Tailscale, Self Hosted Kubernetes and Funnels

I have a bunch of Linux servers with Tailscale installed on them. I’ve recently installed k3s on each of those servers and created a Kubernetes cluster.

Now, I want to expose some of the applications running on my cluster to the public internet using Tailscale Funnel.

So in the final picture, there will be Tailscale daemons running on the physical nodes, plus, for each of the exposed services, a Tailscale container running inside a pod. As far as I understand, the services I expose will appear as different machines on my tailnet.

I have several concerns about this setup:

  1. Does this setup make sense?
  2. Am I introducing security breaches by effectively putting containerized apps and physical machines on the same tailnet?
  3. Is the Funnel network traffic going to be encrypted twice, wasting CPU cycles on both ends?
  4. Is there a better way?
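For the second concern, the usual mitigation is to give the exposed pods their own tag and let the tailnet policy file keep them from reaching the physical nodes, while granting the Funnel node attribute only to that tag. The policy below is an added illustration, not something from the original post or from any project mentioned here; the tag names `tag:server` and `tag:funnel-svc` are assumptions.

```jsonc
{
  // Who may assign each tag. Tag names are assumptions for this example.
  "tagOwners": {
    "tag:server":     ["autogroup:admin"],
    "tag:funnel-svc": ["autogroup:admin"],
  },

  "acls": [
    // Physical nodes may reach each other and the exposed service pods.
    {"action": "accept", "src": ["tag:server"], "dst": ["tag:server:*", "tag:funnel-svc:*"]},
    // No rule lists tag:funnel-svc as a source, so an exposed pod cannot
    // initiate connections to the physical nodes (anything not listed is denied).
  ],

  // Only nodes carrying tag:funnel-svc may enable Funnel at all.
  "nodeAttrs": [
    {"target": ["tag:funnel-svc"], "attr": ["funnel"]},
  ],
}
```

The pods only fall under this rule if the auth keys they join with are issued pre-tagged with `tag:funnel-svc`; a pod that joins as an untagged user device would inherit that user's access instead.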

A shameless plug here. I’m currently working on a Tailscale-based Ingress Controller (a fork of an earlier work I found on GitHub) that allows you to expose services on the tailnet, including via Funnel.

Feel free to test and see if it fits your purpose.