# Deploy exit nodes and subnet routers on Kubernetes

The Tailscale Kubernetes operator installation includes a Connector Custom Resource Definition. You can use the Connector to configure the operator to deploy a Tailscale device that acts as a Tailscale subnet router, an exit node, or both.

For example, you can deploy a Connector that acts as a subnet router and exposes to your tailnet cluster Service CIDRs, or cloud service CIDRs that are reachable from the cluster but not publicly accessible.
## Prerequisites
## Deploy an exit node or subnet router

To create a Connector that exposes the 10.40.0.0/14 CIDR to your tailnet:

1. (Optional) Set the tag of the Connector node to be auto-approved. By default, the device will be tagged with `tag:k8s`. You can set one or more custom tags using `.connector.spec.tags` in step 2. If you set a custom tag, you must also ensure that the operator is an owner of this tag.

2. Create a Connector Custom Resource:

   ```yaml
   apiVersion: tailscale.com/v1alpha1
   kind: Connector
   metadata:
     name: ts-pod-cidrs
   spec:
     hostname: ts-pod-cidrs
     subnetRouter:
       advertiseRoutes:
         - "10.40.0.0/14"
   ```

3. Wait for the Connector resources to get created:

   ```
   $ kubectl get connector ts-pod-cidrs
   NAME           SUBNETROUTES   ISEXITNODE   STATUS
   ts-pod-cidrs   10.40.0.0/14   false        ConnectorCreated
   ```

4. (Optional) If you did not configure the route to be auto-approved in step 1, open the Machines page of the admin console and manually approve the newly created `ts-pod-cidrs` device to advertise the `10.40.0.0/14` route.

5. (Optional and for Linux clients only) Ensure that clients that need to access resources in the subnet have accepted the advertised route.
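The whole procedure above, steps 1 to 5, as an added bash example that is not from the Tailscale documentation or the operator project. It keeps a policy-file fragment for step 1 next to the manifest so the tag names line up, renders a Connector that can be a subnet router, an exit node, or both (it generalizes the single-route manifest in step 2 to several routes and custom tags), applies it and polls for the `ConnectorCreated` status from step 3, and on a Linux client accepts routes and confirms the subnet is installed. The custom tag `tag:k8s-router`, the second CIDR `10.44.0.0/16` and all function names are assumptions; `tag:k8s-operator` is the operator's default tag, and `exitNode` and `tags` are fields of the Connector spec.

```shell
#!/usr/bin/env bash
# Added example, not Tailscale's own code. Assumes the operator is installed and
# holds its default tag:k8s-operator; tag:k8s-router is a name chosen here.
set -eu

# Step 1: policy-file (HuJSON) fragment that makes the operator an owner of the
# custom tag and auto-approves routes and exit-node advertisement for devices
# carrying it. Merge it into the tailnet policy file by hand.
policy_fragment() {
  cat <<'EOF'
{
  "tagOwners": {
    "tag:k8s-operator": [],
    "tag:k8s-router":   ["tag:k8s-operator"]
  },
  "autoApprovers": {
    "routes":   { "10.40.0.0/14": ["tag:k8s-router"] },
    "exitNode": ["tag:k8s-router"]
  }
}
EOF
}

# Step 2: render the Connector manifest.
#   $1 = name (also used as hostname)   $2 = space-separated CIDRs ("" = none)
#   $3 = "true"/"false" for exit node     $4 = space-separated tags ("" = default tag:k8s)
render_connector() {
  local name=$1 routes=$2 exit_node=$3 tags=$4 cidr tag
  cat <<EOF
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: ${name}
spec:
  hostname: ${name}
  exitNode: ${exit_node}
EOF
  if [ -n "${tags}" ]; then
    printf '  tags:\n'
    for tag in ${tags}; do printf '    - "%s"\n' "${tag}"; done
  fi
  if [ -n "${routes}" ]; then
    printf '  subnetRouter:\n    advertiseRoutes:\n'
    for cidr in ${routes}; do printf '      - "%s"\n' "${cidr}"; done
  fi
}

# Step 3 helper: pull the STATUS column (always the last column, so an empty
# SUBNETROUTES column on an exit-node-only Connector does not shift it) for one
# Connector out of `kubectl get connector` table output read from stdin.
connector_status() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $NF }'
}

# Step 3: apply the manifest and poll until the operator reports ConnectorCreated.
apply_and_wait() {
  local name=$1 manifest=$2 status="" i
  printf '%s\n' "${manifest}" | kubectl apply -f -
  for i in $(seq 1 30); do
    status=$(kubectl get connector "${name}" 2>/dev/null | connector_status "${name}" || true)
    if [ "${status}" = "ConnectorCreated" ]; then
      echo "${name}: ${status}"
      return 0
    fi
    sleep 5
  done
  echo "timed out waiting for ${name} (last status: '${status}')" >&2
  return 1
}

# Step 5, Linux client side: accept advertised routes, then confirm the subnet
# landed in Tailscale's routing table (table 52 on Linux).
client_route_check() {
  local cidr=$1
  sudo tailscale set --accept-routes
  ip route show table 52 | grep -q "^${cidr}" && echo "route ${cidr} installed"
}
```

Usage on the cluster side, after sourcing the file: `manifest=$(render_connector ts-pod-cidrs "10.40.0.0/14 10.44.0.0/16" true "tag:k8s-router")` followed by `apply_and_wait ts-pod-cidrs "${manifest}"`; on a Linux client, `client_route_check 10.40.0.0/14`. Passing `true` for the third argument makes the same device an exit node, which only takes effect once the exit-node advertisement is approved (auto-approved by the `exitNode` entry in the policy fragment, or manually in the admin console).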
## Customization

Learn how to customize the operator and resources it manages. You can find all available Connector configuration options on GitHub.

## Troubleshooting

Learn how to troubleshoot the operator and resources it manages.