Tailscale K8s Auth

Appearance

Tailscale-native Kubernetes accessSkip the proxies, VPNs, and OIDC headaches.

Secure, short-lived cluster access — powered entirely by your Tailscale identity and network.

Get Started →GitHub Releases →

Why Tailscale K8s Auth?

Built for Kubernetes. Powered by your tailnet.

Zero-trust, zero-ingress

No public endpoints. Access is gated by your Tailscale ACLs, identity, and devices — and nothing else.

Ephemeral credentials, by default

All kubeconfigs are short-lived and auto-expiring. You get access when you need it, and not a second longer.

Kubernetes-native RBAC

Grants are mapped to native ClusterRoles, and credentials are provisioned as real Kubernetes ServiceAccounts.

Declarative grant-to-role mapping

Use a CRD to define how Tailscale users, groups, or tags map to Kubernetes roles — GitOps ready.

No complex proxies or auth chains

Say goodbye to reverse proxies and auth headers. Access is handled with direct, secure API calls inside the tailnet.

Built for ephemeral clusters

Great for dev/test environments that spin up and down frequently — join the tailnet, register, and go.

Central login API, federation-ready

Supports a central login cluster with other clusters registering dynamically — ideal for multi-cluster orgs.

Tiny footprint, hackable core

Lightweight Go components designed to be extended, embedded, or scripted into your own workflows.