Tailscale makes it incredibly easy to build secure, private networks between devices — and it works brilliantly inside Kubernetes too. In this guide, we’ll run a Kubernetes pod as a Tailscale client, routing its egress traffic through a Tailscale exit node.

✅ Use case: You want a pod to access the internet through a specific IP/location (e.g., a static home server) while maintaining full mesh connectivity over Tailscale.


🧱 Requirements

  • A Kubernetes cluster (k3s, k8s, or managed service)
  • A working Tailscale account
  • An exit node already configured and enabled in Tailscale
  • Linux container support (Debian-based preferred for Tailscale)

🐳 Step 1: Create a Tailscale-enabled Pod

Here’s a basic example using a sidecar container (the official `tailscale/tailscale` image) to authenticate and bring up Tailscale for the whole pod, so the app container’s egress is carried over the exit node.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: tailscale-client
spec:
  containers:
  - name: app
    image: ubuntu
    command: ["sleep", "infinity"]
    # The app shares the pod's network namespace, so it needs neither NET_ADMIN
    # nor access to the Tailscale state directory (which holds the node key).
  - name: tailscale
    image: tailscale/tailscale:stable
    securityContext:
      capabilities:
        # NET_ADMIN: create and configure the tun device and routes.
        # SYS_MODULE: only needed if the node kernel lacks the tun module.
        add: ["NET_ADMIN", "SYS_MODULE"]
    env:
    - name: TS_AUTHKEY
      valueFrom:
        secretKeyRef:
          name: tailscale-auth
          key: TS_AUTHKEY
    # The image entrypoint (containerboot) does not accept "tailscale up" args;
    # extra flags are passed through TS_EXTRA_ARGS instead.
    - name: TS_EXTRA_ARGS
      value: "--exit-node=100.x.x.x --accept-routes"
    # The default is userspace networking, which only exposes a local proxy.
    # Kernel mode is required for the exit node to carry the pod's traffic.
    - name: TS_USERSPACE
      value: "false"
    - name: TS_STATE_DIR
      value: /var/lib/tailscale
    volumeMounts:
    - name: tailscale-state
      mountPath: /var/lib/tailscale
  volumes:
  # emptyDir is discarded with the pod; use a reusable auth key or
  # TS_KUBE_SECRET if the node should keep its identity across restarts.
  - name: tailscale-state
    emptyDir: {}
```
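Once the pod is running, the check I would add before trusting its egress is to confirm the sidecar actually selected the intended exit node, and that the node is online, from `tailscale status --json`. This is example code added here, not part of the original post or of Tailscale; the hostnames, keys and IPs in the sample status are constructed.

```python
import json
import sys

# Constructed sample shaped like `tailscale status --json` (not a real tailnet).
SAMPLE_STATUS = json.dumps({
    "BackendState": "Running",
    "Self": {"HostName": "tailscale-client", "TailscaleIPs": ["100.101.102.103"]},
    "ExitNodeStatus": {"ID": "nEXAMPLE", "Online": True, "TailscaleIPs": ["100.64.0.5/32"]},
    "Peer": {
        "nodekey:aa": {"HostName": "home-server", "TailscaleIPs": ["100.64.0.5"],
                       "Online": True, "ExitNodeOption": True, "ExitNode": True},
        "nodekey:bb": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.9"],
                       "Online": False, "ExitNodeOption": False, "ExitNode": False},
    },
})


def check_exit_node(status_json, wanted_ip):
    """Report whether the sidecar is Running and routing through wanted_ip."""
    st = json.loads(status_json)
    problems = []
    if st.get("BackendState") != "Running":
        problems.append(f"backend state is {st.get('BackendState')!r}, not Running "
                        "(auth key rejected or still authenticating?)")
    ens = st.get("ExitNodeStatus")
    if not ens:
        problems.append("no exit node selected: check --exit-node in TS_EXTRA_ARGS")
        return {"ok": False, "exit_node": None, "problems": problems}
    # ExitNodeStatus lists prefixes such as 100.64.0.5/32; compare bare addresses.
    ips = [p.split("/")[0] for p in ens.get("TailscaleIPs", [])]
    if wanted_ip not in ips:
        problems.append(f"selected exit node {ips} is not the intended {wanted_ip}")
    if not ens.get("Online"):
        problems.append("selected exit node is offline: pod egress will not flow until it returns")
    # The peer flagged ExitNode is the one currently in use; report its name.
    peer = next((p for p in st.get("Peer", {}).values() if p.get("ExitNode")), None)
    name = peer.get("HostName") if peer else None
    return {"ok": not problems, "exit_node": name, "problems": problems}


if __name__ == "__main__":
    wanted = sys.argv[1] if len(sys.argv) > 1 else "100.64.0.5"
    data = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(check_exit_node(data, wanted), indent=2))
```

Against a live pod, pipe the real status in: `kubectl exec tailscale-client -c tailscale -- tailscale status --json | python3 check_exit_node.py 100.x.x.x` (replace the placeholder with your exit node's Tailscale IP).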