Tailscale Kubernetes Operator Proxy Architecture

Technical diagram showing Tailscale Kubernetes Operator ingress and egress proxy flows for connecting external Tailscale clients to K8s services and K8s workloads to external resources

[Diagram: Tailscale Kubernetes Operator Proxy Architecture. Inside the Kubernetes cluster: the Tailscale Operator Controller with a ProxyClass; an INGRESS web-proxy (100.64.0.10 → web-service:80, ClusterIP 10.96.0.10, backed by the web-app Pod); an INGRESS api-proxy (100.64.0.12 → api-service:8080, ClusterIP 10.96.0.20, backed by the api-app Pod); an EXIT egress-proxy (100.64.0.20, Routes: 0.0.0.0/0) used by client-pod, which needs an external DB. Outside the cluster: the Tailscale Control Plane (key exchange, policy distribution), a laptop (100.64.1.5) and a database (100.64.2.10), each reaching the proxies over a direct WireGuard connection. Legend: Online/Connected; INGRESS = Ingress Proxy (Connector); EXIT = Exit Node; Direct WireGuard Connection; Control Plane. Key features: zero-config ingress, automatic proxy deployment, service discovery, mesh network integration, ProxyClass management.]

This diagram illustrates the Tailscale Kubernetes Operator proxy architecture, showing:

  • Ingress Proxy: External Tailscale clients accessing Kubernetes services through proxy pods
  • Egress Proxy: Kubernetes workloads connecting to external Tailscale resources
  • ProxyClass Resources: Configuration management for different proxy types
  • Operator Controller: Automated deployment and management of proxy pods
  • Traffic Flows: Secure WireGuard tunnels for both inbound and outbound connections

The operator enables seamless integration between Tailscale’s zero-trust network and Kubernetes clusters, providing secure connectivity without complex networking configurations.
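As an added illustration (not taken from the diagram page or from Tailscale's own documentation), here are the three kinds of objects the bullets above refer to, using the diagram's names and addresses. The annotations, labels and ProxyClass fields are the operator's as I know them, and the ProxyClass contents are an assumed example; check both against the CRD version installed in your cluster.

```yaml
# Ingress proxy: expose web-service (port 80) to the tailnet. The operator
# deploys a proxy pod that joins the tailnet as its own device (100.64.0.10
# in the diagram); who may reach it is decided by the tailnet ACL, not by
# the cluster, so the Service itself needs no LoadBalancer or NodePort.
apiVersion: v1
kind: Service
metadata:
  name: web-service
  annotations:
    tailscale.com/expose: "true"
    tailscale.com/hostname: "web-proxy"        # device name on the tailnet
  labels:
    tailscale.com/proxy-class: restricted      # selects the ProxyClass below
spec:
  selector:
    app: web-app
  ports:
    - port: 80
---
# Egress proxy: let client-pod reach the tailnet database (100.64.2.10) via
# a proxy pod. Workloads connect to this Service's cluster DNS name; the
# operator rewrites the ExternalName placeholder to point at the proxy.
apiVersion: v1
kind: Service
metadata:
  name: database
  annotations:
    tailscale.com/tailnet-ip: "100.64.2.10"
spec:
  type: ExternalName
  externalName: placeholder   # overwritten by the operator
---
# ProxyClass: settings applied to every proxy pod that selects it. Example
# contents (assumed): bound resources and no privilege escalation for the
# tailscale container, so a proxy pod cannot grow beyond a fixed footprint.
apiVersion: tailscale.com/v1alpha1
kind: ProxyClass
metadata:
  name: restricted
spec:
  statefulSet:
    pod:
      tailscaleContainer:
        resources:
          limits:
            cpu: "500m"
            memory: "256Mi"
        securityContext:
          allowPrivilegeEscalation: false
```

Apply the manifests with kubectl and watch the operator's namespace: each annotated Service yields one proxy StatefulSet, and the ingress device appears in the tailnet admin console under the hostname given above.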