Secure, ephemeral Kubernetes access powered by your Tailscale network and identity.
TKA eliminates the complexity of traditional Kubernetes access control by leveraging your existing Tailscale infrastructure. No auth proxies, no OIDC headaches, no kubeconfig sprawl - just clean, auditable access with short-lived credentials.
Full Documentation & Getting Started Guide →
TKA (Tailscale Kubernetes Auth) is a zero-trust authentication system that issues short-lived Kubernetes credentials based on your Tailscale identity and ACL grants. It runs entirely within your private Tailscale network with no public endpoints.
- Zero-trust by design - No public endpoints, access gated by Tailscale ACLs and device attestation
- Ephemeral credentials - Short-lived tokens that auto-expire, reducing blast radius
- Kubernetes-native - Built on ServiceAccounts, ClusterRoles, and standard APIs
- Developer-friendly -
tsh login-like UX that just works - GitOps-ready - Declarative grant-to-role mapping via CRDs
# Install TKA CLI
curl -fsSL https://github.com/spechtlabs/tka/releases/latest/download/ts-k8s-auth-linux-amd64 -o ts-k8s-auth
chmod +x ts-k8s-auth && sudo mv ts-k8s-auth /usr/local/bin/
# Deploy TKA server with Helm
helm repo add spechtlabs https://charts.specht-labs.de
helm install tka spechtlabs/tka -n tka-system --create-namespace --set tka.tailscale.tailnet=your-tailnet.ts.net --set secrets.tailscale.authKey=tskey-auth-your-key-here
# Install shell integration for tka wrapper functions
eval "$(ts-k8s-auth generate integration bash)" # or zsh/fish
# Start an ephemeral session (perfect for debugging)
tka shell
(tka) $ kubectl get pods
(tka) $ exit # Access automatically revoked
# Or login for persistent access (KUBECONFIG auto-managed)
tka login
$ kubectl get namespaces
$ tka logoutgraph TB
A[Developer] -->|1 - tka login| B[TKA Server]
B -->|2 - Validate identity| C[Tailscale API]
B -->|3 - Check grants| D[Tailscale ACLs]
B -->|4 - Create ServiceAccount| E[Kubernetes API]
B -->|5 - Return kubeconfig| A
F[TKA Operator] -->|6. Cleanup expired tokens| E
- Identity verification - TKA validates your Tailscale identity and device
- Authorization - Checks your ACL grants for Kubernetes access permissions
- Credential provisioning - Creates ephemeral ServiceAccount and token
- Access granted - Returns time-limited kubeconfig for direct cluster access
- Automatic cleanup - Expired credentials are automatically revoked
TKA consists of two main components:
- CLI (
tka) - User-facing command for authentication and kubeconfig management - Server - In-cluster service handling authentication and credential issuance
- Operator - Kubernetes controller managing ServiceAccount lifecycle
The server runs inside your cluster and is only accessible via your Tailscale network. No ingress controllers, load balancers, or public endpoints required.
.
├── cmd/
│ ├── cli/ # TKA CLI implementation
│ └── server/ # TKA server and operator
├── pkg/
│ ├── api/ # HTTP API handlers
│ ├── auth/ # Authentication middleware
│ ├── operator/ # Kubernetes operator logic
│ └── tailscale/ # Tailscale integration
└── internal/
└── cli/ # CLI-specific utilities
- Go 1.21+
- Kubernetes cluster (for testing)
- Tailscale account and tailnet
# Build CLI
make build-cli
# Build server
make build-server
# Run tests
make test
# Generate documentation
make docs# Start development server
make dev-server
# Run CLI against local server
export TKA_TAILSCALE_HOSTNAME=localhost
export TKA_TAILSCALE_PORT=8080
./bin/tka-cli loginTKA's security model is built on several key principles:
- Network isolation - All communication happens within your private Tailscale network
- Device attestation - Access requires authenticated Tailscale device
- Ephemeral credentials - Short-lived tokens minimize exposure window
- Principle of least privilege - Explicit grant mapping to Kubernetes roles
- Audit trail - All access is logged and attributable to specific users/devices
Warning
TKA's security model is thoughtfully designed but still evolving. While suitable for many use cases, it hasn't undergone professional security auditing.
See the Security Documentation for details.
| Feature | TKA | Teleport | Tailscale K8s Operator |
|---|---|---|---|
| Zero public endpoints | ✅ | ❌ | ✅ |
| Ephemeral credentials | ✅ | ✅ | ❌ |
| Tailscale native | ✅ | ❌ | ✅ |
| Multi-protocol support | ❌ | ✅ | ❌ |
| Session recording | ❌ | ✅ | ❌ |
| Lightweight deployment | ✅ | ❌ | ✅ |
- Full Documentation - Comprehensive guides and reference
- Quick Start Tutorial - Get up and running in 5 minutes
- Production Deployment - Production-ready setup guide
- Configuration Reference - All configuration options
- Troubleshooting - Common issues and solutions
Found a bug or have a feature request? Please check existing issues first, then open a new issue with details.
- Tailscale - For the amazing zero-trust networking platform
- Teleport - Inspiration for the UX and security model
Built by SREs, for SREs. TKA is designed for real-world production operations with security, reliability, and developer experience as top priorities.