Tailscale K8s Auth

Appearance

One command gets you secure kubectl access. No proxies, no OIDC setup, no hassle.Tailscale-native Kubernetes access

Ephemeral credentials that auto-expire, powered by your existing Tailscale network.

Get Started →View Documentation →

Why Tailscale K8s Auth?

Built for Kubernetes. Powered by your tailnet.

Zero-proxy simplicity

Direct API access without auth proxies, reverse tunnels, or complex gateway chains. Your kubectl talks directly to the cluster.

Ephemeral by design

Short-lived tokens that auto-expire. Get access exactly when you need it, for exactly as long as you need it.

Zero-trust, zero-ingress

No public endpoints. Access flows through your private Tailscale network with device-level attestation.

Kubernetes-native

Built on ServiceAccounts and ClusterRoles. No custom protocols or vendor lock-in - just native Kubernetes security.

Traditional vs. TKA

Compare the old way with the TKA approach

Traditional Kubernetes Access

Complex, fragile, and hard to maintain

  • Complex Setup
    OIDC providers, auth proxies, bastion hosts
  • Fragile Chains
    Multiple hops that break at the worst times
  • Long-lived Tokens
    Shared credentials with limited rotation
  • Manual Onboarding
    Per-environment setup and documentation drift
  • Hard to Debug
    Complex auth flows with poor visibility

TKA Approach

Simple, secure, and Kubernetes-native

  • One-Command Deploy
    Helm install. That's it. kubectl works immediately
  • Zero Infrastructure
    Uses your existing Tailscale network
  • Ephemeral Credentials
    Auto-expiring tokens with least privilege
  • Instant Onboarding
    If you have Tailscale, you have access
  • Clear Audit Trail
    Standard Kubernetes events and logs

Best-in-Class Developer Experience

TKA is built by SREs who understand production operations. Every workflow is designed for real-world reliability, security, and ease of use.

We provide two intuitive workflows to provide instant, secure access without the usual ceremony:

tka shell → ephemeral, isolated sessions (perfect for quick debugging and production safety)

Terminal
$ tka shell --quiet
 sign-in successful!

(tka) $ kubectl version | grep Server
Server Version: v1.31.1+k3s1

(tka) $ exit
 You have been signed out

tka login → persistent sessions with full control (ideal for development and administration)

Found a rough edge? Have an idea for improvement?

Open an issue - we're always working to make Kubernetes access better.

Security & Maturity

Security Model Status

TKA's security model is thoughtfully designed and suitable for many production use cases. However, it hasn't undergone formal security auditing yet.

For mission-critical environments requiring the highest security assurance, consider professionally audited solutions or review our security documentation to make an informed decision.