Deploy tsrecorder on Kubernetes using the operator

In Tailscale 1.74 and later, you can deploy tsrecorder to your Kubernetes cluster using the operator and its Recorder Custom Resource Definition. You can use this as a recording destination for SSH sessions. The recorder connects to your tailnet and receives end-to-end-encrypted recordings using WireGuard, just like any other tsrecorder device running in your tailnet.

Tailscale SSH session recording is available for the Personal, Personal Plus, and Enterprise plans.

Prerequisites

  • Set up the Kubernetes operator.

  • (Optional) create a tag, for example tag:k8s-recorder, to attach to the tsrecorder device. This might be a useful way to refer to the recorder when configuring the ACLs for SSH session recording. Make sure the operator is one of the tag owners for your recorder tag:

    "tagOwners": {
      "tag:k8s-operator": [],
      "tag:k8s-recorder": ["tag:k8s-operator"],
    }
    
  • (Optional) enable HTTPS for your tailnet if you want to use the recorder's UI.

Deploy

  1. Create your Recorder resource based on the example below. Use the reference documentation to update it as required, and then save it as recorder.yaml.

     The following spec saves recordings to a local temporary directory, where they persist only for the lifetime of the pod. Use the s3 storage option shown below for durable storage.

    apiVersion: tailscale.com/v1alpha1
    kind: Recorder
    metadata:
      name: recorder
    spec:
      enableUI: true

  2. Apply the file:

    kubectl apply -f recorder.yaml

  3. (Optional) wait for the recorder to become ready:

    $ kubectl wait --for condition=RecorderReady=true Recorder recorder
    recorder.tailscale.com/recorder condition met

  4. (Optional) find the URL for the recorder's UI:

    $ kubectl get Recorder recorder
    NAME       STATUS            URL
    recorder   RecorderCreated   https://recorder-0.tails-scales.ts.net
    

Examples

The following example:

  • Creates a Secret named "s3-auth" with AWS credentials for writing to a pre-existing S3 bucket named "tsrecorder-bucket".
  • Deploys a StatefulSet with a single replica of tsrecorder.
  • Assigns the tag tag:k8s-recorder to the recorder tailnet device.
  • Enables the recorder's UI.
  • Stores the recordings in an S3 bucket called "tsrecorder-bucket".
  • Gets S3 credentials as environment variables from a Secret called "s3-auth" in the same namespace as the Tailscale operator.

    apiVersion: v1
    kind: Secret
    metadata:
      name: s3-auth
      namespace: tailscale
    stringData:
      AWS_ACCESS_KEY_ID: ABC...
      AWS_SECRET_ACCESS_KEY: xyz123...
    ---
    apiVersion: tailscale.com/v1alpha1
    kind: Recorder
    metadata:
      name: recorder
      namespace: tailscale
    spec:
      enableUI: true
      tags:
        - "tag:k8s-recorder"
      storage:
        s3:
          endpoint: s3.us-east-1.amazonaws.com
          bucket: tsrecorder-bucket
          credentials:
            secret:
              name: s3-auth

Known issues and limitations

  • Only a single replica is supported per Recorder resource. We are planning to support multiple replicas in the future.
  • The only durable storage method currently available is s3. If s3 storage isn't configured, recordings will be saved to a local temporary directory, and will only persist for the lifetime of the Pod.
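
A pre-deploy check that ties together the tagOwners prerequisite, the Recorder spec and the storage limitation described on this page. It is an added example, not Tailscale's code. It assumes the manifest and policy file are already parsed into dicts and that SSH rules select a recorder through a "recorder" list of tags; the function name, the sample ssh rule and the finding messages are made up for illustration.

```python
# Added example (not Tailscale's code): lint a parsed Recorder manifest against the policy.
OPERATOR_TAG = "tag:k8s-operator"  # operator tag as used on this page


def lint_recorder(recorder: dict, policy: dict) -> list:
    """Return a list of findings; an empty list means all checks passed."""
    spec = recorder.get("spec", {})
    name = recorder.get("metadata", {}).get("name", "<unnamed>")
    tags = spec.get("tags", [])
    owners = policy.get("tagOwners", {})
    findings = []
    # Prerequisite: the operator must be an owner of each tag on the recorder.
    for tag in tags:
        if tag not in owners:
            findings.append(f"{name}: {tag} is missing from tagOwners")
        elif OPERATOR_TAG not in owners[tag]:
            findings.append(f"{name}: {OPERATOR_TAG} does not own {tag}")

    # Known limitation: without s3, recordings only live as long as the Pod.
    if not spec.get("storage", {}).get("s3"):
        findings.append(f"{name}: no s3 storage, recordings are ephemeral")

    # Assumption: ssh rules pick a recorder by tag; flag a tagged recorder no rule names.
    named = {t for rule in policy.get("ssh", []) for t in rule.get("recorder", [])}
    if tags and not named & set(tags):
        findings.append(f"{name}: no ssh rule names {', '.join(tags)} as recorder")
    return findings


# Constructed sample input: the two manifests from this page plus a sample policy.
MINIMAL = {"metadata": {"name": "recorder"}, "spec": {"enableUI": True}}
WITH_S3 = {
    "metadata": {"name": "recorder", "namespace": "tailscale"},
    "spec": {
        "enableUI": True,
        "tags": ["tag:k8s-recorder"],
        "storage": {"s3": {"endpoint": "s3.us-east-1.amazonaws.com", "bucket": "tsrecorder-bucket",
                           "credentials": {"secret": {"name": "s3-auth"}}}},
    },
}
POLICY = {
    "tagOwners": {"tag:k8s-operator": [], "tag:k8s-recorder": ["tag:k8s-operator"]},
    # Constructed ssh rule; src, dst and users are placeholders.
    "ssh": [{"action": "check", "src": ["autogroup:member"], "dst": ["tag:prod"],
             "users": ["root"], "recorder": ["tag:k8s-recorder"]}],
}

if __name__ == "__main__":
    print([lint_recorder(m, POLICY) for m in (MINIMAL, WITH_S3)])
```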

Last updated Dec 20, 2024