
Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 8 comments
1. Lightbody ◴[] No.31260320[source]
We love Tailscale. Every employee has it, and we use it to provide access to dev, staging, and prod environments as well.

Fun little thing we did with it: nobody can access the prod network without requesting access via a Slack bot (powered by https://indent.com/). So somebody requests access, another authorized person approves it, and the Tailscale ACLs are updated for X minutes and then reset.

Access to secure environments is super low friction but more secure (with fantastic audit trails) than ever.

replies(2): >>31260539 #>>31265499 #
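Added example, not part of the thread and not Lightbody's or Indent's code: a sketch of the time-boxed grant described in the comment above, where a second authorized person approves, a temporary rule is added to the policy, and a timer sweep resets it while leaving an audit trail. The rule shape follows the `acls` entries of a Tailscale policy file; the approver set, the `tag:prod` destination, the 240-minute cap and the side ledger that tracks expiry are assumptions, and pushing the resulting policy to the tailnet is left out.

```python
import copy

# Assumptions (not from the thread): approver list, destination tag, the cap on
# grant length and the ledger layout are all hypothetical, constructed values.
APPROVERS = {"alice@example.com", "bob@example.com"}
PROD_DST = "tag:prod:*"
MAX_MINUTES = 240

def grant(policy, ledger, audit, requester, approver, minutes, now):
    """Return a new policy with a temporary prod rule; record expiry and audit."""
    if approver not in APPROVERS:
        raise PermissionError("approver is not authorized")
    if approver == requester:
        raise PermissionError("self-approval is not allowed")
    if not 0 < minutes <= MAX_MINUTES:
        raise ValueError("grant length out of range")
    rule = {"action": "accept", "src": [requester], "dst": [PROD_DST]}
    new_policy = copy.deepcopy(policy)      # never mutate the caller's policy
    new_policy["acls"].append(rule)
    ledger.append({"rule": rule, "expires": now + minutes * 60})
    audit.append(("grant", requester, approver, now))
    return new_policy

def sweep(policy, ledger, audit, now):
    """Drop every temporary rule whose expiry has passed; keep static rules."""
    new_policy = copy.deepcopy(policy)
    for entry in [e for e in ledger if e["expires"] <= now]:
        if entry["rule"] in new_policy["acls"]:
            new_policy["acls"].remove(entry["rule"])
        ledger.remove(entry)
        audit.append(("revoke", entry["rule"]["src"][0], "timer", now))
    return new_policy
```

Because expiry lives in the ledger rather than in the policy itself, the ledger has to survive a restart of whatever runs `sweep`, otherwise a temporary rule stays in place until an admin removes it by hand.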
2. fwip ◴[] No.31260539[source]
That's gonna be exciting next time Slack is down.
replies(2): >>31260580 #>>31263940 #
3. dx034 ◴[] No.31260580[source]
I'd assume they have a fallback option to provide access.
replies(2): >>31260789 #>>31261471 #
4. VWWHFSfQ ◴[] No.31260789{3}[source]
I wouldn't assume anything
5. Lightbody ◴[] No.31261471{3}[source]
It's a very safe assumption: we're just automating Tailscale ACLs. Tailscale admins (3 of us) can still come in and manually change them.
replies(1): >>31263828 #
6. fwip ◴[] No.31263828{4}[source]
That's reassuring, the phrasing of "nobody can access prod without a Slack bot" was worrying.
7. obogobo ◴[] No.31263940[source]
it was down for many folks about 2 hours after you posted this lol
8. ignoramous ◴[] No.31265499[source]
Well, we run our servers without ssh access... no amount of escalation through ACLs / Security Groups lets you in. Can't say it would work for everyone, but at least, no one can mutate prod unless the code itself exposes those interfaces.