Tailscale + Kubernetes: The Ultimate Guide to Zero-Trust Networking in Your Home Lab
Traditional perimeter-based security assumes that devices inside your network are inherently trusted. Zero-trust networking flips this assumption, requiring every connection to be explicitly authenticated and authorized.
In this guide, we will show how to combine Tailscale, a WireGuard-based mesh VPN, with Kubernetes to create a secure, zero-trust network for your home lab. Whether you are experimenting with a Raspberry Pi cluster or building a full-blown multi-node setup, this step-by-step guide will help you securely connect and manage your infrastructure.
Prerequisites
Before you begin, ensure you have:
- A multi-node Kubernetes cluster (K3s, MicroK8s or upstream Kubernetes)
- A Tailscale account (free tier supports up to 20 devices)
- SSH access and sudo privileges on each node
- Familiarity with the Linux CLI and basic Kubernetes administration
Optional, but recommended:
- A DNS provider (Cloudflare works well for custom domains)
- Helm installed for deploying Tailscale’s Kubernetes operator
Why Combine Tailscale and Kubernetes?
While Kubernetes offers powerful container orchestration, its native networking assumes trust within the cluster. Tailscale fills that security gap.
| Problem | Solution With Tailscale |
|---|---|
| Nodes on different subnets or NATs | Automatically builds a mesh VPN across nodes |
| API server exposed publicly | Access securely via Tailscale IPs only |
| No secure remote kubectl access | kubectl over Tailscale without port forwarding |
| Flat networking lacks access control | Enforce ACLs at Layer 3 with Tailscale |
Step-by-Step Setup
1. Install Tailscale on Kubernetes Nodes
Run the following commands on each node:

```bash
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Authenticate and join the mesh
sudo tailscale up --authkey "$TAILSCALE_AUTHKEY" \
  --hostname "k8s-node-$(hostname)" \
  --accept-dns=false --accept-routes
```

Replace $TAILSCALE_AUTHKEY with an auth key from your Tailscale dashboard. Prefer a single-use, pre-authorized key (or one tagged for your cluster nodes) so that a leaked key cannot enrol extra devices into the mesh.
2. Validate the Mesh
From any connected device, check Tailscale status:

```bash
tailscale status
```

Sample output:

```
100.101.102.103 k8s-node-1 linux idle
100.101.102.104 k8s-node-2 linux idle
100.101.102.105 laptop macOS active
```
Now you can SSH to any node using its Tailscale IP, with no port forwarding on your router.

```
              [ Laptop ]
                  │
                  ▼
          [Tailscale Network]
┌───────────────┐ <—> ┌───────────────┐
│  k8s-node-1   │     │  k8s-node-2   │
└───────────────┘     └───────────────┘
        ▲                     ▲
        │                     │
┌───────────────┐     ┌───────────────┐
│  NAS Server   │     │ Home Desktop  │
└───────────────┘     └───────────────┘
```

Diagram 1: Tailscale Mesh Overview
3. Secure Kubernetes API Access
Kubernetes typically exposes its API on port 6443. Using Tailscale, you can lock this down:
- Get the Tailscale IP of your control-plane (master) node:

```bash
tailscale ip -4
```

- Access the API securely:

```bash
kubectl --server=https://100.101.102.103:6443 get nodes
```

  If kubectl reports a certificate error, the API server's serving certificate does not list the Tailscale IP; add it as a SAN (for K3s, start the server with --tls-san=<tailscale-ip>) rather than disabling TLS verification.
- Restrict the host firewall so that port 6443 accepts connections only from the Tailscale interface (tailscale0) or the Tailscale address range 100.64.0.0/10. Tailscale ACLs only filter traffic arriving over the mesh, so the public interface still needs its own rule.
4. Expose Kubernetes Services Privately
Method 1: NodePort + Tailscale
Deploy a test app:

```bash
kubectl create deployment whoami --image=traefik/whoami
kubectl expose deployment whoami --type=NodePort --port=80
```

Look up the assigned NodePort with `kubectl get svc whoami`, then run the following command from any Tailscale-connected device:

```bash
curl http://100.101.102.103:<NodePort>
```

Method 2: Subnet Routing
- Enable subnet routing on one node (10.42.0.0/16 is the default K3s pod CIDR; adjust it to your cluster's pod or service range):

```bash
sudo tailscale up --advertise-routes=10.42.0.0/16
```

  Enable IP forwarding on that node first (net.ipv4.ip_forward=1), and repeat the flags you used in step 1: when tailscale up is run again it refuses to silently drop non-default settings, so either mention them all or pass --reset.
- Approve the route in Tailscale's admin console.
Now, your entire cluster subnet is securely reachable.

```
[Laptop] <-- Tailscale Mesh --> [Subnet Router Node]
                                          │
                                  ┌───────────────┐
                                  │  Kubernetes   │
                                  │ Cluster (10.x)│
                                  └───────────────┘
```

Diagram 2: Subnet Routing Architecture
Enforce Zero-Trust With ACLs
Define ACL rules in Tailscale's admin console. The policy below uses the current src/dst field names; once an "acls" section is present, any connection it does not explicitly accept is denied:

```json
{
  "acls": [
    {
      "action": "accept",
      "src": ["[email protected]"],
      "dst": ["100.101.102.103:6443", "100.101.102.103:22"]
    }
  ]
}
```

Only authorized devices/users can access your Kubernetes API and SSH. Tailscale enforces these rules in each node's own packet filter, so a device that is on the tailnet but not listed is dropped at the node itself, independently of any host firewall.
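A fuller policy for the same cluster, added here as an illustration (it is not taken from this guide or from Tailscale's own documentation): it tags the nodes instead of naming IPs, auto-approves the 10.42.0.0/16 route from step 4 so no manual console click is needed, and uses Tailscale's built-in ACL tests so that a policy change which would open the API or kubelet port to ordinary users is rejected when saved. The tag tag:k8s-node, the group group:homelab and the user alice@example.com are assumed placeholders, and the nodes are assumed to have joined with an auth key carrying that tag (or with tailscale up --advertise-tags=tag:k8s-node).

```jsonc
// Placeholders assumed for this example: tag:k8s-node, group:homelab, alice@example.com.
{
  // Who may apply tag:k8s-node to a node (and mint tagged auth keys for step 1).
  "tagOwners": {
    "tag:k8s-node": ["autogroup:admin"]
  },
  "groups": {
    "group:homelab": ["alice@example.com"]
  },
  // Routes advertised by a tagged node are approved without a manual step in the console.
  "autoApprovers": {
    "routes": {
      "10.42.0.0/16": ["tag:k8s-node"]
    }
  },
  "acls": [
    // Cluster nodes talk freely to each other (etcd, kubelet, CNI overlay).
    {"action": "accept", "src": ["tag:k8s-node"], "dst": ["tag:k8s-node:*"]},
    // Admins reach SSH and the API server on every node, nothing else.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:k8s-node:22,6443"]},
    // Home-lab users reach pods through the subnet router, on web ports only.
    {"action": "accept", "src": ["group:homelab"], "dst": ["10.42.0.0/16:80,443"]}
  ],
  // Evaluated whenever the policy is saved; a failing test blocks the change.
  "tests": [
    {
      "src": "alice@example.com",
      "accept": ["10.42.0.10:80"],
      "deny": ["tag:k8s-node:6443", "tag:k8s-node:10250"]
    }
  ]
}
```

The tests section is the part worth keeping even if you simplify the rest: it turns "only admins can reach 6443" from an intention into a check that runs on every edit.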
Real-World Use Cases

| Use Case | Benefit |
|---|---|
| Secure CI/CD pipeline | GitHub Actions deploy directly to the cluster |
| Private container registry | Push/pull images securely via Tailscale |
| Cross-site home labs | Seamlessly links clusters across different locations |
| Self-hosted services (Nextcloud, Gitea) | Private access with no public endpoints |