Tailscale Capabilities
Running the Tailscale Kubernetes Operator in your cluster gives you more than subnet routing to your VPC. This page covers the extra capabilities you can use and how to turn them on.
All of these are opt-in per cluster. Skyscrapers enables the building blocks (ingress/egress proxy groups, the API server proxy) in your cluster definition, scoped to the namespaces you choose. Once enabled, you create the Kubernetes objects below in those namespaces.
Note
Let us know which capabilities and namespaces you want, and we’ll wire them up. The proxy_groups / api_server_proxy configuration behind these lives in your cluster definition; see the deployment options.
Expose a service to your tailnet (ingress)
Publish an in-cluster Service onto your tailnet, reachable only by your tailnet devices, with no public load balancer or DNS record.
Once we’ve configured an ingress proxy group for your namespace, create an Ingress with the tailscale class and point it at the proxy group:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: customer-apps
  annotations:
    tailscale.com/proxy-group: customer-apps # the proxy group we enabled for you
spec:
  ingressClassName: tailscale
  defaultBackend:
    service:
      name: my-app
      port:
        number: 80
```

The service becomes reachable on your tailnet at a MagicDNS name, served over HTTPS with a certificate issued for that name (HTTPS certificates must be enabled for your tailnet). Only tailnet devices that your ACLs allow can reach it; nothing is published on the public internet. See Tailscale’s cluster ingress guide.
Reach a tailnet service from the cluster (egress)
Let workloads in the cluster connect out to a service elsewhere on your tailnet (a database, an on-prem host, another cluster) by a stable in-cluster name.
With an egress proxy group enabled, create an ExternalName Service annotated with the tailnet target and the ports you need:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: tailnet-db
  namespace: customer-apps
  annotations:
    tailscale.com/tailnet-fqdn: db.example-tailnet.ts.net # the tailnet device to reach
    tailscale.com/proxy-group: customer-apps
spec:
  type: ExternalName
  externalName: placeholder # replaced by the operator
  ports: # the proxy group forwards the ports declared here
    - name: postgres
      port: 5432
      protocol: TCP
```

Workloads then reach the tailnet service via tailnet-db.customer-apps.svc.cluster.local on the declared ports. Connections are still subject to your tailnet ACLs: the proxy group’s tagged devices need a rule allowing them to reach db.example-tailnet.ts.net on that port, otherwise the tailnet drops the traffic even though the in-cluster name resolves. See Tailscale’s cluster egress guide.
Restrict which namespaces can use it
Each proxy group is locked to an explicit namespace allowlist. A tailscale.com/proxy-group annotation that references a proxy group from a namespace not on its allowlist is rejected at admission, so teams can’t accidentally publish onto or egress through the tailnet from the wrong namespace.
This is enforced for you: the allowlist is the namespaces list we set on each proxy group; you don’t manage it directly.
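Admission rejects new violations, but it does nothing for objects that were created before a proxy group's namespace list changed, or for a tailscale Ingress or egress Service that never references a proxy group at all (the operator would then give it a dedicated proxy outside the managed groups). The script below is an added audit check, not Skyscrapers' or Tailscale's own tooling: it reads the standard List/items JSON that `kubectl get ingress,services -A -o json` produces and reports every tailscale Ingress or egress Service whose tailscale.com/proxy-group annotation is missing, unknown, or used from a namespace outside the allowlist. The ALLOWLIST mapping and the SAMPLE objects are constructed for the example; replace ALLOWLIST with the namespaces agreed for your cluster.

```python
"""Audit which namespaces reference each Tailscale proxy group.

Added example, not Skyscrapers' or Tailscale's own tooling. ALLOWLIST and
SAMPLE are constructed; the JSON shape is the one kubectl -o json returns.
"""
import json
import sys

PROXY_GROUP = "tailscale.com/proxy-group"
TAILNET_FQDN = "tailscale.com/tailnet-fqdn"

# Assumed allowlist (constructed): proxy group -> namespaces allowed to use it.
ALLOWLIST = {
    "customer-apps": {"customer-apps"},
    "data": {"data", "analytics"},
}


def is_tailscale_object(obj):
    """True for a tailscale-class Ingress or an ExternalName egress Service."""
    spec = obj.get("spec", {})
    ann = obj.get("metadata", {}).get("annotations") or {}
    if obj.get("kind") == "Ingress":
        return spec.get("ingressClassName") == "tailscale"
    if obj.get("kind") == "Service":
        return spec.get("type") == "ExternalName" and TAILNET_FQDN in ann
    return False


def audit(items, allowlist=ALLOWLIST):
    """Return (kind, namespace, name, reason) for every object breaking the policy."""
    findings = []
    for obj in items:
        if not is_tailscale_object(obj):
            continue
        meta = obj["metadata"]
        ns, name = meta.get("namespace"), meta.get("name")
        group = (meta.get("annotations") or {}).get(PROXY_GROUP)
        if group is None:
            reason = "not pinned to a proxy group (operator would create a dedicated proxy)"
        elif group not in allowlist:
            reason = f"unknown proxy group {group!r}"
        elif ns not in allowlist[group]:
            reason = f"namespace {ns!r} is not on the allowlist for {group!r}"
        else:
            continue
        findings.append((obj["kind"], ns, name, reason))
    return findings


def audit_kubectl_json(text, allowlist=ALLOWLIST):
    """Audit the raw output of `kubectl get ingress,services -A -o json`."""
    return audit(json.loads(text).get("items", []), allowlist)


def _obj(kind, ns, name, annotations=None, **spec):
    """Build a minimal constructed object in the shape kubectl returns."""
    meta = {"namespace": ns, "name": name, "annotations": annotations or {}}
    return {"kind": kind, "metadata": meta, "spec": spec}


# Constructed sample of `kubectl get ingress,services -A -o json`.
SAMPLE = {"kind": "List", "items": [
    _obj("Ingress", "customer-apps", "my-app", {PROXY_GROUP: "customer-apps"},
         ingressClassName="tailscale"),                                  # allowed
    _obj("Service", "customer-apps", "tailnet-db",
         {TAILNET_FQDN: "db.example-tailnet.ts.net", PROXY_GROUP: "customer-apps"},
         type="ExternalName", externalName="placeholder"),               # allowed
    _obj("Service", "sandbox", "tailnet-db",
         {TAILNET_FQDN: "db.example-tailnet.ts.net", PROXY_GROUP: "customer-apps"},
         type="ExternalName", externalName="placeholder"),               # wrong namespace
    _obj("Ingress", "sandbox", "demo", {PROXY_GROUP: "platform"},
         ingressClassName="tailscale"),                                  # unknown group
    _obj("Ingress", "customer-apps", "legacy", ingressClassName="tailscale"),  # no group
    _obj("Service", "customer-apps", "web", type="ClusterIP"),           # not tailscale
    _obj("Ingress", "analytics", "reports", ingressClassName="nginx"),   # not tailscale
]}
SAMPLE_JSON = json.dumps(SAMPLE)

if __name__ == "__main__":
    # Pipe real kubectl output in, or run without input to audit the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    for kind, ns, name, reason in audit_kubectl_json(text):
        print(f"{kind} {ns}/{name}: {reason}")
```

Run it as `kubectl get ingress,services -A -o json | python3 audit.py` from a periodic job or CI step; a non-empty report means something is routed onto the tailnet outside the agreed namespaces and should be reconciled with the proxy group configuration in your cluster definition.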
Reach the Kubernetes API over Tailscale
With the API server proxy enabled, you can run kubectl against your cluster’s API server over your tailnet, without exposing it publicly. Point your kubeconfig at the proxy:
```shell
tailscale configure kubeconfig <api-server-proxy-hostname>
```

This adds a context for the proxy to your kubeconfig; run it from a device that is logged in to your tailnet. The hostname appears as a device in your Tailscale admin console once the proxy is enabled. Access is still governed by your tailnet ACL grants (see ACL configuration) and Kubernetes RBAC: being able to reach the proxy over the tailnet does not by itself grant any Kubernetes permissions. See Tailscale’s API server proxy guide.