{"id":30529442,"url":"https://github.com/spechtlabs/tka","last_synced_at":"2026-05-18T11:06:38.316Z","repository":{"id":303116683,"uuid":"1014407310","full_name":"SpechtLabs/tka","owner":"SpechtLabs","description":"Zero-friction Kubernetes access using Tailscale and ephemeral service accounts","archived":false,"fork":false,"pushed_at":"2026-05-14T13:54:24.000Z","size":9524,"stargazers_count":4,"open_issues_count":10,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-14T15:46:10.776Z","etag":null,"topics":["access-control","authentication","kubernetes","sre","tailscale"],"latest_commit_sha":null,"homepage":"https://tka.specht-labs.de/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SpechtLabs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-05T16:59:58.000Z","updated_at":"2026-05-14T13:54:27.000Z","dependencies_parsed_at":"2025-07-05T20:28:44.416Z","dependency_job_id":"003a808c-bf09-4160-89bf-da25b2ec0108","html_url":"https://github.com/SpechtLabs/tka","commit_stats":null,"previous_names":["spechtlabs/tailscale-k8s-auth","spechtlabs/tka"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/SpechtLabs/tka","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpechtLabs%2Ftka","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpechtLabs%2Ftka/tags","releases_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/SpechtLabs%2Ftka/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpechtLabs%2Ftka/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SpechtLabs","download_url":"https://codeload.github.com/SpechtLabs/tka/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpechtLabs%2Ftka/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33175890,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-18T09:27:30.708Z","status":"ssl_error","status_checked_at":"2026-05-18T09:27:28.300Z","response_time":71,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","authentication","kubernetes","sre","tailscale"],"created_at":"2025-08-27T07:00:56.823Z","updated_at":"2026-05-18T11:06:38.309Z","avatar_url":"https://github.com/SpechtLabs.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Tailscale Kubernetes Auth (TKA)\n\n[![Go Build \u0026 Docker 
Build](https://github.com/spechtlabs/tka/actions/workflows/build.yaml/badge.svg)](https://github.com/spechtlabs/tka/actions/workflows/build.yaml)\n[![Documentation](https://github.com/spechtlabs/tka/actions/workflows/docs-website.yaml/badge.svg)](https://github.com/spechtlabs/tka/actions/workflows/docs-website.yaml)\n[![Codecov](https://codecov.io/gh/spechtlabs/tka/branch/main/graph/badge.svg)](https://codecov.io/gh/spechtlabs/tka)\n[![Go Report Card](https://goreportcard.com/badge/github.com/spechtlabs/tka)](https://goreportcard.com/report/github.com/spechtlabs/tka)\n[![Go Doc](https://godoc.org/github.com/spechtlabs/tka?status.svg)](https://godoc.org/github.com/spechtlabs/tka)\n\n\u003e Secure, ephemeral Kubernetes access powered by your Tailscale network and identity.\n\nTKA eliminates the complexity of traditional Kubernetes access control by leveraging your existing Tailscale infrastructure. No auth proxies, no OIDC headaches, no kubeconfig sprawl - just clean, auditable access with short-lived credentials.\n\n**[Full Documentation \u0026 Getting Started Guide →](https://tka.specht-labs.de)**\n\n## What is TKA?\n\nTKA (Tailscale Kubernetes Auth) is a zero-trust authentication system that issues short-lived Kubernetes credentials based on your Tailscale identity and ACL grants. 
It runs entirely within your private Tailscale network with no public endpoints.\n\n### Key Benefits\n\n- **Zero-trust by design** - No public endpoints, access gated by Tailscale ACLs and device attestation\n- **Ephemeral credentials** - Short-lived tokens that auto-expire, reducing blast radius\n- **Kubernetes-native** - Built on ServiceAccounts, ClusterRoles, and standard APIs\n- **Developer-friendly** - `tsh login`-like UX that just works\n- **GitOps-ready** - Declarative grant-to-role mapping via CRDs\n\n## Quick Start\n\n```bash\n# Install TKA CLI\ncurl -fsSL https://github.com/spechtlabs/tka/releases/latest/download/ts-k8s-auth-linux-amd64 -o ts-k8s-auth\nchmod +x ts-k8s-auth \u0026\u0026 sudo mv ts-k8s-auth /usr/local/bin/\n\n# Deploy TKA server with Helm\nhelm repo add spechtlabs https://charts.specht-labs.de\nhelm install tka spechtlabs/tka -n tka-system --create-namespace --set tka.tailscale.tailnet=your-tailnet.ts.net --set secrets.tailscale.authKey=tskey-auth-your-key-here\n\n# Install shell integration for tka wrapper functions\neval \"$(ts-k8s-auth generate integration bash)\"  # or zsh/fish\n\n# Start an ephemeral session (perfect for debugging)\ntka shell\n(tka) $ kubectl get pods\n(tka) $ exit  # Access automatically revoked\n\n# Or login for persistent access (KUBECONFIG auto-managed)\ntka login\n$ kubectl get namespaces\n$ tka logout\n```\n\n## How It Works\n\n```mermaid\ngraph TB\n    A[Developer] --\u003e|1 - tka login| B[TKA Server]\n    B --\u003e|2 - Validate identity| C[Tailscale API]\n    B --\u003e|3 - Check grants| D[Tailscale ACLs]\n    B --\u003e|4 - Create ServiceAccount| E[Kubernetes API]\n    B --\u003e|5 - Return kubeconfig| A\n    F[TKA Operator] --\u003e|6 - Cleanup expired tokens| E\n```\n\n1. **Identity verification** - TKA validates your Tailscale identity and device\n2. **Authorization** - Checks your ACL grants for Kubernetes access permissions\n3. **Credential provisioning** - Creates an ephemeral ServiceAccount and token\n4. 
**Access granted** - Returns a time-limited kubeconfig for direct cluster access\n5. **Automatic cleanup** - Expired credentials are automatically revoked\n\n## Architecture\n\nTKA consists of the following main components:\n\n- **CLI** (`tka`) - User-facing command for authentication and kubeconfig management\n- **Server** - In-cluster service handling authentication and credential issuance\n- **Operator** - Kubernetes controller managing ServiceAccount lifecycle\n\nThe server runs inside your cluster and is only accessible via your Tailscale network. No ingress controllers, load balancers, or public endpoints required.\n\n## Repository Structure\n\n```text\n.\n├── cmd/\n│   ├── cli/          # TKA CLI implementation\n│   └── server/       # TKA server and operator\n├── pkg/\n│   ├── api/          # HTTP API handlers\n│   ├── auth/         # Authentication middleware\n│   ├── operator/     # Kubernetes operator logic\n│   └── tailscale/    # Tailscale integration\n└── internal/\n    └── cli/          # CLI-specific utilities\n```\n\n## Development\n\n### Prerequisites\n\n- Go 1.21+\n- Kubernetes cluster (for testing)\n- Tailscale account and tailnet\n\n### Building\n\n```bash\n# Build CLI\nmake build-cli\n\n# Build server\nmake build-server\n\n# Run tests\nmake test\n\n# Generate documentation\nmake docs\n```\n\n### Running Locally\n\n```bash\n# Start development server\nmake dev-server\n\n# Run CLI against local server\nexport TKA_TAILSCALE_HOSTNAME=localhost\nexport TKA_TAILSCALE_PORT=8080\n./bin/tka-cli login\n```\n\n## Security Model\n\nTKA's security model is built on several key principles:\n\n- **Network isolation** - All communication happens within your private Tailscale network\n- **Device attestation** - Access requires an authenticated Tailscale device\n- **Ephemeral credentials** - Short-lived tokens minimize the exposure window\n- **Principle of least privilege** - Explicit grant mapping to Kubernetes roles\n- **Audit trail** - All access is logged and attributable to 
specific users/devices\n\n\u003e [!WARNING]\n\u003e TKA's security model is thoughtfully designed but still evolving.\n\u003e While suitable for many use cases, it hasn't undergone professional security auditing.\n\u003e\n\u003e See the [Security Documentation](https://tka.specht-labs.de/explanation/security) for details.\n\n## Comparison with Alternatives\n\n| Feature | TKA | Teleport | Tailscale K8s Operator |\n|---------|-----|----------|-------------------------|\n| **Zero public endpoints** | ✅ | ❌ | ✅ |\n| **Ephemeral credentials** | ✅ | ✅ | ❌ |\n| **Tailscale native** | ✅ | ❌ | ✅ |\n| **Multi-protocol support** | ❌ | ✅ | ❌ |\n| **Session recording** | ❌ | ✅ | ❌ |\n| **Lightweight deployment** | ✅ | ❌ | ✅ |\n\n## Documentation\n\n- **[Full Documentation](https://tka.specht-labs.de)** - Comprehensive guides and reference\n- **[Quick Start Tutorial](https://tka.specht-labs.de/tutorials/quick)** - Get up and running in 5 minutes\n- **[Production Deployment](https://tka.specht-labs.de/how-to/deploy-production)** - Production-ready setup guide\n- **[Configuration Reference](https://tka.specht-labs.de/reference/configuration)** - All configuration options\n- **[Troubleshooting](https://tka.specht-labs.de/how-to/troubleshooting)** - Common issues and solutions\n\n### Reporting Issues\n\nFound a bug or have a feature request? 
Please check existing [issues](https://github.com/spechtlabs/tka/issues) first, then [open a new issue](https://github.com/spechtlabs/tka/issues/new/choose) with details.\n\n## Acknowledgments\n\n- **[Tailscale](https://tailscale.com)** - For the amazing zero-trust networking platform\n- **[Teleport](https://goteleport.com)** - Inspiration for the UX and security model\n\n---\n\n**Built by SREs, for SREs.** TKA is designed for real-world production operations with security, reliability, and developer experience as top priorities.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspechtlabs%2Ftka","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspechtlabs%2Ftka","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspechtlabs%2Ftka/lists"}