Expose services to the internet

Info

This tutorial is for Tailscale Funnel users, please skip if you use port forwarding.

Apply the ./external layer to create a tunnel if you haven't already, then add the following annotations to your Ingress object (replace example.com with your domain):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    tailscale.com/funnel: "true"
# ...

Exposing a `Service` to the public internet using `Ingress` and Tailscale Funnel

You can also use the Tailscale Kubernetes operator to expose an Ingress resource in your Kubernetes cluster to the public internet using Tailscale Funnel. To do so:

Add a tailscale.com/funnel: "true" annotation:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bar
  annotations:
    tailscale.com/funnel: "true"
spec:
  defaultBackend:
    service:
      name: bar
      port:
        number: 80
  ingressClassName: tailscale
  tls:
    - hosts:
        - bar

Update the ACLs for your tailnet to allow Kubernetes Operator proxy services to use Tailscale Funnel.

Add a node attribute to allow nodes created by the Kubernetes operator to use Funnel:

"nodeAttrs": [
  {
    "target": ["tag:k8s"], // tag that Tailscale Operator uses to tag proxies; defaults to 'tag:k8s'
    "attr":   ["funnel"],
  },
  ...
]

Note that even if your policy has the funnel attribute assigned to autogroup:member (the default), you still need to add it to the tag used by proxies because autogroup:member does not include tagged devices.

Expose services to the internet

Exposing a Service to the public internet using Ingress and Tailscale Funnel

Exposing a `Service` to the public internet using `Ingress` and Tailscale Funnel