Adding New Nodes to Tailscale Subnet Routing
Overview
Adding new cluster nodes to Tailscale subnet routing[^1]. After adding a node to the cluster, update Tailscale so it's reachable remotely.
Before You Begin
Prerequisites
- Tailscale Kubernetes Subnet Router completed
- New node added (typically via Talos Cluster Expansion and HA)
What Needs Updating
- Tailscale ACL - Add the node IP to autoApprovers (do this first!)
- Connector manifest - Add the node IP to advertised routes
Important: Update the ACL before the connector. autoApprovers only catches new route advertisements; if a route is already "Awaiting Approval", you must manually approve it in the Tailscale admin console.
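As an added pre-commit check (not part of the original runbook): this Python script parses the ACL fragment and the Connector's advertiseRoutes and lists every advertised route that no autoApprovers prefix covers, i.e. the routes that would land in "Awaiting Approval" if the connector were committed before the ACL. It assumes a route is auto-approved when it lies inside an approver prefix carrying tag:k8s, and the sample ACL and manifest below are constructed from the values on this page.

```python
import ipaddress
import json
import re

# Constructed sample of the ACL fragment from this page. Tailscale ACLs are
# HuJSON (comments, trailing commas), which json.loads rejects as-is.
ACL_HUJSON = """{
  // routes the tag:k8s connector may advertise without manual approval
  "autoApprovers": {
    "routes": {
      "192.168.1.30/32": ["tag:k8s"],
      "192.168.1.31/32": ["tag:k8s"],
      "192.168.1.40/29": ["tag:k8s"],
    },
  },
}"""

# Constructed sample of the Connector manifest with the new node already added.
CONNECTOR_YAML = """spec:
  subnetRouter:
    advertiseRoutes:
      - '192.168.1.30/32' # Control plane node
      - '192.168.1.31/32' # Control plane node
      - '192.168.1.32/32' # Control plane node (NEW)
      - '192.168.1.40/29' # MetalLB pool .40-.47
"""

def load_hujson(text):
    """Strip // comments and trailing commas, then parse as plain JSON."""
    text = re.sub(r"//[^\n]*", "", text)          # assumes no '//' inside strings
    text = re.sub(r",(\s*[}\]])", r"\1", text)    # drop trailing commas
    return json.loads(text)

def advertised_routes(yaml_text):
    """Collect the '- cidr' items listed under advertiseRoutes (quotes/comments ignored)."""
    block = yaml_text.split("advertiseRoutes:", 1)[1]
    return re.findall(r"^\s*-\s*['\"]?([0-9a-f.:/]+)", block, re.M | re.I)

def unapproved_routes(acl_text, yaml_text, tag="tag:k8s"):
    """Return advertised routes that no autoApprovers prefix for `tag` covers.
    Assumption: a route is covered when it lies inside an approver prefix."""
    approvers = load_hujson(acl_text)["autoApprovers"]["routes"]
    covered = [ipaddress.ip_network(p) for p, who in approvers.items() if tag in who]
    missing = []
    for route in advertised_routes(yaml_text):
        net = ipaddress.ip_network(route)
        if not any(c.version == net.version and net.subnet_of(c) for c in covered):
            missing.append(route)   # would sit in "Awaiting Approval" after commit
    return missing
```

Run `unapproved_routes(ACL_HUJSON, CONNECTOR_YAML)` against your real ACL and manifest before `git push`; an empty list means the connector change can go in without a manual approval step.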
Update Tailscale ACL
ACL autoApprovers
Go to Tailscale ACLs and add the new IP to autoApprovers:
```json
"autoApprovers": {
  "routes": {
    "192.168.1.30/32": ["tag:k8s"],
    "192.168.1.31/32": ["tag:k8s"],
    "192.168.1.32/32": ["tag:k8s"],
    "192.168.1.40/29": ["tag:k8s"],
    "192.168.1.48/28": ["tag:k8s"],
    "192.168.1.64/28": ["tag:k8s"]
  }
},
```

Save the ACL before proceeding.
Update Connector
Connector
k8s/core/tailscale/connector/connector.yaml:

```yaml
---
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: homelab-subnet
spec:
  hostname: homelab-subnet
  subnetRouter:
    advertiseRoutes:
      - '192.168.1.30/32' # Control plane node
      - '192.168.1.31/32' # Control plane node
      - '192.168.1.32/32' # Control plane node (NEW)
      - '192.168.1.40/29' # MetalLB pool .40-.47
      - '192.168.1.48/28' # MetalLB pool .48-.63
      - '192.168.1.64/28' # MetalLB pool .64-.79
```

Commit Changes
```shell
git add k8s/core/tailscale/connector/connector.yaml
git commit -m "feat(tailscale): add node 3 to subnet router"
git push
```

Apply Changes
Reconcile Flux and restart the subnet router pod to pick up the new routes.
Reconcile Flux
```shell
flux reconcile kustomization sync
```

Restart Subnet Router
```shell
# Restart pod to re-register routes with new advertised IPs
kubectl delete pod -n tailscale -l tailscale.com/parent-resource=homelab-subnet
# Watch for it to come back
kubectl get pods -n tailscale -w
```

Verify Changes
Connector Status
```shell
kubectl get connector homelab-subnet -n tailscale -o yaml | grep -A 10 advertiseRoutes
```

Tailscale Admin
Check Tailscale Machines:
- Click homelab-subnet
- The Subnets tab should show the new IP under "Approved" (not "Awaiting Approval")
Test Connectivity
```shell
ping 192.168.1.32
```

Next Steps
For connectivity resilience (network segmentation, TPM errors, subnet router failover), enable Tailscale HA.
See: Tailscale High Availability
Resources
Footnotes

[^1]: Tailscale, "Kubernetes Operator," tailscale.com. Accessed: Dec. 20, 2025. [Online]. Available: https://tailscale.com/kb/1236/kubernetes-operator