a convenience for deploying tsrecorder in-cluster. It manages the pod lifecycle and supports configurable storage backends:

  • Ephemeral filesystem (default): Recordings stored in an emptyDir volume. Suitable for testing, but lost if the pod is deleted.
  • S3-compatible object storage: Recommended for production to ensure durable, long-term retention.

For setup instructions, refer to Deploy a recorder.

Future exploration

  • Deploy the session recorder.
  • Record kubectl sessions.
  • Access the Kubernetes API over Tailscale.