Record kubectl sessions

This guide explains how to configure grants in your tailnet policy file to enable kubectl session recording. Grants control which users or devices have their sessions recorded, which tsrecorder instance receives the recordings, and whether recording is enforced.

Prerequisites

Before you begin, make sure you have the following:

Basic recording

Record sessions for group:engineering connecting to any proxy tagged tag:k8s-operator:

"grants": [
  {
    "src": ["group:engineering"],
    "dst": ["tag:k8s-operator"],
    "app": {
      "tailscale.com/cap/kubernetes": [{
        "recorder": ["tag:tsrecorder"]
      }]
    }
  }
]

Enforced recording

Block sessions if the recorder is unreachable by setting enforceRecorder to true:

"grants": [
  {
    "src": ["group:engineering"],
    "dst": ["tag:k8s-operator"],
    "app": {
      "tailscale.com/cap/kubernetes": [{
        "recorder": ["tag:tsrecorder"],
        "enforceRecorder": true
      }]
    }
  }
]

Combining with impersonation

Record the session while also granting Kubernetes RBAC permissions:

"grants": [
  {
    "src": ["group:engineering"],
    "dst": ["tag:k8s-operator"],
    "app": {
      "tailscale.com/cap/kubernetes": [{
        "impersonate": { "groups": ["system:masters"] },
        "recorder": ["tag:tsrecorder"]
      }]
    }
  }
]
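The three grant shapes above (recorder only, recorder with enforceRecorder, impersonation with recorder) differ in what happens when the recorder is unavailable or absent. The following audit script is an added example, not part of this page or of Tailscale's tooling; it walks the "grants" section of a policy and flags capability entries that grant impersonation without any recorder, or name a recorder without enforceRecorder. It assumes the policy has already been converted from HuJSON to plain JSON, and the sample policy, the group names group:sre and group:platform, and the finding names are constructed for illustration.

```python
import json

CAP = "tailscale.com/cap/kubernetes"

# Constructed sample policy: the grants from this page plus two variants
# (group:sre and group:platform are made-up group names).
SAMPLE_POLICY = json.loads("""
{
  "grants": [
    {
      "src": ["group:engineering"],
      "dst": ["tag:k8s-operator"],
      "app": {"tailscale.com/cap/kubernetes": [{
        "recorder": ["tag:tsrecorder"]
      }]}
    },
    {
      "src": ["group:sre"],
      "dst": ["tag:k8s-operator"],
      "app": {"tailscale.com/cap/kubernetes": [{
        "impersonate": {"groups": ["system:masters"]}
      }]}
    },
    {
      "src": ["group:platform"],
      "dst": ["tag:k8s-operator"],
      "app": {"tailscale.com/cap/kubernetes": [{
        "impersonate": {"groups": ["system:masters"]},
        "recorder": ["tag:tsrecorder"],
        "enforceRecorder": true
      }]}
    }
  ]
}
""")


def audit_kubernetes_grants(policy):
    """Return (finding, grant_index, src, dst) tuples for risky capability entries."""
    findings = []
    for i, grant in enumerate(policy.get("grants", [])):
        src, dst = grant.get("src", []), grant.get("dst", [])
        for cap in grant.get("app", {}).get(CAP, []):
            recorder = cap.get("recorder") or []
            if cap.get("impersonate") and not recorder:
                # Kubernetes RBAC granted through impersonation with no recorder at all.
                findings.append(("impersonation-unrecorded", i, src, dst))
            if recorder and not cap.get("enforceRecorder", False):
                # A recorder is named, but sessions are not blocked when it is unreachable.
                findings.append(("recording-not-enforced", i, src, dst))
    return findings


if __name__ == "__main__":
    for finding in audit_kubernetes_grants(SAMPLE_POLICY):
        print(*finding)
```

Running it against the sample reports the first grant as not enforced and the second as impersonation without recording; the third, which combines all three keys, produces no finding.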

Enable API request event recording

API request event recording is in beta.

Add "enableEvents": true to record all Kubernetes API requests in addition to kubectl sessions:

"acls": [
  {
    "action": "accept",
    "src": ["group:engineering"],
    "dst": ["tag:k8s-operator:443"]
  }
],
"grants": [
  {
    "src": ["group:engineering"],
    "dst": ["tag:k8s-operator"],
    "app": {
      "tailscale.com/cap/kubernetes": [{
        "recorder": ["tag:tsrecorder"],
        "enableEvents": true
      }]
    }
  }
]

With event recording enabled, the recorder captures more than interactive kubectl sessions: it also records every API request that passes through the proxy, including get, list, create, and delete operations.
