Zero Trust and VPC


We’re migrating to Zero Trust Networking but we have questions. Ideally, we would like to identify all our servers so we can log everything accurately. We’re now wondering about K8S nodes. Nodes are dynamic and pool size can increase / decrease during all the day. Ideally, I guess it’s recommended (for Zero Trust) to identify each K8S node with a Tailscale instance running as a DaemonSet with Ephemeral auth key. In that case, we need to have Tailscale interface to be available as part of node, and not only container network as node must be able to pull images from registry available only on Tailscale network. However, we could have hundreds of nodes. If we want to apply zero trust strictly, I guess it’s what we should do.

In the end, what’s your POV / recommendation ?
Is there a performance impact having all nodes connected instead of connecting VPC gateway directly to Tailscale network ?