Ludovic Alarcon

Ludovic Alarcon .

Kubernetes and Cloud technologies enthusiast, DevOps believer - Golang and Dotnet Developer

Access your kubernetes cluster from your local machine with tailscale


We will install tailscale to create a VPN between the control plane and our machine.
Let’s first install tailscale on both control plane and our computer. These steps are for ubuntu, for other os you can refer to the official documentation.

# Add package signing key & repo
curl -fsSL | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL | sudo tee /etc/apt/sources.list.d/tailscale.list
# Install tailscale
sudo apt-get update
sudo apt-get install tailscale

Now we need to authenticate and connect the machine to our tailscale network.

sudo tailscale up

From the tailscale’s admin console, you can disable the key expiration if you don’t want/can’t connect each time to re-authenticate.

The installation needs to be done on the control plane and your machine.


Let’s open the connectivity on the firewall on Oracle Cloud.
First we need to retrieve our machine’s IP address inside tailscale network.
We will open the port TCP 6433 in source and destination for our machine only. Run the following command on your machine.

tailscale ip -4

On the Oracle Cloud portail, go to Networking -> Virtual Cloud Networks -> your VCN -> Subnets -> public-subnet

Then go to Security Lists -> Default Security List

Adn finally to Ingress Rules -> Add Ingress Rules


We need to ssh into the control plane in order to retrieve the KubeConfig file located in .kube/config.
But first we need to retrieve the tailscale’s IP address of the control plane.

tailscale ip -4

We will create a KubeConfig file on our machine and put the content inside and replace the line server: https://10.0.0.X:6443 with the IP address previously retrieved.

# On the local machine
mkdir -p ~/.kube
# Put content retrieve on the control plane
vi ~/.kube/oracle-config
# Use the kubeconfig
export KUBECONFIG=~/.kube/oracle-config

If we try to interact with our cluster from our local machine, we will now have an error on the certificate.

Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for 10.0.0.W, not 100.X.Y.Z

Add SAN to the certificate

We will need to add the IP address to the SAN of the certificate.
To do so, we will first remove the certificates of the API server, so we can regenerate them.

sudo rm /etc/kubernetes/pki/apiserver.{crt,key}

Then, we need to retrieve our kubeadm configuration file

kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm.yaml

Now, we can modify our configuration file to add the SAN.
Replace with your own IP addresses.

    - "kubernetes.default"
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes

Finally, we can generate the new certificates for the API server.

sudo kubeadm init phase certs apiserver --config kubeadm.yaml


We are now able to interact with our kubernetes cluster from our local machine.

I hope this was useful!