parts requests
cluster initialization
download and install
curl -sfL https://get.k3s.io | sh -
# Check for Ready node,
# takes maybe 30 seconds
k3s kubectl get node
setup nodes
# On each additional server: join using the shared token (from the guide; SECRET and masters-up are placeholders)
K3S_TOKEN=SECRET k3s server --server https://masters-up
ℹ️ Source: K3s HA Installation Guide
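The three steps above (install, wait for a Ready node, join the next server with the token) as a checkable script. This is an added example, not the K3s guide's own code: the sample `kubectl get node` output and its version string are constructed, the hostname masters-up is reused from above, the :6443 port and the token file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the K3s guide: wraps the manual steps above in
# functions that can be checked offline. The sample `kubectl get node`
# output, the hostname masters-up (reused from above), the :6443 port and
# the token file path are constructed/assumed for illustration.

# Exit 0 when every node row read on stdin reports STATUS == Ready.
# Fails when any node is NotReady or when no node rows are present.
all_nodes_ready() {
    awk '
        NR == 1 { next }                                  # header line
        NF >= 2 { total++; if ($2 == "Ready") ready++ }
        END { if (total > 0 && total == ready) exit 0; exit 1 }
    '
}

# Poll `k3s kubectl get node` until Ready or until $1 seconds have elapsed.
wait_for_node() {
    deadline=${1:-120}
    elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        if k3s kubectl get node 2>/dev/null | all_nodes_ready; then
            return 0
        fi
        sleep 5
        elapsed=$((elapsed + 5))
    done
    echo "node not Ready after ${deadline}s" >&2
    return 1
}

# Check the join inputs before touching k3s: the token comes from a file
# (keep it mode 0600) rather than the command line, so it stays out of shell
# history and `ps` output, and the server URL must be https.
validate_join_target() {
    token_file=$1
    server_url=$2
    case "$server_url" in
        https://*) ;;
        *) echo "server URL must start with https://" >&2; return 1 ;;
    esac
    [ -r "$token_file" ] || { echo "cannot read token file: $token_file" >&2; return 1; }
    [ -s "$token_file" ] || { echo "token file is empty" >&2; return 1; }
}

# Join this host as an additional server (the K3S_TOKEN=... command above).
join_server() {
    validate_join_target "$1" "$2" || return 1
    K3S_TOKEN=$(cat "$1") exec k3s server --server "$2"
}

# Constructed sample output (placeholder version string) for offline checks.
SAMPLE_READY='NAME       STATUS   ROLES                  AGE   VERSION
pi-master  Ready    control-plane,master   42s   v0.0.0+k3s-placeholder'
SAMPLE_NOTREADY='NAME       STATUS     ROLES                  AGE   VERSION
pi-master  NotReady   control-plane,master   3s    v0.0.0+k3s-placeholder'

# Stand-alone demo on the constructed samples; a real run would be:
#   wait_for_node 120 && join_server /etc/k3s/token https://masters-up:6443
printf '%s\n' "$SAMPLE_READY" | all_nodes_ready && echo "sample 1: all nodes Ready"
printf '%s\n' "$SAMPLE_NOTREADY" | all_nodes_ready || echo "sample 2: node not Ready yet"
```

`wait_for_node` replaces the "takes maybe 30 seconds" guess with a bounded poll, and `validate_join_target` keeps the token out of the command line, which is where `K3S_TOKEN=SECRET` in the guide's one-liner would otherwise land it.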
plug A into B
- Tailscale needs to be containerized to run in k8s.
- Two options:
  - Use the Docker build from github.com/tailscale/tailscale.
  - Or containerize the install steps below yourself:
# Raspbian Buster (for Raspberry Pi)
# Add Tailscale's GPG key (-f makes curl fail on HTTP errors instead of piping an error page into apt-key)
curl -fsSL https://pkgs.tailscale.com/unstable/raspbian/buster.gpg | sudo apt-key add -
# Add the tailscale repository
curl -fsSL https://pkgs.tailscale.com/unstable/raspbian/buster.list | sudo tee /etc/apt/sources.list.d/tailscale.list
# Install Tailscale (-y so the step also works non-interactively in a container build)
sudo apt-get update && sudo apt-get install -y tailscale
# Start Tailscale!
sudo tailscale up
assemble
y tho
- Launch k8s pods with task-specific containers pre-configured with your credentials (dotfiles, SSH keys, CAs as k8s secrets).
- Connect to your pod from any Tailscale device for a persistent shell session.
- Optional: connect the cluster CNI to a corporate VPN (e.g., GlobalProtect) and isolate VPN usage to the pods themselves.
- Enables a zero trust model, especially useful in WFH environments.
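The pod design above (task container with credentials mounted from Secrets, Tailscale sidecar for access from any tailnet device) rendered and gated by a script. This is an added example serving both the "plug A into B" and "y tho" sections; it is not code from the K3s or Tailscale projects. The names devpod, dev-creds and ts-auth, the images, the mount paths and the TS_* environment variables are assumptions (TS_AUTHKEY, TS_HOSTNAME, TS_USERSPACE and TS_STATE_DIR as I understand them to be documented for the official Tailscale container image).

```shell
#!/bin/sh
# Added example for the "plug A into B" and "y tho" sections above; not code
# from the K3s or Tailscale projects. It renders a dev pod with a shell
# container beside a Tailscale sidecar from the official image
# (github.com/tailscale/tailscale) and gates the manifest on a few hardening
# invariants before it is applied. The names devpod/dev-creds/ts-auth, the
# image tags, the mount paths and the TS_* variable names are assumptions.

# Render the pod. $1 pod name, $2 credentials Secret (dotfiles/SSH/CA
# material), $3 Secret holding the Tailscale auth key, $4 tailnet hostname.
render_devpod() {
    pod=$1; creds=$2; tsauth=$3; hostname=${4:-$1}
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $pod
  labels: { app: devpod }
spec:
  automountServiceAccountToken: false    # the shell must not reach the k8s API
  securityContext:
    fsGroup: 1000                        # lets uid 1000 read the 0440 secret files
  containers:
  - name: shell
    image: debian:bookworm-slim
    command: ["sleep", "infinity"]
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      allowPrivilegeEscalation: false
      capabilities: { drop: ["ALL"] }
    volumeMounts:
    - name: creds
      mountPath: /home/dev/.ssh
      readOnly: true
  - name: tailscale
    image: tailscale/tailscale:latest
    env:
    - name: TS_AUTHKEY
      valueFrom: { secretKeyRef: { name: $tsauth, key: TS_AUTHKEY } }
    - name: TS_HOSTNAME
      value: "$hostname"
    - name: TS_USERSPACE
      value: "true"                      # no NET_ADMIN / /dev/net/tun required
    - name: TS_STATE_DIR
      value: /var/lib/tailscale
    volumeMounts:
    - name: ts-state
      mountPath: /var/lib/tailscale
  volumes:
  - name: creds
    secret: { secretName: $creds, defaultMode: 0440 }
  - name: ts-state
    emptyDir: {}
EOF
}

# Pre-apply gate: refuse a manifest (stdin) that lost any of the settings the
# zero-trust setup relies on, or that asks for a privileged container.
check_manifest() {
    m=$(cat)
    for needle in 'automountServiceAccountToken: false' \
                  'allowPrivilegeEscalation: false' \
                  'readOnly: true' \
                  'TS_USERSPACE'; do
        case "$m" in
            *"$needle"*) ;;
            *) echo "manifest missing: $needle" >&2; return 1 ;;
        esac
    done
    case "$m" in
        *"privileged: true"*) echo "manifest requests privileged" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone demo: render and gate. To deploy (needs a cluster and kubectl):
#   kubectl create secret generic dev-creds --from-file=$HOME/.ssh/authorized_keys
#   kubectl create secret generic ts-auth --from-literal=TS_AUTHKEY='<key from the Tailscale admin console>'
#   render_devpod devpod dev-creds ts-auth | check_manifest && render_devpod devpod dev-creds ts-auth | kubectl apply -f -
render_devpod devpod dev-creds ts-auth | check_manifest && echo "manifest passes the gate"
```

The gate is deliberately simple string matching so it can sit in front of `kubectl apply` without extra tooling; the point is that the properties the design depends on (no API token, read-only credentials, no privilege escalation, userspace Tailscale) are checked rather than assumed.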
notes
- Based on this gist
- Switched to ECDH keys with Let's Encrypt CA due to handshake delays with 4096-bit DH keys.
- For corp setups, distributing TLS infra would be too complex. Instead, use hardware tokens like YubiKey with Duo.
- In this model, SSH access to pods becomes trivial and secure, making password/key management obsolete.