Deploy tsrecorder on Kubernetes using the operator
In Tailscale 1.74 and later, you can deploy tsrecorder to your Kubernetes cluster using the operator and its Recorder Custom Resource Definition (CRD), and use it as a recording destination for SSH sessions.
The recorder joins your tailnet and receives end-to-end-encrypted recordings over WireGuard, just like any other tsrecorder device running in your tailnet.
Prerequisites
- Set up the Kubernetes operator.
- (Optional) Create a tag, for example tag:k8s-recorder, to attach to the tsrecorder device. Referring to the recorder by tag is convenient when configuring the ACLs for SSH session recording. Make sure the operator is one of the tag owners for your recorder tag:

  ```json
  "tagOwners": {
    "tag:k8s-operator": [],
    "tag:k8s-recorder": ["tag:k8s-operator"],
  }
  ```

- (Optional) Enable HTTPS for your tailnet if you want to use the recorder's UI.
Deploy
- Create your Recorder resource based on the following spec, adjust it as required using the reference documentation, and save it as recorder.yaml. This minimal spec saves recordings to a local temporary directory that persists only for the lifetime of the Pod; use the s3 storage option shown in the Examples section for durable storage.

  ```yaml
  apiVersion: tailscale.com/v1alpha1
  kind: Recorder
  metadata:
    name: recorder
  spec:
    enableUI: true
  ```

- Apply the file:

  ```sh
  kubectl apply -f recorder.yaml
  ```

- (Optional) Wait for the recorder to become ready:

  ```sh
  $ kubectl wait --for condition=RecorderReady=true Recorder recorder
  recorder.tailscale.com/recorder condition met
  ```

- (Optional) Find the URL for the recorder's UI:

  ```sh
  $ kubectl get Recorder recorder
  NAME       STATUS            URL
  recorder   RecorderCreated   https://recorder-0.tails-scales.ts.net
  ```
Examples
The following example:
- Creates a Secret named "s3-auth" in the same namespace as the Tailscale operator, holding AWS credentials for writing to a pre-existing S3 bucket named "tsrecorder-bucket". These are static, long-lived credentials: scope their IAM policy to that bucket and restrict who can read Secrets in the namespace.
- Deploys a StatefulSet with a single replica of tsrecorder.
- Assigns the tag tag:k8s-recorder to the recorder tailnet device.
- Enables the recorder's UI.
- Stores the recordings in the "tsrecorder-bucket" S3 bucket, with the S3 credentials passed to tsrecorder as environment variables from the "s3-auth" Secret.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: s3-auth
  namespace: tailscale
stringData:
  AWS_ACCESS_KEY_ID: ABC...
  AWS_SECRET_ACCESS_KEY: xyz123...
---
apiVersion: tailscale.com/v1alpha1
kind: Recorder
metadata:
  name: recorder
  namespace: tailscale
spec:
  enableUI: true
  tags:
    - "tag:k8s-recorder"
  storage:
    s3:
      endpoint: s3.us-east-1.amazonaws.com
      bucket: tsrecorder-bucket
      credentials:
        secret:
          name: s3-auth
```
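The Secret and Recorder pair from the example, assembled and cross-checked against the tailnet policy. This is an added example, not code from Tailscale or the operator: it builds the two manifests as plain Python dicts, emits them as a JSON List that kubectl apply -f accepts, and checks the constraints stated on this page, namely that the Secret lives in the operator's namespace, that the operator owns every tag the recorder carries, and that a Recorder without s3 storage is ephemeral. The operator namespace tailscale is taken from the example; the policy fragment is constructed, its tag:prod target is invented, and the SSH rule's recorder and enforceRecorder fields come from Tailscale's SSH policy syntax rather than from this page.

```python
"""Build and sanity-check the Secret + Recorder pair from the example above.

Added example, not Tailscale or operator code. Standard library only; the
output is JSON, which `kubectl apply -f` accepts alongside YAML. The SSH
rule's "recorder"/"enforceRecorder" fields are Tailscale policy syntax not
shown on this page, and "tag:prod" is a constructed SSH target.
"""
import json

OPERATOR_TAG = "tag:k8s-operator"
OPERATOR_NAMESPACE = "tailscale"  # assumption: the namespace the operator runs in
REQUIRED_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def s3_secret(name, namespace, access_key_id, secret_access_key):
    """Secret whose keys tsrecorder reads as environment variables."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "stringData": {"AWS_ACCESS_KEY_ID": access_key_id,
                       "AWS_SECRET_ACCESS_KEY": secret_access_key},
    }


def recorder(name, namespace, tags, s3=None, enable_ui=True):
    """Recorder CR; s3=None yields the ephemeral (local tmpdir) variant."""
    spec = {"enableUI": enable_ui, "tags": list(tags)}
    if s3 is not None:
        spec["storage"] = {"s3": s3}
    return {"apiVersion": "tailscale.com/v1alpha1", "kind": "Recorder",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def check(rec, secret, policy, operator_namespace=OPERATOR_NAMESPACE):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if (rec.get("apiVersion"), rec.get("kind")) != ("tailscale.com/v1alpha1", "Recorder"):
        problems.append("not a tailscale.com/v1alpha1 Recorder")
    spec = rec.get("spec", {})
    tags = spec.get("tags", [])
    owners = policy.get("tagOwners", {})
    # The operator creates the device, so it must own every tag it assigns.
    for tag in tags:
        if not tag.startswith("tag:"):
            problems.append(f"{tag!r} is not a tag")
        elif OPERATOR_TAG not in owners.get(tag, []):
            problems.append(f"{OPERATOR_TAG} does not own {tag}")
    # An SSH rule that records to a tag this Recorder lacks will not land here.
    for rule in policy.get("ssh", []):
        for target in rule.get("recorder", []):
            if target not in tags:
                problems.append(f"ssh rule records to {target}, not carried by this Recorder")
    s3 = spec.get("storage", {}).get("s3")
    if s3 is None:
        problems.append("no s3 storage: recordings live only as long as the Pod")
        return problems
    ref = s3.get("credentials", {}).get("secret", {}).get("name")
    if secret["metadata"]["name"] != ref:
        problems.append(f"Recorder references Secret {ref!r}, got {secret['metadata']['name']!r}")
    if secret["metadata"].get("namespace") != operator_namespace:
        problems.append(f"Secret must live in the operator namespace {operator_namespace!r}")
    present = set(secret.get("stringData", {})) | set(secret.get("data", {}))
    for key in sorted(REQUIRED_KEYS - present):
        problems.append(f"Secret lacks {key}")
    return problems


def render(*objs):
    """Wrap several objects in a v1 List so a single file applies them all."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(objs)}, indent=2)


# Constructed policy fragment in the shape of a Tailscale policy file.
POLICY = {
    "tagOwners": {
        "tag:k8s-operator": [],
        "tag:k8s-recorder": ["tag:k8s-operator"],
        "tag:prod": ["autogroup:admin"],
    },
    "ssh": [{
        "action": "accept",
        "src": ["autogroup:member"],
        "dst": ["tag:prod"],
        "users": ["autogroup:nonroot"],
        "recorder": ["tag:k8s-recorder"],
        "enforceRecorder": True,
    }],
}

# Same values as the page's example; the credentials are its placeholders.
EXAMPLE_SECRET = s3_secret("s3-auth", "tailscale", "ABC...", "xyz123...")
EXAMPLE_RECORDER = recorder("recorder", "tailscale", ["tag:k8s-recorder"], s3={
    "endpoint": "s3.us-east-1.amazonaws.com",
    "bucket": "tsrecorder-bucket",
    "credentials": {"secret": {"name": "s3-auth"}},
})

if __name__ == "__main__":
    for p in check(EXAMPLE_RECORDER, EXAMPLE_SECRET, POLICY):
        print("problem:", p)
    with open("recorder.json", "w") as f:  # then: kubectl apply -f recorder.json
        f.write(render(EXAMPLE_SECRET, EXAMPLE_RECORDER))
```

Run it before applying: an empty problem list means the Secret sits where the operator can mount it, the tag is one the operator may assign, and the SSH rule sends recordings to this Recorder. Dropping the s3 block turns the single reported problem into the page's ephemeral-storage warning.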
Known issues and limitations
- Only a single replica is supported per Recorder resource. We are planning to support multiple replicas in the future.
- The only durable storage method currently available is s3. If s3 storage isn't configured, recordings are saved to a local temporary directory and persist only for the lifetime of the Pod.