Josh Kasuboski

Posted on • Originally published at joshkasuboski.com on


Connect to Kubernetes Pods with Tailscale

I wasn't ready to add auth to my new feedreader. So I built a moat with Tailscale.

What does that mean?

I added a Kubernetes pod to my tailnet so it's accessible from anywhere that can route to Tailscale nodes. It also gets a nice domain name, so http://feedreader works.

Tailscale actually has a blog post and example for how to set this up. I wanted it to be mildly different, so I modified their run script. They also don't publish their example image, so I needed to build one.

You can see my version at kasuboski/tailscale-proxy. The main differences are that it takes HOSTNAME and DEST_PORT parameters.

The HOSTNAME is so you can set the name the node will show up as. This was important for Kubernetes because I don't want the generated name of the pod to be how I access it. DEST_PORT is so you can have it forward to a different port. This allows you to run your app on 8080, but the tailscale-proxy will route any port to 8080, meaning you can hit it on 80 in your browser. This is required to not have :8080 ugliness after your URL.

But Why?

I've been making a feedreader to replace my running miniflux. It's my first real Rust project and I wanted an even more minimal feedreader.

I haven't gotten around to figuring out users or authentication in the feedreader though. Despite this, it finally reached the point where I can use it as my main feedreader. However, I didn't exactly want an unauthenticated app hanging out on the internet for someone to ruin my day.

If you don't want to make authentication, just make it inaccessible. This is where Tailscale comes in. I already run Tailscale on all the nodes, which is how I'm able to have a multi-region k3s cluster. That doesn't make my pods routable though.

Tailscale has an option for a subnet router, which is actually highlighted in the examples as the way to access all things k8s. This probably would have been nice (and I might still add it), but I don't believe I would automatically get DNS routing that way.

You can see how it's all put together in my k8s-gitops repo. The gist is that you add a sidecar container that starts Tailscale and, in my case, adds an iptables rule which forwards all traffic to the app port. You can see my poor Doppler secret naming in there too, where everything is using miniflux-secret.
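The sidecar described above, as an added example that is not the author's tailscale-proxy script: a hypothetical entrypoint that validates HOSTNAME and DEST_PORT, joins the tailnet under that name, and installs the redirect rule. It assumes tailscaled, tailscale and iptables are in the image, that the container has CAP_NET_ADMIN and /dev/net/tun, and that TS_AUTHKEY is supplied by the pod spec; TS_PROXY_RUN is an invented guard so the functions can be sourced without side effects.

```shell
#!/bin/sh
# Hypothetical sidecar entrypoint in the spirit of the page's tailscale-proxy
# (not the author's script). Assumes tailscaled, tailscale and iptables are in
# the image, the container has CAP_NET_ADMIN and /dev/net/tun, and HOSTNAME,
# DEST_PORT and TS_AUTHKEY are set in the pod spec. TS_PROXY_RUN is an invented guard.
set -eu

# Accept only a TCP port number in 1-65535.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
}

# A tailnet hostname must be a DNS label: letters, digits and inner hyphens, max 63 chars.
validate_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ] || return 1
}

# The nat rule that sends every TCP connection arriving on the tailnet interface to
# the app port. Binding it to tailscale0 keeps the pod's cluster-facing interface
# untouched, so only tailnet peers (subject to tailnet ACLs) reach the unauthenticated app.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -j REDIRECT --to-ports %s\n' "$1" "$2"
}

main() {
    validate_hostname "${HOSTNAME:?HOSTNAME is required}"
    validate_port "${DEST_PORT:?DEST_PORT is required}"
    # Start the daemon, then join the tailnet under the chosen node name.
    tailscaled --state=/var/lib/tailscale/tailscaled.state &
    until tailscale up --authkey="${TS_AUTHKEY:?TS_AUTHKEY is required}" --hostname="$HOSTNAME"; do
        sleep 1   # tailscaled's socket may not exist yet
    done
    # Now http://<HOSTNAME> (port 80, or any port) lands on the app's DEST_PORT.
    sh -c "$(redirect_rule tailscale0 "$DEST_PORT")"
    wait
}

# Side effects only when explicitly requested, so the functions can be sourced and tested.
if [ "${TS_PROXY_RUN:-0}" = 1 ]; then main; fi
```

Run it as the sidecar's command with TS_PROXY_RUN=1; the redirect is what makes http://feedreader on port 80 reach an app listening on 8080.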

So, no more auth?

I still want to add users to the feedreader so that you can have multiple users on one instance. It remains to be seen whether I'll just add basic auth or something more complicated. Tailscale let me focus on getting something usable quickly though.

After seeing how convenient it was to expose a pod with a DNS name, I also want to make a debugging tool that injects Tailscale into pods. I could then finally be rid of the finicky kubectl port-forward.
