VERSION.txt: this is v1.64.2

Signed-off-by: Jenny Zhang <jz@tailscale.com>
VERSION.txt: this is v1.64.1
2024-04-17 13:08:36 +00:00 · 2024-04-15 17:10:28 +00:00 · 2024-04-15 09:49:54 -07:00 · 2024-04-11 17:29:54 +00:00 · 2024-04-11 09:29:49 -07:00 · 2024-04-10 16:58:35 -07:00
450 changed files with 26806 additions and 6657 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,6 +47,12 @@ jobs:
    - name: Checkout repository
      uses: actions/checkout@v4

+    # Install a more recent Go that understands modern go.mod content.
+    - name: Install Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -1,64 +0,0 @@
-name: go-licenses
-
-on:
-  # run action when a change lands in the main branch which updates go.mod or
-  # our license template file. Also allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/licenses.tmpl
-      - .github/workflows/go-licenses.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  update-licenses:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-
-      - name: Install go-licenses
-        run: |
-          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
-
-      - name: Run go-licenses
-        env:
-          # include all build tags to include platform-specific dependencies
-          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
-        run: |
-          [ -d licenses ] || mkdir licenses
-          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
-
-      - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: License Updater <noreply+license-updater@tailscale.com>
-          committer: License Updater <noreply+license-updater@tailscale.com>
-          branch: licenses/cli
-          commit-message: "licenses: update tailscale{,d} licenses"
-          title: "licenses: update tailscale{,d} licenses"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          team-reviewers: opensource-license-reviewers
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -34,7 +34,7 @@ jobs:
        # Note: this is the 'v3' tag as of 2023-08-14
        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
        with:
-          version: v1.54.2
+          version: v1.56

          # Show only new issues if it's a pull request.
          only-new-issues: true
--- a/.github/workflows/kubemanifests.yaml
+++ b/.github/workflows/kubemanifests.yaml
@@ -2,8 +2,8 @@ name: "Kubernetes manifests"
 on:
  pull_request:
   paths: 
-   - './cmd/k8s-operator/'
-   - './k8s-operator/'
+   - 'cmd/k8s-operator/**'
+   - 'k8s-operator/**'
   - '.github/workflows/kubemanifests.yaml'

 # Cancel workflow run if there is a newer push to the same PR for which it is
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -183,6 +183,19 @@ jobs:
      # the equals signs cause great confusion.
      run: go test ./... -bench . -benchtime 1x -run "^$"

+  privileged:
+    runs-on: ubuntu-22.04
+    container:
+      image: golang:latest
+      options: --privileged
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: chown
+      run: chown -R $(id -u):$(id -g) $PWD
+    - name: privileged tests
+      run: ./tool/go test ./util/linuxfw
+
  vm:
    runs-on: ["self-hosted", "linux", "vm"]
    # VM tests run with some privileges, don't let them run on 3p PRs.
@@ -193,9 +206,9 @@ jobs:
    - name: Run VM tests
      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
      env:
-        HOME: "/tmp"
+        HOME: "/var/lib/ghrunner/home"
        TMPDIR: "/tmp"
-        XDB_CACHE_HOME: "/var/lib/ghrunner/cache"
+        XDG_CACHE_HOME: "/var/lib/ghrunner/cache"

  race-build:
    runs-on: ubuntu-22.04
@@ -241,9 +254,9 @@ jobs:
            goarch: amd64
          - goos: openbsd
            goarch: amd64
-          # Plan9
-          - goos: plan9
-            goarch: amd64
+          # Plan9 (disabled until 3p dependencies are fixed)
+          # - goos: plan9
+          #   goarch: amd64

    runs-on: ubuntu-22.04
    steps:
--- a/2
+++ b/2
@@ -31,7 +31,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.21-alpine AS build-env
+FROM golang:1.22-alpine AS build-env

 WORKDIR /go/src/tailscale

--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ not open source.

 ## Building

-We always require the latest Go release, currently Go 1.21. (While we build
+We always require the latest Go release, currently Go 1.22. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)

--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.57.0
+1.64.2
--- a/api.md
+++ b/api.md
--- a/appc/appconnector.go
+++ b/appc/appconnector.go
@@ -10,6 +10,7 @@
 package appc

 import (
+	"context"
 	"net/netip"
 	"slices"
 	"strings"
@@ -20,14 +21,19 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/views"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/util/execqueue"
+	"tailscale.com/util/mak"
 )

 // RouteAdvertiser is an interface that allows the AppConnector to advertise
 // newly discovered routes that need to be served through the AppConnector.
 type RouteAdvertiser interface {
-	// AdvertiseRoute adds a new route advertisement if the route is not already
-	// being advertised.
-	AdvertiseRoute(netip.Prefix) error
+	// AdvertiseRoute adds one or more route advertisements skipping any that
+	// are already advertised.
+	AdvertiseRoute(...netip.Prefix) error
+
+	// UnadvertiseRoute removes any matching route advertisements.
+	UnadvertiseRoute(...netip.Prefix) error
 }

 // AppConnector is an implementation of an AppConnector that performs
@@ -45,12 +51,19 @@ type AppConnector struct {

 	// mu guards the fields that follow
 	mu sync.Mutex
-	// domains is a map of lower case domain names with no trailing dot, to a
-	// list of resolved IP addresses.
+
+	// domains is a map of lower case domain names with no trailing dot, to an
+	// ordered list of resolved IP addresses.
 	domains map[string][]netip.Addr

+	// controlRoutes is the list of routes that were last supplied by control.
+	controlRoutes []netip.Prefix
+
 	// wildcards is the list of domain strings that match subdomains.
 	wildcards []string
+
+	// queue provides ordering for update operations
+	queue execqueue.ExecQueue
 }

 // NewAppConnector creates a new AppConnector.
@@ -61,11 +74,33 @@ func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser) *AppConn
 	}
 }

-// UpdateDomains replaces the current set of configured domains with the
-// supplied set of domains. Domains must not contain a trailing dot, and should
-// be lower case. If the domain contains a leading '*' label it matches all
-// subdomains of a domain.
+// UpdateDomainsAndRoutes starts an asynchronous update of the configuration
+// given the new domains and routes.
+func (e *AppConnector) UpdateDomainsAndRoutes(domains []string, routes []netip.Prefix) {
+	e.queue.Add(func() {
+		// Add the new routes first.
+		e.updateRoutes(routes)
+		e.updateDomains(domains)
+	})
+}
+
+// UpdateDomains asynchronously replaces the current set of configured domains
+// with the supplied set of domains. Domains must not contain a trailing dot,
+// and should be lower case. If the domain contains a leading '*' label it
+// matches all subdomains of a domain.
 func (e *AppConnector) UpdateDomains(domains []string) {
+	e.queue.Add(func() {
+		e.updateDomains(domains)
+	})
+}
+
+// Wait waits for the currently scheduled asynchronous configuration changes to
+// complete.
+func (e *AppConnector) Wait(ctx context.Context) {
+	e.queue.Wait(ctx)
+}
+
+func (e *AppConnector) updateDomains(domains []string) {
 	e.mu.Lock()
 	defer e.mu.Unlock()

@@ -97,6 +132,46 @@ func (e *AppConnector) UpdateDomains(domains []string) {
 	e.logf("handling domains: %v and wildcards: %v", xmaps.Keys(e.domains), e.wildcards)
 }

+// updateRoutes merges the supplied routes into the currently configured routes. The routes supplied
+// by control for UpdateRoutes are supplemental to the routes discovered by DNS resolution, but are
+// also more often whole ranges. UpdateRoutes will remove any single address routes that are now
+// covered by new ranges.
+func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	// If there was no change since the last update, no work to do.
+	if slices.Equal(e.controlRoutes, routes) {
+		return
+	}
+
+	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+		e.logf("failed to advertise routes: %v: %v", routes, err)
+		return
+	}
+
+	var toRemove []netip.Prefix
+
+nextRoute:
+	for _, r := range routes {
+		for _, addr := range e.domains {
+			for _, a := range addr {
+				if r.Contains(a) && netip.PrefixFrom(a, a.BitLen()) != r {
+					pfx := netip.PrefixFrom(a, a.BitLen())
+					toRemove = append(toRemove, pfx)
+					continue nextRoute
+				}
+			}
+		}
+	}
+
+	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
+	}
+
+	e.controlRoutes = routes
+}
+
 // Domains returns the currently configured domain list.
 func (e *AppConnector) Domains() views.Slice[string] {
 	e.mu.Lock()
@@ -132,6 +207,16 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		return
 	}

+	// cnameChain tracks a chain of CNAMEs for a given query in order to reverse
+	// a CNAME chain back to the original query for flattening. The keys are
+	// CNAME record targets, and the value is the name the record answers, so
+	// for www.example.com CNAME example.com, the map would contain
+	// ["example.com"] = "www.example.com".
+	var cnameChain map[string]string
+
+	// addressRecords is a list of address records found in the response.
+	var addressRecords map[string][]netip.Addr
+
 	for {
 		h, err := p.AnswerHeader()
 		if err == dnsmessage.ErrSectionDone {
@@ -147,73 +232,171 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 			}
 			continue
 		}
-		if h.Type != dnsmessage.TypeA && h.Type != dnsmessage.TypeAAAA {
+
+		switch h.Type {
+		case dnsmessage.TypeCNAME, dnsmessage.TypeA, dnsmessage.TypeAAAA:
+		default:
 			if err := p.SkipAnswer(); err != nil {
 				return
 			}
 			continue
+
 		}

-		domain := h.Name.String()
+		domain := strings.TrimSuffix(strings.ToLower(h.Name.String()), ".")
 		if len(domain) == 0 {
-			return
-		}
-		domain = strings.TrimSuffix(domain, ".")
-		domain = strings.ToLower(domain)
-		e.logf("[v2] observed DNS response for %s", domain)
-
-		e.mu.Lock()
-		addrs, ok := e.domains[domain]
-		// match wildcard domains
-		if !ok {
-			for _, wc := range e.wildcards {
-				if dnsname.HasSuffix(domain, wc) {
-					e.domains[domain] = nil
-					ok = true
-					break
-				}
-			}
-		}
-		e.mu.Unlock()
-
-		if !ok {
-			if err := p.SkipAnswer(); err != nil {
-				return
-			}
 			continue
 		}

-		var addr netip.Addr
+		if h.Type == dnsmessage.TypeCNAME {
+			res, err := p.CNAMEResource()
+			if err != nil {
+				return
+			}
+			cname := strings.TrimSuffix(strings.ToLower(res.CNAME.String()), ".")
+			if len(cname) == 0 {
+				continue
+			}
+			mak.Set(&cnameChain, cname, domain)
+			continue
+		}
+
 		switch h.Type {
 		case dnsmessage.TypeA:
 			r, err := p.AResource()
 			if err != nil {
 				return
 			}
-			addr = netip.AddrFrom4(r.A)
+			addr := netip.AddrFrom4(r.A)
+			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
 		case dnsmessage.TypeAAAA:
 			r, err := p.AAAAResource()
 			if err != nil {
 				return
 			}
-			addr = netip.AddrFrom16(r.AAAA)
+			addr := netip.AddrFrom16(r.AAAA)
+			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
 		default:
 			if err := p.SkipAnswer(); err != nil {
 				return
 			}
 			continue
 		}
-		if slices.Contains(addrs, addr) {
-			continue
-		}
-		if err := e.routeAdvertiser.AdvertiseRoute(netip.PrefixFrom(addr, addr.BitLen())); err != nil {
-			e.logf("failed to advertise route for %s: %v: %v", domain, addr, err)
-			continue
-		}
-		e.logf("[v2] advertised route for %v: %v", domain, addr)
+	}

-		e.mu.Lock()
-		e.domains[domain] = append(addrs, addr)
-		e.mu.Unlock()
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	for domain, addrs := range addressRecords {
+		domain, isRouted := e.findRoutedDomainLocked(domain, cnameChain)
+
+		// domain and none of the CNAMEs in the chain are routed
+		if !isRouted {
+			continue
+		}
+
+		// advertise each address we have learned for the routed domain, that
+		// was not already known.
+		var toAdvertise []netip.Prefix
+		for _, addr := range addrs {
+			if !e.isAddrKnownLocked(domain, addr) {
+				toAdvertise = append(toAdvertise, netip.PrefixFrom(addr, addr.BitLen()))
+			}
+		}
+
+		e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
+		e.scheduleAdvertisement(domain, toAdvertise...)
 	}
 }
+
+// starting from the given domain that resolved to an address, find it, or any
+// of the domains in the CNAME chain toward resolving it, that are routed
+// domains, returning the routed domain name and a bool indicating whether a
+// routed domain was found.
+// e.mu must be held.
+func (e *AppConnector) findRoutedDomainLocked(domain string, cnameChain map[string]string) (string, bool) {
+	var isRouted bool
+	for {
+		_, isRouted = e.domains[domain]
+		if isRouted {
+			break
+		}
+
+		// match wildcard domains
+		for _, wc := range e.wildcards {
+			if dnsname.HasSuffix(domain, wc) {
+				e.domains[domain] = nil
+				isRouted = true
+				break
+			}
+		}
+
+		next, ok := cnameChain[domain]
+		if !ok {
+			break
+		}
+		domain = next
+	}
+	return domain, isRouted
+}
+
+// isAddrKnownLocked returns true if the address is known to be associated with
+// the given domain. Known domain tables are updated for covered routes to speed
+// up future matches.
+// e.mu must be held.
+func (e *AppConnector) isAddrKnownLocked(domain string, addr netip.Addr) bool {
+	if e.hasDomainAddrLocked(domain, addr) {
+		return true
+	}
+	for _, route := range e.controlRoutes {
+		if route.Contains(addr) {
+			// record the new address associated with the domain for faster matching in subsequent
+			// requests and for diagnostic records.
+			e.addDomainAddrLocked(domain, addr)
+			return true
+		}
+	}
+	return false
+}
+
+// scheduleAdvertisement schedules an advertisement of the given address
+// associated with the given domain.
+func (e *AppConnector) scheduleAdvertisement(domain string, routes ...netip.Prefix) {
+	e.queue.Add(func() {
+		if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+			e.logf("failed to advertise routes for %s: %v: %v", domain, routes, err)
+			return
+		}
+		e.mu.Lock()
+		defer e.mu.Unlock()
+
+		for _, route := range routes {
+			if !route.IsSingleIP() {
+				continue
+			}
+			addr := route.Addr()
+			if !e.hasDomainAddrLocked(domain, addr) {
+				e.addDomainAddrLocked(domain, addr)
+				e.logf("[v2] advertised route for %v: %v", domain, addr)
+			}
+		}
+	})
+}
+
+// hasDomainAddrLocked returns true if the address has been observed in a
+// resolution of domain.
+func (e *AppConnector) hasDomainAddrLocked(domain string, addr netip.Addr) bool {
+	_, ok := slices.BinarySearchFunc(e.domains[domain], addr, compareAddr)
+	return ok
+}
+
+// addDomainAddrLocked adds the address to the list of addresses resolved for
+// domain and ensures the list remains sorted. Does not attempt to deduplicate.
+func (e *AppConnector) addDomainAddrLocked(domain string, addr netip.Addr) {
+	e.domains[domain] = append(e.domains[domain], addr)
+	slices.SortFunc(e.domains[domain], compareAddr)
+}
+
+func compareAddr(l, r netip.Addr) int {
+	return l.Compare(r)
+}
--- a/appc/appconnector_test.go
+++ b/appc/appconnector_test.go
@@ -4,6 +4,7 @@
 package appc

 import (
+	"context"
 	"net/netip"
 	"reflect"
 	"slices"
@@ -11,12 +12,17 @@ import (

 	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/appc/appctest"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
 )

 func TestUpdateDomains(t *testing.T) {
+	ctx := context.Background()
 	a := NewAppConnector(t.Logf, nil)
 	a.UpdateDomains([]string{"example.com"})
+
+	a.Wait(ctx)
 	if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
@@ -24,6 +30,7 @@ func TestUpdateDomains(t *testing.T) {
 	addr := netip.MustParseAddr("192.0.0.8")
 	a.domains["example.com"] = append(a.domains["example.com"], addr)
 	a.UpdateDomains([]string{"example.com"})
+	a.Wait(ctx)

 	if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
@@ -31,16 +38,68 @@ func TestUpdateDomains(t *testing.T) {

 	// domains are explicitly downcased on set.
 	a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
+	a.Wait(ctx)
 	if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 }

-func TestDomainRoutes(t *testing.T) {
-	rc := &routeCollector{}
+func TestUpdateRoutes(t *testing.T) {
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
 	a := NewAppConnector(t.Logf, rc)
-	a.UpdateDomains([]string{"example.com"})
+	a.updateDomains([]string{"*.example.com"})
+
+	// This route should be collapsed into the range
+	a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
+	a.Wait(ctx)
+
+	if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
+		t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+	}
+
+	// This route should not be collapsed or removed
+	a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
+	a.Wait(ctx)
+
+	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
+	a.updateRoutes(routes)
+
+	slices.SortFunc(rc.Routes(), prefixCompare)
+	rc.SetRoutes(slices.Compact(rc.Routes()))
+	slices.SortFunc(routes, prefixCompare)
+
+	// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
+	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+		t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
+	}
+
+	// Ensure that the contained /32 is removed, replaced by the /24.
+	wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
+	if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
+		t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
+	}
+}
+
+func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
+	rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
+	a.updateRoutes(routes)
+
+	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+		t.Fatalf("got %v, want %v", rc.Routes(), routes)
+	}
+}
+
+func TestDomainRoutes(t *testing.T) {
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	a.updateDomains([]string{"example.com"})
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	a.Wait(context.Background())

 	want := map[string][]netip.Addr{
 		"example.com": {netip.MustParseAddr("192.0.0.8")},
@@ -52,51 +111,89 @@ func TestDomainRoutes(t *testing.T) {
 }

 func TestObserveDNSResponse(t *testing.T) {
-	rc := &routeCollector{}
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
 	a := NewAppConnector(t.Logf, rc)

 	// a has no domains configured, so it should not advertise any routes
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-	if got, want := rc.routes, ([]netip.Prefix)(nil); !slices.Equal(got, want) {
+	if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}

 	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}

-	a.UpdateDomains([]string{"example.com"})
+	a.updateDomains([]string{"example.com"})
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-	if got, want := rc.routes, wantRoutes; !slices.Equal(got, want) {
+	a.Wait(ctx)
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
+
+	// a CNAME record chain should result in a route being added if the chain
+	// matches a routed domain.
+	a.updateDomains([]string{"www.example.com", "example.com"})
+	a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com."))
+	a.Wait(ctx)
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}
+
+	// a CNAME record chain should result in a route being added if the chain
+	// even if only found in the middle of the chain
+	a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org."))
+	a.Wait(ctx)
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}

 	wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))

 	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-	if got, want := rc.routes, wantRoutes; !slices.Equal(got, want) {
+	a.Wait(ctx)
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}

 	// don't re-advertise routes that have already been advertised
 	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-	if !slices.Equal(rc.routes, wantRoutes) {
-		t.Errorf("got %v; want %v", rc.routes, wantRoutes)
+	a.Wait(ctx)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+	}
+
+	// don't advertise addresses that are already in a control provided route
+	pfx := netip.MustParsePrefix("192.0.2.0/24")
+	a.updateRoutes([]netip.Prefix{pfx})
+	wantRoutes = append(wantRoutes, pfx)
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
+	a.Wait(ctx)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+	}
+	if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
+		t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
 	}
 }

 func TestWildcardDomains(t *testing.T) {
-	rc := &routeCollector{}
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
 	a := NewAppConnector(t.Logf, rc)

-	a.UpdateDomains([]string{"*.example.com"})
+	a.updateDomains([]string{"*.example.com"})
 	a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
-	if got, want := rc.routes, []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
+	a.Wait(ctx)
+	if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
 		t.Errorf("routes: got %v; want %v", got, want)
 	}
 	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
 		t.Errorf("wildcards: got %v; want %v", got, want)
 	}

-	a.UpdateDomains([]string{"*.example.com", "example.com"})
+	a.updateDomains([]string{"*.example.com", "example.com"})
 	if _, ok := a.domains["foo.example.com"]; !ok {
 		t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
 	}
@@ -105,7 +202,7 @@ func TestWildcardDomains(t *testing.T) {
 	}

 	// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
-	a.UpdateDomains([]string{"*.example.com", "example.com"})
+	a.updateDomains([]string{"*.example.com", "example.com"})
 	if len(a.wildcards) != 1 {
 		t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
 	}
@@ -148,15 +245,68 @@ func dnsResponse(domain, address string) []byte {
 	return must.Get(b.Finish())
 }

-// routeCollector is a test helper that collects the list of routes advertised
-type routeCollector struct {
-	routes []netip.Prefix
+func dnsCNAMEResponse(address string, domains ...string) []byte {
+	addr := netip.MustParseAddr(address)
+	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
+	b.EnableCompression()
+	b.StartAnswers()
+
+	if len(domains) >= 2 {
+		for i, domain := range domains[:len(domains)-1] {
+			b.CNAMEResource(
+				dnsmessage.ResourceHeader{
+					Name:  dnsmessage.MustNewName(domain),
+					Type:  dnsmessage.TypeCNAME,
+					Class: dnsmessage.ClassINET,
+					TTL:   0,
+				},
+				dnsmessage.CNAMEResource{
+					CNAME: dnsmessage.MustNewName(domains[i+1]),
+				},
+			)
+		}
+	}
+
+	domain := domains[len(domains)-1]
+
+	switch addr.BitLen() {
+	case 32:
+		b.AResource(
+			dnsmessage.ResourceHeader{
+				Name:  dnsmessage.MustNewName(domain),
+				Type:  dnsmessage.TypeA,
+				Class: dnsmessage.ClassINET,
+				TTL:   0,
+			},
+			dnsmessage.AResource{
+				A: addr.As4(),
+			},
+		)
+	case 128:
+		b.AAAAResource(
+			dnsmessage.ResourceHeader{
+				Name:  dnsmessage.MustNewName(domain),
+				Type:  dnsmessage.TypeAAAA,
+				Class: dnsmessage.ClassINET,
+				TTL:   0,
+			},
+			dnsmessage.AAAAResource{
+				AAAA: addr.As16(),
+			},
+		)
+	default:
+		panic("invalid address length")
+	}
+	return must.Get(b.Finish())
 }

-// routeCollector implements RouteAdvertiser
-var _ RouteAdvertiser = (*routeCollector)(nil)
-
-func (rc *routeCollector) AdvertiseRoute(pfx netip.Prefix) error {
-	rc.routes = append(rc.routes, pfx)
-	return nil
+func prefixEqual(a, b netip.Prefix) bool {
+	return a == b
+}
+
+func prefixCompare(a, b netip.Prefix) int {
+	if a.Addr().Compare(b.Addr()) == 0 {
+		return a.Bits() - b.Bits()
+	}
+	return a.Addr().Compare(b.Addr())
 }
--- a/appc/appctest/appctest.go
+++ b/appc/appctest/appctest.go
@@ -0,0 +1,49 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package appctest
+
+import (
+	"net/netip"
+	"slices"
+)
+
+// RouteCollector is a test helper that collects the list of routes advertised
+type RouteCollector struct {
+	routes        []netip.Prefix
+	removedRoutes []netip.Prefix
+}
+
+func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
+	rc.routes = append(rc.routes, pfx...)
+	return nil
+}
+
+func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
+	routes := rc.routes
+	rc.routes = rc.routes[:0]
+	for _, r := range routes {
+		if !slices.Contains(toRemove, r) {
+			rc.routes = append(rc.routes, r)
+		} else {
+			rc.removedRoutes = append(rc.removedRoutes, r)
+		}
+	}
+	return nil
+}
+
+// RemovedRoutes returns the list of routes that were removed.
+func (rc *RouteCollector) RemovedRoutes() []netip.Prefix {
+	return rc.removedRoutes
+}
+
+// Routes returns the ordered list of routes that were added, including
+// possible duplicates.
+func (rc *RouteCollector) Routes() []netip.Prefix {
+	return rc.routes
+}
+
+func (rc *RouteCollector) SetRoutes(routes []netip.Prefix) error {
+	rc.routes = routes
+	return nil
+}
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -20,9 +20,9 @@
 set -eu

 # Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
-export PATH=$PWD/tool:$PATH
+export PATH="$PWD"/tool:"$PATH"

-eval $(./build_dist.sh shellvars)
+eval "$(./build_dist.sh shellvars)"

 DEFAULT_TARGET="client"
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
@@ -74,4 +74,4 @@ case "$TARGET" in
    echo "unknown target: $TARGET"
    exit 1
    ;;
-esac
+esac
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -270,6 +270,14 @@ type UserRuleMatch struct {
 	Users      []string `json:"users"`
 	Ports      []string `json:"ports"`
 	LineNumber int      `json:"lineNumber"`
+
+	// Postures is a list of posture policies that are
+	// associated with this match. The rules can be looked
+	// up in the ACLPreviewResponse parent struct.
+	// The source of the list is from srcPosture on
+	// an ACL or Grant rule:
+	// https://tailscale.com/kb/1288/device-posture#posture-conditions
+	Postures []string `json:"postures"`
 }

 // ACLPreviewResponse is the response type of previewACLPostRequest
@@ -277,6 +285,12 @@ type ACLPreviewResponse struct {
 	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
 	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
 	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
+
+	// Postures is a map of postures and associated rules that apply
+	// to this preview.
+	// For more details about the posture mapping, see:
+	// https://tailscale.com/kb/1288/device-posture#postures
+	Postures map[string][]string `json:"postures,omitempty"`
 }

 // ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
@@ -284,6 +298,12 @@ type ACLPreview struct {
 	Matches []UserRuleMatch `json:"matches"`
 	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
 	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
+
+	// Postures is a map of postures and associated rules that apply
+	// to this preview.
+	// For more details about the posture mapping, see:
+	// https://tailscale.com/kb/1288/device-posture#postures
+	Postures map[string][]string `json:"postures,omitempty"`
 }

 func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
@@ -341,8 +361,9 @@ func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (r
 	}

 	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
+		Matches:  b.Matches,
+		User:     b.PreviewFor,
+		Postures: b.Postures,
 	}, nil
 }

@@ -369,8 +390,9 @@ func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.
 	}

 	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
+		Matches:  b.Matches,
+		IPPort:   b.PreviewFor,
+		Postures: b.Postures,
 	}, nil
 }

@@ -394,8 +416,9 @@ func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, use
 	}

 	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
+		Matches:  b.Matches,
+		User:     b.PreviewFor,
+		Postures: b.Postures,
 	}, nil
 }

@@ -419,8 +442,9 @@ func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, i
 	}

 	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
+		Matches:  b.Matches,
+		IPPort:   b.PreviewFor,
+		Postures: b.Postures,
 	}, nil
 }

--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -7,6 +7,7 @@ package tailscale

 import (
 	"bytes"
+	"cmp"
 	"context"
 	"crypto/tls"
 	"encoding/json"
@@ -27,6 +28,7 @@ import (

 	"go4.org/mem"
 	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/drive"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -37,7 +39,6 @@ import (
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
 	"tailscale.com/types/tkatype"
-	"tailscale.com/util/cmpx"
 )

 // defaultLocalClient is the default LocalClient when using the legacy
@@ -479,7 +480,7 @@ func (lc *LocalClient) DebugPortmap(ctx context.Context, opts *DebugPortmapOpts)
 		opts = &DebugPortmapOpts{}
 	}

-	vals.Set("duration", cmpx.Or(opts.Duration, 5*time.Second).String())
+	vals.Set("duration", cmp.Or(opts.Duration, 5*time.Second).String())
 	vals.Set("type", opts.Type)
 	vals.Set("log_http", strconv.FormatBool(opts.LogHTTP))

@@ -1417,6 +1418,66 @@ func (lc *LocalClient) CheckUpdate(ctx context.Context) (*tailcfg.ClientVersion,
 	return &cv, nil
 }

+// SetUseExitNode toggles the use of an exit node on or off.
+// To turn it on, there must have been a previously used exit node.
+// The most previously used one is reused.
+// This is a convenience method for GUIs. To select an actual one, update the prefs.
+func (lc *LocalClient) SetUseExitNode(ctx context.Context, on bool) error {
+	_, err := lc.send(ctx, "POST", "/localapi/v0/set-use-exit-node-enabled?enabled="+strconv.FormatBool(on), http.StatusOK, nil)
+	return err
+}
+
+// DriveSetServerAddr instructs Taildrive to use the server at addr to access
+// the filesystem. This is used on platforms like Windows and MacOS to let
+// Taildrive know to use the file server running in the GUI app.
+func (lc *LocalClient) DriveSetServerAddr(ctx context.Context, addr string) error {
+	_, err := lc.send(ctx, "PUT", "/localapi/v0/drive/fileserver-address", http.StatusCreated, strings.NewReader(addr))
+	return err
+}
+
+// DriveShareSet adds or updates the given share in the list of shares that
+// Taildrive will serve to remote nodes. If a share with the same name already
+// exists, the existing share is replaced/updated.
+func (lc *LocalClient) DriveShareSet(ctx context.Context, share *drive.Share) error {
+	_, err := lc.send(ctx, "PUT", "/localapi/v0/drive/shares", http.StatusCreated, jsonBody(share))
+	return err
+}
+
+// DriveShareRemove removes the share with the given name from the list of
+// shares that Taildrive will serve to remote nodes.
+func (lc *LocalClient) DriveShareRemove(ctx context.Context, name string) error {
+	_, err := lc.send(
+		ctx,
+		"DELETE",
+		"/localapi/v0/drive/shares",
+		http.StatusNoContent,
+		strings.NewReader(name))
+	return err
+}
+
+// DriveShareRename renames the share from old to new name.
+func (lc *LocalClient) DriveShareRename(ctx context.Context, oldName, newName string) error {
+	_, err := lc.send(
+		ctx,
+		"POST",
+		"/localapi/v0/drive/shares",
+		http.StatusNoContent,
+		jsonBody([2]string{oldName, newName}))
+	return err
+}
+
+// DriveShareList returns the list of shares that drive is currently serving
+// to remote nodes.
+func (lc *LocalClient) DriveShareList(ctx context.Context) ([]*drive.Share, error) {
+	result, err := lc.get200(ctx, "/localapi/v0/drive/shares")
+	if err != nil {
+		return nil, err
+	}
+	var shares []*drive.Share
+	err = json.Unmarshal(result, &shares)
+	return shares, err
+}
+
 // IPNBusWatcher is an active subscription (watch) of the local tailscaled IPN bus.
 // It's returned by LocalClient.WatchIPNBus.
 //
--- a/client/tailscale/localclient_test.go
+++ b/client/tailscale/localclient_test.go
@@ -5,7 +5,11 @@

 package tailscale

-import "testing"
+import (
+	"testing"
+
+	"tailscale.com/tstest/deptest"
+)

 func TestGetServeConfigFromJSON(t *testing.T) {
 	sc, err := getServeConfigFromJSON([]byte("null"))
@@ -25,3 +29,14 @@ func TestGetServeConfigFromJSON(t *testing.T) {
 		t.Errorf("want non-nil TCP for object")
 	}
 }
+
+func TestDeps(t *testing.T) {
+	deptest.DepChecker{
+		BadDeps: map[string]string{
+			// Make sure we don't again accidentally bring in a dependency on
+			// drive or its transitive dependencies
+			"tailscale.com/drive/driveimpl":  "https://github.com/tailscale/tailscale/pull/10631",
+			"github.com/studio-b12/gowebdav": "https://github.com/tailscale/tailscale/pull/10631",
+		},
+	}.Check(t)
+}
--- a/client/web/auth.go
+++ b/client/web/auth.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"
 	"time"

@@ -234,7 +235,12 @@ func (s *Server) newSessionID() (string, error) {
 	return "", errors.New("too many collisions generating new session; please refresh page")
 }

-type peerCapabilities map[capFeature]bool // value is true if the peer can edit the given feature
+// peerCapabilities holds information about what a source
+// peer is allowed to edit via the web UI.
+//
+// map value is true if the peer can edit the given feature.
+// Only capFeatures included in validCaps will be included.
+type peerCapabilities map[capFeature]bool

 // canEdit is true if the peerCapabilities grant edit access
 // to the given feature.
@@ -248,39 +254,85 @@ func (p peerCapabilities) canEdit(feature capFeature) bool {
 	return p[feature]
 }

+// isEmpty is true if p is either nil or has no capabilities
+// with value true.
+func (p peerCapabilities) isEmpty() bool {
+	if p == nil {
+		return true
+	}
+	for _, v := range p {
+		if v == true {
+			return false
+		}
+	}
+	return true
+}
+
 type capFeature string

 const (
 	// The following values should not be edited.
 	// New caps can be added, but existing ones should not be changed,
 	// as these exact values are used by users in tailnet policy files.
+	//
+	// IMPORTANT: When adding a new cap, also update validCaps slice below.

-	capFeatureAll      capFeature = "*"        // grants peer management of all features
-	capFeatureFunnel   capFeature = "funnel"   // grants peer serve/funnel management
-	capFeatureSSH      capFeature = "ssh"      // grants peer SSH server management
-	capFeatureSubnet   capFeature = "subnet"   // grants peer subnet routes management
-	capFeatureExitNode capFeature = "exitnode" // grants peer ability to advertise-as and use exit nodes
-	capFeatureAccount  capFeature = "account"  // grants peer ability to turn on auto updates and log out of node
+	capFeatureAll       capFeature = "*"         // grants peer management of all features
+	capFeatureSSH       capFeature = "ssh"       // grants peer SSH server management
+	capFeatureSubnets   capFeature = "subnets"   // grants peer subnet routes management
+	capFeatureExitNodes capFeature = "exitnodes" // grants peer ability to advertise-as and use exit nodes
+	capFeatureAccount   capFeature = "account"   // grants peer ability to turn on auto updates and log out of node
 )

+// validCaps contains the list of valid capabilities used in the web client.
+// Any capabilities included in a peer's grants that do not fall into this
+// list will be ignored.
+var validCaps []capFeature = []capFeature{
+	capFeatureAll,
+	capFeatureSSH,
+	capFeatureSubnets,
+	capFeatureExitNodes,
+	capFeatureAccount,
+}
+
 type capRule struct {
 	CanEdit []string `json:"canEdit,omitempty"` // list of features peer is allowed to edit
 }

 // toPeerCapabilities parses out the web ui capabilities from the
 // given whois response.
-func toPeerCapabilities(whois *apitype.WhoIsResponse) (peerCapabilities, error) {
-	caps := peerCapabilities{}
-	if whois == nil {
-		return caps, nil
+func toPeerCapabilities(status *ipnstate.Status, whois *apitype.WhoIsResponse) (peerCapabilities, error) {
+	if whois == nil || status == nil {
+		return peerCapabilities{}, nil
 	}
+	if whois.Node.IsTagged() {
+		// We don't allow management *from* tagged nodes, so ignore caps.
+		// The web client auth flow relies on having a true user identity
+		// that can be verified through login.
+		return peerCapabilities{}, nil
+	}
+
+	if !status.Self.IsTagged() {
+		// User owned nodes are only ever manageable by the owner.
+		if status.Self.UserID != whois.UserProfile.ID {
+			return peerCapabilities{}, nil
+		} else {
+			return peerCapabilities{capFeatureAll: true}, nil // owner can edit all features
+		}
+	}
+
+	// For tagged nodes, we actually look at the granted capabilities.
+	caps := peerCapabilities{}
 	rules, err := tailcfg.UnmarshalCapJSON[capRule](whois.CapMap, tailcfg.PeerCapabilityWebUI)
 	if err != nil {
 		return nil, fmt.Errorf("failed to unmarshal capability: %v", err)
 	}
 	for _, c := range rules {
 		for _, f := range c.CanEdit {
-			caps[capFeature(strings.ToLower(f))] = true
+			cap := capFeature(strings.ToLower(f))
+			if slices.Contains(validCaps, cap) {
+				caps[cap] = true
+			}
 		}
 	}
 	return caps, nil
--- a/client/web/package.json
+++ b/client/web/package.json
@@ -6,6 +6,7 @@
    "node": "18.16.1",
    "yarn": "1.22.19"
  },
+  "type": "module",
  "private": true,
  "dependencies": {
    "@radix-ui/react-collapsible": "^1.0.3",
@@ -19,23 +20,28 @@
    "zustand": "^4.4.7"
  },
  "devDependencies": {
+    "@types/node": "^18.16.1",
    "@types/react": "^18.0.20",
    "@types/react-dom": "^18.0.6",
-    "@vitejs/plugin-react-swc": "^3.3.2",
+    "@vitejs/plugin-react-swc": "^3.6.0",
    "autoprefixer": "^10.4.15",
    "eslint": "^8.23.1",
    "eslint-config-react-app": "^7.0.1",
+    "eslint-plugin-curly-quotes": "^1.0.4",
    "jsdom": "^23.0.1",
    "postcss": "^8.4.31",
    "prettier": "^2.5.1",
    "prettier-plugin-organize-imports": "^3.2.2",
    "tailwindcss": "^3.3.3",
-    "typescript": "^4.7.4",
-    "vite": "^4.3.9",
-    "vite-plugin-rewrite-all": "^1.0.1",
-    "vite-plugin-svgr": "^3.2.0",
+    "typescript": "^5.3.3",
+    "vite": "^5.1.4",
+    "vite-plugin-svgr": "^4.2.0",
    "vite-tsconfig-paths": "^3.5.0",
-    "vitest": "^0.32.0"
+    "vitest": "^1.3.1"
+  },
+  "resolutions": {
+    "@typescript-eslint/eslint-plugin": "^6.2.1",
+    "@typescript-eslint/parser": "^6.2.1"
  },
  "scripts": {
    "build": "vite build",
@@ -50,9 +56,11 @@
      "react-app"
    ],
    "plugins": [
+      "curly-quotes",
      "react-hooks"
    ],
    "rules": {
+      "curly-quotes/no-straight-quotes": "warn",
      "react-hooks/rules-of-hooks": "error",
      "react-hooks/exhaustive-deps": "error"
    },
--- a/client/web/src/components/address-copy-card.tsx
+++ b/client/web/src/components/address-copy-card.tsx
@@ -4,8 +4,8 @@
 import * as Primitive from "@radix-ui/react-popover"
 import cx from "classnames"
 import React, { useCallback } from "react"
-import { ReactComponent as ChevronDown } from "src/assets/icons/chevron-down.svg"
-import { ReactComponent as Copy } from "src/assets/icons/copy.svg"
+import ChevronDown from "src/assets/icons/chevron-down.svg?react"
+import Copy from "src/assets/icons/copy.svg?react"
 import NiceIP from "src/components/nice-ip"
 import useToaster from "src/hooks/toaster"
 import Button from "src/ui/button"
--- a/client/web/src/components/app.tsx
+++ b/client/web/src/components/app.tsx
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: BSD-3-Clause

 import React from "react"
-import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
+import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"
 import LoginToggle from "src/components/login-toggle"
 import DeviceDetailsView from "src/components/views/device-details-view"
 import DisconnectedView from "src/components/views/disconnected-view"
@@ -11,8 +11,8 @@ import LoginView from "src/components/views/login-view"
 import SSHView from "src/components/views/ssh-view"
 import SubnetRouterView from "src/components/views/subnet-router-view"
 import { UpdatingView } from "src/components/views/updating-view"
-import useAuth, { AuthResponse } from "src/hooks/auth"
-import { Feature, featureDescription, NodeData } from "src/types"
+import useAuth, { AuthResponse, canEdit } from "src/hooks/auth"
+import { Feature, NodeData, featureDescription } from "src/types"
 import Card from "src/ui/card"
 import EmptyState from "src/ui/empty-state"
 import LoadingDots from "src/ui/loading-dots"
@@ -56,16 +56,19 @@ function WebClient({
        <Header node={node} auth={auth} newSession={newSession} />
        <Switch>
          <Route path="/">
-            <HomeView readonly={!auth.canManageNode} node={node} />
+            <HomeView node={node} auth={auth} />
          </Route>
          <Route path="/details">
-            <DeviceDetailsView readonly={!auth.canManageNode} node={node} />
+            <DeviceDetailsView node={node} auth={auth} />
          </Route>
          <FeatureRoute path="/subnets" feature="advertise-routes" node={node}>
-            <SubnetRouterView readonly={!auth.canManageNode} node={node} />
+            <SubnetRouterView
+              readonly={!canEdit("subnets", auth)}
+              node={node}
+            />
          </FeatureRoute>
          <FeatureRoute path="/ssh" feature="ssh" node={node}>
-            <SSHView readonly={!auth.canManageNode} node={node} />
+            <SSHView readonly={!canEdit("ssh", auth)} node={node} />
          </FeatureRoute>
          {/* <Route path="/serve">Share local content</Route> */}
          <FeatureRoute path="/update" feature="auto-update" node={node}>
--- a/client/web/src/components/exit-node-selector.tsx
+++ b/client/web/src/components/exit-node-selector.tsx
@@ -4,8 +4,8 @@
 import cx from "classnames"
 import React, { useCallback, useEffect, useMemo, useRef, useState } from "react"
 import { useAPI } from "src/api"
-import { ReactComponent as Check } from "src/assets/icons/check.svg"
-import { ReactComponent as ChevronDown } from "src/assets/icons/chevron-down.svg"
+import Check from "src/assets/icons/check.svg?react"
+import ChevronDown from "src/assets/icons/chevron-down.svg?react"
 import useExitNodes, {
  noExitNode,
  runAsExitNode,
@@ -180,7 +180,7 @@ export default function ExitNodeSelector({
      )}
      {pending && (
        <p className="text-white p-3">
-          Pending approval to run as exit node. This device won't be usable as
+          Pending approval to run as exit node. This device won’t be usable as
          an exit node until then.
        </p>
      )}
--- a/client/web/src/components/login-toggle.tsx
+++ b/client/web/src/components/login-toggle.tsx
@@ -2,15 +2,17 @@
 // SPDX-License-Identifier: BSD-3-Clause

 import cx from "classnames"
-import React, { useCallback, useEffect, useState } from "react"
-import { ReactComponent as ChevronDown } from "src/assets/icons/chevron-down.svg"
-import { ReactComponent as Eye } from "src/assets/icons/eye.svg"
-import { ReactComponent as User } from "src/assets/icons/user.svg"
-import { AuthResponse, AuthType } from "src/hooks/auth"
+import React, { useCallback, useMemo, useState } from "react"
+import ChevronDown from "src/assets/icons/chevron-down.svg?react"
+import Eye from "src/assets/icons/eye.svg?react"
+import User from "src/assets/icons/user.svg?react"
+import { AuthResponse, hasAnyEditCapabilities } from "src/hooks/auth"
+import { useTSWebConnected } from "src/hooks/ts-web-connected"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
 import Popover from "src/ui/popover"
 import ProfilePic from "src/ui/profile-pic"
+import { assertNever, isHTTPS } from "src/utils/util"

 export default function LoginToggle({
  node,
@@ -22,12 +24,29 @@ export default function LoginToggle({
  newSession: () => Promise<void>
 }) {
  const [open, setOpen] = useState<boolean>(false)
+  const { tsWebConnected, checkTSWebConnection } = useTSWebConnected(
+    auth.serverMode,
+    node.IPv4
+  )

  return (
    <Popover
-      className="p-3 bg-white rounded-lg shadow flex flex-col gap-2 max-w-[317px]"
+      className="p-3 bg-white rounded-lg shadow flex flex-col max-w-[317px]"
      content={
-        <LoginPopoverContent node={node} auth={auth} newSession={newSession} />
+        auth.serverMode === "readonly" ? (
+          <ReadonlyModeContent auth={auth} />
+        ) : auth.serverMode === "login" ? (
+          <LoginModeContent
+            auth={auth}
+            node={node}
+            tsWebConnected={tsWebConnected}
+            checkTSWebConnection={checkTSWebConnection}
+          />
+        ) : auth.serverMode === "manage" ? (
+          <ManageModeContent auth={auth} node={node} newSession={newSession} />
+        ) : (
+          assertNever(auth.serverMode)
+        )
      }
      side="bottom"
      align="end"
@@ -35,216 +54,303 @@ export default function LoginToggle({
      onOpenChange={setOpen}
      asChild
    >
-      {!auth.canManageNode ? (
-        <button
-          className={cx(
-            "pl-3 py-1 bg-gray-700 rounded-full flex justify-start items-center h-[34px]",
-            { "pr-1": auth.viewerIdentity, "pr-3": !auth.viewerIdentity }
-          )}
-          onClick={() => setOpen(!open)}
-        >
-          <Eye />
-          <div className="text-white leading-snug ml-2 mr-1">Viewing</div>
-          <ChevronDown className="stroke-white w-[15px] h-[15px]" />
-          {auth.viewerIdentity && (
-            <ProfilePic
-              className="ml-2"
-              size="medium"
-              url={auth.viewerIdentity.profilePicUrl}
-            />
-          )}
-        </button>
-      ) : (
-        <div
-          className={cx(
-            "w-[34px] h-[34px] p-1 rounded-full justify-center items-center inline-flex hover:bg-gray-300",
-            {
-              "bg-transparent": !open,
-              "bg-gray-300": open,
-            }
-          )}
-        >
-          <button onClick={() => setOpen(!open)}>
-            <ProfilePic
-              size="medium"
-              url={auth.viewerIdentity?.profilePicUrl}
-            />
-          </button>
-        </div>
-      )}
+      <div>
+        {auth.authorized ? (
+          <TriggerWhenManaging auth={auth} open={open} setOpen={setOpen} />
+        ) : (
+          <TriggerWhenReading auth={auth} open={open} setOpen={setOpen} />
+        )}
+      </div>
    </Popover>
  )
 }

-function LoginPopoverContent({
+/**
+ * TriggerWhenManaging is displayed as the trigger for the login popover
+ * when the user has an active authorized managment session.
+ */
+function TriggerWhenManaging({
+  auth,
+  open,
+  setOpen,
+}: {
+  auth: AuthResponse
+  open: boolean
+  setOpen: (next: boolean) => void
+}) {
+  return (
+    <div
+      className={cx(
+        "w-[34px] h-[34px] p-1 rounded-full justify-center items-center inline-flex hover:bg-gray-300",
+        {
+          "bg-transparent": !open,
+          "bg-gray-300": open,
+        }
+      )}
+    >
+      <button onClick={() => setOpen(!open)}>
+        <ProfilePic size="medium" url={auth.viewerIdentity?.profilePicUrl} />
+      </button>
+    </div>
+  )
+}
+
+/**
+ * TriggerWhenReading is displayed as the trigger for the login popover
+ * when the user is currently in read mode (doesn't have an authorized
+ * management session).
+ */
+function TriggerWhenReading({
+  auth,
+  open,
+  setOpen,
+}: {
+  auth: AuthResponse
+  open: boolean
+  setOpen: (next: boolean) => void
+}) {
+  return (
+    <button
+      className={cx(
+        "pl-3 py-1 bg-gray-700 rounded-full flex justify-start items-center h-[34px]",
+        { "pr-1": auth.viewerIdentity, "pr-3": !auth.viewerIdentity }
+      )}
+      onClick={() => setOpen(!open)}
+    >
+      <Eye />
+      <div className="text-white leading-snug ml-2 mr-1">Viewing</div>
+      <ChevronDown className="stroke-white w-[15px] h-[15px]" />
+      {auth.viewerIdentity && (
+        <ProfilePic
+          className="ml-2"
+          size="medium"
+          url={auth.viewerIdentity.profilePicUrl}
+        />
+      )}
+    </button>
+  )
+}
+
+/**
+ * PopoverContentHeader is the header for the login popover.
+ */
+function PopoverContentHeader({ auth }: { auth: AuthResponse }) {
+  return (
+    <div className="text-black text-sm font-medium leading-tight mb-1">
+      {auth.authorized ? "Managing" : "Viewing"}
+      {auth.viewerIdentity && ` as ${auth.viewerIdentity.loginName}`}
+    </div>
+  )
+}
+
+/**
+ * PopoverContentFooter is the footer for the login popover.
+ */
+function PopoverContentFooter({ auth }: { auth: AuthResponse }) {
+  return auth.viewerIdentity ? (
+    <>
+      <hr className="my-2" />
+      <div className="flex items-center">
+        <User className="flex-shrink-0" />
+        <p className="text-gray-500 text-xs ml-2">
+          We recognize you because you are accessing this page from{" "}
+          <span className="font-medium">
+            {auth.viewerIdentity.nodeName || auth.viewerIdentity.nodeIP}
+          </span>
+        </p>
+      </div>
+    </>
+  ) : null
+}
+
+/**
+ * ReadonlyModeContent is the body of the login popover when the web
+ * client is being run in "readonly" server mode.
+ */
+function ReadonlyModeContent({ auth }: { auth: AuthResponse }) {
+  return (
+    <>
+      <PopoverContentHeader auth={auth} />
+      <p className="text-gray-500 text-xs">
+        This web interface is running in read-only mode.{" "}
+        <a
+          href="https://tailscale.com/s/web-client-read-only"
+          className="text-blue-700"
+          target="_blank"
+          rel="noreferrer"
+        >
+          Learn more &rarr;
+        </a>
+      </p>
+      <PopoverContentFooter auth={auth} />
+    </>
+  )
+}
+
+/**
+ * LoginModeContent is the body of the login popover when the web
+ * client is being run in "login" server mode.
+ */
+function LoginModeContent({
  node,
+  auth,
+  tsWebConnected,
+  checkTSWebConnection,
+}: {
+  node: NodeData
+  auth: AuthResponse
+  tsWebConnected: boolean
+  checkTSWebConnection: () => void
+}) {
+  const https = isHTTPS()
+  // We can't run the ts web connection test when the webpage is loaded
+  // over HTTPS. So in this case, we default to presenting a login button
+  // with some helper text reminding the user to check their connection
+  // themselves.
+  const hasACLAccess = https || tsWebConnected
+
+  const hasEditCaps = useMemo(() => {
+    if (!auth.viewerIdentity) {
+      // If not connected to login client over tailscale, we won't know the viewer's
+      // identity. So we must assume they may be able to edit something and have the
+      // management client handle permissions once the user gets there.
+      return true
+    }
+    return hasAnyEditCapabilities(auth)
+  }, [auth])
+
+  const handleLogin = useCallback(() => {
+    // Must be connected over Tailscale to log in.
+    // Send user to Tailscale IP and start check mode
+    const manageURL = `http://${node.IPv4}:5252/?check=now`
+    if (window.self !== window.top) {
+      // If we're inside an iframe, open management client in new window.
+      window.open(manageURL, "_blank")
+    } else {
+      window.location.href = manageURL
+    }
+  }, [node.IPv4])
+
+  return (
+    <div
+      onMouseEnter={
+        hasEditCaps && !hasACLAccess ? checkTSWebConnection : undefined
+      }
+    >
+      <PopoverContentHeader auth={auth} />
+      {!hasACLAccess || !hasEditCaps ? (
+        <>
+          <p className="text-gray-500 text-xs">
+            {!hasEditCaps ? (
+              // ACLs allow access, but user isn't allowed to edit any features,
+              // restricted to readonly. No point in sending them over to the
+              // tailscaleIP:5252 address.
+              <>
+                You don’t have permission to make changes to this device, but
+                you can view most of its details.
+              </>
+            ) : !node.ACLAllowsAnyIncomingTraffic ? (
+              // Tailnet ACLs don't allow access to anyone.
+              <>
+                The current tailnet policy file does not allow connecting to
+                this device.
+              </>
+            ) : (
+              // ACLs don't allow access to this user specifically.
+              <>
+                Cannot access this device’s Tailscale IP. Make sure you are
+                connected to your tailnet, and that your policy file allows
+                access.
+              </>
+            )}{" "}
+            <a
+              href="https://tailscale.com/s/web-client-access"
+              className="text-blue-700"
+              target="_blank"
+              rel="noreferrer"
+            >
+              Learn more &rarr;
+            </a>
+          </p>
+        </>
+      ) : (
+        // User can connect to Tailcale IP; sign in when ready.
+        <>
+          <p className="text-gray-500 text-xs">
+            You can see most of this device’s details. To make changes, you need
+            to sign in.
+          </p>
+          {https && (
+            // we don't know if the user can connect over TS, so
+            // provide extra tips in case they have trouble.
+            <p className="text-gray-500 text-xs font-semibold pt-2">
+              Make sure you are connected to your tailnet, and that your policy
+              file allows access.
+            </p>
+          )}
+          <SignInButton auth={auth} onClick={handleLogin} />
+        </>
+      )}
+      <PopoverContentFooter auth={auth} />
+    </div>
+  )
+}
+
+/**
+ * ManageModeContent is the body of the login popover when the web
+ * client is being run in "manage" server mode.
+ */
+function ManageModeContent({
  auth,
  newSession,
 }: {
  node: NodeData
  auth: AuthResponse
-  newSession: () => Promise<void>
+  newSession: () => void
 }) {
-  /**
-   * canConnectOverTS indicates whether the current viewer
-   * is able to hit the node's web client that's being served
-   * at http://${node.IP}:5252. If false, this means that the
-   * viewer must connect to the correct tailnet before being
-   * able to sign in.
-   */
-  const [canConnectOverTS, setCanConnectOverTS] = useState<boolean>(false)
-  const [isRunningCheck, setIsRunningCheck] = useState<boolean>(false)
-
-  // Whether the current page is loaded over HTTPS.
-  // If it is, then the connectivity check to the management client
-  // will fail with a mixed-content error.
-  const isHTTPS = window.location.protocol === "https:"
-
-  const checkTSConnection = useCallback(() => {
-    if (auth.viewerIdentity || isHTTPS) {
-      // Skip the connectivity check if we either already know we're connected over Tailscale,
-      // or know the connectivity check will fail because the current page is loaded over HTTPS.
-      setCanConnectOverTS(true)
-      return
-    }
-    // Otherwise, test connection to the ts IP.
-    if (isRunningCheck) {
-      return // already checking
-    }
-    setIsRunningCheck(true)
-    fetch(`http://${node.IPv4}:5252/ok`, { mode: "no-cors" })
-      .then(() => {
-        setCanConnectOverTS(true)
-        setIsRunningCheck(false)
-      })
-      .catch(() => setIsRunningCheck(false))
-  }, [auth.viewerIdentity, isRunningCheck, node.IPv4, isHTTPS])
-
-  /**
-   * Checking connection for first time on page load.
-   *
-   * While not connected, we check again whenever the mouse
-   * enters the popover component, to pick up on the user
-   * leaving to turn on Tailscale then returning to the view.
-   * See `onMouseEnter` on the div below.
-   */
-  // eslint-disable-next-line react-hooks/exhaustive-deps
-  useEffect(() => checkTSConnection(), [])
-
-  const handleSignInClick = useCallback(() => {
-    if (auth.viewerIdentity && auth.serverMode === "manage") {
-      if (window.self !== window.top) {
-        // if we're inside an iframe, start session in new window
-        let url = new URL(window.location.href)
-        url.searchParams.set("check", "now")
-        window.open(url, "_blank")
-      } else {
-        newSession()
-      }
+  const handleLogin = useCallback(() => {
+    if (window.self !== window.top) {
+      // If we're inside an iframe, start session in new window.
+      let url = new URL(window.location.href)
+      url.searchParams.set("check", "now")
+      window.open(url, "_blank")
    } else {
-      // Must be connected over Tailscale to log in.
-      // Send user to Tailscale IP and start check mode
-      const manageURL = `http://${node.IPv4}:5252/?check=now`
-      if (window.self !== window.top) {
-        // if we're inside an iframe, open management client in new window
-        window.open(manageURL, "_blank")
-      } else {
-        window.location.href = manageURL
-      }
+      newSession()
    }
-  }, [auth.viewerIdentity, auth.serverMode, newSession, node.IPv4])
+  }, [newSession])
+
+  const hasAnyPermissions = useMemo(() => hasAnyEditCapabilities(auth), [auth])

  return (
-    <div onMouseEnter={!canConnectOverTS ? checkTSConnection : undefined}>
-      <div className="text-black text-sm font-medium leading-tight mb-1">
-        {!auth.canManageNode ? "Viewing" : "Managing"}
-        {auth.viewerIdentity && ` as ${auth.viewerIdentity.loginName}`}
-      </div>
-      {!auth.canManageNode && (
-        <>
-          {!auth.viewerIdentity ? (
-            // User is not connected over Tailscale.
-            // These states are only possible on the login client.
-            <>
-              {!canConnectOverTS ? (
-                <>
-                  <p className="text-gray-500 text-xs">
-                    {!node.ACLAllowsAnyIncomingTraffic ? (
-                      // Tailnet ACLs don't allow access.
-                      <>
-                        The current tailnet policy file does not allow
-                        connecting to this device.
-                      </>
-                    ) : (
-                      // ACLs allow access, but user can't connect.
-                      <>
-                        Cannot access this device's Tailscale IP. Make sure you
-                        are connected to your tailnet, and that your policy file
-                        allows access.
-                      </>
-                    )}{" "}
-                    <a
-                      href="https://tailscale.com/s/web-client-connection"
-                      className="text-blue-700"
-                      target="_blank"
-                      rel="noreferrer"
-                    >
-                      Learn more &rarr;
-                    </a>
-                  </p>
-                </>
-              ) : (
-                // User can connect to Tailcale IP; sign in when ready.
-                <>
-                  <p className="text-gray-500 text-xs">
-                    You can see most of this device's details. To make changes,
-                    you need to sign in.
-                  </p>
-                  {isHTTPS && (
-                    // we don't know if the user can connect over TS, so
-                    // provide extra tips in case they have trouble.
-                    <p className="text-gray-500 text-xs font-semibold pt-2">
-                      Make sure you are connected to your tailnet, and that your
-                      policy file allows access.
-                    </p>
-                  )}
-                  <SignInButton auth={auth} onClick={handleSignInClick} />
-                </>
-              )}
-            </>
-          ) : auth.authNeeded === AuthType.tailscale ? (
-            // User is connected over Tailscale, but needs to complete check mode.
-            <>
-              <p className="text-gray-500 text-xs">
-                To make changes, sign in to confirm your identity. This extra
-                step helps us keep your device secure.
-              </p>
-              <SignInButton auth={auth} onClick={handleSignInClick} />
-            </>
-          ) : (
-            // User is connected over tailscale, but doesn't have permission to manage.
+    <>
+      <PopoverContentHeader auth={auth} />
+      {!auth.authorized &&
+        (hasAnyPermissions ? (
+          // User is connected over Tailscale, but needs to complete check mode.
+          <>
            <p className="text-gray-500 text-xs">
-              You don’t have permission to make changes to this device, but you
-              can view most of its details.
+              To make changes, sign in to confirm your identity. This extra step
+              helps us keep your device secure.
            </p>
-          )}
-        </>
-      )}
-      {auth.viewerIdentity && (
-        <>
-          <hr className="my-2" />
-          <div className="flex items-center">
-            <User className="flex-shrink-0" />
-            <p className="text-gray-500 text-xs ml-2">
-              We recognize you because you are accessing this page from{" "}
-              <span className="font-medium">
-                {auth.viewerIdentity.nodeName || auth.viewerIdentity.nodeIP}
-              </span>
-            </p>
-          </div>
-        </>
-      )}
-    </div>
+            <SignInButton auth={auth} onClick={handleLogin} />
+          </>
+        ) : (
+          // User is connected over tailscale, but doesn't have permission to manage.
+          <p className="text-gray-500 text-xs">
+            You don’t have permission to make changes to this device, but you
+            can view most of its details.{" "}
+            <a
+              href="https://tailscale.com/s/web-client-access"
+              className="text-blue-700"
+              target="_blank"
+              rel="noreferrer"
+            >
+              Learn more &rarr;
+            </a>
+          </p>
+        ))}
+      <PopoverContentFooter auth={auth} />
+    </>
  )
 }

--- a/client/web/src/components/update-available.tsx
+++ b/client/web/src/components/update-available.tsx
@@ -61,7 +61,7 @@ export function ChangelogText({ version }: { version?: string }) {
      <a href="https://tailscale.com/changelog/" className="link">
        release notes
      </a>{" "}
-      to find out what's new!
+      to find out what’s new!
    </>
  )
 }
--- a/client/web/src/components/views/device-details-view.tsx
+++ b/client/web/src/components/views/device-details-view.tsx
@@ -8,6 +8,7 @@ import ACLTag from "src/components/acl-tag"
 import * as Control from "src/components/control-components"
 import NiceIP from "src/components/nice-ip"
 import { UpdateAvailableNotification } from "src/components/update-available"
+import { AuthResponse, canEdit } from "src/hooks/auth"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
 import Card from "src/ui/card"
@@ -16,11 +17,11 @@ import QuickCopy from "src/ui/quick-copy"
 import { useLocation } from "wouter"

 export default function DeviceDetailsView({
-  readonly,
  node,
+  auth,
 }: {
-  readonly: boolean
  node: NodeData
+  auth: AuthResponse
 }) {
  return (
    <>
@@ -37,11 +38,11 @@ export default function DeviceDetailsView({
                })}
              />
            </div>
-            {!readonly && <DisconnectDialog />}
+            {canEdit("account", auth) && <DisconnectDialog />}
          </div>
        </Card>
        {node.Features["auto-update"] &&
-          !readonly &&
+          canEdit("account", auth) &&
          node.ClientVersion &&
          !node.ClientVersion.RunningLatest && (
            <UpdateAvailableNotification details={node.ClientVersion} />
--- a/client/web/src/components/views/disconnected-view.tsx
+++ b/client/web/src/components/views/disconnected-view.tsx
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: BSD-3-Clause

 import React from "react"
-import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
+import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"

 /**
 * DisconnectedView is rendered after node logout.
--- a/client/web/src/components/views/home-view.tsx
+++ b/client/web/src/components/views/home-view.tsx
@@ -4,21 +4,22 @@
 import cx from "classnames"
 import React, { useMemo } from "react"
 import { apiFetch } from "src/api"
-import { ReactComponent as ArrowRight } from "src/assets/icons/arrow-right.svg"
-import { ReactComponent as Machine } from "src/assets/icons/machine.svg"
+import ArrowRight from "src/assets/icons/arrow-right.svg?react"
+import Machine from "src/assets/icons/machine.svg?react"
 import AddressCard from "src/components/address-copy-card"
 import ExitNodeSelector from "src/components/exit-node-selector"
+import { AuthResponse, canEdit } from "src/hooks/auth"
 import { NodeData } from "src/types"
 import Card from "src/ui/card"
 import { pluralize } from "src/utils/util"
 import { Link, useLocation } from "wouter"

 export default function HomeView({
-  readonly,
  node,
+  auth,
 }: {
-  readonly: boolean
  node: NodeData
+  auth: AuthResponse
 }) {
  const [allSubnetRoutes, pendingSubnetRoutes] = useMemo(
    () => [
@@ -63,7 +64,11 @@ export default function HomeView({
        </div>
        {(node.Features["advertise-exit-node"] ||
          node.Features["use-exit-node"]) && (
-          <ExitNodeSelector className="mb-5" node={node} disabled={readonly} />
+          <ExitNodeSelector
+            className="mb-5"
+            node={node}
+            disabled={!canEdit("exitnodes", auth)}
+          />
        )}
        <Link
          className="link font-medium"
--- a/client/web/src/components/views/login-view.tsx
+++ b/client/web/src/components/views/login-view.tsx
@@ -3,7 +3,7 @@

 import React, { useState } from "react"
 import { useAPI } from "src/api"
-import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
+import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
 import Collapsible from "src/ui/collapsible"
@@ -41,7 +41,7 @@ export default function LoginView({ data }: { data: NodeData }) {
        <>
          <div className="mb-6">
            <p className="text-gray-700">
-              Your device's key has expired. Reauthenticate this device by
+              Your device’s key has expired. Reauthenticate this device by
              logging in again, or{" "}
              <a
                href="https://tailscale.com/kb/1028/key-expiry"
--- a/client/web/src/components/views/subnet-router-view.tsx
+++ b/client/web/src/components/views/subnet-router-view.tsx
@@ -4,9 +4,9 @@
 import cx from "classnames"
 import React, { useCallback, useMemo, useState } from "react"
 import { useAPI } from "src/api"
-import { ReactComponent as CheckCircle } from "src/assets/icons/check-circle.svg"
-import { ReactComponent as Clock } from "src/assets/icons/clock.svg"
-import { ReactComponent as Plus } from "src/assets/icons/plus.svg"
+import CheckCircle from "src/assets/icons/check-circle.svg?react"
+import Clock from "src/assets/icons/clock.svg?react"
+import Plus from "src/assets/icons/plus.svg?react"
 import * as Control from "src/components/control-components"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
--- a/client/web/src/components/views/updating-view.tsx
+++ b/client/web/src/components/views/updating-view.tsx
@@ -2,8 +2,8 @@
 // SPDX-License-Identifier: BSD-3-Clause

 import React from "react"
-import { ReactComponent as CheckCircleIcon } from "src/assets/icons/check-circle.svg"
-import { ReactComponent as XCircleIcon } from "src/assets/icons/x-circle.svg"
+import CheckCircleIcon from "src/assets/icons/check-circle.svg?react"
+import XCircleIcon from "src/assets/icons/x-circle.svg?react"
 import { ChangelogText } from "src/components/update-available"
 import { UpdateState, useInstallUpdate } from "src/hooks/self-update"
 import { VersionInfo } from "src/types"
@@ -35,7 +35,7 @@ export function UpdatingView({
            <Spinner size="sm" className="text-gray-400" />
            <h1 className="text-2xl m-3">Update in progress</h1>
            <p className="text-gray-400">
-              The update shouldn't take more than a couple of minutes. Once it's
+              The update shouldn’t take more than a couple of minutes. Once it’s
              completed, you will be asked to log in again.
            </p>
          </>
--- a/client/web/src/hooks/auth.ts
+++ b/client/web/src/hooks/auth.ts
@@ -4,25 +4,50 @@
 import { useCallback, useEffect, useState } from "react"
 import { apiFetch, setSynoToken } from "src/api"

-export enum AuthType {
-  synology = "synology",
-  tailscale = "tailscale",
-}
-
 export type AuthResponse = {
-  authNeeded?: AuthType
-  canManageNode: boolean
-  serverMode: "login" | "manage"
+  serverMode: AuthServerMode
+  authorized: boolean
  viewerIdentity?: {
    loginName: string
    nodeName: string
    nodeIP: string
    profilePicUrl?: string
+    capabilities: { [key in PeerCapability]: boolean }
  }
+  needsSynoAuth?: boolean
 }

-// useAuth reports and refreshes Tailscale auth status
-// for the web client.
+export type AuthServerMode = "login" | "readonly" | "manage"
+
+export type PeerCapability = "*" | "ssh" | "subnets" | "exitnodes" | "account"
+
+/**
+ * canEdit reports whether the given auth response specifies that the viewer
+ * has the ability to edit the given capability.
+ */
+export function canEdit(cap: PeerCapability, auth: AuthResponse): boolean {
+  if (!auth.authorized || !auth.viewerIdentity) {
+    return false
+  }
+  if (auth.viewerIdentity.capabilities["*"] === true) {
+    return true // can edit all features
+  }
+  return auth.viewerIdentity.capabilities[cap] === true
+}
+
+/**
+ * hasAnyEditCapabilities reports whether the given auth response specifies
+ * that the viewer has at least one edit capability. If this is true, the
+ * user is able to go through the auth flow to authenticate a management
+ * session.
+ */
+export function hasAnyEditCapabilities(auth: AuthResponse): boolean {
+  return Object.values(auth.viewerIdentity?.capabilities || {}).includes(true)
+}
+
+/**
+ * useAuth reports and refreshes Tailscale auth status for the web client.
+ */
 export default function useAuth() {
  const [data, setData] = useState<AuthResponse>()
  const [loading, setLoading] = useState<boolean>(true)
@@ -33,18 +58,16 @@ export default function useAuth() {
    return apiFetch<AuthResponse>("/auth", "GET")
      .then((d) => {
        setData(d)
-        switch (d.authNeeded) {
-          case AuthType.synology:
-            fetch("/webman/login.cgi")
-              .then((r) => r.json())
-              .then((a) => {
-                setSynoToken(a.SynoToken)
-                setRanSynoAuth(true)
-                setLoading(false)
-              })
-            break
-          default:
-            setLoading(false)
+        if (d.needsSynoAuth) {
+          fetch("/webman/login.cgi")
+            .then((r) => r.json())
+            .then((a) => {
+              setSynoToken(a.SynoToken)
+              setRanSynoAuth(true)
+              setLoading(false)
+            })
+        } else {
+          setLoading(false)
        }
        return d
      })
@@ -72,8 +95,13 @@ export default function useAuth() {

  useEffect(() => {
    loadAuth().then((d) => {
+      if (!d) {
+        return
+      }
      if (
-        !d?.canManageNode &&
+        !d.authorized &&
+        hasAnyEditCapabilities(d) &&
+        // Start auth flow immediately if browser has requested it.
        new URLSearchParams(window.location.search).get("check") === "now"
      ) {
        newSession()
--- a/client/web/src/hooks/ts-web-connected.ts
+++ b/client/web/src/hooks/ts-web-connected.ts
@@ -0,0 +1,46 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+import { useCallback, useEffect, useState } from "react"
+import { isHTTPS } from "src/utils/util"
+import { AuthServerMode } from "./auth"
+
+/**
+ * useTSWebConnected hook is used to check whether the browser is able to
+ * connect to the web client served at http://${nodeIPv4}:5252
+ */
+export function useTSWebConnected(mode: AuthServerMode, nodeIPv4: string) {
+  const [tsWebConnected, setTSWebConnected] = useState<boolean>(
+    mode === "manage" // browser already on the web client
+  )
+  const [isLoading, setIsLoading] = useState<boolean>(false)
+
+  const checkTSWebConnection = useCallback(() => {
+    if (mode === "manage") {
+      // Already connected to the web client.
+      setTSWebConnected(true)
+      return
+    }
+    if (isHTTPS()) {
+      // When page is loaded over HTTPS, the connectivity check will always
+      // fail with a mixed-content error. In this case don't bother doing
+      // the check.
+      return
+    }
+    if (isLoading) {
+      return // already checking
+    }
+    setIsLoading(true)
+    fetch(`http://${nodeIPv4}:5252/ok`, { mode: "no-cors" })
+      .then(() => {
+        setTSWebConnected(true)
+        setIsLoading(false)
+      })
+      .catch(() => setIsLoading(false))
+  }, [isLoading, mode, nodeIPv4])
+
+  // eslint-disable-next-line react-hooks/exhaustive-deps
+  useEffect(() => checkTSWebConnection(), []) // checking connection for first time on page load
+
+  return { tsWebConnected, checkTSWebConnection, isLoading }
+}
--- a/client/web/src/ui/collapsible.tsx
+++ b/client/web/src/ui/collapsible.tsx
@@ -3,7 +3,7 @@

 import * as Primitive from "@radix-ui/react-collapsible"
 import React, { useState } from "react"
-import { ReactComponent as ChevronDown } from "src/assets/icons/chevron-down.svg"
+import ChevronDown from "src/assets/icons/chevron-down.svg?react"

 type CollapsibleProps = {
  trigger?: string
--- a/client/web/src/ui/dialog.tsx
+++ b/client/web/src/ui/dialog.tsx
@@ -4,7 +4,7 @@
 import * as DialogPrimitive from "@radix-ui/react-dialog"
 import cx from "classnames"
 import React, { Component, ComponentProps, FormEvent } from "react"
-import { ReactComponent as X } from "src/assets/icons/x.svg"
+import X from "src/assets/icons/x.svg?react"
 import Button from "src/ui/button"
 import PortalContainerContext from "src/ui/portal-container-context"
 import { isObject } from "src/utils/util"
--- a/client/web/src/ui/search-input.tsx
+++ b/client/web/src/ui/search-input.tsx
@@ -3,7 +3,7 @@

 import cx from "classnames"
 import React, { forwardRef, InputHTMLAttributes } from "react"
-import { ReactComponent as Search } from "src/assets/icons/search.svg"
+import Search from "src/assets/icons/search.svg?react"

 type Props = {
  className?: string
--- a/client/web/src/ui/toaster.tsx
+++ b/client/web/src/ui/toaster.tsx
@@ -10,7 +10,7 @@ import React, {
  useState,
 } from "react"
 import { createPortal } from "react-dom"
-import { ReactComponent as X } from "src/assets/icons/x.svg"
+import X from "src/assets/icons/x.svg?react"
 import { noop } from "src/utils/util"
 import { create } from "zustand"
 import { shallow } from "zustand/shallow"
--- a/client/web/src/utils/util.ts
+++ b/client/web/src/utils/util.ts
@@ -49,3 +49,10 @@ export function isPromise<T = unknown>(val: unknown): val is Promise<T> {
  }
  return typeof val === "object" && "then" in val
 }
+
+/**
+ * isHTTPS reports whether the current page is loaded over HTTPS.
+ */
+export function isHTTPS() {
+  return window.location.protocol === "https:"
+}
--- a/client/web/tailwind.config.js
+++ b/client/web/tailwind.config.js
@@ -1,7 +1,7 @@
-const plugin = require("tailwindcss/plugin")
-const styles = require("./styles.json")
+import plugin from "tailwindcss/plugin"
+import styles from "./styles.json"

-module.exports = {
+const config = {
  theme: {
    screens: {
      sm: "420px",
@@ -96,20 +96,22 @@ module.exports = {
  plugins: [
    plugin(function ({ addVariant }) {
      addVariant("state-open", [
-        '&[data-state="open"]',
-        '[data-state="open"] &',
+        "&[data-state=“open”]",
+        "[data-state=“open”] &",
      ])
      addVariant("state-closed", [
-        '&[data-state="closed"]',
-        '[data-state="closed"] &',
+        "&[data-state=“closed”]",
+        "[data-state=“closed”] &",
      ])
      addVariant("state-delayed-open", [
-        '&[data-state="delayed-open"]',
-        '[data-state="delayed-open"] &',
+        "&[data-state=“delayed-open”]",
+        "[data-state=“delayed-open”] &",
      ])
-      addVariant("state-active", ['&[data-state="active"]'])
-      addVariant("state-inactive", ['&[data-state="inactive"]'])
+      addVariant("state-active", ["&[data-state=“active”]"])
+      addVariant("state-inactive", ["&[data-state=“inactive”]"])
    }),
  ],
  content: ["./src/**/*.html", "./src/**/*.{ts,tsx}", "./index.html"],
 }
+
+export default config
--- a/client/web/tsconfig.json
+++ b/client/web/tsconfig.json
@@ -5,6 +5,7 @@
    "module": "ES2020",
    "strict": true,
    "sourceMap": true,
+    "skipLibCheck": true,
    "isolatedModules": true,
    "moduleResolution": "node",
    "forceConsistentCasingInFileNames": true,
--- a/client/web/vite.config.ts
+++ b/client/web/vite.config.ts
@@ -1,6 +1,5 @@
 /// <reference types="vitest" />
 import { createLogger, defineConfig } from "vite"
-import rewrite from "vite-plugin-rewrite-all"
 import svgr from "vite-plugin-svgr"
 import paths from "vite-tsconfig-paths"

@@ -24,11 +23,6 @@ export default defineConfig({
  plugins: [
    paths(),
    svgr(),
-    // By default, the Vite dev server doesn't handle dots
-    // in path names and treats them as static files.
-    // This plugin changes Vite's routing logic to fix this.
-    // See: https://github.com/vitejs/vite/issues/2415
-    rewrite(),
  ],
  build: {
    outDir: "build",
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -95,6 +95,14 @@ const (
 	// In this mode, API calls are authenticated via platform auth.
 	LoginServerMode ServerMode = "login"

+	// ReadOnlyServerMode is identical to LoginServerMode,
+	// but does not present a login button to switch to manage mode,
+	// even if the management client is running and reachable.
+	//
+	// This is designed for platforms where the device is configured by other means,
+	// such as Home Assistant's declarative YAML configuration.
+	ReadOnlyServerMode ServerMode = "readonly"
+
 	// ManageServerMode serves a management client for editing tailscale
 	// settings of a node.
 	//
@@ -154,7 +162,7 @@ type ServerOpts struct {
 // and not the lifespan of the web server.
 func NewServer(opts ServerOpts) (s *Server, err error) {
 	switch opts.Mode {
-	case LoginServerMode, ManageServerMode:
+	case LoginServerMode, ReadOnlyServerMode, ManageServerMode:
 		// valid types
 	case "":
 		return nil, fmt.Errorf("must specify a Mode")
@@ -207,10 +215,14 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	// The client is secured by limiting the interface it listens on,
 	// or by authenticating requests before they reach the web client.
 	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-	if s.mode == LoginServerMode {
+	switch s.mode {
+	case LoginServerMode:
 		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
 		metric = "web_login_client_initialization"
-	} else {
+	case ReadOnlyServerMode:
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
+		metric = "web_readonly_client_initialization"
+	case ManageServerMode:
 		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
 		metric = "web_client_initialization"
 	}
@@ -433,18 +445,188 @@ func (s *Server) serveLoginAPI(w http.ResponseWriter, r *http.Request) {
 	}
 }

-type authType string
+type apiHandler[data any] struct {
+	s *Server
+	w http.ResponseWriter
+	r *http.Request

-var (
-	synoAuth      authType = "synology"  // user needs a SynoToken for subsequent API calls
-	tailscaleAuth authType = "tailscale" // user needs to complete Tailscale check mode
-)
+	// permissionCheck allows for defining whether a requesting peer's
+	// capabilities grant them access to make the given data update.
+	// If permissionCheck reports false, the request fails as unauthorized.
+	permissionCheck func(data data, peer peerCapabilities) bool
+}
+
+// newHandler constructs a new api handler which restricts the given request
+// to the specified permission check. If the permission check fails for
+// the peer associated with the request, an unauthorized error is returned
+// to the client.
+func newHandler[data any](s *Server, w http.ResponseWriter, r *http.Request, permissionCheck func(data data, peer peerCapabilities) bool) *apiHandler[data] {
+	return &apiHandler[data]{
+		s:               s,
+		w:               w,
+		r:               r,
+		permissionCheck: permissionCheck,
+	}
+}
+
+// alwaysAllowed can be passed as the permissionCheck argument to newHandler
+// for requests that are always allowed to complete regardless of a peer's
+// capabilities.
+func alwaysAllowed[data any](_ data, _ peerCapabilities) bool { return true }
+
+func (a *apiHandler[data]) getPeer() (peerCapabilities, error) {
+	// TODO(tailscale/corp#16695,sonia): We also call StatusWithoutPeers and
+	// WhoIs when originally checking for a session from authorizeRequest.
+	// Would be nice if we could pipe those through to here so we don't end
+	// up having to re-call them to grab the peer capabilities.
+	status, err := a.s.lc.StatusWithoutPeers(a.r.Context())
+	if err != nil {
+		return nil, err
+	}
+	whois, err := a.s.lc.WhoIs(a.r.Context(), a.r.RemoteAddr)
+	if err != nil {
+		return nil, err
+	}
+	peer, err := toPeerCapabilities(status, whois)
+	if err != nil {
+		return nil, err
+	}
+	return peer, nil
+}
+
+type noBodyData any // empty type, for use from serveAPI for endpoints with empty body
+
+// handle runs the given handler if the source peer satisfies the
+// constraints for running this request.
+//
+// handle is expected for use when `data` type is empty, or set to
+// `noBodyData` in practice. For requests that expect JSON body data
+// to be attached, use handleJSON instead.
+func (a *apiHandler[data]) handle(h http.HandlerFunc) {
+	peer, err := a.getPeer()
+	if err != nil {
+		http.Error(a.w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	var body data // not used
+	if !a.permissionCheck(body, peer) {
+		http.Error(a.w, "not allowed", http.StatusUnauthorized)
+		return
+	}
+	h(a.w, a.r)
+}
+
+// handleJSON manages decoding the request's body JSON and passing
+// it on to the provided function if the source peer satisfies the
+// constraints for running this request.
+func (a *apiHandler[data]) handleJSON(h func(ctx context.Context, data data) error) {
+	defer a.r.Body.Close()
+	var body data
+	if err := json.NewDecoder(a.r.Body).Decode(&body); err != nil {
+		http.Error(a.w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	peer, err := a.getPeer()
+	if err != nil {
+		http.Error(a.w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if !a.permissionCheck(body, peer) {
+		http.Error(a.w, "not allowed", http.StatusUnauthorized)
+		return
+	}
+
+	if err := h(a.r.Context(), body); err != nil {
+		http.Error(a.w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	a.w.WriteHeader(http.StatusOK)
+}
+
+// serveAPI serves requests for the web client api.
+// It should only be called by Server.ServeHTTP, via Server.apiHandler,
+// which protects the handler using gorilla csrf.
+func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
+	if r.Method == httpm.PATCH {
+		// Enforce that PATCH requests are always application/json.
+		if ct := r.Header.Get("Content-Type"); ct != "application/json" {
+			http.Error(w, "invalid request", http.StatusBadRequest)
+			return
+		}
+	}
+
+	w.Header().Set("X-CSRF-Token", csrf.Token(r))
+	path := strings.TrimPrefix(r.URL.Path, "/api")
+	switch {
+	case path == "/data" && r.Method == httpm.GET:
+		newHandler[noBodyData](s, w, r, alwaysAllowed).
+			handle(s.serveGetNodeData)
+		return
+	case path == "/exit-nodes" && r.Method == httpm.GET:
+		newHandler[noBodyData](s, w, r, alwaysAllowed).
+			handle(s.serveGetExitNodes)
+		return
+	case path == "/routes" && r.Method == httpm.POST:
+		peerAllowed := func(d postRoutesRequest, p peerCapabilities) bool {
+			if d.SetExitNode && !p.canEdit(capFeatureExitNodes) {
+				return false
+			} else if d.SetRoutes && !p.canEdit(capFeatureSubnets) {
+				return false
+			}
+			return true
+		}
+		newHandler[postRoutesRequest](s, w, r, peerAllowed).
+			handleJSON(s.servePostRoutes)
+		return
+	case path == "/device-details-click" && r.Method == httpm.POST:
+		newHandler[noBodyData](s, w, r, alwaysAllowed).
+			handle(s.serveDeviceDetailsClick)
+		return
+	case path == "/local/v0/logout" && r.Method == httpm.POST:
+		peerAllowed := func(_ noBodyData, peer peerCapabilities) bool {
+			return peer.canEdit(capFeatureAccount)
+		}
+		newHandler[noBodyData](s, w, r, peerAllowed).
+			handle(s.proxyRequestToLocalAPI)
+		return
+	case path == "/local/v0/prefs" && r.Method == httpm.PATCH:
+		peerAllowed := func(data maskedPrefs, peer peerCapabilities) bool {
+			if data.RunSSHSet && !peer.canEdit(capFeatureSSH) {
+				return false
+			}
+			return true
+		}
+		newHandler[maskedPrefs](s, w, r, peerAllowed).
+			handleJSON(s.serveUpdatePrefs)
+		return
+	case path == "/local/v0/update/check" && r.Method == httpm.GET:
+		newHandler[noBodyData](s, w, r, alwaysAllowed).
+			handle(s.proxyRequestToLocalAPI)
+		return
+	case path == "/local/v0/update/check" && r.Method == httpm.POST:
+		peerAllowed := func(_ noBodyData, peer peerCapabilities) bool {
+			return peer.canEdit(capFeatureAccount)
+		}
+		newHandler[noBodyData](s, w, r, peerAllowed).
+			handle(s.proxyRequestToLocalAPI)
+		return
+	case path == "/local/v0/update/progress" && r.Method == httpm.POST:
+		newHandler[noBodyData](s, w, r, alwaysAllowed).
+			handle(s.proxyRequestToLocalAPI)
+		return
+	case path == "/local/v0/upload-client-metrics" && r.Method == httpm.POST:
+		newHandler[noBodyData](s, w, r, alwaysAllowed).
+			handle(s.proxyRequestToLocalAPI)
+		return
+	}
+	http.Error(w, "invalid endpoint", http.StatusNotFound)
+}

 type authResponse struct {
-	AuthNeeded     authType        `json:"authNeeded,omitempty"` // filled when user needs to complete a specific type of auth
-	CanManageNode  bool            `json:"canManageNode"`
-	ViewerIdentity *viewerIdentity `json:"viewerIdentity,omitempty"`
 	ServerMode     ServerMode      `json:"serverMode"`
+	Authorized     bool            `json:"authorized"` // has an authorized management session
+	ViewerIdentity *viewerIdentity `json:"viewerIdentity,omitempty"`
+	NeedsSynoAuth  bool            `json:"needsSynoAuth,omitempty"`
 }

 // viewerIdentity is the Tailscale identity of the source node
@@ -463,9 +645,11 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 	var resp authResponse
 	resp.ServerMode = s.mode
 	session, whois, status, sErr := s.getSession(r)
+	var caps peerCapabilities

 	if whois != nil {
-		caps, err := toPeerCapabilities(whois)
+		var err error
+		caps, err = toPeerCapabilities(status, whois)
 		if err != nil {
 			http.Error(w, sErr.Error(), http.StatusInternalServerError)
 			return
@@ -483,7 +667,7 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {

 	// First verify platform auth.
 	// If platform auth is needed, this should happen first.
-	if s.mode == LoginServerMode {
+	if s.mode == LoginServerMode || s.mode == ReadOnlyServerMode {
 		switch distro.Get() {
 		case distro.Synology:
 			authorized, err := authorizeSynology(r)
@@ -492,7 +676,7 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 			if !authorized {
-				resp.AuthNeeded = synoAuth
+				resp.NeedsSynoAuth = true
 				writeJSON(w, resp)
 				return
 			}
@@ -508,21 +692,17 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {

 	switch {
 	case sErr != nil && errors.Is(sErr, errNotUsingTailscale):
-		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local", 1)
-		resp.AuthNeeded = ""
+		resp.Authorized = false // restricted to the readonly view
 	case sErr != nil && errors.Is(sErr, errNotOwner):
-		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_not_owner", 1)
-		resp.AuthNeeded = ""
+		resp.Authorized = false // restricted to the readonly view
 	case sErr != nil && errors.Is(sErr, errTaggedLocalSource):
-		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local_tag", 1)
-		resp.AuthNeeded = ""
+		resp.Authorized = false // restricted to the readonly view
 	case sErr != nil && errors.Is(sErr, errTaggedRemoteSource):
-		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_remote_tag", 1)
-		resp.AuthNeeded = ""
+		resp.Authorized = false // restricted to the readonly view
 	case sErr != nil && !errors.Is(sErr, errNoSession):
 		// Any other error.
 		http.Error(w, sErr.Error(), http.StatusInternalServerError)
@@ -533,16 +713,26 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 		} else {
 			s.lc.IncrementCounter(r.Context(), "web_client_managing_remote", 1)
 		}
-		resp.CanManageNode = true
-		resp.AuthNeeded = ""
+		// User has a valid session. They're now authorized to edit if they
+		// have any edit capabilities. In practice, they won't be sent through
+		// the auth flow if they don't have edit caps, but their ACL granted
+		// permissions may change at any time. The frontend views and backend
+		// endpoints are always restricted to their current capabilities in
+		// addition to a valid session.
+		//
+		// But, we also check the caps here for a better user experience on
+		// the frontend login toggle, which uses resp.Authorized to display
+		// "viewing" vs "managing" copy. If they don't have caps, we want to
+		// display "viewing" even if they have a valid session.
+		resp.Authorized = !caps.isEmpty()
 	default:
-		// whois being nil implies local as the request did not come over Tailscale
 		if whois == nil || (whois.Node.StableID == status.Self.ID) {
+			// whois being nil implies local as the request did not come over Tailscale.
 			s.lc.IncrementCounter(r.Context(), "web_client_viewing_local", 1)
 		} else {
 			s.lc.IncrementCounter(r.Context(), "web_client_viewing_remote", 1)
 		}
-		resp.AuthNeeded = tailscaleAuth
+		resp.Authorized = false // not yet authorized
 	}

 	writeJSON(w, resp)
@@ -606,32 +796,6 @@ func (s *Server) serveAPIAuthSessionWait(w http.ResponseWriter, r *http.Request)
 	}
 }

-// serveAPI serves requests for the web client api.
-// It should only be called by Server.ServeHTTP, via Server.apiHandler,
-// which protects the handler using gorilla csrf.
-func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("X-CSRF-Token", csrf.Token(r))
-	path := strings.TrimPrefix(r.URL.Path, "/api")
-	switch {
-	case path == "/data" && r.Method == httpm.GET:
-		s.serveGetNodeData(w, r)
-		return
-	case path == "/exit-nodes" && r.Method == httpm.GET:
-		s.serveGetExitNodes(w, r)
-		return
-	case path == "/routes" && r.Method == httpm.POST:
-		s.servePostRoutes(w, r)
-		return
-	case path == "/device-details-click" && r.Method == httpm.POST:
-		s.serveDeviceDetailsClick(w, r)
-		return
-	case strings.HasPrefix(path, "/local/"):
-		s.proxyRequestToLocalAPI(w, r)
-		return
-	}
-	http.Error(w, "invalid endpoint", http.StatusNotFound)
-}
-
 type nodeData struct {
 	ID          tailcfg.StableNodeID
 	Status      string
@@ -868,6 +1032,23 @@ func (s *Server) serveGetExitNodes(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, exitNodes)
 }

+// maskedPrefs is the subset of ipn.MaskedPrefs that are
+// allowed to be editable via the web UI.
+type maskedPrefs struct {
+	RunSSHSet bool
+	RunSSH    bool
+}
+
+func (s *Server) serveUpdatePrefs(ctx context.Context, prefs maskedPrefs) error {
+	_, err := s.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
+		RunSSHSet: prefs.RunSSHSet,
+		Prefs: ipn.Prefs{
+			RunSSH: prefs.RunSSH,
+		},
+	})
+	return err
+}
+
 type postRoutesRequest struct {
 	SetExitNode       bool // when set, UseExitNode and AdvertiseExitNode values are applied
 	SetRoutes         bool // when set, AdvertiseRoutes value is applied
@@ -876,18 +1057,10 @@ type postRoutesRequest struct {
 	AdvertiseRoutes   []string
 }

-func (s *Server) servePostRoutes(w http.ResponseWriter, r *http.Request) {
-	defer r.Body.Close()
-
-	var data postRoutesRequest
-	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	prefs, err := s.lc.GetPrefs(r.Context())
+func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) error {
+	prefs, err := s.lc.GetPrefs(ctx)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
+		return err
 	}
 	var currNonExitRoutes []string
 	var currAdvertisingExitNode bool
@@ -910,8 +1083,7 @@ func (s *Server) servePostRoutes(w http.ResponseWriter, r *http.Request) {
 	routesStr := strings.Join(data.AdvertiseRoutes, ",")
 	routes, err := netutil.CalcAdvertiseRoutes(routesStr, data.AdvertiseExitNode)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
+		return err
 	}

 	hasExitNodeRoute := func(all []netip.Prefix) bool {
@@ -920,8 +1092,7 @@ func (s *Server) servePostRoutes(w http.ResponseWriter, r *http.Request) {
 	}

 	if !data.UseExitNode.IsZero() && hasExitNodeRoute(routes) {
-		http.Error(w, "cannot use and advertise exit node at same time", http.StatusBadRequest)
-		return
+		return errors.New("cannot use and advertise exit node at same time")
 	}

 	// Make prefs update.
@@ -933,12 +1104,8 @@ func (s *Server) servePostRoutes(w http.ResponseWriter, r *http.Request) {
 			AdvertiseRoutes: routes,
 		},
 	}
-	if _, err := s.lc.EditPrefs(r.Context(), p); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	w.WriteHeader(http.StatusOK)
+	_, err = s.lc.EditPrefs(ctx, p)
+	return err
 }

 // tailscaleUp starts the daemon with the provided options.
@@ -1077,26 +1244,12 @@ func (s *Server) serveDeviceDetailsClick(w http.ResponseWriter, r *http.Request)
 //
 // The web API request path is expected to exactly match a localapi path,
 // with prefix /api/local/ rather than /localapi/.
-//
-// If the localapi path is not included in localapiAllowlist,
-// the request is rejected.
 func (s *Server) proxyRequestToLocalAPI(w http.ResponseWriter, r *http.Request) {
 	path := strings.TrimPrefix(r.URL.Path, "/api/local")
 	if r.URL.Path == path { // missing prefix
 		http.Error(w, "invalid request", http.StatusBadRequest)
 		return
 	}
-	if r.Method == httpm.PATCH {
-		// enforce that PATCH requests are always application/json
-		if ct := r.Header.Get("Content-Type"); ct != "application/json" {
-			http.Error(w, "invalid request", http.StatusBadRequest)
-			return
-		}
-	}
-	if !slices.Contains(localapiAllowlist, path) {
-		http.Error(w, fmt.Sprintf("%s not allowed from localapi proxy", path), http.StatusForbidden)
-		return
-	}

 	localAPIURL := "http://" + apitype.LocalAPIHost + "/localapi" + path
 	req, err := http.NewRequestWithContext(r.Context(), r.Method, localAPIURL, r.Body)
@@ -1121,21 +1274,6 @@ func (s *Server) proxyRequestToLocalAPI(w http.ResponseWriter, r *http.Request)
 	}
 }

-// localapiAllowlist is an allowlist of localapi endpoints the
-// web client is allowed to proxy to the client's localapi.
-//
-// Rather than exposing all localapi endpoints over the proxy,
-// this limits to just the ones actually used from the web
-// client frontend.
-var localapiAllowlist = []string{
-	"/v0/logout",
-	"/v0/prefs",
-	"/v0/update/check",
-	"/v0/update/install",
-	"/v0/update/progress",
-	"/v0/upload-client-metrics",
-}
-
 // csrfKey returns a key that can be used for CSRF protection.
 // If an error occurs during key creation, the error is logged and the active process terminated.
 // If the server is running in CGI mode, the key is cached to disk and reused between requests.
--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -4,6 +4,7 @@
 package web

 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -86,75 +87,172 @@ func TestQnapAuthnURL(t *testing.T) {

 // TestServeAPI tests the web client api's handling of
 //  1. invalid endpoint errors
-//  2. localapi proxy allowlist
+//  2. permissioning of api endpoints based on node capabilities
 func TestServeAPI(t *testing.T) {
+	selfTags := views.SliceOf([]string{"tag:server"})
+	self := &ipnstate.PeerStatus{ID: "self", Tags: &selfTags}
+	prefs := &ipn.Prefs{}
+
+	remoteUser := &tailcfg.UserProfile{ID: tailcfg.UserID(1)}
+	remoteIPWithAllCapabilities := "100.100.100.101"
+	remoteIPWithNoCapabilities := "100.100.100.102"
+
 	lal := memnet.Listen("local-tailscaled.sock:80")
 	defer lal.Close()
-	// Serve dummy localapi. Just returns "success".
-	localapi := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "success")
-	})}
+	localapi := mockLocalAPI(t,
+		map[string]*apitype.WhoIsResponse{
+			remoteIPWithAllCapabilities: {
+				Node:        &tailcfg.Node{StableID: "node1"},
+				UserProfile: remoteUser,
+				CapMap:      tailcfg.PeerCapMap{tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{"{\"canEdit\":[\"*\"]}"}},
+			},
+			remoteIPWithNoCapabilities: {
+				Node:        &tailcfg.Node{StableID: "node2"},
+				UserProfile: remoteUser,
+			},
+		},
+		func() *ipnstate.PeerStatus { return self },
+		func() *ipn.Prefs { return prefs },
+		nil,
+	)
 	defer localapi.Close()
-
 	go localapi.Serve(lal)
-	s := &Server{lc: &tailscale.LocalClient{Dial: lal.Dial}}
+
+	s := &Server{
+		mode:    ManageServerMode,
+		lc:      &tailscale.LocalClient{Dial: lal.Dial},
+		timeNow: time.Now,
+	}
+
+	type requestTest struct {
+		remoteIP     string
+		wantResponse string
+		wantStatus   int
+	}

 	tests := []struct {
-		name           string
-		reqMethod      string
 		reqPath        string
+		reqMethod      string
 		reqContentType string
-		wantResp       string
-		wantStatus     int
+		reqBody        string
+		tests          []requestTest
 	}{{
-		name:       "invalid_endpoint",
-		reqMethod:  httpm.POST,
-		reqPath:    "/not-an-endpoint",
-		wantResp:   "invalid endpoint",
-		wantStatus: http.StatusNotFound,
+		reqPath:   "/not-an-endpoint",
+		reqMethod: httpm.POST,
+		tests: []requestTest{{
+			remoteIP:     remoteIPWithNoCapabilities,
+			wantResponse: "invalid endpoint",
+			wantStatus:   http.StatusNotFound,
+		}, {
+			remoteIP:     remoteIPWithAllCapabilities,
+			wantResponse: "invalid endpoint",
+			wantStatus:   http.StatusNotFound,
+		}},
 	}, {
-		name:       "not_in_localapi_allowlist",
-		reqMethod:  httpm.POST,
-		reqPath:    "/local/v0/not-allowlisted",
-		wantResp:   "/v0/not-allowlisted not allowed from localapi proxy",
-		wantStatus: http.StatusForbidden,
+		reqPath:   "/local/v0/not-an-endpoint",
+		reqMethod: httpm.POST,
+		tests: []requestTest{{
+			remoteIP:     remoteIPWithNoCapabilities,
+			wantResponse: "invalid endpoint",
+			wantStatus:   http.StatusNotFound,
+		}, {
+			remoteIP:     remoteIPWithAllCapabilities,
+			wantResponse: "invalid endpoint",
+			wantStatus:   http.StatusNotFound,
+		}},
 	}, {
-		name:       "in_localapi_allowlist",
-		reqMethod:  httpm.POST,
-		reqPath:    "/local/v0/logout",
-		wantResp:   "success", // Successfully allowed to hit localapi.
-		wantStatus: http.StatusOK,
+		reqPath:   "/local/v0/logout",
+		reqMethod: httpm.POST,
+		tests: []requestTest{{
+			remoteIP:     remoteIPWithNoCapabilities,
+			wantResponse: "not allowed", // requesting node has insufficient permissions
+			wantStatus:   http.StatusUnauthorized,
+		}, {
+			remoteIP:     remoteIPWithAllCapabilities,
+			wantResponse: "success", // requesting node has sufficient permissions
+			wantStatus:   http.StatusOK,
+		}},
+	}, {
+		reqPath:   "/exit-nodes",
+		reqMethod: httpm.GET,
+		tests: []requestTest{{
+			remoteIP:     remoteIPWithNoCapabilities,
+			wantResponse: "null",
+			wantStatus:   http.StatusOK, // allowed, no additional capabilities required
+		}, {
+			remoteIP:     remoteIPWithAllCapabilities,
+			wantResponse: "null",
+			wantStatus:   http.StatusOK,
+		}},
+	}, {
+		reqPath:   "/routes",
+		reqMethod: httpm.POST,
+		reqBody:   "{\"setExitNode\":true}",
+		tests: []requestTest{{
+			remoteIP:     remoteIPWithNoCapabilities,
+			wantResponse: "not allowed",
+			wantStatus:   http.StatusUnauthorized,
+		}, {
+			remoteIP:   remoteIPWithAllCapabilities,
+			wantStatus: http.StatusOK,
+		}},
 	}, {
-		name:           "patch_bad_contenttype",
-		reqMethod:      httpm.PATCH,
 		reqPath:        "/local/v0/prefs",
+		reqMethod:      httpm.PATCH,
+		reqBody:        "{\"runSSHSet\":true}",
+		reqContentType: "application/json",
+		tests: []requestTest{{
+			remoteIP:     remoteIPWithNoCapabilities,
+			wantResponse: "not allowed",
+			wantStatus:   http.StatusUnauthorized,
+		}, {
+			remoteIP:   remoteIPWithAllCapabilities,
+			wantStatus: http.StatusOK,
+		}},
+	}, {
+		reqPath:        "/local/v0/prefs",
+		reqMethod:      httpm.PATCH,
 		reqContentType: "multipart/form-data",
-		wantResp:       "invalid request",
-		wantStatus:     http.StatusBadRequest,
+		tests: []requestTest{{
+			remoteIP:     remoteIPWithNoCapabilities,
+			wantResponse: "invalid request",
+			wantStatus:   http.StatusBadRequest,
+		}, {
+			remoteIP:     remoteIPWithAllCapabilities,
+			wantResponse: "invalid request",
+			wantStatus:   http.StatusBadRequest,
+		}},
 	}}
 	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r := httptest.NewRequest(tt.reqMethod, "/api"+tt.reqPath, nil)
-			if tt.reqContentType != "" {
-				r.Header.Add("Content-Type", tt.reqContentType)
-			}
-			w := httptest.NewRecorder()
+		for _, req := range tt.tests {
+			t.Run(req.remoteIP+"_requesting_"+tt.reqPath, func(t *testing.T) {
+				var reqBody io.Reader
+				if tt.reqBody != "" {
+					reqBody = bytes.NewBuffer([]byte(tt.reqBody))
+				}
+				r := httptest.NewRequest(tt.reqMethod, "/api"+tt.reqPath, reqBody)
+				r.RemoteAddr = req.remoteIP
+				if tt.reqContentType != "" {
+					r.Header.Add("Content-Type", tt.reqContentType)
+				}
+				w := httptest.NewRecorder()

-			s.serveAPI(w, r)
-			res := w.Result()
-			defer res.Body.Close()
-			if gotStatus := res.StatusCode; tt.wantStatus != gotStatus {
-				t.Errorf("wrong status; want=%v, got=%v", tt.wantStatus, gotStatus)
-			}
-			body, err := io.ReadAll(res.Body)
-			if err != nil {
-				t.Fatal(err)
-			}
-			gotResp := strings.TrimSuffix(string(body), "\n") // trim trailing newline
-			if tt.wantResp != gotResp {
-				t.Errorf("wrong response; want=%q, got=%q", tt.wantResp, gotResp)
-			}
-		})
+				s.serveAPI(w, r)
+				res := w.Result()
+				defer res.Body.Close()
+				if gotStatus := res.StatusCode; req.wantStatus != gotStatus {
+					t.Errorf("wrong status; want=%v, got=%v", req.wantStatus, gotStatus)
+				}
+				body, err := io.ReadAll(res.Body)
+				if err != nil {
+					t.Fatal(err)
+				}
+				gotResp := strings.TrimSuffix(string(body), "\n") // trim trailing newline
+				if req.wantResponse != gotResp {
+					t.Errorf("wrong response; want=%q, got=%q", req.wantResponse, gotResp)
+				}
+			})
+		}
 	}
 }

@@ -450,7 +548,7 @@ func TestServeAuth(t *testing.T) {
 		NodeName:      remoteNode.Node.Name,
 		NodeIP:        remoteIP,
 		ProfilePicURL: user.ProfilePicURL,
-		Capabilities:  peerCapabilities{},
+		Capabilities:  peerCapabilities{capFeatureAll: true},
 	}

 	testControlURL := &defaultControlURL
@@ -524,7 +622,7 @@ func TestServeAuth(t *testing.T) {
 			name:          "no-session",
 			path:          "/api/auth",
 			wantStatus:    http.StatusOK,
-			wantResp:      &authResponse{AuthNeeded: tailscaleAuth, ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:      &authResponse{ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantNewCookie: false,
 			wantSession:   nil,
 		},
@@ -549,7 +647,7 @@ func TestServeAuth(t *testing.T) {
 			path:       "/api/auth",
 			cookie:     successCookie,
 			wantStatus: http.StatusOK,
-			wantResp:   &authResponse{AuthNeeded: tailscaleAuth, ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:   &authResponse{ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantSession: &browserSession{
 				ID:            successCookie,
 				SrcNode:       remoteNode.Node.ID,
@@ -597,7 +695,7 @@ func TestServeAuth(t *testing.T) {
 			path:       "/api/auth",
 			cookie:     successCookie,
 			wantStatus: http.StatusOK,
-			wantResp:   &authResponse{CanManageNode: true, ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:   &authResponse{Authorized: true, ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantSession: &browserSession{
 				ID:            successCookie,
 				SrcNode:       remoteNode.Node.ID,
@@ -1099,20 +1197,56 @@ func TestRequireTailscaleIP(t *testing.T) {
 }

 func TestPeerCapabilities(t *testing.T) {
+	userOwnedStatus := &ipnstate.Status{Self: &ipnstate.PeerStatus{UserID: tailcfg.UserID(1)}}
+	tags := views.SliceOf[string]([]string{"tag:server"})
+	tagOwnedStatus := &ipnstate.Status{Self: &ipnstate.PeerStatus{Tags: &tags}}
+
 	// Testing web.toPeerCapabilities
 	toPeerCapsTests := []struct {
 		name     string
+		status   *ipnstate.Status
 		whois    *apitype.WhoIsResponse
 		wantCaps peerCapabilities
 	}{
 		{
 			name:     "empty-whois",
+			status:   userOwnedStatus,
 			whois:    nil,
 			wantCaps: peerCapabilities{},
 		},
 		{
-			name: "no-webui-caps",
+			name:   "user-owned-node-non-owner-caps-ignored",
+			status: userOwnedStatus,
 			whois: &apitype.WhoIsResponse{
+				UserProfile: &tailcfg.UserProfile{ID: tailcfg.UserID(2)},
+				Node:        &tailcfg.Node{ID: tailcfg.NodeID(1)},
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
+						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
+					},
+				},
+			},
+			wantCaps: peerCapabilities{},
+		},
+		{
+			name:   "user-owned-node-owner-caps-ignored",
+			status: userOwnedStatus,
+			whois: &apitype.WhoIsResponse{
+				UserProfile: &tailcfg.UserProfile{ID: tailcfg.UserID(1)},
+				Node:        &tailcfg.Node{ID: tailcfg.NodeID(1)},
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
+						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
+					},
+				},
+			},
+			wantCaps: peerCapabilities{capFeatureAll: true}, // should just have wildcard
+		},
+		{
+			name:   "tag-owned-no-webui-caps",
+			status: tagOwnedStatus,
+			whois: &apitype.WhoIsResponse{
+				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityDebugPeer: []tailcfg.RawMessage{},
 				},
@@ -1120,66 +1254,74 @@ func TestPeerCapabilities(t *testing.T) {
 			wantCaps: peerCapabilities{},
 		},
 		{
-			name: "one-webui-cap",
+			name:   "tag-owned-one-webui-cap",
+			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
+				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
+						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:    true,
-				capFeatureSubnet: true,
+				capFeatureSSH:     true,
+				capFeatureSubnets: true,
 			},
 		},
 		{
-			name: "multiple-webui-cap",
+			name:   "tag-owned-multiple-webui-cap",
+			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
+				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
-						"{\"canEdit\":[\"subnet\",\"exitnode\",\"*\"]}",
+						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
+						"{\"canEdit\":[\"subnets\",\"exitnodes\",\"*\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:      true,
-				capFeatureSubnet:   true,
-				capFeatureExitNode: true,
-				capFeatureAll:      true,
+				capFeatureSSH:       true,
+				capFeatureSubnets:   true,
+				capFeatureExitNodes: true,
+				capFeatureAll:       true,
 			},
 		},
 		{
-			name: "case=insensitive-caps",
+			name:   "tag-owned-case-insensitive-caps",
+			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
+				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"SSH\",\"sUBnet\"]}",
+						"{\"canEdit\":[\"SSH\",\"sUBnets\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:    true,
-				capFeatureSubnet: true,
+				capFeatureSSH:     true,
+				capFeatureSubnets: true,
 			},
 		},
 		{
-			name: "random-canEdit-contents-dont-error",
+			name:   "tag-owned-random-canEdit-contents-get-dropped",
+			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
+				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
 						"{\"canEdit\":[\"unknown-feature\"]}",
 					},
 				},
 			},
-			wantCaps: peerCapabilities{
-				"unknown-feature": true,
-			},
+			wantCaps: peerCapabilities{},
 		},
 		{
-			name: "no-canEdit-section",
+			name:   "tag-owned-no-canEdit-section",
+			status: tagOwnedStatus,
 			whois: &apitype.WhoIsResponse{
+				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
 						"{\"canDoSomething\":[\"*\"]}",
@@ -1188,10 +1330,23 @@ func TestPeerCapabilities(t *testing.T) {
 			},
 			wantCaps: peerCapabilities{},
 		},
+		{
+			name:   "tagged-source-caps-ignored",
+			status: tagOwnedStatus,
+			whois: &apitype.WhoIsResponse{
+				Node: &tailcfg.Node{ID: tailcfg.NodeID(1), Tags: tags.AsSlice()},
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
+						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
+					},
+				},
+			},
+			wantCaps: peerCapabilities{},
+		},
 	}
 	for _, tt := range toPeerCapsTests {
 		t.Run("toPeerCapabilities-"+tt.name, func(t *testing.T) {
-			got, err := toPeerCapabilities(tt.whois)
+			got, err := toPeerCapabilities(tt.status, tt.whois)
 			if err != nil {
 				t.Fatalf("unexpected: %v", err)
 			}
@@ -1211,36 +1366,33 @@ func TestPeerCapabilities(t *testing.T) {
 			name: "empty-caps",
 			caps: nil,
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:      false,
-				capFeatureFunnel:   false,
-				capFeatureSSH:      false,
-				capFeatureSubnet:   false,
-				capFeatureExitNode: false,
-				capFeatureAccount:  false,
+				capFeatureAll:       false,
+				capFeatureSSH:       false,
+				capFeatureSubnets:   false,
+				capFeatureExitNodes: false,
+				capFeatureAccount:   false,
 			},
 		},
 		{
 			name: "some-caps",
 			caps: peerCapabilities{capFeatureSSH: true, capFeatureAccount: true},
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:      false,
-				capFeatureFunnel:   false,
-				capFeatureSSH:      true,
-				capFeatureSubnet:   false,
-				capFeatureExitNode: false,
-				capFeatureAccount:  true,
+				capFeatureAll:       false,
+				capFeatureSSH:       true,
+				capFeatureSubnets:   false,
+				capFeatureExitNodes: false,
+				capFeatureAccount:   true,
 			},
 		},
 		{
 			name: "wildcard-in-caps",
 			caps: peerCapabilities{capFeatureAll: true, capFeatureAccount: true},
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:      true,
-				capFeatureFunnel:   true,
-				capFeatureSSH:      true,
-				capFeatureSubnet:   true,
-				capFeatureExitNode: true,
-				capFeatureAccount:  true,
+				capFeatureAll:       true,
+				capFeatureSSH:       true,
+				capFeatureSubnets:   true,
+				capFeatureExitNodes: true,
+				capFeatureAccount:   true,
 			},
 		},
 	}
@@ -1301,6 +1453,9 @@ func mockLocalAPI(t *testing.T, whoIs map[string]*apitype.WhoIsResponse, self fu
 			metricCapture(metricNames[0].Name)
 			writeJSON(w, struct{}{})
 			return
+		case "/localapi/v0/logout":
+			fmt.Fprintf(w, "success")
+			return
 		default:
 			t.Fatalf("unhandled localapi test endpoint %q, add to localapi handler func in test", r.URL.Path)
 		}
--- a/client/web/yarn.lock
+++ b/client/web/yarn.lock
--- a/clientupdate/clientupdate.go
+++ b/clientupdate/clientupdate.go
@@ -167,6 +167,10 @@ func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
 		return up.updateWindows, true
 	case "linux":
 		switch distro.Get() {
+		case distro.NixOS:
+			// NixOS packages are immutable and managed with a system-wide
+			// configuration.
+			return up.updateNixos, false
 		case distro.Synology:
 			// Synology updates use our own pkgs.tailscale.com instead of the
 			// Synology Package Center. We should eventually get to a regular
@@ -522,6 +526,13 @@ func (up *Updater) updateArchLike() error {
 you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
 }

+func (up *Updater) updateNixos() error {
+	// NixOS package updates are managed on a system level and not individually.
+	// Direct users to update their nix channel or nixpkgs flake input to
+	// receive the latest version.
+	return errors.New(`individual package updates are not supported on NixOS installations. Update your system channel or flake inputs to get the latest Tailscale version from nixpkgs.`)
+}
+
 const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"

 // updateFedoraLike updates tailscale on any distros in the Fedora family,
@@ -654,6 +665,7 @@ func (up *Updater) updateAlpineLike() (err error) {

 func parseAlpinePackageVersion(out []byte) (string, error) {
 	s := bufio.NewScanner(bytes.NewReader(out))
+	var maxVer string
 	for s.Scan() {
 		// The line should look like this:
 		// tailscale-1.44.2-r0 description:
@@ -665,7 +677,13 @@ func parseAlpinePackageVersion(out []byte) (string, error) {
 		if len(parts) < 3 {
 			return "", fmt.Errorf("malformed info line: %q", line)
 		}
-		return parts[1], nil
+		ver := parts[1]
+		if cmpver.Compare(ver, maxVer) == 1 {
+			maxVer = ver
+		}
+	}
+	if maxVer != "" {
+		return maxVer, nil
 	}
 	return "", errors.New("tailscale version not found in output")
 }
@@ -818,7 +836,7 @@ func (up *Updater) switchOutputToFile() (io.Closer, error) {
 func (up *Updater) installMSI(msi string) error {
 	var err error
 	for tries := 0; tries < 2; tries++ {
-		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
+		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/norestart", "/qn")
 		cmd.Dir = filepath.Dir(msi)
 		cmd.Stdout = up.Stdout
 		cmd.Stderr = up.Stderr
--- a/clientupdate/clientupdate_test.go
+++ b/clientupdate/clientupdate_test.go
@@ -251,6 +251,29 @@ tailscale installed size:
 			out:     "",
 			wantErr: true,
 		},
+		{
+			desc: "multiple versions",
+			out: `
+tailscale-1.54.1-r0 description:
+The easiest, most secure way to use WireGuard and 2FA
+
+tailscale-1.54.1-r0 webpage:
+https://tailscale.com/
+
+tailscale-1.54.1-r0 installed size:
+34 MiB
+
+tailscale-1.58.2-r0 description:
+The easiest, most secure way to use WireGuard and 2FA
+
+tailscale-1.58.2-r0 webpage:
+https://tailscale.com/
+
+tailscale-1.58.2-r0 installed size:
+35 MiB
+`,
+			want: "1.58.2",
+		},
 	}

 	for _, tt := range tests {
--- a/clientupdate/systemd_linux.go
+++ b/clientupdate/systemd_linux.go
@@ -19,11 +19,11 @@ func restartSystemdUnit(ctx context.Context) error {
 	}
 	defer c.Close()
 	if err := c.ReloadContext(ctx); err != nil {
-		return fmt.Errorf("failed to reload tailsacled.service: %w", err)
+		return fmt.Errorf("failed to reload tailscaled.service: %w", err)
 	}
 	ch := make(chan string, 1)
 	if _, err := c.RestartUnitContext(ctx, "tailscaled.service", "replace", ch); err != nil {
-		return fmt.Errorf("failed to restart tailsacled.service: %w", err)
+		return fmt.Errorf("failed to restart tailscaled.service: %w", err)
 	}
 	select {
 	case res := <-ch:
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -55,6 +55,15 @@
 //     and not `tailscale up` or `tailscale set`.
 //     The config file contents are currently read once on container start.
 //     NB: This env var is currently experimental and the logic will likely change!
+//   - EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS: if set to true
+//     and if this containerboot instance is an L7 ingress proxy (created by
+//     the Kubernetes operator), set up rules to allow proxying cluster traffic,
+//     received on the Pod IP of this node, to the ingress target in the cluster.
+//     This, in conjunction with MagicDNS name resolution in cluster, can be
+//     useful for cases where a cluster workload needs to access a target in
+//     cluster using the same hostname (in this case, the MagicDNS name of the ingress proxy)
+//     as a non-cluster workload on tailnet.
+//     This is only meant to be configured by the Kubernetes operator.
 //
 // When running on Kubernetes, containerboot defaults to storing state in the
 // "tailscale" kube secret. To store state on local disk instead, set
@@ -108,29 +117,31 @@ func newNetfilterRunner(logf logger.Logf) (linuxfw.NetfilterRunner, error) {
 func main() {
 	log.SetPrefix("boot: ")
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true
-
 	cfg := &settings{
-		AuthKey:                  defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
-		Hostname:                 defaultEnv("TS_HOSTNAME", ""),
-		Routes:                   defaultEnvStringPointer("TS_ROUTES"),
-		ServeConfigPath:          defaultEnv("TS_SERVE_CONFIG", ""),
-		ProxyTo:                  defaultEnv("TS_DEST_IP", ""),
-		TailnetTargetIP:          defaultEnv("TS_TAILNET_TARGET_IP", ""),
-		TailnetTargetFQDN:        defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
-		DaemonExtraArgs:          defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
-		ExtraArgs:                defaultEnv("TS_EXTRA_ARGS", ""),
-		InKubernetes:             os.Getenv("KUBERNETES_SERVICE_HOST") != "",
-		UserspaceMode:            defaultBool("TS_USERSPACE", true),
-		StateDir:                 defaultEnv("TS_STATE_DIR", ""),
-		AcceptDNS:                defaultEnvBoolPointer("TS_ACCEPT_DNS"),
-		KubeSecret:               defaultEnv("TS_KUBE_SECRET", "tailscale"),
-		SOCKSProxyAddr:           defaultEnv("TS_SOCKS5_SERVER", ""),
-		HTTPProxyAddr:            defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
-		Socket:                   defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:                 defaultBool("TS_AUTH_ONCE", false),
-		Root:                     defaultEnv("TS_TEST_ONLY_ROOT", "/"),
-		TailscaledConfigFilePath: defaultEnv("EXPERIMENTAL_TS_CONFIGFILE_PATH", ""),
+		AuthKey:                               defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
+		Hostname:                              defaultEnv("TS_HOSTNAME", ""),
+		Routes:                                defaultEnvStringPointer("TS_ROUTES"),
+		ServeConfigPath:                       defaultEnv("TS_SERVE_CONFIG", ""),
+		ProxyTo:                               defaultEnv("TS_DEST_IP", ""),
+		TailnetTargetIP:                       defaultEnv("TS_TAILNET_TARGET_IP", ""),
+		TailnetTargetFQDN:                     defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
+		DaemonExtraArgs:                       defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
+		ExtraArgs:                             defaultEnv("TS_EXTRA_ARGS", ""),
+		InKubernetes:                          os.Getenv("KUBERNETES_SERVICE_HOST") != "",
+		UserspaceMode:                         defaultBool("TS_USERSPACE", true),
+		StateDir:                              defaultEnv("TS_STATE_DIR", ""),
+		AcceptDNS:                             defaultEnvBoolPointer("TS_ACCEPT_DNS"),
+		KubeSecret:                            defaultEnv("TS_KUBE_SECRET", "tailscale"),
+		SOCKSProxyAddr:                        defaultEnv("TS_SOCKS5_SERVER", ""),
+		HTTPProxyAddr:                         defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
+		Socket:                                defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
+		AuthOnce:                              defaultBool("TS_AUTH_ONCE", false),
+		Root:                                  defaultEnv("TS_TEST_ONLY_ROOT", "/"),
+		TailscaledConfigFilePath:              defaultEnv("EXPERIMENTAL_TS_CONFIGFILE_PATH", ""),
+		AllowProxyingClusterTrafficViaIngress: defaultBool("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS", false),
+		PodIP:                                 defaultEnv("POD_IP", ""),
 	}
+
 	if err := cfg.validate(); err != nil {
 		log.Fatalf("invalid configuration: %v", err)
 	}
@@ -330,7 +341,7 @@ authLoop:
 	}

 	var (
-		wantProxy         = cfg.ProxyTo != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != ""
+		wantProxy         = cfg.ProxyTo != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" || cfg.AllowProxyingClusterTrafficViaIngress
 		wantDeviceInfo    = cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch
 		startupTasksDone  = false
 		currentIPs        deephash.Sum // tailscale IPs assigned to device
@@ -365,6 +376,7 @@ authLoop:
 		}
 	}()
 	var wg sync.WaitGroup
+
 runLoop:
 	for {
 		select {
@@ -451,6 +463,18 @@ runLoop:
 						log.Fatalf("installing egress proxy rules: %v", err)
 					}
 				}
+				// If this is a L7 cluster ingress proxy (set up
+				// by Kubernetes operator) and proxying of
+				// cluster traffic to the ingress target is
+				// enabled, set up proxy rule each time the
+				// tailnet IPs of this node change (including
+				// the first time they become available).
+				if cfg.AllowProxyingClusterTrafficViaIngress && cfg.ServeConfigPath != "" && ipsHaveChanged && len(addrs) > 0 {
+					log.Printf("installing rules to forward traffic for %s to node's tailnet IP", cfg.PodIP)
+					if err := installTSForwardingRuleForDestination(ctx, cfg.PodIP, addrs, nfr); err != nil {
+						log.Fatalf("installing rules to forward traffic to node's tailnet IP: %v", err)
+					}
+				}
 				currentIPs = newCurrentIPs

 				deviceInfo := []any{n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name()}
@@ -837,6 +861,35 @@ func installEgressForwardingRule(ctx context.Context, dstStr string, tsIPs []net
 	return nil
 }

+// installTSForwardingRuleForDestination accepts a destination address and a
+// list of node's tailnet addresses, sets up rules to forward traffic for
+// destination to the tailnet IP matching the destination IP family.
+// Destination can be Pod IP of this node.
+func installTSForwardingRuleForDestination(ctx context.Context, dstFilter string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
+	dst, err := netip.ParseAddr(dstFilter)
+	if err != nil {
+		return err
+	}
+	var local netip.Addr
+	for _, pfx := range tsIPs {
+		if !pfx.IsSingleIP() {
+			continue
+		}
+		if pfx.Addr().Is4() != dst.Is4() {
+			continue
+		}
+		local = pfx.Addr()
+		break
+	}
+	if !local.IsValid() {
+		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstFilter, tsIPs)
+	}
+	if err := nfr.AddDNATRule(dst, local); err != nil {
+		return fmt.Errorf("installing rule for forwarding traffic to tailnet IP: %w", err)
+	}
+	return nil
+}
+
 func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
 	dst, err := netip.ParseAddr(dstStr)
 	if err != nil {
@@ -897,6 +950,14 @@ type settings struct {
 	Root                     string
 	KubernetesCanPatch       bool
 	TailscaledConfigFilePath string
+	// If set to true and, if this containerboot instance is a Kubernetes
+	// ingress proxy, set up rules to forward incoming cluster traffic to be
+	// forwarded to the ingress target in cluster.
+	AllowProxyingClusterTrafficViaIngress bool
+	// PodIP is the IP of the Pod if running in Kubernetes. This is used
+	// when setting up rules to proxy cluster traffic to cluster ingress
+	// target.
+	PodIP string
 }

 func (s *settings) validate() error {
@@ -920,6 +981,15 @@ func (s *settings) validate() error {
 	if s.TailscaledConfigFilePath != "" && (s.AcceptDNS != nil || s.AuthKey != "" || s.Routes != nil || s.ExtraArgs != "" || s.Hostname != "") {
 		return errors.New("EXPERIMENTAL_TS_CONFIGFILE_PATH cannot be set in combination with TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY, TS_ROUTES, TS_ACCEPT_DNS.")
 	}
+	if s.AllowProxyingClusterTrafficViaIngress && s.UserspaceMode {
+		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is not supported in userspace mode")
+	}
+	if s.AllowProxyingClusterTrafficViaIngress && s.ServeConfigPath == "" {
+		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is set but this is not a cluster ingress proxy")
+	}
+	if s.AllowProxyingClusterTrafficViaIngress && s.PodIP == "" {
+		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is set but POD_IP is not set")
+	}
 	return nil
 }

--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -11,21 +11,18 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil
   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
   L    github.com/google/nftables/expr                              from github.com/google/nftables+
   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
-        github.com/google/uuid                                       from tailscale.com/tsweb
+        github.com/google/uuid                                       from tailscale.com/util/fastuuid
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
-        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
-   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink                                  from github.com/google/nftables+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
@@ -49,10 +46,11 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter+
+        go4.org/netipx                                               from tailscale.com/net/tsaddr+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/encoding/protodelim               from github.com/prometheus/common/expfmt
+        google.golang.org/protobuf/encoding/prototext                from github.com/prometheus/common/expfmt+
+        google.golang.org/protobuf/encoding/protowire                from google.golang.org/protobuf/encoding/protodelim+
        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
@@ -71,16 +69,15 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
-     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
+        google.golang.org/protobuf/proto                             from github.com/prometheus/client_golang/prometheus+
+     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/prometheus/client_model/go+
+        google.golang.org/protobuf/reflect/protoregistry             from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/runtime/protoiface                from google.golang.org/protobuf/internal/impl+
+        google.golang.org/protobuf/runtime/protoimpl                 from github.com/prometheus/client_model/go+
        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
+        nhooyr.io/websocket/internal/util                            from nhooyr.io/websocket
        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
        tailscale.com                                                from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
@@ -89,7 +86,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/derp                                           from tailscale.com/cmd/derper+
        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
        tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/envknob                                        from tailscale.com/derp+
+        tailscale.com/drive                                          from tailscale.com/client/tailscale+
+        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
        tailscale.com/health                                         from tailscale.com/net/tlsdial
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/client/tailscale
@@ -97,10 +95,11 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/metrics                                        from tailscale.com/cmd/derper+
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
-     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netmon+
+        tailscale.com/net/ktimeout                                   from tailscale.com/cmd/derper
        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns
-        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
+        tailscale.com/net/netmon                                     from tailscale.com/derp/derphttp+
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
@@ -120,14 +119,14 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/derp+
        tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
+        tailscale.com/tstime/rate                                    from tailscale.com/derp+
        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
        tailscale.com/types/empty                                    from tailscale.com/ipn
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
+        tailscale.com/types/key                                      from tailscale.com/client/tailscale+
        tailscale.com/types/lazy                                     from tailscale.com/version+
        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
@@ -136,33 +135,34 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/types/preftype                                 from tailscale.com/ipn
        tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
-        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
-        tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy+
+        tailscale.com/types/tkatype                                  from tailscale.com/client/tailscale+
+        tailscale.com/types/views                                    from tailscale.com/ipn+
+        tailscale.com/util/clientmetric                              from tailscale.com/net/netmon+
        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
+        tailscale.com/util/ctxkey                                    from tailscale.com/tsweb+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
+        tailscale.com/util/fastuuid                                  from tailscale.com/tsweb
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
-        tailscale.com/util/mak                                       from tailscale.com/syncs+
+        tailscale.com/util/mak                                       from tailscale.com/net/interfaces+
        tailscale.com/util/multierr                                  from tailscale.com/health+
        tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
-        tailscale.com/util/set                                       from tailscale.com/health+
+        tailscale.com/util/set                                       from tailscale.com/derp+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
        tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
        tailscale.com/util/syspolicy                                 from tailscale.com/ipn
-        tailscale.com/util/vizerror                                  from tailscale.com/tsweb+
+        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/derp+
-        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
+        tailscale.com/version/distro                                 from tailscale.com/envknob+
        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
        golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+
        golang.org/x/crypto/blake2s                                  from tailscale.com/tka
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
@@ -182,10 +182,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
-   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
-   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        golang.org/x/sys/cpu                                         from github.com/josharian/native+
+  LD    golang.org/x/sys/unix                                        from github.com/google/nftables+
+   W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
+   W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
@@ -197,10 +197,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        bytes                                                        from bufio+
        cmp                                                          from slices+
        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from internal/profile+
+        compress/gzip                                                from google.golang.org/protobuf/internal/impl+
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdsa+
+        crypto                                                       from crypto/ecdh+
        crypto/aes                                                   from crypto/ecdsa+
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
@@ -225,14 +225,14 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka+
+        encoding/base32                                              from github.com/fxamacker/cbor/v2+
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
        errors                                                       from bufio+
-        expvar                                                       from tailscale.com/cmd/derper+
+        expvar                                                       from github.com/prometheus/client_golang/prometheus+
        flag                                                         from tailscale.com/cmd/derper+
        fmt                                                          from compress/flate+
        go/token                                                     from google.golang.org/protobuf/internal/strs
@@ -246,12 +246,13 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        io/ioutil                                                    from github.com/mitchellh/go-ps+
        log                                                          from expvar+
        log/internal                                                 from log
-        maps                                                         from tailscale.com/types/views+
+        maps                                                         from tailscale.com/ipn+
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
        math/rand                                                    from github.com/mdlayher/netlink+
-        mime                                                         from mime/multipart+
+        math/rand/v2                                                 from tailscale.com/util/fastuuid
+        mime                                                         from github.com/prometheus/common/expfmt+
        mime/multipart                                               from net/http
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
@@ -263,15 +264,15 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
-        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        os/exec                                                      from github.com/coreos/go-iptables/iptables+
        os/signal                                                    from tailscale.com/cmd/derper
   W    os/user                                                      from tailscale.com/util/winutil
-        path                                                         from golang.org/x/crypto/acme/autocert+
+        path                                                         from github.com/prometheus/client_golang/prometheus/internal+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
-        regexp                                                       from internal/profile+
+        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
-        runtime/debug                                                from golang.org/x/crypto/acme+
+        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -5,6 +5,7 @@
 package main // import "tailscale.com/cmd/derper"

 import (
+	"cmp"
 	"context"
 	"crypto/tls"
 	"encoding/json"
@@ -25,38 +26,47 @@ import (
 	"syscall"
 	"time"

-	"go4.org/mem"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/metrics"
+	"tailscale.com/net/ktimeout"
 	"tailscale.com/net/stunserver"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
-	"tailscale.com/util/cmpx"
+	"tailscale.com/types/logger"
+	"tailscale.com/version"
 )

 var (
-	dev        = flag.Bool("dev", false, "run in localhost development mode (overrides -a)")
-	addr       = flag.String("a", ":443", "server HTTP/HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP.")
-	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	configPath = flag.String("c", "", "config file path")
-	certMode   = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
-	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
-	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
-	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
-	runDERP    = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
+	dev         = flag.Bool("dev", false, "run in localhost development mode (overrides -a)")
+	versionFlag = flag.Bool("version", false, "print version and exit")
+	addr        = flag.String("a", ":443", "server HTTP/HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP.")
+	httpPort    = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	stunPort    = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	configPath  = flag.String("c", "", "config file path")
+	certMode    = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
+	certDir     = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
+	hostname    = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
+	runSTUN     = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
+	runDERP     = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")

-	meshPSKFile    = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith       = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS   = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	unpublishedDNS = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
-	verifyClients  = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
+	meshPSKFile     = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+	bootstrapDNS    = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
+	unpublishedDNS  = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
+	verifyClients   = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
+	verifyClientURL = flag.String("verify-client-url", "", "if non-empty, an admission controller URL for permitting client connections; see tailcfg.DERPAdmitClientRequest")
+	verifyFailOpen  = flag.Bool("verify-client-url-fail-open", true, "whether we fail open if --verify-client-url is unreachable")

 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
+
+	// tcpKeepAlive is intentionally long, to reduce battery cost. There is an L7 keepalive on a higher frequency schedule.
+	tcpKeepAlive = flag.Duration("tcp-keepalive-time", 10*time.Minute, "TCP keepalive time")
+	// tcpUserTimeout is intentionally short, so that hung connections are cleaned up promptly. DERPs should be nearby users.
+	tcpUserTimeout = flag.Duration("tcp-user-timeout", 15*time.Second, "TCP user timeout")
 )

 var (
@@ -121,6 +131,10 @@ func writeNewConfig() config {

 func main() {
 	flag.Parse()
+	if *versionFlag {
+		fmt.Println(version.Long())
+		return
+	}

 	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 	defer cancel()
@@ -147,6 +161,8 @@ func main() {

 	s := derp.NewServer(cfg.PrivateKey, log.Printf)
 	s.SetVerifyClient(*verifyClients)
+	s.SetVerifyClientURL(*verifyClientURL)
+	s.SetVerifyClientURLFailOpen(*verifyFailOpen)

 	if *meshPSKFile != "" {
 		b, err := os.ReadFile(*meshPSKFile)
@@ -216,7 +232,16 @@ func main() {
 	}))
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))

-	quietLogger := log.New(logFilter{}, "", 0)
+	// Longer lived DERP connections send an application layer keepalive. Note
+	// if the keepalive is hit, the user timeout will take precedence over the
+	// keepalive counter, so the probe if unanswered will take effect promptly,
+	// this is less tolerant of high loss, but high loss is unexpected.
+	lc := net.ListenConfig{
+		Control:   ktimeout.UserTimeout(*tcpUserTimeout),
+		KeepAlive: *tcpKeepAlive,
+	}
+
+	quietLogger := log.New(logger.HTTPServerLogFilter{Inner: log.Printf}, "", 0)
 	httpsrv := &http.Server{
 		Addr:     *addr,
 		Handler:  mux,
@@ -292,7 +317,12 @@ func main() {
 					// duration exceeds server's WriteTimeout".
 					WriteTimeout: 5 * time.Minute,
 				}
-				err := port80srv.ListenAndServe()
+				ln, err := lc.Listen(context.Background(), "tcp", port80srv.Addr)
+				if err != nil {
+					log.Fatal(err)
+				}
+				defer ln.Close()
+				err = port80srv.Serve(ln)
 				if err != nil {
 					if err != http.ErrServerClosed {
 						log.Fatal(err)
@@ -300,10 +330,15 @@ func main() {
 				}
 			}()
 		}
-		err = rateLimitedListenAndServeTLS(httpsrv)
+		err = rateLimitedListenAndServeTLS(httpsrv, &lc)
 	} else {
 		log.Printf("derper: serving on %s", *addr)
-		err = httpsrv.ListenAndServe()
+		var ln net.Listener
+		ln, err = lc.Listen(context.Background(), "tcp", httpsrv.Addr)
+		if err != nil {
+			log.Fatal(err)
+		}
+		err = httpsrv.Serve(ln)
 	}
 	if err != nil && err != http.ErrServerClosed {
 		log.Fatalf("derper: %v", err)
@@ -368,8 +403,8 @@ func defaultMeshPSKFile() string {
 	return ""
 }

-func rateLimitedListenAndServeTLS(srv *http.Server) error {
-	ln, err := net.Listen("tcp", cmpx.Or(srv.Addr, ":https"))
+func rateLimitedListenAndServeTLS(srv *http.Server, lc *net.ListenConfig) error {
+	ln, err := lc.Listen(context.Background(), "tcp", cmp.Or(srv.Addr, ":https"))
 	if err != nil {
 		return err
 	}
@@ -423,22 +458,3 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	l.numAccepts.Add(1)
 	return cn, nil
 }
-
-// logFilter is used to filter out useless error logs that are logged to
-// the net/http.Server.ErrorLog logger.
-type logFilter struct{}
-
-func (logFilter) Write(p []byte) (int, error) {
-	b := mem.B(p)
-	if mem.HasSuffix(b, mem.S(": EOF\n")) ||
-		mem.HasSuffix(b, mem.S(": i/o timeout\n")) ||
-		mem.HasSuffix(b, mem.S(": read: connection reset by peer\n")) ||
-		mem.HasSuffix(b, mem.S(": remote error: tls: bad certificate\n")) ||
-		mem.HasSuffix(b, mem.S(": tls: first record does not look like a TLS handshake\n")) {
-		// Skip this log message, but say that we processed it
-		return len(p), nil
-	}
-
-	log.Printf("%s", p)
-	return len(p), nil
-}
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -16,21 +16,40 @@ import (

 	"tailscale.com/prober"
 	"tailscale.com/tsweb"
+	"tailscale.com/version"
 )

 var (
-	derpMapURL = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
-	listen     = flag.String("listen", ":8030", "HTTP listen address")
-	probeOnce  = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
-	spread     = flag.Bool("spread", true, "whether to spread probing over time")
-	interval   = flag.Duration("interval", 15*time.Second, "probe interval")
+	derpMapURL   = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
+	versionFlag  = flag.Bool("version", false, "print version and exit")
+	listen       = flag.String("listen", ":8030", "HTTP listen address")
+	probeOnce    = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
+	spread       = flag.Bool("spread", true, "whether to spread probing over time")
+	interval     = flag.Duration("interval", 15*time.Second, "probe interval")
+	meshInterval = flag.Duration("mesh-interval", 15*time.Second, "mesh probe interval")
+	stunInterval = flag.Duration("stun-interval", 15*time.Second, "STUN probe interval")
+	tlsInterval  = flag.Duration("tls-interval", 15*time.Second, "TLS probe interval")
+	bwInterval   = flag.Duration("bw-interval", 0, "bandwidth probe interval (0 = no bandwidth probing)")
+	bwSize       = flag.Int64("bw-probe-size-bytes", 1_000_000, "bandwidth probe size")
 )

 func main() {
 	flag.Parse()
+	if *versionFlag {
+		fmt.Println(version.Long())
+		return
+	}

 	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce).WithMetricNamespace("derpprobe")
-	dp, err := prober.DERP(p, *derpMapURL, *interval, *interval, *interval)
+	opts := []prober.DERPOpt{
+		prober.WithMeshProbing(*meshInterval),
+		prober.WithSTUNProbing(*stunInterval),
+		prober.WithTLSProbing(*tlsInterval),
+	}
+	if *bwInterval > 0 {
+		opts = append(opts, prober.WithBandwidthProbing(*bwInterval, *bwSize))
+	}
+	dp, err := prober.DERP(p, *derpMapURL, opts...)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -53,6 +72,7 @@ func main() {
 	mux := http.NewServeMux()
 	tsweb.Debugger(mux)
 	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
+	log.Printf("Listening on %s", *listen)
 	log.Fatal(http.ListenAndServe(*listen, mux))
 }

--- a/cmd/dist/dist.go
+++ b/cmd/dist/dist.go
@@ -33,6 +33,9 @@ func getTargets() ([]dist.Target, error) {
 	// Since only we can provide packages to Synology for
 	// distribution, we default to building the "sideload" variant of
 	// packages that we distribute on pkgs.tailscale.com.
+	//
+	// To build for package center, run
+	// ./tool/go run ./cmd/dist build --synology-package-center synology
 	ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
 	return ret, nil
 }
--- a/cmd/get-authkey/main.go
+++ b/cmd/get-authkey/main.go
@@ -7,6 +7,7 @@
 package main

 import (
+	"cmp"
 	"context"
 	"flag"
 	"fmt"
@@ -16,7 +17,6 @@ import (

 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/util/cmpx"
 )

 func main() {
@@ -40,7 +40,7 @@ func main() {
 		log.Fatal("at least one tag must be specified")
 	}

-	baseURL := cmpx.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")
+	baseURL := cmp.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")

 	credentials := clientcredentials.Config{
 		ClientID:     clientID,
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -158,11 +158,13 @@ func main() {
 	if !ok && (!oiok || !osok) {
 		log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret")
 	}
-	if ok && (oiok || osok) {
+	if apiKey != "" && (oauthId != "" || oauthSecret != "") {
 		log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET")
 	}
 	var client *http.Client
-	if oiok {
+	if oiok && (oauthId != "" || oauthSecret != "") {
+		// Both should ideally be set, but if either are non-empty it means the user had an intent
+		// to set _something_, so they should receive the oauth error flow.
 		oauthConfig := &clientcredentials.Config{
 			ClientID:     oauthId,
 			ClientSecret: oauthSecret,
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -31,10 +31,12 @@ var (
 //go:embed hello.tmpl.html
 var embeddedTemplate string

+var localClient tailscale.LocalClient
+
 func main() {
 	flag.Parse()
 	if *testIP != "" {
-		res, err := tailscale.WhoIs(context.Background(), *testIP)
+		res, err := localClient.WhoIs(context.Background(), *testIP)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -76,7 +78,7 @@ func main() {
 					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 						switch hi.ServerName {
 						case "hello.ts.net":
-							return tailscale.GetCertificate(hi)
+							return localClient.GetCertificate(hi)
 						case "hello.ipn.dev":
 							c, err := tls.LoadX509KeyPair(
 								"/etc/hello/hello.ipn.dev.crt",
@@ -170,7 +172,7 @@ func root(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	who, err := tailscale.WhoIs(r.Context(), r.RemoteAddr)
+	who, err := localClient.WhoIs(r.Context(), r.RemoteAddr)
 	var data tmplData
 	if err != nil {
 		if devMode() {
--- a/cmd/hello/hello.tmpl.html
+++ b/cmd/hello/hello.tmpl.html
@@ -430,6 +430,8 @@
    <footer class="footer text-gray-600 text-center mb-12">
      <p>Read about <a href="https://tailscale.com/kb/1017/install#advanced-features" class="text-blue-600 hover:text-blue-800"
          target="_blank">what you can do next &rarr;</a></p>
+      <p>Read about <a href="https://tailscale.com/kb/1073/hello" class="text-blue-600 hover:text-blue-800"
+          target="_blank">the Hello service &rarr;</a></p>
    </footer>
  </main>
 </body>
--- a/cmd/k8s-operator/connector.go
+++ b/cmd/k8s-operator/connector.go
@@ -164,6 +164,17 @@ func (a *ConnectorReconciler) maybeProvisionConnector(ctx context.Context, logge
 		hostname = string(cn.Spec.Hostname)
 	}
 	crl := childResourceLabels(cn.Name, a.tsnamespace, "connector")
+
+	proxyClass := cn.Spec.ProxyClass
+	if proxyClass != "" {
+		if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
+			return fmt.Errorf("error verifying ProxyClass for Connector: %w", err)
+		} else if !ready {
+			logger.Infof("ProxyClass %s specified for the Connector, but is not (yet) Ready, waiting..", proxyClass)
+			return nil
+		}
+	}
+
 	sts := &tailscaleSTSConfig{
 		ParentResourceName:  cn.Name,
 		ParentResourceUID:   string(cn.UID),
@@ -173,6 +184,7 @@ func (a *ConnectorReconciler) maybeProvisionConnector(ctx context.Context, logge
 		Connector: &connector{
 			isExitNode: cn.Spec.ExitNode,
 		},
+		ProxyClass: proxyClass,
 	}

 	if cn.Spec.SubnetRouter != nil && len(cn.Spec.SubnetRouter.AdvertiseRoutes) > 0 {
--- a/cmd/k8s-operator/connector_test.go
+++ b/cmd/k8s-operator/connector_test.go
@@ -67,45 +67,40 @@ func TestConnector(t *testing.T) {
 	fullName, shortName := findGenName(t, fc, "", "test", "connector")

 	opts := configOpts{
-		stsName:                    shortName,
-		secretName:                 fullName,
-		parentType:                 "connector",
-		hostname:                   "test-connector",
-		shouldUseDeclarativeConfig: true,
-		isExitNode:                 true,
-		subnetRoutes:               "10.40.0.0/14",
-		confFileHash:               "9321660203effb80983eaecc7b5ac5a8c53934926f46e895b9fe295dcfc5a904",
+		stsName:      shortName,
+		secretName:   fullName,
+		parentType:   "connector",
+		hostname:     "test-connector",
+		isExitNode:   true,
+		subnetRoutes: "10.40.0.0/14",
 	}
-	expectEqual(t, fc, expectedSecret(t, opts))
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedSecret(t, opts), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)

 	// Add another route to be advertised.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.40.0.0/14", "10.44.0.0/20"}
 	})
 	opts.subnetRoutes = "10.40.0.0/14,10.44.0.0/20"
-	opts.confFileHash = "fb6c4daf67425f983985750cd8d6f2beae77e614fcb34176604571f5623d6862"
 	expectReconciled(t, cr, "", "test")

-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)

 	// Remove a route.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.44.0.0/20"}
 	})
 	opts.subnetRoutes = "10.44.0.0/20"
-	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)

 	// Remove the subnet router.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.SubnetRouter = nil
 	})
 	opts.subnetRoutes = ""
-	opts.confFileHash = "7c421a99128eb80e79a285a82702f19f8f720615542a15bd794858a6275d8079"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)

 	// Re-add the subnet router.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
@@ -114,9 +109,8 @@ func TestConnector(t *testing.T) {
 		}
 	})
 	opts.subnetRoutes = "10.44.0.0/20"
-	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)

 	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
@@ -152,25 +146,22 @@ func TestConnector(t *testing.T) {
 	fullName, shortName = findGenName(t, fc, "", "test", "connector")

 	opts = configOpts{
-		stsName:                    shortName,
-		secretName:                 fullName,
-		parentType:                 "connector",
-		shouldUseDeclarativeConfig: true,
-		subnetRoutes:               "10.40.0.0/14",
-		hostname:                   "test-connector",
-		confFileHash:               "57d922331890c9b1c8c6ae664394cb254334c551d9cd9db14537b5d9da9fb17e",
+		stsName:      shortName,
+		secretName:   fullName,
+		parentType:   "connector",
+		subnetRoutes: "10.40.0.0/14",
+		hostname:     "test-connector",
 	}
-	expectEqual(t, fc, expectedSecret(t, opts))
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedSecret(t, opts), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)

 	// Add an exit node.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.ExitNode = true
 	})
 	opts.isExitNode = true
-	opts.confFileHash = "1499b591fd97a50f0330db6ec09979792c49890cf31f5da5bb6a3f50dba1e77a"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)

 	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
@@ -183,3 +174,103 @@ func TestConnector(t *testing.T) {
 	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 }
+
+func TestConnectorWithProxyClass(t *testing.T) {
+	// Setup
+	pc := &tsapi.ProxyClass{
+		ObjectMeta: metav1.ObjectMeta{Name: "custom-metadata"},
+		Spec: tsapi.ProxyClassSpec{StatefulSet: &tsapi.StatefulSet{
+			Labels:      map[string]string{"foo": "bar"},
+			Annotations: map[string]string{"bar.io/foo": "some-val"},
+			Pod:         &tsapi.Pod{Annotations: map[string]string{"foo.io/bar": "some-val"}}}},
+	}
+	cn := &tsapi.Connector{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test",
+			UID:  types.UID("1234-UID"),
+		},
+		TypeMeta: metav1.TypeMeta{
+			Kind:       tsapi.ConnectorKind,
+			APIVersion: "tailscale.io/v1alpha1",
+		},
+		Spec: tsapi.ConnectorSpec{
+			SubnetRouter: &tsapi.SubnetRouter{
+				AdvertiseRoutes: []tsapi.Route{"10.40.0.0/14"},
+			},
+			ExitNode: true,
+		},
+	}
+	fc := fake.NewClientBuilder().
+		WithScheme(tsapi.GlobalScheme).
+		WithObjects(pc, cn).
+		WithStatusSubresource(pc, cn).
+		Build()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	cl := tstest.NewClock(tstest.ClockOpts{})
+	cr := &ConnectorReconciler{
+		Client: fc,
+		clock:  cl,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		logger: zl.Sugar(),
+	}
+
+	// 1. Connector is created with no ProxyClass specified, create
+	// resources with the default configuration.
+	expectReconciled(t, cr, "", "test")
+	fullName, shortName := findGenName(t, fc, "", "test", "connector")
+
+	opts := configOpts{
+		stsName:      shortName,
+		secretName:   fullName,
+		parentType:   "connector",
+		hostname:     "test-connector",
+		isExitNode:   true,
+		subnetRoutes: "10.40.0.0/14",
+	}
+	expectEqual(t, fc, expectedSecret(t, opts), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+
+	// 2. Update Connector to specify a ProxyClass. ProxyClass is not yet
+	// ready, so its configuration is NOT applied to the Connector
+	// resources.
+	mustUpdate(t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.ProxyClass = "custom-metadata"
+	})
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+
+	// 3. ProxyClass is set to Ready by proxy-class reconciler. Connector
+	// get reconciled and configuration from the ProxyClass is applied to
+	// its resources.
+	mustUpdateStatus(t, fc, "", "custom-metadata", func(pc *tsapi.ProxyClass) {
+		pc.Status = tsapi.ProxyClassStatus{
+			Conditions: []tsapi.ConnectorCondition{{
+				Status:             metav1.ConditionTrue,
+				Type:               tsapi.ProxyClassready,
+				ObservedGeneration: pc.Generation,
+			}}}
+	})
+	opts.proxyClass = pc.Name
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+
+	// 4. Connector.spec.proxyClass field is unset, Connector gets
+	// reconciled and configuration from the ProxyClass is removed from the
+	// cluster resources for the Connector.
+	mustUpdate(t, fc, "", "test", func(conn *tsapi.Connector) {
+		conn.Spec.ProxyClass = ""
+	})
+	opts.proxyClass = ""
+	expectReconciled(t, cr, "", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+}
--- a/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
@@ -49,6 +49,8 @@ spec:
          image: {{ .Values.operatorConfig.image.repo }}{{- if .Values.operatorConfig.image.digest -}}{{ printf "@%s" .Values.operatorConfig.image.digest}}{{- else -}}{{ printf "%s" $operatorTag }}{{- end }}
          imagePullPolicy: {{ .Values.operatorConfig.image.pullPolicy }}
          env:
+            - name: OPERATOR_INITIAL_TAGS
+              value: {{ join "," .Values.operatorConfig.defaultTags }}
            - name: OPERATOR_HOSTNAME
              value: {{ .Values.operatorConfig.hostname }}
            - name: OPERATOR_SECRET
--- a/cmd/k8s-operator/deploy/chart/templates/ingressclass.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/ingressclass.yaml
@@ -0,0 +1,8 @@
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: tailscale # class name currently can not be changed
+  annotations: {} # we do not support default IngressClass annotation https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
+spec:
+  controller: tailscale.com/ts-ingress # controller name currently can not be changed
+  # parameters: {} # currently no parameters are supported
--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@@ -18,8 +18,11 @@ rules:
 - apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "ingresses/status"]
  verbs: ["*"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingressclasses"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: ["tailscale.com"]
-  resources: ["connectors", "connectors/status"]
+  resources: ["connectors", "connectors/status", "proxyclasses", "proxyclasses/status"]
  verbs: ["get", "list", "watch", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/cmd/k8s-operator/deploy/chart/values.yaml
+++ b/cmd/k8s-operator/deploy/chart/values.yaml
@@ -12,9 +12,16 @@ oauth: {}
 # of chart installation. We do not use Helm's CRD installation mechanism as that
 # does not allow for upgrading CRDs.
 # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
-installCRDs: "true"
+installCRDs: true

 operatorConfig:
+  # ACL tag that operator will be tagged with. Operator must be made owner of
+  # these tags
+  # https://tailscale.com/kb/1236/kubernetes-operator/?q=operator#setting-up-the-kubernetes-operator
+  # Multiple tags are defined as array items and passed to the operator as a comma-separated string
+  defaultTags:
+    - "tag:k8s-operator"
+
  image:
    repo: tailscale/k8s-operator
    # Digest will be prioritized over tag. If neither are set appVersion will be
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
@@ -54,6 +54,9 @@ spec:
                  description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
                  type: string
                  pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
+                proxyClass:
+                  description: ProxyClass is the name of the ProxyClass custom resource that contains configuration options that should be applied to the resources created for this Connector. If unset, the operator will create resources with the default configuration.
+                  type: string
                subnetRouter:
                  description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
                  type: object
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
@@ -0,0 +1,494 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: proxyclasses.tailscale.com
+spec:
+  group: tailscale.com
+  names:
+    kind: ProxyClass
+    listKind: ProxyClassList
+    plural: proxyclasses
+    singular: proxyclass
+  scope: Cluster
+  versions:
+    - additionalPrinterColumns:
+        - description: Status of the ProxyClass.
+          jsonPath: .status.conditions[?(@.type == "ProxyClassReady")].reason
+          name: Status
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              required:
+                - statefulSet
+              properties:
+                statefulSet:
+                  description: Proxy's StatefulSet spec.
+                  type: object
+                  properties:
+                    annotations:
+                      description: Annotations that will be added to the StatefulSet created for the proxy. Any Annotations specified here will be merged with the default annotations applied to the StatefulSet by the Tailscale Kubernetes operator as well as any other annotations that might have been applied by other actors. Annotations must be valid Kubernetes annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
+                      type: object
+                      additionalProperties:
+                        type: string
+                    labels:
+                      description: Labels that will be added to the StatefulSet created for the proxy. Any labels specified here will be merged with the default labels applied to the StatefulSet by the Tailscale Kubernetes operator as well as any other labels that might have been applied by other actors. Label keys and values must be valid Kubernetes label keys and values. https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
+                      type: object
+                      additionalProperties:
+                        type: string
+                    pod:
+                      description: Configuration for the proxy Pod.
+                      type: object
+                      properties:
+                        annotations:
+                          description: Annotations that will be added to the proxy Pod. Any annotations specified here will be merged with the default annotations applied to the Pod by the Tailscale Kubernetes operator. Annotations must be valid Kubernetes annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
+                          type: object
+                          additionalProperties:
+                            type: string
+                        imagePullSecrets:
+                          description: Proxy Pod's image pull Secrets. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
+                          type: array
+                          items:
+                            description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+                            type: object
+                            properties:
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+                                type: string
+                            x-kubernetes-map-type: atomic
+                        labels:
+                          description: Labels that will be added to the proxy Pod. Any labels specified here will be merged with the default labels applied to the Pod by the Tailscale Kubernetes operator. Label keys and values must be valid Kubernetes label keys and values. https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
+                          type: object
+                          additionalProperties:
+                            type: string
+                        nodeName:
+                          description: Proxy Pod's node name. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+                          type: string
+                        nodeSelector:
+                          description: Proxy Pod's node selector. By default Tailscale Kubernetes operator does not apply any node selector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+                          type: object
+                          additionalProperties:
+                            type: string
+                        securityContext:
+                          description: Proxy Pod's security context. By default Tailscale Kubernetes operator does not apply any Pod security context. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2
+                          type: object
+                          properties:
+                            fsGroup:
+                              description: "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- \n If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows."
+                              type: integer
+                              format: int64
+                            fsGroupChangePolicy:
+                              description: 'fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.'
+                              type: string
+                            runAsGroup:
+                              description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+                              type: integer
+                              format: int64
+                            runAsNonRoot:
+                              description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                              type: boolean
+                            runAsUser:
+                              description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+                              type: integer
+                              format: int64
+                            seLinuxOptions:
+                              description: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+                              type: object
+                              properties:
+                                level:
+                                  description: Level is SELinux level label that applies to the container.
+                                  type: string
+                                role:
+                                  description: Role is a SELinux role label that applies to the container.
+                                  type: string
+                                type:
+                                  description: Type is a SELinux type label that applies to the container.
+                                  type: string
+                                user:
+                                  description: User is a SELinux user label that applies to the container.
+                                  type: string
+                            seccompProfile:
+                              description: The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
+                              type: object
+                              required:
+                                - type
+                              properties:
+                                localhostProfile:
+                                  description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
+                                  type: string
+                                type:
+                                  description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
+                                  type: string
+                            supplementalGroups:
+                              description: A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.
+                              type: array
+                              items:
+                                type: integer
+                                format: int64
+                            sysctls:
+                              description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.
+                              type: array
+                              items:
+                                description: Sysctl defines a kernel parameter to be set
+                                type: object
+                                required:
+                                  - name
+                                  - value
+                                properties:
+                                  name:
+                                    description: Name of a property to set
+                                    type: string
+                                  value:
+                                    description: Value of a property to set
+                                    type: string
+                            windowsOptions:
+                              description: The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
+                              type: object
+                              properties:
+                                gmsaCredentialSpec:
+                                  description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+                                  type: string
+                                gmsaCredentialSpecName:
+                                  description: GMSACredentialSpecName is the name of the GMSA credential spec to use.
+                                  type: string
+                                hostProcess:
+                                  description: HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
+                                  type: boolean
+                                runAsUserName:
+                                  description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                  type: string
+                        tailscaleContainer:
+                          description: Configuration for the proxy container running tailscale.
+                          type: object
+                          properties:
+                            resources:
+                              description: Container resource requirements. By default Tailscale Kubernetes operator does not apply any resource requirements. The amount of resources required wil depend on the amount of resources the operator needs to parse, usage patterns and cluster size. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
+                              type: object
+                              properties:
+                                claims:
+                                  description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers."
+                                  type: array
+                                  items:
+                                    description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                    type: object
+                                    required:
+                                      - name
+                                    properties:
+                                      name:
+                                        description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
+                                        type: string
+                                  x-kubernetes-list-map-keys:
+                                    - name
+                                  x-kubernetes-list-type: map
+                                limits:
+                                  description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                  type: object
+                                  additionalProperties:
+                                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                    anyOf:
+                                      - type: integer
+                                      - type: string
+                                    x-kubernetes-int-or-string: true
+                                requests:
+                                  description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                  type: object
+                                  additionalProperties:
+                                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                    anyOf:
+                                      - type: integer
+                                      - type: string
+                                    x-kubernetes-int-or-string: true
+                            securityContext:
+                              description: 'Container security context. Security context specified here will override the security context by the operator. By default the operator: - sets ''privileged: true'' for the init container - set NET_ADMIN capability for tailscale container for proxies that are created for Services or Connector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context'
+                              type: object
+                              properties:
+                                allowPrivilegeEscalation:
+                                  description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.'
+                                  type: boolean
+                                capabilities:
+                                  description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
+                                  type: object
+                                  properties:
+                                    add:
+                                      description: Added capabilities
+                                      type: array
+                                      items:
+                                        description: Capability represent POSIX capabilities type
+                                        type: string
+                                    drop:
+                                      description: Removed capabilities
+                                      type: array
+                                      items:
+                                        description: Capability represent POSIX capabilities type
+                                        type: string
+                                privileged:
+                                  description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
+                                  type: boolean
+                                procMount:
+                                  description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
+                                  type: string
+                                readOnlyRootFilesystem:
+                                  description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
+                                  type: boolean
+                                runAsGroup:
+                                  description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                  type: integer
+                                  format: int64
+                                runAsNonRoot:
+                                  description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                  type: boolean
+                                runAsUser:
+                                  description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                  type: integer
+                                  format: int64
+                                seLinuxOptions:
+                                  description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                  type: object
+                                  properties:
+                                    level:
+                                      description: Level is SELinux level label that applies to the container.
+                                      type: string
+                                    role:
+                                      description: Role is a SELinux role label that applies to the container.
+                                      type: string
+                                    type:
+                                      description: Type is a SELinux type label that applies to the container.
+                                      type: string
+                                    user:
+                                      description: User is a SELinux user label that applies to the container.
+                                      type: string
+                                seccompProfile:
+                                  description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
+                                  type: object
+                                  required:
+                                    - type
+                                  properties:
+                                    localhostProfile:
+                                      description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
+                                      type: string
+                                    type:
+                                      description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
+                                      type: string
+                                windowsOptions:
+                                  description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
+                                  type: object
+                                  properties:
+                                    gmsaCredentialSpec:
+                                      description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+                                      type: string
+                                    gmsaCredentialSpecName:
+                                      description: GMSACredentialSpecName is the name of the GMSA credential spec to use.
+                                      type: string
+                                    hostProcess:
+                                      description: HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
+                                      type: boolean
+                                    runAsUserName:
+                                      description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                      type: string
+                        tailscaleInitContainer:
+                          description: Configuration for the proxy init container that enables forwarding.
+                          type: object
+                          properties:
+                            resources:
+                              description: Container resource requirements. By default Tailscale Kubernetes operator does not apply any resource requirements. The amount of resources required wil depend on the amount of resources the operator needs to parse, usage patterns and cluster size. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
+                              type: object
+                              properties:
+                                claims:
+                                  description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers."
+                                  type: array
+                                  items:
+                                    description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                    type: object
+                                    required:
+                                      - name
+                                    properties:
+                                      name:
+                                        description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
+                                        type: string
+                                  x-kubernetes-list-map-keys:
+                                    - name
+                                  x-kubernetes-list-type: map
+                                limits:
+                                  description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                  type: object
+                                  additionalProperties:
+                                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                    anyOf:
+                                      - type: integer
+                                      - type: string
+                                    x-kubernetes-int-or-string: true
+                                requests:
+                                  description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                  type: object
+                                  additionalProperties:
+                                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                    anyOf:
+                                      - type: integer
+                                      - type: string
+                                    x-kubernetes-int-or-string: true
+                            securityContext:
+                              description: 'Container security context. Security context specified here will override the security context by the operator. By default the operator: - sets ''privileged: true'' for the init container - set NET_ADMIN capability for tailscale container for proxies that are created for Services or Connector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context'
+                              type: object
+                              properties:
+                                allowPrivilegeEscalation:
+                                  description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.'
+                                  type: boolean
+                                capabilities:
+                                  description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
+                                  type: object
+                                  properties:
+                                    add:
+                                      description: Added capabilities
+                                      type: array
+                                      items:
+                                        description: Capability represent POSIX capabilities type
+                                        type: string
+                                    drop:
+                                      description: Removed capabilities
+                                      type: array
+                                      items:
+                                        description: Capability represent POSIX capabilities type
+                                        type: string
+                                privileged:
+                                  description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
+                                  type: boolean
+                                procMount:
+                                  description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
+                                  type: string
+                                readOnlyRootFilesystem:
+                                  description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
+                                  type: boolean
+                                runAsGroup:
+                                  description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                  type: integer
+                                  format: int64
+                                runAsNonRoot:
+                                  description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                  type: boolean
+                                runAsUser:
+                                  description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                  type: integer
+                                  format: int64
+                                seLinuxOptions:
+                                  description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                  type: object
+                                  properties:
+                                    level:
+                                      description: Level is SELinux level label that applies to the container.
+                                      type: string
+                                    role:
+                                      description: Role is a SELinux role label that applies to the container.
+                                      type: string
+                                    type:
+                                      description: Type is a SELinux type label that applies to the container.
+                                      type: string
+                                    user:
+                                      description: User is a SELinux user label that applies to the container.
+                                      type: string
+                                seccompProfile:
+                                  description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
+                                  type: object
+                                  required:
+                                    - type
+                                  properties:
+                                    localhostProfile:
+                                      description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
+                                      type: string
+                                    type:
+                                      description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
+                                      type: string
+                                windowsOptions:
+                                  description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
+                                  type: object
+                                  properties:
+                                    gmsaCredentialSpec:
+                                      description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+                                      type: string
+                                    gmsaCredentialSpecName:
+                                      description: GMSACredentialSpecName is the name of the GMSA credential spec to use.
+                                      type: string
+                                    hostProcess:
+                                      description: HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
+                                      type: boolean
+                                    runAsUserName:
+                                      description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                      type: string
+                        tolerations:
+                          description: Proxy Pod's tolerations. By default Tailscale Kubernetes operator does not apply any tolerations. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+                          type: array
+                          items:
+                            description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+                            type: object
+                            properties:
+                              effect:
+                                description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                                type: string
+                              key:
+                                description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                                type: string
+                              operator:
+                                description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+                                type: string
+                              tolerationSeconds:
+                                description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+                                type: integer
+                                format: int64
+                              value:
+                                description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+                                type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  description: List of status conditions to indicate the status of the ProxyClass. Known condition types are `ProxyClassReady`.
+                  type: array
+                  items:
+                    description: ConnectorCondition contains condition information for a Connector.
+                    type: object
+                    required:
+                      - status
+                      - type
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+                        type: string
+                        format: date-time
+                      message:
+                        description: Message is a human readable description of the details of the last transition, complementing reason.
+                        type: string
+                      observedGeneration:
+                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
+                        type: integer
+                        format: int64
+                      reason:
+                        description: Reason is a brief machine readable explanation for the condition's last transition.
+                        type: string
+                      status:
+                        description: Status of the condition, one of ('True', 'False', 'Unknown').
+                        type: string
+                      type:
+                        description: Type of the condition, known values are (`SubnetRouterReady`).
+                        type: string
+                  x-kubernetes-list-map-keys:
+                    - type
+                  x-kubernetes-list-type: map
+      served: true
+      storage: true
+      subresources:
+        status: {}
--- a/cmd/k8s-operator/deploy/examples/proxyclass.yaml
+++ b/cmd/k8s-operator/deploy/examples/proxyclass.yaml
@@ -0,0 +1,15 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: prod
+spec:
+  statefulSet:
+    annotations:
+      platform-component: infra 
+    pod:
+      labels:
+        team: eng
+      nodeSelector:
+        beta.kubernetes.io/os: "linux"
+      imagePullSecrets:
+      - name: "foo"
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -79,6 +79,9 @@ spec:
                                description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
                                pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
                                type: string
+                            proxyClass:
+                                description: ProxyClass is the name of the ProxyClass custom resource that contains configuration options that should be applied to the resources created for this Connector. If unset, the operator will create resources with the default configuration.
+                                type: string
                            subnetRouter:
                                description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
                                properties:
@@ -153,6 +156,501 @@ spec:
          subresources:
            status: {}
 ---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+    annotations:
+        controller-gen.kubebuilder.io/version: v0.13.0
+    name: proxyclasses.tailscale.com
+spec:
+    group: tailscale.com
+    names:
+        kind: ProxyClass
+        listKind: ProxyClassList
+        plural: proxyclasses
+        singular: proxyclass
+    scope: Cluster
+    versions:
+        - additionalPrinterColumns:
+            - description: Status of the ProxyClass.
+              jsonPath: .status.conditions[?(@.type == "ProxyClassReady")].reason
+              name: Status
+              type: string
+          name: v1alpha1
+          schema:
+            openAPIV3Schema:
+                properties:
+                    apiVersion:
+                        description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                    kind:
+                        description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                    metadata:
+                        type: object
+                    spec:
+                        properties:
+                            statefulSet:
+                                description: Proxy's StatefulSet spec.
+                                properties:
+                                    annotations:
+                                        additionalProperties:
+                                            type: string
+                                        description: Annotations that will be added to the StatefulSet created for the proxy. Any Annotations specified here will be merged with the default annotations applied to the StatefulSet by the Tailscale Kubernetes operator as well as any other annotations that might have been applied by other actors. Annotations must be valid Kubernetes annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
+                                        type: object
+                                    labels:
+                                        additionalProperties:
+                                            type: string
+                                        description: Labels that will be added to the StatefulSet created for the proxy. Any labels specified here will be merged with the default labels applied to the StatefulSet by the Tailscale Kubernetes operator as well as any other labels that might have been applied by other actors. Label keys and values must be valid Kubernetes label keys and values. https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
+                                        type: object
+                                    pod:
+                                        description: Configuration for the proxy Pod.
+                                        properties:
+                                            annotations:
+                                                additionalProperties:
+                                                    type: string
+                                                description: Annotations that will be added to the proxy Pod. Any annotations specified here will be merged with the default annotations applied to the Pod by the Tailscale Kubernetes operator. Annotations must be valid Kubernetes annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
+                                                type: object
+                                            imagePullSecrets:
+                                                description: Proxy Pod's image pull Secrets. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
+                                                items:
+                                                    description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
+                                                    properties:
+                                                        name:
+                                                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
+                                                            type: string
+                                                    type: object
+                                                    x-kubernetes-map-type: atomic
+                                                type: array
+                                            labels:
+                                                additionalProperties:
+                                                    type: string
+                                                description: Labels that will be added to the proxy Pod. Any labels specified here will be merged with the default labels applied to the Pod by the Tailscale Kubernetes operator. Label keys and values must be valid Kubernetes label keys and values. https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
+                                                type: object
+                                            nodeName:
+                                                description: Proxy Pod's node name. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+                                                type: string
+                                            nodeSelector:
+                                                additionalProperties:
+                                                    type: string
+                                                description: Proxy Pod's node selector. By default Tailscale Kubernetes operator does not apply any node selector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+                                                type: object
+                                            securityContext:
+                                                description: Proxy Pod's security context. By default Tailscale Kubernetes operator does not apply any Pod security context. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2
+                                                properties:
+                                                    fsGroup:
+                                                        description: "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- \n If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows."
+                                                        format: int64
+                                                        type: integer
+                                                    fsGroupChangePolicy:
+                                                        description: 'fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.'
+                                                        type: string
+                                                    runAsGroup:
+                                                        description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+                                                        format: int64
+                                                        type: integer
+                                                    runAsNonRoot:
+                                                        description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                                        type: boolean
+                                                    runAsUser:
+                                                        description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+                                                        format: int64
+                                                        type: integer
+                                                    seLinuxOptions:
+                                                        description: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.
+                                                        properties:
+                                                            level:
+                                                                description: Level is SELinux level label that applies to the container.
+                                                                type: string
+                                                            role:
+                                                                description: Role is a SELinux role label that applies to the container.
+                                                                type: string
+                                                            type:
+                                                                description: Type is a SELinux type label that applies to the container.
+                                                                type: string
+                                                            user:
+                                                                description: User is a SELinux user label that applies to the container.
+                                                                type: string
+                                                        type: object
+                                                    seccompProfile:
+                                                        description: The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.
+                                                        properties:
+                                                            localhostProfile:
+                                                                description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
+                                                                type: string
+                                                            type:
+                                                                description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
+                                                                type: string
+                                                        required:
+                                                            - type
+                                                        type: object
+                                                    supplementalGroups:
+                                                        description: A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.
+                                                        items:
+                                                            format: int64
+                                                            type: integer
+                                                        type: array
+                                                    sysctls:
+                                                        description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.
+                                                        items:
+                                                            description: Sysctl defines a kernel parameter to be set
+                                                            properties:
+                                                                name:
+                                                                    description: Name of a property to set
+                                                                    type: string
+                                                                value:
+                                                                    description: Value of a property to set
+                                                                    type: string
+                                                            required:
+                                                                - name
+                                                                - value
+                                                            type: object
+                                                        type: array
+                                                    windowsOptions:
+                                                        description: The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
+                                                        properties:
+                                                            gmsaCredentialSpec:
+                                                                description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+                                                                type: string
+                                                            gmsaCredentialSpecName:
+                                                                description: GMSACredentialSpecName is the name of the GMSA credential spec to use.
+                                                                type: string
+                                                            hostProcess:
+                                                                description: HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
+                                                                type: boolean
+                                                            runAsUserName:
+                                                                description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                                                type: string
+                                                        type: object
+                                                type: object
+                                            tailscaleContainer:
+                                                description: Configuration for the proxy container running tailscale.
+                                                properties:
+                                                    resources:
+                                                        description: Container resource requirements. By default Tailscale Kubernetes operator does not apply any resource requirements. The amount of resources required wil depend on the amount of resources the operator needs to parse, usage patterns and cluster size. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
+                                                        properties:
+                                                            claims:
+                                                                description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers."
+                                                                items:
+                                                                    description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                                                    properties:
+                                                                        name:
+                                                                            description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
+                                                                            type: string
+                                                                    required:
+                                                                        - name
+                                                                    type: object
+                                                                type: array
+                                                                x-kubernetes-list-map-keys:
+                                                                    - name
+                                                                x-kubernetes-list-type: map
+                                                            limits:
+                                                                additionalProperties:
+                                                                    anyOf:
+                                                                        - type: integer
+                                                                        - type: string
+                                                                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                                    x-kubernetes-int-or-string: true
+                                                                description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                                                type: object
+                                                            requests:
+                                                                additionalProperties:
+                                                                    anyOf:
+                                                                        - type: integer
+                                                                        - type: string
+                                                                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                                    x-kubernetes-int-or-string: true
+                                                                description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                                                type: object
+                                                        type: object
+                                                    securityContext:
+                                                        description: 'Container security context. Security context specified here will override the security context by the operator. By default the operator: - sets ''privileged: true'' for the init container - set NET_ADMIN capability for tailscale container for proxies that are created for Services or Connector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context'
+                                                        properties:
+                                                            allowPrivilegeEscalation:
+                                                                description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.'
+                                                                type: boolean
+                                                            capabilities:
+                                                                description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
+                                                                properties:
+                                                                    add:
+                                                                        description: Added capabilities
+                                                                        items:
+                                                                            description: Capability represent POSIX capabilities type
+                                                                            type: string
+                                                                        type: array
+                                                                    drop:
+                                                                        description: Removed capabilities
+                                                                        items:
+                                                                            description: Capability represent POSIX capabilities type
+                                                                            type: string
+                                                                        type: array
+                                                                type: object
+                                                            privileged:
+                                                                description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
+                                                                type: boolean
+                                                            procMount:
+                                                                description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
+                                                                type: string
+                                                            readOnlyRootFilesystem:
+                                                                description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
+                                                                type: boolean
+                                                            runAsGroup:
+                                                                description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                                                format: int64
+                                                                type: integer
+                                                            runAsNonRoot:
+                                                                description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                                                type: boolean
+                                                            runAsUser:
+                                                                description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                                                format: int64
+                                                                type: integer
+                                                            seLinuxOptions:
+                                                                description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                                                properties:
+                                                                    level:
+                                                                        description: Level is SELinux level label that applies to the container.
+                                                                        type: string
+                                                                    role:
+                                                                        description: Role is a SELinux role label that applies to the container.
+                                                                        type: string
+                                                                    type:
+                                                                        description: Type is a SELinux type label that applies to the container.
+                                                                        type: string
+                                                                    user:
+                                                                        description: User is a SELinux user label that applies to the container.
+                                                                        type: string
+                                                                type: object
+                                                            seccompProfile:
+                                                                description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
+                                                                properties:
+                                                                    localhostProfile:
+                                                                        description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
+                                                                        type: string
+                                                                    type:
+                                                                        description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
+                                                                        type: string
+                                                                required:
+                                                                    - type
+                                                                type: object
+                                                            windowsOptions:
+                                                                description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
+                                                                properties:
+                                                                    gmsaCredentialSpec:
+                                                                        description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+                                                                        type: string
+                                                                    gmsaCredentialSpecName:
+                                                                        description: GMSACredentialSpecName is the name of the GMSA credential spec to use.
+                                                                        type: string
+                                                                    hostProcess:
+                                                                        description: HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
+                                                                        type: boolean
+                                                                    runAsUserName:
+                                                                        description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                                                        type: string
+                                                                type: object
+                                                        type: object
+                                                type: object
+                                            tailscaleInitContainer:
+                                                description: Configuration for the proxy init container that enables forwarding.
+                                                properties:
+                                                    resources:
+                                                        description: Container resource requirements. By default Tailscale Kubernetes operator does not apply any resource requirements. The amount of resources required wil depend on the amount of resources the operator needs to parse, usage patterns and cluster size. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
+                                                        properties:
+                                                            claims:
+                                                                description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers."
+                                                                items:
+                                                                    description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                                                                    properties:
+                                                                        name:
+                                                                            description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.
+                                                                            type: string
+                                                                    required:
+                                                                        - name
+                                                                    type: object
+                                                                type: array
+                                                                x-kubernetes-list-map-keys:
+                                                                    - name
+                                                                x-kubernetes-list-type: map
+                                                            limits:
+                                                                additionalProperties:
+                                                                    anyOf:
+                                                                        - type: integer
+                                                                        - type: string
+                                                                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                                    x-kubernetes-int-or-string: true
+                                                                description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                                                type: object
+                                                            requests:
+                                                                additionalProperties:
+                                                                    anyOf:
+                                                                        - type: integer
+                                                                        - type: string
+                                                                    pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                                                    x-kubernetes-int-or-string: true
+                                                                description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+                                                                type: object
+                                                        type: object
+                                                    securityContext:
+                                                        description: 'Container security context. Security context specified here will override the security context by the operator. By default the operator: - sets ''privileged: true'' for the init container - set NET_ADMIN capability for tailscale container for proxies that are created for Services or Connector. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context'
+                                                        properties:
+                                                            allowPrivilegeEscalation:
+                                                                description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.'
+                                                                type: boolean
+                                                            capabilities:
+                                                                description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
+                                                                properties:
+                                                                    add:
+                                                                        description: Added capabilities
+                                                                        items:
+                                                                            description: Capability represent POSIX capabilities type
+                                                                            type: string
+                                                                        type: array
+                                                                    drop:
+                                                                        description: Removed capabilities
+                                                                        items:
+                                                                            description: Capability represent POSIX capabilities type
+                                                                            type: string
+                                                                        type: array
+                                                                type: object
+                                                            privileged:
+                                                                description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
+                                                                type: boolean
+                                                            procMount:
+                                                                description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
+                                                                type: string
+                                                            readOnlyRootFilesystem:
+                                                                description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.
+                                                                type: boolean
+                                                            runAsGroup:
+                                                                description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                                                format: int64
+                                                                type: integer
+                                                            runAsNonRoot:
+                                                                description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                                                type: boolean
+                                                            runAsUser:
+                                                                description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                                                format: int64
+                                                                type: integer
+                                                            seLinuxOptions:
+                                                                description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
+                                                                properties:
+                                                                    level:
+                                                                        description: Level is SELinux level label that applies to the container.
+                                                                        type: string
+                                                                    role:
+                                                                        description: Role is a SELinux role label that applies to the container.
+                                                                        type: string
+                                                                    type:
+                                                                        description: Type is a SELinux type label that applies to the container.
+                                                                        type: string
+                                                                    user:
+                                                                        description: User is a SELinux user label that applies to the container.
+                                                                        type: string
+                                                                type: object
+                                                            seccompProfile:
+                                                                description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
+                                                                properties:
+                                                                    localhostProfile:
+                                                                        description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.
+                                                                        type: string
+                                                                    type:
+                                                                        description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied."
+                                                                        type: string
+                                                                required:
+                                                                    - type
+                                                                type: object
+                                                            windowsOptions:
+                                                                description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
+                                                                properties:
+                                                                    gmsaCredentialSpec:
+                                                                        description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.
+                                                                        type: string
+                                                                    gmsaCredentialSpecName:
+                                                                        description: GMSACredentialSpecName is the name of the GMSA credential spec to use.
+                                                                        type: string
+                                                                    hostProcess:
+                                                                        description: HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.
+                                                                        type: boolean
+                                                                    runAsUserName:
+                                                                        description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+                                                                        type: string
+                                                                type: object
+                                                        type: object
+                                                type: object
+                                            tolerations:
+                                                description: Proxy Pod's tolerations. By default Tailscale Kubernetes operator does not apply any tolerations. https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+                                                items:
+                                                    description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
+                                                    properties:
+                                                        effect:
+                                                            description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+                                                            type: string
+                                                        key:
+                                                            description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+                                                            type: string
+                                                        operator:
+                                                            description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
+                                                            type: string
+                                                        tolerationSeconds:
+                                                            description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
+                                                            format: int64
+                                                            type: integer
+                                                        value:
+                                                            description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
+                                                            type: string
+                                                    type: object
+                                                type: array
+                                        type: object
+                                type: object
+                        required:
+                            - statefulSet
+                        type: object
+                    status:
+                        properties:
+                            conditions:
+                                description: List of status conditions to indicate the status of the ProxyClass. Known condition types are `ProxyClassReady`.
+                                items:
+                                    description: ConnectorCondition contains condition information for a Connector.
+                                    properties:
+                                        lastTransitionTime:
+                                            description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+                                            format: date-time
+                                            type: string
+                                        message:
+                                            description: Message is a human readable description of the details of the last transition, complementing reason.
+                                            type: string
+                                        observedGeneration:
+                                            description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
+                                            format: int64
+                                            type: integer
+                                        reason:
+                                            description: Reason is a brief machine readable explanation for the condition's last transition.
+                                            type: string
+                                        status:
+                                            description: Status of the condition, one of ('True', 'False', 'Unknown').
+                                            type: string
+                                        type:
+                                            description: Type of the condition, known values are (`SubnetRouterReady`).
+                                            type: string
+                                    required:
+                                        - status
+                                        - type
+                                    type: object
+                                type: array
+                                x-kubernetes-list-map-keys:
+                                    - type
+                                x-kubernetes-list-type: map
+                        type: object
+                required:
+                    - spec
+                type: object
+          served: true
+          storage: true
+          subresources:
+            status: {}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -173,11 +671,21 @@ rules:
        - ingresses/status
      verbs:
        - '*'
+    - apiGroups:
+        - networking.k8s.io
+      resources:
+        - ingressclasses
+      verbs:
+        - get
+        - list
+        - watch
    - apiGroups:
        - tailscale.com
      resources:
        - connectors
        - connectors/status
+        - proxyclasses
+        - proxyclasses/status
      verbs:
        - get
        - list
@@ -276,6 +784,8 @@ spec:
        spec:
            containers:
                - env:
+                    - name: OPERATOR_INITIAL_TAGS
+                      value: tag:k8s-operator
                    - name: OPERATOR_HOSTNAME
                      value: tailscale-operator
                    - name: OPERATOR_SECRET
@@ -312,3 +822,11 @@ spec:
                - name: oauth
                  secret:
                    secretName: operator-oauth
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+    annotations: {}
+    name: tailscale
+spec:
+    controller: tailscale.com/ts-ingress
--- a/cmd/k8s-operator/deploy/manifests/proxy.yaml
+++ b/cmd/k8s-operator/deploy/manifests/proxy.yaml
@@ -28,8 +28,10 @@ spec:
          env:
            - name: TS_USERSPACE
              value: "false"
-            - name: TS_AUTH_ONCE
-              value: "true"
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
          securityContext:
            capabilities:
              add:
--- a/cmd/k8s-operator/deploy/manifests/userspace-proxy.yaml
+++ b/cmd/k8s-operator/deploy/manifests/userspace-proxy.yaml
@@ -20,5 +20,3 @@ spec:
          env:
            - name: TS_USERSPACE
              value: "true"
-            - name: TS_AUTH_ONCE
-              value: "true"
--- a/cmd/k8s-operator/generate/main.go
+++ b/cmd/k8s-operator/generate/main.go
@@ -19,10 +19,12 @@ import (
 )

 const (
-	operatorDeploymentFilesPath = "cmd/k8s-operator/deploy"
-	crdPath                     = operatorDeploymentFilesPath + "/crds/tailscale.com_connectors.yaml"
-	helmTemplatesPath           = operatorDeploymentFilesPath + "/chart/templates"
-	crdTemplatePath             = helmTemplatesPath + "/connectors.yaml"
+	operatorDeploymentFilesPath   = "cmd/k8s-operator/deploy"
+	connectorCRDPath              = operatorDeploymentFilesPath + "/crds/tailscale.com_connectors.yaml"
+	proxyClassCRDPath             = operatorDeploymentFilesPath + "/crds/tailscale.com_proxyclasses.yaml"
+	helmTemplatesPath             = operatorDeploymentFilesPath + "/chart/templates"
+	connectorCRDHelmTemplatePath  = helmTemplatesPath + "/connector.yaml"
+	proxyClassCRDHelmTemplatePath = helmTemplatesPath + "/proxyclass.yaml"

 	helmConditionalStart = "{{ if .Values.installCRDs -}}\n"
 	helmConditionalEnd   = "{{- end -}}"
@@ -44,9 +46,9 @@ func main() {
 	default:
 		log.Fatalf("unknown option %s, known options are 'staticmanifests', 'helmcrd'", os.Args[1])
 	}
-	log.Printf("Inserting CRD into the Helm templates")
+	log.Printf("Inserting CRDs Helm templates")
 	if err := generate(repoRoot); err != nil {
-		log.Fatalf("error adding Connector CRD to Helm templates: %v", err)
+		log.Fatalf("error adding CRDs to Helm templates: %v", err)
 	}
 	defer func() {
 		if err := cleanup(repoRoot); err != nil {
@@ -106,34 +108,48 @@ func main() {
 	}
 }

+// generate places tailscale.com CRDs (currently Connector and ProxyClass) into
+// the Helm chart templates behind .Values.installCRDs=true condition (true by
+// default).
 func generate(baseDir string) error {
-	log.Print("Placing Connector CRD into Helm templates..")
-	chartBytes, err := os.ReadFile(filepath.Join(baseDir, crdPath))
-	if err != nil {
-		return fmt.Errorf("error reading CRD contents: %w", err)
+	addCRDToHelm := func(crdPath, crdTemplatePath string) error {
+		chartBytes, err := os.ReadFile(filepath.Join(baseDir, crdPath))
+		if err != nil {
+			return fmt.Errorf("error reading CRD contents: %w", err)
+		}
+		// Place a new temporary Helm template file with the templated CRD
+		// contents into Helm templates.
+		file, err := os.Create(filepath.Join(baseDir, crdTemplatePath))
+		if err != nil {
+			return fmt.Errorf("error creating CRD template file: %w", err)
+		}
+		if _, err := file.Write([]byte(helmConditionalStart)); err != nil {
+			return fmt.Errorf("error writing helm if statement start: %w", err)
+		}
+		if _, err := file.Write(chartBytes); err != nil {
+			return fmt.Errorf("error writing chart bytes: %w", err)
+		}
+		if _, err := file.Write([]byte(helmConditionalEnd)); err != nil {
+			return fmt.Errorf("error writing helm if-statement end: %w", err)
+		}
+		return nil
 	}
-	// Place a new temporary Helm template file with the templated CRD
-	// contents into Helm templates.
-	file, err := os.Create(filepath.Join(baseDir, crdTemplatePath))
-	if err != nil {
-		return fmt.Errorf("error creating CRD template file: %w", err)
+	if err := addCRDToHelm(connectorCRDPath, connectorCRDHelmTemplatePath); err != nil {
+		return fmt.Errorf("error adding Connector CRD to Helm templates: %w", err)
 	}
-	if _, err := file.Write([]byte(helmConditionalStart)); err != nil {
-		return fmt.Errorf("error writing helm if statement start: %w", err)
-	}
-	if _, err := file.Write(chartBytes); err != nil {
-		return fmt.Errorf("error writing chart bytes: %w", err)
-	}
-	if _, err := file.Write([]byte(helmConditionalEnd)); err != nil {
-		return fmt.Errorf("error writing helm if-statement end: %w", err)
+	if err := addCRDToHelm(proxyClassCRDPath, proxyClassCRDHelmTemplatePath); err != nil {
+		return fmt.Errorf("error adding ProxyClass CRD to Helm templates: %w", err)
 	}
 	return nil
 }

 func cleanup(baseDir string) error {
 	log.Print("Cleaning up CRD from Helm templates")
-	if err := os.Remove(filepath.Join(baseDir, crdTemplatePath)); err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("error cleaning up CRD template: %w", err)
+	if err := os.Remove(filepath.Join(baseDir, connectorCRDHelmTemplatePath)); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("error cleaning up Connector CRD template: %w", err)
+	}
+	if err := os.Remove(filepath.Join(baseDir, proxyClassCRDHelmTemplatePath)); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("error cleaning up ProxyClass CRD template: %w", err)
 	}
 	return nil
 }
--- a/cmd/k8s-operator/generate/main_test.go
+++ b/cmd/k8s-operator/generate/main_test.go
@@ -42,7 +42,7 @@ func Test_generate(t *testing.T) {
 		t.Fatalf("Helm chart linter failed: %v", err)
 	}

-	// Test that default Helm install contains the CRD
+	// Test that default Helm install contains the Connector and ProxyClass CRDs.
 	installContentsWithCRD := bytes.NewBuffer([]byte{})
 	helmTemplateWithCRDCmd := exec.Command(helmCLIPath, "template", helmPackagePath)
 	helmTemplateWithCRDCmd.Stderr = os.Stderr
@@ -51,10 +51,13 @@ func Test_generate(t *testing.T) {
 		t.Fatalf("templating Helm chart with CRDs failed: %v", err)
 	}
 	if !strings.Contains(installContentsWithCRD.String(), "name: connectors.tailscale.com") {
-		t.Errorf("CRD not found in default chart install")
+		t.Errorf("Connector CRD not found in default chart install")
+	}
+	if !strings.Contains(installContentsWithCRD.String(), "name: proxyclasses.tailscale.com") {
+		t.Errorf("ProxyClass CRD not found in default chart install")
 	}

-	// Test that CRD can be excluded from Helm chart install
+	// Test that CRDs can be excluded from Helm chart install
 	installContentsWithoutCRD := bytes.NewBuffer([]byte{})
 	helmTemplateWithoutCRDCmd := exec.Command(helmCLIPath, "template", helmPackagePath, "--set", "installCRDs=false")
 	helmTemplateWithoutCRDCmd.Stderr = os.Stderr
@@ -63,6 +66,9 @@ func Test_generate(t *testing.T) {
 		t.Fatalf("templating Helm chart without CRDs failed: %v", err)
 	}
 	if strings.Contains(installContentsWithoutCRD.String(), "name: connectors.tailscale.com") {
-		t.Errorf("CRD found in chart install that should not contain a CRD")
+		t.Errorf("Connector CRD found in chart install that should not contain a CRD")
+	}
+	if strings.Contains(installContentsWithoutCRD.String(), "name: connectors.tailscale.com") {
+		t.Errorf("ProxyClass CRD found in chart install that should not contain a CRD")
 	}
 }
--- a/cmd/k8s-operator/ingress.go
+++ b/cmd/k8s-operator/ingress.go
@@ -12,10 +12,12 @@ import (
 	"strings"
 	"sync"

+	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -26,6 +28,12 @@ import (
 	"tailscale.com/util/set"
 )

+const (
+	tailscaleIngressClassName      = "tailscale"                                   // ingressClass.metadata.name for tailscale IngressClass resource
+	tailscaleIngressControllerName = "tailscale.com/ts-ingress"                    // ingressClass.spec.controllerName for tailscale IngressClass resource
+	ingressClassDefaultAnnotation  = "ingressclass.kubernetes.io/is-default-class" // we do not support this https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
+)
+
 type IngressReconciler struct {
 	client.Client

@@ -109,6 +117,10 @@ func (a *IngressReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 // This function adds a finalizer to ing, ensuring that we can handle orderly
 // deprovisioning later.
 func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, ing *networkingv1.Ingress) error {
+	if err := a.validateIngressClass(ctx); err != nil {
+		logger.Warnf("error validating tailscale IngressClass: %v. In future this might be a terminal error.", err)
+
+	}
 	if !slices.Contains(ing.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
 		// because once the finalizer is in place this block gets skipped. So,
@@ -120,6 +132,17 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 			return fmt.Errorf("failed to add finalizer: %w", err)
 		}
 	}
+
+	proxyClass := proxyClassForObject(ing)
+	if proxyClass != "" {
+		if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
+			return fmt.Errorf("error verifying ProxyClass for Ingress: %w", err)
+		} else if !ready {
+			logger.Infof("ProxyClass %s specified for the Ingress, but is not (yet) Ready, waiting..", proxyClass)
+			return nil
+		}
+	}
+
 	a.mu.Lock()
 	a.managedIngresses.Add(ing.UID)
 	gaugeIngressResources.Set(int64(a.managedIngresses.Len()))
@@ -205,10 +228,25 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 			continue
 		}
 		for _, p := range rule.HTTP.Paths {
+			// Send a warning if folks use Exact path type - to make
+			// it easier for us to support Exact path type matching
+			// in the future if needed.
+			// https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
+			if *p.PathType == networkingv1.PathTypeExact {
+				msg := "Exact path type strict matching is currently not supported and requests will be routed as for Prefix path type. This behaviour might change in the future."
+				logger.Warnf(fmt.Sprintf("Unsupported Path type exact for path %s. %s", p.Path, msg))
+				a.recorder.Eventf(ing, corev1.EventTypeWarning, "UnsupportedPathTypeExact", msg)
+			}
 			addIngressBackend(&p.Backend, p.Path)
 		}
 	}

+	if len(web.Handlers) == 0 {
+		logger.Warn("Ingress contains no valid backends")
+		a.recorder.Eventf(ing, corev1.EventTypeWarning, "NoValidBackends", "no valid backends")
+		return nil
+	}
+
 	crl := childResourceLabels(ing.Name, ing.Namespace, "ingress")
 	var tags []string
 	if tstr, ok := ing.Annotations[AnnotationTags]; ok {
@@ -226,6 +264,11 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		ServeConfig:         sc,
 		Tags:                tags,
 		ChildResourceLabels: crl,
+		ProxyClass:          proxyClass,
+	}
+
+	if val := ing.GetAnnotations()[AnnotationExperimentalForwardClusterTrafficViaL7IngresProxy]; val == "true" {
+		sts.ForwardClusterTrafficViaL7IngressProxy = true
 	}

 	if _, err := a.ssr.Provision(ctx, logger, sts); err != nil {
@@ -267,5 +310,28 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 func (a *IngressReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
 	return ing != nil &&
 		ing.Spec.IngressClassName != nil &&
-		*ing.Spec.IngressClassName == "tailscale"
+		*ing.Spec.IngressClassName == tailscaleIngressClassName
+}
+
+// validateIngressClass attempts to validate that 'tailscale' IngressClass
+// included in Tailscale installation manifests exists and has not been modified
+// to attempt to enable features that we do not support.
+func (a *IngressReconciler) validateIngressClass(ctx context.Context) error {
+	ic := &networkingv1.IngressClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: tailscaleIngressClassName,
+		},
+	}
+	if err := a.Get(ctx, client.ObjectKeyFromObject(ic), ic); apierrors.IsNotFound(err) {
+		return errors.New("Tailscale IngressClass not found in cluster. Latest installation manifests include a tailscale IngressClass - please update")
+	} else if err != nil {
+		return fmt.Errorf("error retrieving 'tailscale' IngressClass: %w", err)
+	}
+	if ic.Spec.Controller != tailscaleIngressControllerName {
+		return fmt.Errorf("Tailscale Ingress class controller name %s does not match tailscale Ingress controller name %s. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ic.Spec.Controller, tailscaleIngressControllerName)
+	}
+	if ic.GetAnnotations()[ingressClassDefaultAnnotation] != "" {
+		return fmt.Errorf("%s annotation is set on 'tailscale' IngressClass, but Tailscale Ingress controller does not support default Ingress class. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ingressClassDefaultAnnotation)
+	}
+	return nil
 }
--- a/cmd/k8s-operator/ingress_test.go
+++ b/cmd/k8s-operator/ingress_test.go
@@ -0,0 +1,270 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+package main
+
+import (
+	"testing"
+
+	"go.uber.org/zap"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"tailscale.com/ipn"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/types/ptr"
+	"tailscale.com/util/mak"
+)
+
+func TestTailscaleIngress(t *testing.T) {
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
+	fc := fake.NewFakeClient(tsIngressClass)
+	ft := &fakeTSClient{}
+	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	ingR := &IngressReconciler{
+		Client: fc,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			tsnetServer:       fakeTsnetServer,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		logger: zl.Sugar(),
+	}
+
+	// 1. Resources get created for regular Ingress
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	})
+
+	expectReconciled(t, ingR, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test", "ingress")
+	opts := configOpts{
+		stsName:    shortName,
+		secretName: fullName,
+		namespace:  "default",
+		parentType: "ingress",
+		hostname:   "default-test",
+	}
+	serveConfig := &ipn.ServeConfig{
+		TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
+		Web: map[ipn.HostPort]*ipn.WebServerConfig{"${TS_CERT_DOMAIN}:443": {Handlers: map[string]*ipn.HTTPHandler{"/": {Proxy: "http://1.2.3.4:8080/"}}}},
+	}
+	opts.serveConfig = serveConfig
+
+	expectEqual(t, fc, expectedSecret(t, opts), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "ingress"), nil)
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+
+	// 2. Ingress status gets updated with ingress proxy's MagicDNS name
+	// once that becomes available.
+	mustUpdate(t, fc, "operator-ns", opts.secretName, func(secret *corev1.Secret) {
+		mak.Set(&secret.Data, "device_id", []byte("1234"))
+		mak.Set(&secret.Data, "device_fqdn", []byte("foo.tailnetxyz.ts.net"))
+	})
+	expectReconciled(t, ingR, "default", "test")
+	ing.Finalizers = append(ing.Finalizers, "tailscale.com/finalizer")
+	ing.Status.LoadBalancer = networkingv1.IngressLoadBalancerStatus{
+		Ingress: []networkingv1.IngressLoadBalancerIngress{
+			{Hostname: "foo.tailnetxyz.ts.net", Ports: []networkingv1.IngressPortStatus{{Port: 443, Protocol: "TCP"}}},
+		},
+	}
+	expectEqual(t, fc, ing, nil)
+
+	// 3. Resources get created for Ingress that should allow forwarding
+	// cluster traffic
+	mustUpdate(t, fc, "default", "test", func(ing *networkingv1.Ingress) {
+		mak.Set(&ing.ObjectMeta.Annotations, AnnotationExperimentalForwardClusterTrafficViaL7IngresProxy, "true")
+	})
+	opts.shouldEnableForwardingClusterTrafficViaIngress = true
+	expectReconciled(t, ingR, "default", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+
+	// 4. Resources get cleaned up when Ingress class is unset
+	mustUpdate(t, fc, "default", "test", func(ing *networkingv1.Ingress) {
+		ing.Spec.IngressClassName = ptr.To("nginx")
+	})
+	expectReconciled(t, ingR, "default", "test")
+	expectReconciled(t, ingR, "default", "test") // deleting Ingress STS requires two reconciles
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
+}
+
+func TestTailscaleIngressWithProxyClass(t *testing.T) {
+	// Setup
+	pc := &tsapi.ProxyClass{
+		ObjectMeta: metav1.ObjectMeta{Name: "custom-metadata"},
+		Spec: tsapi.ProxyClassSpec{StatefulSet: &tsapi.StatefulSet{
+			Labels:      map[string]string{"foo": "bar"},
+			Annotations: map[string]string{"bar.io/foo": "some-val"},
+			Pod:         &tsapi.Pod{Annotations: map[string]string{"foo.io/bar": "some-val"}}}},
+	}
+	tsIngressClass := &networkingv1.IngressClass{ObjectMeta: metav1.ObjectMeta{Name: "tailscale"}, Spec: networkingv1.IngressClassSpec{Controller: "tailscale.com/ts-ingress"}}
+	fc := fake.NewClientBuilder().
+		WithScheme(tsapi.GlobalScheme).
+		WithObjects(pc, tsIngressClass).
+		WithStatusSubresource(pc).
+		Build()
+	ft := &fakeTSClient{}
+	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	ingR := &IngressReconciler{
+		Client: fc,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			tsnetServer:       fakeTsnetServer,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		logger: zl.Sugar(),
+	}
+
+	// 1. Ingress is created with no ProxyClass specified, default proxy
+	// resources get configured.
+	ing := &networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To("tailscale"),
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{
+					Name: "test",
+					Port: networkingv1.ServiceBackendPort{
+						Number: 8080,
+					},
+				},
+			},
+			TLS: []networkingv1.IngressTLS{
+				{Hosts: []string{"default-test"}},
+			},
+		},
+	}
+	mustCreate(t, fc, ing)
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "1.2.3.4",
+			Ports: []corev1.ServicePort{{
+				Port: 8080,
+				Name: "http"},
+			},
+		},
+	})
+
+	expectReconciled(t, ingR, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test", "ingress")
+	opts := configOpts{
+		stsName:    shortName,
+		secretName: fullName,
+		namespace:  "default",
+		parentType: "ingress",
+		hostname:   "default-test",
+	}
+	serveConfig := &ipn.ServeConfig{
+		TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
+		Web: map[ipn.HostPort]*ipn.WebServerConfig{"${TS_CERT_DOMAIN}:443": {Handlers: map[string]*ipn.HTTPHandler{"/": {Proxy: "http://1.2.3.4:8080/"}}}},
+	}
+	opts.serveConfig = serveConfig
+
+	expectEqual(t, fc, expectedSecret(t, opts), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "ingress"), nil)
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+
+	// 2. Ingress is updated to specify a ProxyClass, ProxyClass is not yet
+	// ready, so proxy resource configuration does not change.
+	mustUpdate(t, fc, "default", "test", func(ing *networkingv1.Ingress) {
+		mak.Set(&ing.ObjectMeta.Labels, LabelProxyClass, "custom-metadata")
+	})
+	expectReconciled(t, ingR, "default", "test")
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+
+	// 3. ProxyClass is set to Ready by proxy-class reconciler. Ingress get
+	// reconciled and configuration from the ProxyClass is applied to the
+	// created proxy resources.
+	mustUpdateStatus(t, fc, "", "custom-metadata", func(pc *tsapi.ProxyClass) {
+		pc.Status = tsapi.ProxyClassStatus{
+			Conditions: []tsapi.ConnectorCondition{{
+				Status:             metav1.ConditionTrue,
+				Type:               tsapi.ProxyClassready,
+				ObservedGeneration: pc.Generation,
+			}}}
+	})
+	expectReconciled(t, ingR, "default", "test")
+	opts.proxyClass = pc.Name
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+
+	// 4. tailscale.com/proxy-class label is removed from the Ingress, the
+	// Ingress gets reconciled and the custom ProxyClass configuration is
+	// removed from the proxy resources.
+	mustUpdate(t, fc, "default", "test", func(ing *networkingv1.Ingress) {
+		delete(ing.ObjectMeta.Labels, LabelProxyClass)
+	})
+	expectReconciled(t, ingR, "default", "test")
+	opts.proxyClass = ""
+	expectEqual(t, fc, expectedSTSUserspace(t, fc, opts), removeHashAnnotation)
+}
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -47,9 +47,12 @@ import (
 // Generate static manifests for deploying Tailscale operator on Kubernetes from the operator's Helm chart.
 //go:generate go run tailscale.com/cmd/k8s-operator/generate staticmanifests

-// Generate Connector CustomResourceDefinition yaml from its Go types.
+// Generate Connector and ProxyClass CustomResourceDefinition yamls from their Go types.
 //go:generate go run sigs.k8s.io/controller-tools/cmd/controller-gen crd schemapatch:manifests=./deploy/crds output:dir=./deploy/crds paths=../../k8s-operator/apis/...

+// Generate CRD docs from the yamls
+//go:generate go run fybrik.io/crdoc --resources=./deploy/crds --output=../../k8s-operator/api.md
+
 func main() {
 	// Required to use our client API. We're fine with the instability since the
 	// client lives in the same repo as this code.
@@ -215,6 +218,9 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 		Field: client.InNamespace(tsNamespace).AsSelector(),
 	}
 	mgrOpts := manager.Options{
+		// TODO (irbekrm): stricter filtering what we watch/cache/call
+		// reconcilers on. c/r by default starts a watch on any
+		// resources that we GET via the controller manager's client.
 		Cache: cache.Options{
 			ByObject: map[client.Object]cache.ByObject{
 				&corev1.Secret{}:      nsFilter,
@@ -230,6 +236,9 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string

 	svcFilter := handler.EnqueueRequestsFromMapFunc(serviceHandler)
 	svcChildFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("svc"))
+	// If a ProxyClassChanges, enqueue all Services labeled with that
+	// ProxyClass's name.
+	proxyClassFilterForSvc := handler.EnqueueRequestsFromMapFunc(proxyClassHandlerForSvc(mgr.GetClient(), startlog))

 	eventRecorder := mgr.GetEventRecorderFor("tailscale-operator")
 	ssr := &tailscaleSTSReconciler{
@@ -248,6 +257,7 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 		Watches(&corev1.Service{}, svcFilter).
 		Watches(&appsv1.StatefulSet{}, svcChildFilter).
 		Watches(&corev1.Secret{}, svcChildFilter).
+		Watches(&tsapi.ProxyClass{}, proxyClassFilterForSvc).
 		Complete(&ServiceReconciler{
 			ssr:                   ssr,
 			Client:                mgr.GetClient(),
@@ -256,15 +266,21 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 			recorder:              eventRecorder,
 		})
 	if err != nil {
-		startlog.Fatalf("could not create controller: %v", err)
+		startlog.Fatalf("could not create service reconciler: %v", err)
 	}
 	ingressChildFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("ingress"))
+	// If a ProxyClassChanges, enqueue all Ingresses labeled with that
+	// ProxyClass's name.
+	proxyClassFilterForIngress := handler.EnqueueRequestsFromMapFunc(proxyClassHandlerForIngress(mgr.GetClient(), startlog))
+	// Enque Ingress if a managed Service or backend Service associated with a tailscale Ingress changes.
+	svcHandlerForIngress := handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngress(mgr.GetClient(), startlog))
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&networkingv1.Ingress{}).
 		Watches(&appsv1.StatefulSet{}, ingressChildFilter).
 		Watches(&corev1.Secret{}, ingressChildFilter).
-		Watches(&corev1.Service{}, ingressChildFilter).
+		Watches(&corev1.Service{}, svcHandlerForIngress).
+		Watches(&tsapi.ProxyClass{}, proxyClassFilterForIngress).
 		Complete(&IngressReconciler{
 			ssr:      ssr,
 			recorder: eventRecorder,
@@ -272,14 +288,18 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 			logger:   zlog.Named("ingress-reconciler"),
 		})
 	if err != nil {
-		startlog.Fatalf("could not create controller: %v", err)
+		startlog.Fatalf("could not create ingress reconciler: %v", err)
 	}

 	connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("connector"))
+	// If a ProxyClassChanges, enqueue all Connectors that have
+	// .spec.proxyClass set to the name of this ProxyClass.
+	proxyClassFilterForConnector := handler.EnqueueRequestsFromMapFunc(proxyClassHandlerForConnector(mgr.GetClient(), startlog))
 	err = builder.ControllerManagedBy(mgr).
 		For(&tsapi.Connector{}).
 		Watches(&appsv1.StatefulSet{}, connectorFilter).
 		Watches(&corev1.Secret{}, connectorFilter).
+		Watches(&tsapi.ProxyClass{}, proxyClassFilterForConnector).
 		Complete(&ConnectorReconciler{
 			ssr:      ssr,
 			recorder: eventRecorder,
@@ -290,6 +310,17 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 	if err != nil {
 		startlog.Fatal("could not create connector reconciler: %v", err)
 	}
+	err = builder.ControllerManagedBy(mgr).
+		For(&tsapi.ProxyClass{}).
+		Complete(&ProxyClassReconciler{
+			Client:   mgr.GetClient(),
+			recorder: eventRecorder,
+			logger:   zlog.Named("proxyclass-reconciler"),
+			clock:    tstime.DefaultClock{},
+		})
+	if err != nil {
+		startlog.Fatal("could not create proxyclass reconciler: %v", err)
+	}
 	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		startlog.Fatalf("could not start manager: %v", err)
@@ -318,6 +349,7 @@ func parentFromObjectLabels(o client.Object) types.NamespacedName {
 		Name:      ls[LabelParentName],
 	}
 }
+
 func managedResourceHandlerForType(typ string) handler.MapFunc {
 	return func(_ context.Context, o client.Object) []reconcile.Request {
 		if !isManagedByType(o, typ) {
@@ -327,14 +359,115 @@ func managedResourceHandlerForType(typ string) handler.MapFunc {
 			{NamespacedName: parentFromObjectLabels(o)},
 		}
 	}
+}

+// proxyClassHandlerForSvc returns a handler that, for a given ProxyClass,
+// returns a list of reconcile requests for all Services labeled with
+// tailscale.com/proxy-class: <proxy class name>.
+func proxyClassHandlerForSvc(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		svcList := new(corev1.ServiceList)
+		labels := map[string]string{
+			LabelProxyClass: o.GetName(),
+		}
+		if err := cl.List(ctx, svcList, client.MatchingLabels(labels)); err != nil {
+			logger.Debugf("error listing Services for ProxyClass: %v", err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, svc := range svcList.Items {
+			reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&svc)})
+		}
+		return reqs
+	}
+}
+
+// proxyClassHandlerForIngress returns a handler that, for a given ProxyClass,
+// returns a list of reconcile requests for all Ingresses labeled with
+// tailscale.com/proxy-class: <proxy class name>.
+func proxyClassHandlerForIngress(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		ingList := new(networkingv1.IngressList)
+		labels := map[string]string{
+			LabelProxyClass: o.GetName(),
+		}
+		if err := cl.List(ctx, ingList, client.MatchingLabels(labels)); err != nil {
+			logger.Debugf("error listing Ingresses for ProxyClass: %v", err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, ing := range ingList.Items {
+			reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+		}
+		return reqs
+	}
+}
+
+// proxyClassHandlerForConnector returns a handler that, for a given ProxyClass,
+// returns a list of reconcile requests for all Connectors that have
+// .spec.proxyClass set.
+func proxyClassHandlerForConnector(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		connList := new(tsapi.ConnectorList)
+		if err := cl.List(ctx, connList); err != nil {
+			logger.Debugf("error listing Connectors for ProxyClass: %v", err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		proxyClassName := o.GetName()
+		for _, conn := range connList.Items {
+			if conn.Spec.ProxyClass == proxyClassName {
+				reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&conn)})
+			}
+		}
+		return reqs
+	}
+}
+
+// serviceHandlerForIngress returns a handler for Service events for ingress
+// reconciler that ensures that if the Service associated with an event is of
+// interest to the reconciler, the associated Ingress(es) gets be reconciled.
+// The Services of interest are backend Services for tailscale Ingress and
+// managed Services for an StatefulSet for a proxy configured for tailscale
+// Ingress
+func serviceHandlerForIngress(cl client.Client, logger *zap.SugaredLogger) handler.MapFunc {
+	return func(ctx context.Context, o client.Object) []reconcile.Request {
+		if isManagedByType(o, "ingress") {
+			ingName := parentFromObjectLabels(o)
+			return []reconcile.Request{{NamespacedName: ingName}}
+		}
+		ingList := networkingv1.IngressList{}
+		if err := cl.List(ctx, &ingList, client.InNamespace(o.GetNamespace())); err != nil {
+			logger.Debugf("error listing Ingresses: %v", err)
+			return nil
+		}
+		reqs := make([]reconcile.Request, 0)
+		for _, ing := range ingList.Items {
+			if ing.Spec.IngressClassName == nil || *ing.Spec.IngressClassName != tailscaleIngressClassName {
+				return nil
+			}
+			if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil && ing.Spec.DefaultBackend.Service.Name == o.GetName() {
+				reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+			}
+			for _, rule := range ing.Spec.Rules {
+				if rule.HTTP == nil {
+					continue
+				}
+				for _, path := range rule.HTTP.Paths {
+					if path.Backend.Service != nil && path.Backend.Service.Name == o.GetName() {
+						reqs = append(reqs, reconcile.Request{NamespacedName: client.ObjectKeyFromObject(&ing)})
+					}
+				}
+			}
+		}
+		return reqs
+	}
 }

 func serviceHandler(_ context.Context, o client.Object) []reconcile.Request {
 	if isManagedByType(o, "svc") {
 		// If this is a Service managed by a Service we want to enqueue its parent
 		return []reconcile.Request{{NamespacedName: parentFromObjectLabels(o)}}
-
 	}
 	if isManagedResource(o) {
 		// If this is a Servce managed by a resource that is not a Service, we leave it alone
@@ -349,7 +482,6 @@ func serviceHandler(_ context.Context, o client.Object) []reconcile.Request {
 			},
 		},
 	}
-
 }

 // isMagicDNSName reports whether name is a full tailnet node FQDN (with or
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -6,16 +6,22 @@
 package main

 import (
+	"context"
 	"fmt"
 	"testing"

+	"github.com/google/go-cmp/cmp"
 	"go.uber.org/zap"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/types/ptr"
+	"tailscale.com/util/mak"
 )

 func TestLoadBalancerClass(t *testing.T) {
@@ -67,9 +73,9 @@ func TestLoadBalancerClass(t *testing.T) {
 		clusterTargetIP: "10.20.30.40",
 	}

-	expectEqual(t, fc, expectedSecret(t, opts))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedSecret(t, opts), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -112,7 +118,7 @@ func TestLoadBalancerClass(t *testing.T) {
 			},
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)

 	// Turn the service back into a ClusterIP service, which should make the
 	// operator clean up.
@@ -151,7 +157,7 @@ func TestLoadBalancerClass(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)
 }

 func TestTailnetTargetFQDNAnnotation(t *testing.T) {
@@ -208,9 +214,9 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 		hostname:          "default-test",
 	}

-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSecret(t, o), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -231,10 +237,10 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 			Selector:     nil,
 		},
 	}
-	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, expectedSecret(t, o), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)

 	// Change the tailscale-target-fqdn annotation which should update the
 	// StatefulSet
@@ -318,9 +324,9 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 		hostname:        "default-test",
 	}

-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSecret(t, o), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -341,10 +347,10 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 			Selector:     nil,
 		},
 	}
-	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, want, nil)
+	expectEqual(t, fc, expectedSecret(t, o), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)

 	// Change the tailscale-target-ip annotation which should update the
 	// StatefulSet
@@ -425,9 +431,9 @@ func TestAnnotations(t *testing.T) {
 		clusterTargetIP: "10.20.30.40",
 	}

-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSecret(t, o), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -447,7 +453,7 @@ func TestAnnotations(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)

 	// Turn the service back into a ClusterIP service, which should make the
 	// operator clean up.
@@ -479,7 +485,7 @@ func TestAnnotations(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)
 }

 func TestAnnotationIntoLB(t *testing.T) {
@@ -533,9 +539,9 @@ func TestAnnotationIntoLB(t *testing.T) {
 		clusterTargetIP: "10.20.30.40",
 	}

-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSecret(t, o), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@@ -568,7 +574,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)

 	// Remove Tailscale's annotation, and at the same time convert the service
 	// into a tailscale LoadBalancer.
@@ -579,8 +585,8 @@ func TestAnnotationIntoLB(t *testing.T) {
 	})
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	// ... but the service should have a LoadBalancer status.

 	want = &corev1.Service{
@@ -612,7 +618,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 			},
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)
 }

 func TestLBIntoAnnotation(t *testing.T) {
@@ -664,9 +670,9 @@ func TestLBIntoAnnotation(t *testing.T) {
 		clusterTargetIP: "10.20.30.40",
 	}

-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSecret(t, o), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -709,7 +715,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 			},
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)

 	// Turn the service back into a ClusterIP service, but also add the
 	// tailscale annotation.
@@ -728,8 +734,8 @@ func TestLBIntoAnnotation(t *testing.T) {
 	})
 	expectReconciled(t, sr, "default", "test")

-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)

 	want = &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -750,7 +756,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)
 }

 func TestCustomHostname(t *testing.T) {
@@ -805,9 +811,9 @@ func TestCustomHostname(t *testing.T) {
 		clusterTargetIP: "10.20.30.40",
 	}

-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSecret(t, o), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -828,7 +834,7 @@ func TestCustomHostname(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)

 	// Turn the service back into a ClusterIP service, which should make the
 	// operator clean up.
@@ -863,7 +869,7 @@ func TestCustomHostname(t *testing.T) {
 			Type:      corev1.ServiceTypeClusterIP,
 		},
 	}
-	expectEqual(t, fc, want)
+	expectEqual(t, fc, want, nil)
 }

 func TestCustomPriorityClassName(t *testing.T) {
@@ -920,7 +926,104 @@ func TestCustomPriorityClassName(t *testing.T) {
 		clusterTargetIP:   "10.20.30.40",
 	}

-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+}
+
+func TestProxyClassForService(t *testing.T) {
+	// Setup
+	pc := &tsapi.ProxyClass{
+		ObjectMeta: metav1.ObjectMeta{Name: "custom-metadata"},
+		Spec: tsapi.ProxyClassSpec{StatefulSet: &tsapi.StatefulSet{
+			Labels:      map[string]string{"foo": "bar"},
+			Annotations: map[string]string{"bar.io/foo": "some-val"},
+			Pod:         &tsapi.Pod{Annotations: map[string]string{"foo.io/bar": "some-val"}}}},
+	}
+	fc := fake.NewClientBuilder().
+		WithScheme(tsapi.GlobalScheme).
+		WithObjects(pc).
+		WithStatusSubresource(pc).
+		Build()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client: fc,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		logger: zl.Sugar(),
+	}
+
+	// 1. A new tailscale LoadBalancer Service is created without any
+	// ProxyClass. Resources get created for it as usual.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP:         "10.20.30.40",
+			Type:              corev1.ServiceTypeLoadBalancer,
+			LoadBalancerClass: ptr.To("tailscale"),
+		},
+	})
+	expectReconciled(t, sr, "default", "test")
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	opts := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
+	}
+	expectEqual(t, fc, expectedSecret(t, opts), nil)
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+
+	// 2. The Service gets updated with tailscale.com/proxy-class label
+	// pointing at the 'custom-metadata' ProxyClass. The ProxyClass is not
+	// yet ready, so no changes are actually applied to the proxy resources.
+	mustUpdate(t, fc, "default", "test", func(svc *corev1.Service) {
+		mak.Set(&svc.Labels, LabelProxyClass, "custom-metadata")
+	})
+	expectReconciled(t, sr, "default", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+
+	// 3. ProxyClass is set to Ready, the Service gets reconciled by the
+	// services-reconciler and the customization from the ProxyClass is
+	// applied to the proxy resources.
+	mustUpdateStatus(t, fc, "", "custom-metadata", func(pc *tsapi.ProxyClass) {
+		pc.Status = tsapi.ProxyClassStatus{
+			Conditions: []tsapi.ConnectorCondition{{
+				Status:             metav1.ConditionTrue,
+				Type:               tsapi.ProxyClassready,
+				ObservedGeneration: pc.Generation,
+			}}}
+	})
+	opts.proxyClass = pc.Name
+	expectReconciled(t, sr, "default", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+
+	// 4. tailscale.com/proxy-class label is removed from the Service, the
+	// configuration from the ProxyClass is removed from the cluster
+	// resources.
+	mustUpdate(t, fc, "default", "test", func(svc *corev1.Service) {
+		delete(svc.Labels, LabelProxyClass)
+	})
+	opts.proxyClass = ""
+	expectReconciled(t, sr, "default", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
 }

 func TestDefaultLoadBalancer(t *testing.T) {
@@ -964,7 +1067,7 @@ func TestDefaultLoadBalancer(t *testing.T) {

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")

-	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
 	o := configOpts{
 		stsName:         shortName,
 		secretName:      fullName,
@@ -973,7 +1076,8 @@ func TestDefaultLoadBalancer(t *testing.T) {
 		hostname:        "default-test",
 		clusterTargetIP: "10.20.30.40",
 	}
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+
 }

 func TestProxyFirewallMode(t *testing.T) {
@@ -1026,8 +1130,69 @@ func TestProxyFirewallMode(t *testing.T) {
 		firewallMode:    "nftables",
 		clusterTargetIP: "10.20.30.40",
 	}
-	expectEqual(t, fc, expectedSTS(o))
+	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
+}

+func TestTailscaledConfigfileHash(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client: fc,
+		ssr: &tailscaleSTSReconciler{
+			Client:            fc,
+			tsClient:          ft,
+			defaultTags:       []string{"tag:k8s"},
+			operatorNamespace: "operator-ns",
+			proxyImage:        "tailscale/tailscale",
+		},
+		logger:                zl.Sugar(),
+		isDefaultLoadBalancer: true,
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeLoadBalancer,
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
+	o := configOpts{
+		stsName:         shortName,
+		secretName:      fullName,
+		namespace:       "default",
+		parentType:      "svc",
+		hostname:        "default-test",
+		clusterTargetIP: "10.20.30.40",
+		confFileHash:    "705e5ffd0bd5326237efdf542c850a65a54101284d5daa30775420fcc64d89c1",
+	}
+	expectEqual(t, fc, expectedSTS(t, fc, o), nil)
+
+	// 2. Hostname gets changed, configfile is updated and a new hash value
+	// is produced.
+	mustUpdate(t, fc, "default", "test", func(svc *corev1.Service) {
+		mak.Set(&svc.Annotations, AnnotationHostname, "another-test")
+	})
+	o.hostname = "another-test"
+	o.confFileHash = "1a087f887825d2b75d3673c7c2b0131f8ec1f0b1cb761d33e236dd28350dfe23"
+	expectReconciled(t, sr, "default", "test")
+	expectEqual(t, fc, expectedSTS(t, fc, o), nil)
 }

 func Test_isMagicDNSName(t *testing.T) {
@@ -1056,3 +1221,134 @@ func Test_isMagicDNSName(t *testing.T) {
 		})
 	}
 }
+
+func Test_serviceHandlerForIngress(t *testing.T) {
+	fc := fake.NewFakeClient()
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// 1. An event on a headless Service for a tailscale Ingress results in
+	// the Ingress being reconciled.
+	mustCreate(t, fc, &networkingv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "ing-1",
+			Namespace: "ns-1",
+		},
+		Spec: networkingv1.IngressSpec{IngressClassName: ptr.To(tailscaleIngressClassName)},
+	})
+	svc1 := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "headless-1",
+			Namespace: "tailscale",
+			Labels: map[string]string{
+				LabelManaged:         "true",
+				LabelParentName:      "ing-1",
+				LabelParentNamespace: "ns-1",
+				LabelParentType:      "ingress",
+			},
+		},
+	}
+	mustCreate(t, fc, svc1)
+	wantReqs := []reconcile.Request{{NamespacedName: types.NamespacedName{Namespace: "ns-1", Name: "ing-1"}}}
+	gotReqs := serviceHandlerForIngress(fc, zl.Sugar())(context.Background(), svc1)
+	if diff := cmp.Diff(gotReqs, wantReqs); diff != "" {
+		t.Fatalf("unexpected reconcile requests (-got +want):\n%s", diff)
+	}
+
+	// 2. An event on a Service that is the default backend for a tailscale
+	// Ingress results in the Ingress being reconciled.
+	mustCreate(t, fc, &networkingv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "ing-2",
+			Namespace: "ns-2",
+		},
+		Spec: networkingv1.IngressSpec{
+			DefaultBackend: &networkingv1.IngressBackend{
+				Service: &networkingv1.IngressServiceBackend{Name: "def-backend"},
+			},
+			IngressClassName: ptr.To(tailscaleIngressClassName),
+		},
+	})
+	backendSvc := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "def-backend",
+			Namespace: "ns-2",
+		},
+	}
+	mustCreate(t, fc, backendSvc)
+	wantReqs = []reconcile.Request{{NamespacedName: types.NamespacedName{Namespace: "ns-2", Name: "ing-2"}}}
+	gotReqs = serviceHandlerForIngress(fc, zl.Sugar())(context.Background(), backendSvc)
+	if diff := cmp.Diff(gotReqs, wantReqs); diff != "" {
+		t.Fatalf("unexpected reconcile requests (-got +want):\n%s", diff)
+	}
+
+	// 3. An event on a Service that is one of the non-default backends for
+	// a tailscale Ingress results in the Ingress being reconciled.
+	mustCreate(t, fc, &networkingv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "ing-3",
+			Namespace: "ns-3",
+		},
+		Spec: networkingv1.IngressSpec{
+			IngressClassName: ptr.To(tailscaleIngressClassName),
+			Rules: []networkingv1.IngressRule{{IngressRuleValue: networkingv1.IngressRuleValue{HTTP: &networkingv1.HTTPIngressRuleValue{
+				Paths: []networkingv1.HTTPIngressPath{
+					{Backend: networkingv1.IngressBackend{Service: &networkingv1.IngressServiceBackend{Name: "backend"}}}},
+			}}}},
+		},
+	})
+	backendSvc2 := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "backend",
+			Namespace: "ns-3",
+		},
+	}
+	mustCreate(t, fc, backendSvc2)
+	wantReqs = []reconcile.Request{{NamespacedName: types.NamespacedName{Namespace: "ns-3", Name: "ing-3"}}}
+	gotReqs = serviceHandlerForIngress(fc, zl.Sugar())(context.Background(), backendSvc2)
+	if diff := cmp.Diff(gotReqs, wantReqs); diff != "" {
+		t.Fatalf("unexpected reconcile requests (-got +want):\n%s", diff)
+	}
+
+	// 4. An event on a Service that is a backend for an Ingress that is not
+	// tailscale Ingress does not result in an Ingress reconcile.
+	mustCreate(t, fc, &networkingv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "ing-4",
+			Namespace: "ns-4",
+		},
+		Spec: networkingv1.IngressSpec{
+			Rules: []networkingv1.IngressRule{{IngressRuleValue: networkingv1.IngressRuleValue{HTTP: &networkingv1.HTTPIngressRuleValue{
+				Paths: []networkingv1.HTTPIngressPath{
+					{Backend: networkingv1.IngressBackend{Service: &networkingv1.IngressServiceBackend{Name: "non-ts-backend"}}}},
+			}}}},
+		},
+	})
+	nonTSBackend := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "non-ts-backend",
+			Namespace: "ns-4",
+		},
+	}
+	mustCreate(t, fc, nonTSBackend)
+	gotReqs = serviceHandlerForIngress(fc, zl.Sugar())(context.Background(), nonTSBackend)
+	if len(gotReqs) > 0 {
+		t.Errorf("unexpected reconcile request for a Service that does not belong to a Tailscale Ingress: %#+v\n", gotReqs)
+	}
+
+	// 5. An event on a Service not related to any Ingress does not result
+	// in an Ingress reconcile.
+	someSvc := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "some-svc",
+			Namespace: "ns-4",
+		},
+	}
+	mustCreate(t, fc, someSvc)
+	gotReqs = serviceHandlerForIngress(fc, zl.Sugar())(context.Background(), someSvc)
+	if len(gotReqs) > 0 {
+		t.Errorf("unexpected reconcile request for a Service that does not belong to any Ingress: %#+v\n", gotReqs)
+	}
+}
--- a/cmd/k8s-operator/proxy.go
+++ b/cmd/k8s-operator/proxy.go
@@ -6,7 +6,6 @@
 package main

 import (
-	"context"
 	"crypto/tls"
 	"fmt"
 	"log"
@@ -24,22 +23,11 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/ctxkey"
 	"tailscale.com/util/set"
 )

-type whoIsKey struct{}
-
-// whoIsFromRequest returns the WhoIsResponse previously stashed by a call to
-// addWhoIsToRequest.
-func whoIsFromRequest(r *http.Request) *apitype.WhoIsResponse {
-	return r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
-}
-
-// addWhoIsToRequest stashes who in r's context, retrievable by a call to
-// whoIsFromRequest.
-func addWhoIsToRequest(r *http.Request, who *apitype.WhoIsResponse) *http.Request {
-	return r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
-}
+var whoIsKey = ctxkey.New("", (*apitype.WhoIsResponse)(nil))

 var counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")

@@ -127,7 +115,7 @@ func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	counterNumRequestsProxied.Add(1)
-	h.rp.ServeHTTP(w, addWhoIsToRequest(r, who))
+	h.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
 }

 // runAPIServerProxy runs an HTTP server that authenticates requests using the
@@ -240,7 +228,7 @@ type impersonateRule struct {
 // in the context by the apiserverProxy.
 func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
 	log = log.With("remote", r.RemoteAddr)
-	who := whoIsFromRequest(r)
+	who := whoIsKey.Value(r.Context())
 	rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, capabilityName)
 	if len(rules) == 0 && err == nil {
 		// Try the old capability name for backwards compatibility.
--- a/cmd/k8s-operator/proxy_test.go
+++ b/cmd/k8s-operator/proxy_test.go
@@ -95,7 +95,7 @@ func TestImpersonationHeaders(t *testing.T) {

 	for _, tc := range tests {
 		r := must.Get(http.NewRequest("GET", "https://op.ts.net/api/foo", nil))
-		r = addWhoIsToRequest(r, &apitype.WhoIsResponse{
+		r = r.WithContext(whoIsKey.WithValue(r.Context(), &apitype.WhoIsResponse{
 			Node: &tailcfg.Node{
 				Name: "node.ts.net",
 				Tags: tc.tags,
@@ -104,7 +104,7 @@ func TestImpersonationHeaders(t *testing.T) {
 				LoginName: tc.emailish,
 			},
 			CapMap: tc.capMap,
-		})
+		}))
 		addImpersonationHeaders(r, zl.Sugar())

 		if d := cmp.Diff(tc.wantHeaders, r.Header); d != "" {
--- a/cmd/k8s-operator/proxyclass.go
+++ b/cmd/k8s-operator/proxyclass.go
@@ -0,0 +1,108 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+// tailscale-operator provides a way to expose services running in a Kubernetes
+// cluster to your Tailnet.
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	apivalidation "k8s.io/apimachinery/pkg/api/validation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metavalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	tsoperator "tailscale.com/k8s-operator"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/tstime"
+)
+
+const (
+	reasonProxyClassInvalid  = "ProxyClassInvalid"
+	reasonProxyClassValid    = "ProxyClassValid"
+	messageProxyClassInvalid = "ProxyClass is not valid: %v"
+)
+
+type ProxyClassReconciler struct {
+	client.Client
+
+	recorder record.EventRecorder
+	logger   *zap.SugaredLogger
+	clock    tstime.Clock
+}
+
+func (pcr *ProxyClassReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
+	logger := pcr.logger.With("ProxyClass", req.Name)
+	logger.Debugf("starting reconcile")
+	defer logger.Debugf("reconcile finished")
+
+	pc := new(tsapi.ProxyClass)
+	err = pcr.Get(ctx, req.NamespacedName, pc)
+	if apierrors.IsNotFound(err) {
+		logger.Debugf("ProxyClass not found, assuming it was deleted")
+		return reconcile.Result{}, nil
+	} else if err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to get tailscale.com ProxyClass: %w", err)
+	}
+	if !pc.DeletionTimestamp.IsZero() {
+		logger.Debugf("ProxyClass is being deleted, do nothing")
+		return reconcile.Result{}, nil
+	}
+	oldPCStatus := pc.Status.DeepCopy()
+	if errs := pcr.validate(pc); errs != nil {
+		msg := fmt.Sprintf(messageProxyClassInvalid, errs.ToAggregate().Error())
+		pcr.recorder.Event(pc, corev1.EventTypeWarning, reasonProxyClassInvalid, msg)
+		tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, pc.Generation, pcr.clock, logger)
+	} else {
+		tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionTrue, reasonProxyClassValid, reasonProxyClassValid, pc.Generation, pcr.clock, logger)
+	}
+	if !apiequality.Semantic.DeepEqual(oldPCStatus, pc.Status) {
+		if err := pcr.Client.Status().Update(ctx, pc); err != nil {
+			logger.Errorf("error updating ProxyClass status: %v", err)
+			return reconcile.Result{}, err
+		}
+	}
+	return reconcile.Result{}, nil
+}
+
+func (a *ProxyClassReconciler) validate(pc *tsapi.ProxyClass) (violations field.ErrorList) {
+	if sts := pc.Spec.StatefulSet; sts != nil {
+		if len(sts.Labels) > 0 {
+			if errs := metavalidation.ValidateLabels(sts.Labels, field.NewPath(".spec.statefulSet.labels")); errs != nil {
+				violations = append(violations, errs...)
+			}
+		}
+		if len(sts.Annotations) > 0 {
+			if errs := apivalidation.ValidateAnnotations(sts.Annotations, field.NewPath(".spec.statefulSet.annotations")); errs != nil {
+				violations = append(violations, errs...)
+			}
+		}
+		if pod := sts.Pod; pod != nil {
+			if len(pod.Labels) > 0 {
+				if errs := metavalidation.ValidateLabels(pod.Labels, field.NewPath(".spec.statefulSet.pod.labels")); errs != nil {
+					violations = append(violations, errs...)
+				}
+			}
+			if len(pod.Annotations) > 0 {
+				if errs := apivalidation.ValidateAnnotations(pod.Annotations, field.NewPath(".spec.statefulSet.pod.annotations")); errs != nil {
+					violations = append(violations, errs...)
+				}
+			}
+		}
+	}
+	// We do not validate embedded fields (security context, resource
+	// requirements etc) as we inherit upstream validation for those fields.
+	// Invalid values would get rejected by upstream validations at apply
+	// time.
+	return violations
+}
--- a/cmd/k8s-operator/proxyclass_test.go
+++ b/cmd/k8s-operator/proxyclass_test.go
@@ -0,0 +1,83 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9
+
+// tailscale-operator provides a way to expose services running in a Kubernetes
+// cluster to your Tailnet.
+package main
+
+import (
+	"testing"
+	"time"
+
+	"go.uber.org/zap"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	tsoperator "tailscale.com/k8s-operator"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/tstest"
+)
+
+func TestProxyClass(t *testing.T) {
+	pc := &tsapi.ProxyClass{
+		TypeMeta: metav1.TypeMeta{Kind: "ProxyClass", APIVersion: "tailscale.com/v1alpha1"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+		},
+		Spec: tsapi.ProxyClassSpec{
+			StatefulSet: &tsapi.StatefulSet{
+				Labels:      map[string]string{"foo": "bar", "xyz1234": "abc567"},
+				Annotations: map[string]string{"foo.io/bar": "{'key': 'val1232'}"},
+				Pod: &tsapi.Pod{
+					Labels:      map[string]string{"foo": "bar", "xyz1234": "abc567"},
+					Annotations: map[string]string{"foo.io/bar": "{'key': 'val1232'}"},
+				},
+			},
+		},
+	}
+	fc := fake.NewClientBuilder().
+		WithScheme(tsapi.GlobalScheme).
+		WithObjects(pc).
+		WithStatusSubresource(pc).
+		Build()
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	cl := tstest.NewClock(tstest.ClockOpts{})
+	pcr := &ProxyClassReconciler{
+		Client:   fc,
+		logger:   zl.Sugar(),
+		clock:    cl,
+		recorder: record.NewFakeRecorder(1),
+	}
+	expectReconciled(t, pcr, "", "test")
+
+	// 1. A valid ProxyClass resource gets its status updated to Ready.
+	pc.Status.Conditions = append(pc.Status.Conditions, tsapi.ConnectorCondition{
+		Type:               tsapi.ProxyClassready,
+		Status:             metav1.ConditionTrue,
+		Reason:             reasonProxyClassValid,
+		Message:            reasonProxyClassValid,
+		LastTransitionTime: &metav1.Time{Time: cl.Now().Truncate(time.Second)},
+	})
+
+	expectEqual(t, fc, pc, nil)
+
+	// 2. An invalid ProxyClass resource gets its status updated to Invalid.
+	pc.Spec.StatefulSet.Labels["foo"] = "?!someVal"
+	mustUpdate(t, fc, "", "test", func(proxyClass *tsapi.ProxyClass) {
+		proxyClass.Spec.StatefulSet.Labels = pc.Spec.StatefulSet.Labels
+	})
+	expectReconciled(t, pcr, "", "test")
+	msg := `ProxyClass is not valid: .spec.statefulSet.labels: Invalid value: "?!someVal": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')`
+	tsoperator.SetProxyClassCondition(pc, tsapi.ProxyClassready, metav1.ConditionFalse, reasonProxyClassInvalid, msg, 0, cl, zl.Sugar())
+	expectEqual(t, fc, pc, nil)
+}
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -14,6 +14,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"slices"
 	"strings"

 	"go.uber.org/zap"
@@ -22,25 +23,37 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/storage/names"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
+	tsoperator "tailscale.com/k8s-operator"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tsnet"
 	"tailscale.com/types/opt"
+	"tailscale.com/types/ptr"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
 )

 const (
+	// Labels that the operator sets on StatefulSets and Pods. If you add a
+	// new label here, do also add it to tailscaleManagedLabels var to
+	// ensure that it does not get overwritten by ProxyClass configuration.
 	LabelManaged         = "tailscale.com/managed"
 	LabelParentType      = "tailscale.com/parent-resource-type"
 	LabelParentName      = "tailscale.com/parent-resource"
 	LabelParentNamespace = "tailscale.com/parent-resource-ns"

+	// LabelProxyClass can be set by users on Connectors, tailscale
+	// Ingresses and Services that define cluster ingress or cluster egress,
+	// to specify that configuration in this ProxyClass should be applied to
+	// resources created for the Connector, Ingress or Service.
+	LabelProxyClass = "tailscale.com/proxy-class"
+
 	FinalizerName = "tailscale.com/finalizer"

 	// Annotations settable by users on services.
@@ -55,10 +68,25 @@ const (
 	// Annotations settable by users on ingresses.
 	AnnotationFunnel = "tailscale.com/funnel"

+	// If set to true, set up iptables/nftables rules in the proxy forward
+	// cluster traffic to the tailnet IP of that proxy. This can only be set
+	// on an Ingress. This is useful in cases where a cluster target needs
+	// to be able to reach a cluster workload exposed to tailnet via Ingress
+	// using the same hostname as a tailnet workload (in this case, the
+	// MagicDNS name of the ingress proxy). This annotation is experimental.
+	// If it is set to true, the proxy set up for Ingress, will run
+	// tailscale in non-userspace, with NET_ADMIN cap for tailscale
+	// container and will also run a privileged init container that enables
+	// forwarding.
+	// Eventually this behaviour might become the default.
+	AnnotationExperimentalForwardClusterTrafficViaL7IngresProxy = "tailscale.com/experimental-forward-cluster-traffic-via-ingress"
+
 	// Annotations set by the operator on pods to trigger restarts when the
-	// hostname, IP, FQDN or tailscaled config changes.
+	// hostname, IP, FQDN or tailscaled config changes. If you add a new
+	// annotation here, also add it to tailscaleManagedAnnotations var to
+	// ensure that it does not get removed when a ProxyClass configuration
+	// is applied.
 	podAnnotationLastSetClusterIP         = "tailscale.com/operator-last-set-cluster-ip"
-	podAnnotationLastSetHostname          = "tailscale.com/operator-last-set-hostname"
 	podAnnotationLastSetTailnetTargetIP   = "tailscale.com/operator-last-set-ts-tailnet-target-ip"
 	podAnnotationLastSetTailnetTargetFQDN = "tailscale.com/operator-last-set-ts-tailnet-target-fqdn"
 	// podAnnotationLastSetConfigFileHash is sha256 hash of the current tailscaled configuration contents.
@@ -69,13 +97,23 @@ const (
 	tailscaledConfigKey = "tailscaled"
 )

+var (
+	// tailscaleManagedLabels are label keys that tailscale operator sets on StatefulSets and Pods.
+	tailscaleManagedLabels = []string{LabelManaged, LabelParentType, LabelParentName, LabelParentNamespace, "app"}
+	// tailscaleManagedAnnotations are annotation keys that tailscale operator sets on StatefulSets and Pods.
+	tailscaleManagedAnnotations = []string{podAnnotationLastSetClusterIP, podAnnotationLastSetTailnetTargetIP, podAnnotationLastSetTailnetTargetFQDN, podAnnotationLastSetConfigFileHash}
+)
+
 type tailscaleSTSConfig struct {
 	ParentResourceName  string
 	ParentResourceUID   string
 	ChildResourceLabels map[string]string

-	ServeConfig     *ipn.ServeConfig
-	ClusterTargetIP string // ingress target
+	ServeConfig     *ipn.ServeConfig // if serve config is set, this is a proxy for Ingress
+	ClusterTargetIP string           // ingress target
+	// If set to true, operator should configure containerboot to forward
+	// cluster traffic via the proxy set up for Kubernetes Ingress.
+	ForwardClusterTrafficViaL7IngressProxy bool

 	TailnetTargetIP string // egress target IP

@@ -87,6 +125,8 @@ type tailscaleSTSConfig struct {
 	// Connector specifies a configuration of a Connector instance if that's
 	// what this StatefulSet should be created for.
 	Connector *connector
+
+	ProxyClass string
 }

 type connector struct {
@@ -95,10 +135,13 @@ type connector struct {
 	// isExitNode defines whether this Connector should act as an exit node.
 	isExitNode bool
 }
+type tsnetServer interface {
+	CertDomains() []string
+}

 type tailscaleSTSReconciler struct {
 	client.Client
-	tsnetServer            *tsnet.Server
+	tsnetServer            tsnetServer
 	tsClient               tsClient
 	defaultTags            []string
 	operatorNamespace      string
@@ -222,10 +265,8 @@ func statefulSetNameBase(parent string) string {
 		if excess <= 0 {
 			return base
 		}
-		base = base[:len(base)-1-excess]   // cut off the excess chars
-		if !strings.HasSuffix(base, "-") { // dash may have been cut by the generator
-			base = base + "-"
-		}
+		base = base[:len(base)-1-excess] // cut off the excess chars
+		base = base + "-"                // re-instate the dash
 	}
 }

@@ -271,9 +312,9 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		authKey, hash string
 	)
 	if orig == nil {
-		// Secret doesn't exist yet, create one. Initially it contains
-		// only the Tailscale authkey, but once Tailscale starts it'll
-		// also store the daemon state.
+		// Initially it contains only tailscaled config, but when the
+		// proxy starts, it will also store there the state, certs and
+		// ACME account key.
 		sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, stsC.ChildResourceLabels)
 		if err != nil {
 			return "", "", err
@@ -296,17 +337,13 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 			return "", "", err
 		}
 	}
-	if !shouldDoTailscaledDeclarativeConfig(stsC) && authKey != "" {
-		mak.Set(&secret.StringData, "authkey", authKey)
-	}
-	if shouldDoTailscaledDeclarativeConfig(stsC) {
-		confFileBytes, h, err := tailscaledConfig(stsC, authKey, orig)
-		if err != nil {
-			return "", "", fmt.Errorf("error creating tailscaled config: %w", err)
-		}
-		hash = h
-		mak.Set(&secret.StringData, tailscaledConfigKey, string(confFileBytes))
+	confFileBytes, h, err := tailscaledConfig(stsC, authKey, orig)
+	if err != nil {
+		return "", "", fmt.Errorf("error creating tailscaled config: %w", err)
 	}
+	hash = h
+	mak.Set(&secret.StringData, tailscaledConfigKey, string(confFileBytes))
+
 	if stsC.ServeConfig != nil {
 		j, err := json.Marshal(stsC.ServeConfig)
 		if err != nil {
@@ -316,12 +353,12 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 	}

 	if orig != nil {
-		logger.Debugf("patching existing state Secret with values %s", secret.Data[tailscaledConfigKey])
+		logger.Debugf("patching the existing proxy Secret with tailscaled config %s", sanitizeConfigBytes(secret.Data[tailscaledConfigKey]))
 		if err := a.Patch(ctx, secret, client.MergeFrom(orig)); err != nil {
 			return "", "", err
 		}
 	} else {
-		logger.Debugf("creating new state Secret with authkey %s", secret.Data[tailscaledConfigKey])
+		logger.Debugf("creating a new Secret for the proxy with tailscaled config %s", sanitizeConfigBytes([]byte(secret.StringData[tailscaledConfigKey])))
 		if err := a.Create(ctx, secret); err != nil {
 			return "", "", err
 		}
@@ -329,6 +366,23 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 	return secret.Name, hash, nil
 }

+// sanitizeConfigBytes returns ipn.ConfigVAlpha in string form with redacted
+// auth key.
+func sanitizeConfigBytes(bs []byte) string {
+	c := &ipn.ConfigVAlpha{}
+	if err := json.Unmarshal(bs, c); err != nil {
+		return "invalid config"
+	}
+	if c.AuthKey != nil {
+		c.AuthKey = ptr.To("**redacted**")
+	}
+	sanitizedBytes, err := json.Marshal(c)
+	if err != nil {
+		return "invalid config"
+	}
+	return string(sanitizedBytes)
+}
+
 // DeviceInfo returns the device ID and hostname for the Tailscale device
 // associated with the given labels.
 func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map[string]string) (id tailcfg.StableNodeID, hostname string, ips []string, err error) {
@@ -382,10 +436,10 @@ var proxyYaml []byte
 var userspaceProxyYaml []byte

 func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, proxySecret, tsConfigHash string) (*appsv1.StatefulSet, error) {
-	var ss appsv1.StatefulSet
-	if sts.ServeConfig != nil {
+	ss := new(appsv1.StatefulSet)
+	if sts.ServeConfig != nil && sts.ForwardClusterTrafficViaL7IngressProxy != true { // If forwarding cluster traffic via is required we need non-userspace + NET_ADMIN + forwarding
 		if err := yaml.Unmarshal(userspaceProxyYaml, &ss); err != nil {
-			return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
+			return nil, fmt.Errorf("failed to unmarshal userspace proxy spec: %v", err)
 		}
 	} else {
 		if err := yaml.Unmarshal(proxyYaml, &ss); err != nil {
@@ -399,12 +453,25 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			}
 		}
 	}
-	container := &ss.Spec.Template.Spec.Containers[0]
+	pod := &ss.Spec.Template
+	container := &pod.Spec.Containers[0]
+	proxyClass := new(tsapi.ProxyClass)
+	if sts.ProxyClass != "" {
+		if err := a.Get(ctx, types.NamespacedName{Name: sts.ProxyClass}, proxyClass); err != nil {
+			return nil, fmt.Errorf("failed to get ProxyClass: %w", err)
+		}
+		if !tsoperator.ProxyClassIsReady(proxyClass) {
+			logger.Infof("ProxyClass %s specified for the proxy, but it is not (yet) in a ready state, waiting..")
+			return nil, nil
+		}
+	}
 	container.Image = a.proxyImage
 	ss.ObjectMeta = metav1.ObjectMeta{
 		Name:      headlessSvc.Name,
 		Namespace: a.operatorNamespace,
-		Labels:    sts.ChildResourceLabels,
+	}
+	for key, val := range sts.ChildResourceLabels {
+		mak.Set(&ss.ObjectMeta.Labels, key, val)
 	}
 	ss.Spec.ServiceName = headlessSvc.Name
 	ss.Spec.Selector = &metav1.LabelSelector{
@@ -412,7 +479,10 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			"app": sts.ParentResourceUID,
 		},
 	}
-	mak.Set(&ss.Spec.Template.Labels, "app", sts.ParentResourceUID)
+	mak.Set(&pod.Labels, "app", sts.ParentResourceUID)
+	for key, val := range sts.ChildResourceLabels {
+		pod.Labels[key] = val // sync StatefulSet labels to Pod to make it easier for users to select the Pod
+	}

 	// Generic containerboot configuration options.
 	container.Env = append(container.Env,
@@ -420,43 +490,36 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			Name:  "TS_KUBE_SECRET",
 			Value: proxySecret,
 		},
-	)
-	if !shouldDoTailscaledDeclarativeConfig(sts) {
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "TS_HOSTNAME",
-			Value: sts.Hostname,
-		})
-		// containerboot currently doesn't have a way to re-read the hostname/ip as
-		// it is passed via an environment variable. So we need to restart the
-		// container when the value changes. We do this by adding an annotation to
-		// the pod template that contains the last value we set.
-		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetHostname, sts.Hostname)
-	}
-	// Configure containeboot to run tailscaled with a configfile read from the state Secret.
-	if shouldDoTailscaledDeclarativeConfig(sts) {
-		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetConfigFileHash, tsConfigHash)
-		ss.Spec.Template.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
-			Name: "tailscaledconfig",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: proxySecret,
-					Items: []corev1.KeyToPath{{
-						Key:  tailscaledConfigKey,
-						Path: tailscaledConfigKey,
-					}},
-				},
-			},
-		})
-		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
-			Name:      "tailscaledconfig",
-			ReadOnly:  true,
-			MountPath: "/etc/tsconfig",
-		})
-		container.Env = append(container.Env, corev1.EnvVar{
+		corev1.EnvVar{
 			Name:  "EXPERIMENTAL_TS_CONFIGFILE_PATH",
 			Value: "/etc/tsconfig/tailscaled",
+		},
+	)
+	if sts.ForwardClusterTrafficViaL7IngressProxy {
+		container.Env = append(container.Env, corev1.EnvVar{
+			Name:  "EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS",
+			Value: "true",
 		})
 	}
+	// Configure containeboot to run tailscaled with a configfile read from the state Secret.
+	mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetConfigFileHash, tsConfigHash)
+	pod.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
+		Name: "tailscaledconfig",
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName: proxySecret,
+				Items: []corev1.KeyToPath{{
+					Key:  tailscaledConfigKey,
+					Path: tailscaledConfigKey,
+				}},
+			},
+		},
+	})
+	container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
+		Name:      "tailscaledconfig",
+		ReadOnly:  true,
+		MountPath: "/etc/tsconfig",
+	})

 	if a.tsFirewallMode != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
@@ -464,7 +527,7 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			Value: a.tsFirewallMode,
 		})
 	}
-	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
+	pod.Spec.PriorityClassName = a.proxyPriorityClassName

 	// Ingress/egress proxy configuration options.
 	if sts.ClusterTargetIP != "" {
@@ -495,7 +558,7 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			ReadOnly:  true,
 			MountPath: "/etc/tailscaled",
 		})
-		ss.Spec.Template.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
+		pod.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
 			Name: "serve-config",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
@@ -509,7 +572,95 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 		})
 	}
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
-	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
+	if sts.ProxyClass != "" {
+		logger.Debugf("configuring proxy resources with ProxyClass %s", sts.ProxyClass)
+		ss = applyProxyClassToStatefulSet(proxyClass, ss)
+	}
+	updateSS := func(s *appsv1.StatefulSet) {
+		s.Spec = ss.Spec
+		s.ObjectMeta.Labels = ss.Labels
+		s.ObjectMeta.Annotations = ss.Annotations
+	}
+	return createOrUpdate(ctx, a.Client, a.operatorNamespace, ss, updateSS)
+}
+
+// mergeStatefulSetLabelsOrAnnots returns a map that contains all keys/values
+// present in 'custom' map as well as those keys/values from the current map
+// whose keys are present in the 'managed' map. The reason why this merge is
+// necessary is to ensure that labels/annotations applied from a ProxyClass get removed
+// if they are removed from a ProxyClass or if the ProxyClass no longer applies
+// to this StatefulSet whilst any tailscale managed labels/annotations remain present.
+func mergeStatefulSetLabelsOrAnnots(current, custom map[string]string, managed []string) map[string]string {
+	if custom == nil {
+		custom = make(map[string]string)
+	}
+	if current == nil {
+		return custom
+	}
+	for key, val := range current {
+		if slices.Contains(managed, key) {
+			custom[key] = val
+		}
+	}
+	return custom
+}
+
+func applyProxyClassToStatefulSet(pc *tsapi.ProxyClass, ss *appsv1.StatefulSet) *appsv1.StatefulSet {
+	if pc == nil || ss == nil || pc.Spec.StatefulSet == nil {
+		return ss
+	}
+
+	// Update StatefulSet metadata.
+	if wantsSSLabels := pc.Spec.StatefulSet.Labels; len(wantsSSLabels) > 0 {
+		ss.ObjectMeta.Labels = mergeStatefulSetLabelsOrAnnots(ss.ObjectMeta.Labels, wantsSSLabels, tailscaleManagedLabels)
+	}
+	if wantsSSAnnots := pc.Spec.StatefulSet.Annotations; len(wantsSSAnnots) > 0 {
+		ss.ObjectMeta.Annotations = mergeStatefulSetLabelsOrAnnots(ss.ObjectMeta.Annotations, wantsSSAnnots, tailscaleManagedAnnotations)
+	}
+
+	// Update Pod fields.
+	if pc.Spec.StatefulSet.Pod == nil {
+		return ss
+	}
+	wantsPod := pc.Spec.StatefulSet.Pod
+	if wantsPodLabels := wantsPod.Labels; len(wantsPodLabels) > 0 {
+		ss.Spec.Template.ObjectMeta.Labels = mergeStatefulSetLabelsOrAnnots(ss.Spec.Template.ObjectMeta.Labels, wantsPodLabels, tailscaleManagedLabels)
+	}
+	if wantsPodAnnots := wantsPod.Annotations; len(wantsPodAnnots) > 0 {
+		ss.Spec.Template.ObjectMeta.Annotations = mergeStatefulSetLabelsOrAnnots(ss.Spec.Template.ObjectMeta.Annotations, wantsPodAnnots, tailscaleManagedAnnotations)
+	}
+	ss.Spec.Template.Spec.SecurityContext = wantsPod.SecurityContext
+	ss.Spec.Template.Spec.ImagePullSecrets = wantsPod.ImagePullSecrets
+	ss.Spec.Template.Spec.NodeName = wantsPod.NodeName
+	ss.Spec.Template.Spec.NodeSelector = wantsPod.NodeSelector
+	ss.Spec.Template.Spec.Tolerations = wantsPod.Tolerations
+
+	// Update containers.
+	updateContainer := func(overlay *tsapi.Container, base corev1.Container) corev1.Container {
+		if overlay == nil {
+			return base
+		}
+		if overlay.SecurityContext != nil {
+			base.SecurityContext = overlay.SecurityContext
+		}
+		base.Resources = overlay.Resources
+		return base
+	}
+	for i, c := range ss.Spec.Template.Spec.Containers {
+		if c.Name == "tailscale" {
+			ss.Spec.Template.Spec.Containers[i] = updateContainer(wantsPod.TailscaleContainer, ss.Spec.Template.Spec.Containers[i])
+			break
+		}
+	}
+	if initContainers := ss.Spec.Template.Spec.InitContainers; len(initContainers) > 0 {
+		for i, c := range initContainers {
+			if c.Name == "sysctler" {
+				ss.Spec.Template.Spec.InitContainers[i] = updateContainer(wantsPod.TailscaleInitContainer, initContainers[i])
+				break
+			}
+		}
+	}
+	return ss
 }

 // tailscaledConfig takes a proxy config, a newly generated auth key if
@@ -517,10 +668,11 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 // produces returns tailscaled configuration and a hash of that configuration.
 func tailscaledConfig(stsC *tailscaleSTSConfig, newAuthkey string, oldSecret *corev1.Secret) ([]byte, string, error) {
 	conf := ipn.ConfigVAlpha{
-		Version:   "alpha0",
-		AcceptDNS: "false",
-		Locked:    "false",
-		Hostname:  &stsC.Hostname,
+		Version:      "alpha0",
+		AcceptDNS:    "false",
+		AcceptRoutes: "false", // AcceptRoutes defaults to true
+		Locked:       "false",
+		Hostname:     &stsC.Hostname,
 	}
 	if stsC.Connector != nil {
 		routes, err := netutil.CalcAdvertiseRoutes(stsC.Connector.routes, stsC.Connector.isExitNode)
@@ -677,10 +829,3 @@ func nameForService(svc *corev1.Service) (string, error) {
 func isValidFirewallMode(m string) bool {
 	return m == "auto" || m == "nftables" || m == "iptables"
 }
-
-// shouldDoTailscaledDeclarativeConfig determines whether the proxy instance
-// should be configured to run tailscaled only with a all config opts passed to
-// tailscaled.
-func shouldDoTailscaledDeclarativeConfig(stsC *tailscaleSTSConfig) bool {
-	return stsC.Connector != nil
-}
--- a/cmd/k8s-operator/sts_test.go
+++ b/cmd/k8s-operator/sts_test.go
@@ -6,10 +6,20 @@
 package main

 import (
+	_ "embed"
 	"fmt"
+	"reflect"
 	"regexp"
 	"strings"
 	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"sigs.k8s.io/yaml"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/types/ptr"
 )

 // Test_statefulSetNameBase tests that parent name portion in a StatefulSet name
@@ -28,7 +38,7 @@ func Test_statefulSetNameBase(t *testing.T) {
 		if _, err := b.WriteString("a"); err != nil {
 			t.Fatalf("error writing to string builder: %v", err)
 		}
-		baseLength := len(b.String())
+		baseLength := b.Len()
 		if baseLength > 43 {
 			baseLength = 43 // currently 43 is the max base length
 		}
@@ -39,3 +49,245 @@ func Test_statefulSetNameBase(t *testing.T) {
 		}
 	}
 }
+
+func Test_applyProxyClassToStatefulSet(t *testing.T) {
+	// Setup
+	proxyClassAllOpts := &tsapi.ProxyClass{
+		Spec: tsapi.ProxyClassSpec{
+			StatefulSet: &tsapi.StatefulSet{
+				Labels:      map[string]string{"foo": "bar"},
+				Annotations: map[string]string{"foo.io/bar": "foo"},
+				Pod: &tsapi.Pod{
+					Labels:      map[string]string{"bar": "foo"},
+					Annotations: map[string]string{"bar.io/foo": "foo"},
+					SecurityContext: &corev1.PodSecurityContext{
+						RunAsUser: ptr.To(int64(0)),
+					},
+					ImagePullSecrets: []corev1.LocalObjectReference{{Name: "docker-creds"}},
+					NodeName:         "some-node",
+					NodeSelector:     map[string]string{"beta.kubernetes.io/os": "linux"},
+					Tolerations:      []corev1.Toleration{{Key: "", Operator: "Exists"}},
+					TailscaleContainer: &tsapi.Container{
+						SecurityContext: &corev1.SecurityContext{
+							Privileged: ptr.To(true),
+						},
+						Resources: corev1.ResourceRequirements{
+							Limits:   corev1.ResourceList{corev1.ResourceCPU: resource.MustParse("1000m"), corev1.ResourceMemory: resource.MustParse("128Mi")},
+							Requests: corev1.ResourceList{corev1.ResourceCPU: resource.MustParse("500m"), corev1.ResourceMemory: resource.MustParse("64Mi")},
+						},
+					},
+					TailscaleInitContainer: &tsapi.Container{
+						SecurityContext: &corev1.SecurityContext{
+							Privileged: ptr.To(true),
+							RunAsUser:  ptr.To(int64(0)),
+						},
+						Resources: corev1.ResourceRequirements{
+							Limits:   corev1.ResourceList{corev1.ResourceCPU: resource.MustParse("1000m"), corev1.ResourceMemory: resource.MustParse("128Mi")},
+							Requests: corev1.ResourceList{corev1.ResourceCPU: resource.MustParse("500m"), corev1.ResourceMemory: resource.MustParse("64Mi")},
+						},
+					},
+				},
+			},
+		},
+	}
+	proxyClassJustLabels := &tsapi.ProxyClass{
+		Spec: tsapi.ProxyClassSpec{
+			StatefulSet: &tsapi.StatefulSet{
+				Labels:      map[string]string{"foo": "bar"},
+				Annotations: map[string]string{"foo.io/bar": "foo"},
+				Pod: &tsapi.Pod{
+					Labels:      map[string]string{"bar": "foo"},
+					Annotations: map[string]string{"bar.io/foo": "foo"},
+				},
+			},
+		},
+	}
+	var userspaceProxySS, nonUserspaceProxySS appsv1.StatefulSet
+	if err := yaml.Unmarshal(userspaceProxyYaml, &userspaceProxySS); err != nil {
+		t.Fatalf("unmarshaling userspace proxy template: %v", err)
+	}
+	if err := yaml.Unmarshal(proxyYaml, &nonUserspaceProxySS); err != nil {
+		t.Fatalf("unmarshaling non-userspace proxy template: %v", err)
+	}
+	// Set a couple additional fields so we can test that we don't
+	// mistakenly override those.
+	labels := map[string]string{
+		LabelManaged:    "true",
+		LabelParentName: "foo",
+	}
+	annots := map[string]string{
+		podAnnotationLastSetClusterIP: "1.2.3.4",
+	}
+	env := []corev1.EnvVar{{Name: "TS_HOSTNAME", Value: "nginx"}}
+	userspaceProxySS.Labels = labels
+	userspaceProxySS.Annotations = annots
+	userspaceProxySS.Spec.Template.Spec.Containers[0].Env = env
+	nonUserspaceProxySS.ObjectMeta.Labels = labels
+	nonUserspaceProxySS.ObjectMeta.Annotations = annots
+	nonUserspaceProxySS.Spec.Template.Spec.Containers[0].Env = env
+
+	// 1. Test that a ProxyClass with all fields set gets correctly applied
+	// to a Statefulset built from non-userspace proxy template.
+	wantSS := nonUserspaceProxySS.DeepCopy()
+	wantSS.ObjectMeta.Labels = mergeMapKeys(wantSS.ObjectMeta.Labels, proxyClassAllOpts.Spec.StatefulSet.Labels)
+	wantSS.ObjectMeta.Annotations = mergeMapKeys(wantSS.ObjectMeta.Annotations, proxyClassAllOpts.Spec.StatefulSet.Annotations)
+	wantSS.Spec.Template.Labels = proxyClassAllOpts.Spec.StatefulSet.Pod.Labels
+	wantSS.Spec.Template.Annotations = proxyClassAllOpts.Spec.StatefulSet.Pod.Annotations
+	wantSS.Spec.Template.Spec.SecurityContext = proxyClassAllOpts.Spec.StatefulSet.Pod.SecurityContext
+	wantSS.Spec.Template.Spec.ImagePullSecrets = proxyClassAllOpts.Spec.StatefulSet.Pod.ImagePullSecrets
+	wantSS.Spec.Template.Spec.NodeName = proxyClassAllOpts.Spec.StatefulSet.Pod.NodeName
+	wantSS.Spec.Template.Spec.NodeSelector = proxyClassAllOpts.Spec.StatefulSet.Pod.NodeSelector
+	wantSS.Spec.Template.Spec.Tolerations = proxyClassAllOpts.Spec.StatefulSet.Pod.Tolerations
+	wantSS.Spec.Template.Spec.Containers[0].SecurityContext = proxyClassAllOpts.Spec.StatefulSet.Pod.TailscaleContainer.SecurityContext
+	wantSS.Spec.Template.Spec.InitContainers[0].SecurityContext = proxyClassAllOpts.Spec.StatefulSet.Pod.TailscaleInitContainer.SecurityContext
+	wantSS.Spec.Template.Spec.Containers[0].Resources = proxyClassAllOpts.Spec.StatefulSet.Pod.TailscaleContainer.Resources
+	wantSS.Spec.Template.Spec.InitContainers[0].Resources = proxyClassAllOpts.Spec.StatefulSet.Pod.TailscaleInitContainer.Resources
+
+	gotSS := applyProxyClassToStatefulSet(proxyClassAllOpts, nonUserspaceProxySS.DeepCopy())
+	if diff := cmp.Diff(gotSS, wantSS); diff != "" {
+		t.Fatalf("Unexpected result applying ProxyClass with all fields set to a StatefulSet for non-userspace proxy (-got +want):\n%s", diff)
+	}
+
+	// 2. Test that a ProxyClass with custom labels and annotations for
+	// StatefulSet and Pod set gets correctly applied to a Statefulset built
+	// from non-userspace proxy template.
+	wantSS = nonUserspaceProxySS.DeepCopy()
+	wantSS.ObjectMeta.Labels = mergeMapKeys(wantSS.ObjectMeta.Labels, proxyClassJustLabels.Spec.StatefulSet.Labels)
+	wantSS.ObjectMeta.Annotations = mergeMapKeys(wantSS.ObjectMeta.Annotations, proxyClassJustLabels.Spec.StatefulSet.Annotations)
+	wantSS.Spec.Template.Labels = proxyClassJustLabels.Spec.StatefulSet.Pod.Labels
+	wantSS.Spec.Template.Annotations = proxyClassJustLabels.Spec.StatefulSet.Pod.Annotations
+	gotSS = applyProxyClassToStatefulSet(proxyClassJustLabels, nonUserspaceProxySS.DeepCopy())
+	if diff := cmp.Diff(gotSS, wantSS); diff != "" {
+		t.Fatalf("Unexpected result applying ProxyClass with custom labels and annotations to a StatefulSet for non-userspace proxy (-got +want):\n%s", diff)
+	}
+
+	// 3. Test that a ProxyClass with all fields set gets correctly applied
+	// to a Statefulset built from a userspace proxy template.
+	wantSS = userspaceProxySS.DeepCopy()
+	wantSS.ObjectMeta.Labels = mergeMapKeys(wantSS.ObjectMeta.Labels, proxyClassAllOpts.Spec.StatefulSet.Labels)
+	wantSS.ObjectMeta.Annotations = mergeMapKeys(wantSS.ObjectMeta.Annotations, proxyClassAllOpts.Spec.StatefulSet.Annotations)
+	wantSS.Spec.Template.Labels = proxyClassAllOpts.Spec.StatefulSet.Pod.Labels
+	wantSS.Spec.Template.Annotations = proxyClassAllOpts.Spec.StatefulSet.Pod.Annotations
+	wantSS.Spec.Template.Spec.SecurityContext = proxyClassAllOpts.Spec.StatefulSet.Pod.SecurityContext
+	wantSS.Spec.Template.Spec.ImagePullSecrets = proxyClassAllOpts.Spec.StatefulSet.Pod.ImagePullSecrets
+	wantSS.Spec.Template.Spec.NodeName = proxyClassAllOpts.Spec.StatefulSet.Pod.NodeName
+	wantSS.Spec.Template.Spec.NodeSelector = proxyClassAllOpts.Spec.StatefulSet.Pod.NodeSelector
+	wantSS.Spec.Template.Spec.Tolerations = proxyClassAllOpts.Spec.StatefulSet.Pod.Tolerations
+	wantSS.Spec.Template.Spec.Containers[0].SecurityContext = proxyClassAllOpts.Spec.StatefulSet.Pod.TailscaleContainer.SecurityContext
+	wantSS.Spec.Template.Spec.Containers[0].Resources = proxyClassAllOpts.Spec.StatefulSet.Pod.TailscaleContainer.Resources
+	gotSS = applyProxyClassToStatefulSet(proxyClassAllOpts, userspaceProxySS.DeepCopy())
+	if diff := cmp.Diff(gotSS, wantSS); diff != "" {
+		t.Fatalf("Unexpected result applying ProxyClass with custom labels and annotations to a StatefulSet for a userspace proxy (-got +want):\n%s", diff)
+	}
+
+	// 4. Test that a ProxyClass with custom labels and annotations gets correctly applied
+	// to a Statefulset built from a userspace proxy template.
+	wantSS = userspaceProxySS.DeepCopy()
+	wantSS.ObjectMeta.Labels = mergeMapKeys(wantSS.ObjectMeta.Labels, proxyClassJustLabels.Spec.StatefulSet.Labels)
+	wantSS.ObjectMeta.Annotations = mergeMapKeys(wantSS.ObjectMeta.Annotations, proxyClassJustLabels.Spec.StatefulSet.Annotations)
+	wantSS.Spec.Template.Labels = proxyClassJustLabels.Spec.StatefulSet.Pod.Labels
+	wantSS.Spec.Template.Annotations = proxyClassJustLabels.Spec.StatefulSet.Pod.Annotations
+	gotSS = applyProxyClassToStatefulSet(proxyClassJustLabels, userspaceProxySS.DeepCopy())
+	if diff := cmp.Diff(gotSS, wantSS); diff != "" {
+		t.Fatalf("Unexpected result applying ProxyClass with custom labels and annotations to a StatefulSet for a userspace proxy (-got +want):\n%s", diff)
+	}
+}
+
+func mergeMapKeys(a, b map[string]string) map[string]string {
+	for key, val := range b {
+		a[key] = val
+	}
+	return a
+}
+
+func Test_mergeStatefulSetLabelsOrAnnots(t *testing.T) {
+	tests := []struct {
+		name    string
+		current map[string]string
+		custom  map[string]string
+		managed []string
+		want    map[string]string
+	}{
+		{
+			name:    "no custom labels specified and none present in current labels, return current labels",
+			current: map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			managed: tailscaleManagedLabels,
+		},
+		{
+			name:    "no custom labels specified, but some present in current labels, return tailscale managed labels only from the current labels",
+			current: map[string]string{"foo": "bar", "something.io/foo": "bar", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			want:    map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			managed: tailscaleManagedLabels,
+		},
+		{
+			name:    "custom labels specified, current labels only contain tailscale managed labels, return a union of both",
+			current: map[string]string{LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			managed: tailscaleManagedLabels,
+		},
+		{
+			name:    "custom labels specified, current labels contain tailscale managed labels and custom labels, some of which re not present in the new custom labels, return a union of managed labels and the desired custom labels",
+			current: map[string]string{"foo": "bar", "bar": "baz", "app": "1234", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", "app": "1234", LabelManaged: "true", LabelParentName: "foo", LabelParentType: "svc", LabelParentNamespace: "foo"},
+			managed: tailscaleManagedLabels,
+		},
+		{
+			name:    "no current labels present, return custom labels only",
+			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar"},
+			managed: tailscaleManagedLabels,
+		},
+		{
+			name:    "no current labels present, no custom labels specified, return empty map",
+			want:    map[string]string{},
+			managed: tailscaleManagedLabels,
+		},
+		{
+			name:    "no custom annots specified and none present in current annots, return current annots",
+			current: map[string]string{podAnnotationLastSetClusterIP: "1.2.3.4"},
+			want:    map[string]string{podAnnotationLastSetClusterIP: "1.2.3.4"},
+			managed: tailscaleManagedAnnotations,
+		},
+		{
+			name:    "no custom annots specified, but some present in current annots, return tailscale managed annots only from the current annots",
+			current: map[string]string{"foo": "bar", "something.io/foo": "bar", podAnnotationLastSetClusterIP: "1.2.3.4"},
+			want:    map[string]string{podAnnotationLastSetClusterIP: "1.2.3.4"},
+			managed: tailscaleManagedAnnotations,
+		},
+		{
+			name:    "custom annots specified, current annots only contain tailscale managed annots, return a union of both",
+			current: map[string]string{podAnnotationLastSetClusterIP: "1.2.3.4"},
+			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar", podAnnotationLastSetClusterIP: "1.2.3.4"},
+			managed: tailscaleManagedAnnotations,
+		},
+		{
+			name:    "custom annots specified, current annots contain tailscale managed annots and custom annots, some of which are not present in the new custom annots, return a union of managed annots and the desired custom annots",
+			current: map[string]string{"foo": "bar", "something.io/foo": "bar", podAnnotationLastSetClusterIP: "1.2.3.4"},
+			custom:  map[string]string{"something.io/foo": "bar"},
+			want:    map[string]string{"something.io/foo": "bar", podAnnotationLastSetClusterIP: "1.2.3.4"},
+			managed: tailscaleManagedAnnotations,
+		},
+		{
+			name:    "no current annots present, return custom annots only",
+			custom:  map[string]string{"foo": "bar", "something.io/foo": "bar"},
+			want:    map[string]string{"foo": "bar", "something.io/foo": "bar"},
+			managed: tailscaleManagedAnnotations,
+		},
+		{
+			name:    "no current labels present, no custom labels specified, return empty map",
+			want:    map[string]string{},
+			managed: tailscaleManagedAnnotations,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := mergeStatefulSetLabelsOrAnnots(tt.current, tt.custom, tt.managed); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("mergeStatefulSetLabels() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/cmd/k8s-operator/svc.go
+++ b/cmd/k8s-operator/svc.go
@@ -20,6 +20,8 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	tsoperator "tailscale.com/k8s-operator"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/set"
 )
@@ -155,6 +157,17 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		a.logger.Error(msg)
 		return nil
 	}
+
+	proxyClass := proxyClassForObject(svc)
+	if proxyClass != "" {
+		if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
+			return fmt.Errorf("error verifying ProxyClass for Service: %w", err)
+		} else if !ready {
+			logger.Infof("ProxyClass %s specified for the Service, but is not (yet) Ready, waiting..", proxyClass)
+			return nil
+		}
+	}
+
 	hostname, err := nameForService(svc)
 	if err != nil {
 		return err
@@ -183,6 +196,7 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		Hostname:            hostname,
 		Tags:                tags,
 		ChildResourceLabels: crl,
+		ProxyClass:          proxyClass,
 	}

 	a.mu.Lock()
@@ -318,3 +332,15 @@ func (a *ServiceReconciler) tailnetTargetAnnotation(svc *corev1.Service) string
 	}
 	return svc.Annotations[annotationTailnetTargetIPOld]
 }
+
+func proxyClassForObject(o client.Object) string {
+	return o.GetLabels()[LabelProxyClass]
+}
+
+func proxyClassIsReady(ctx context.Context, name string, cl client.Client) (bool, error) {
+	proxyClass := new(tsapi.ProxyClass)
+	if err := cl.Get(ctx, types.NamespacedName{Name: name}, proxyClass); err != nil {
+		return false, fmt.Errorf("error getting ProxyClass %s: %w", name, err)
+	}
+	return tsoperator.ProxyClassIsReady(proxyClass), nil
+}
--- a/cmd/k8s-operator/testutils_test.go
+++ b/cmd/k8s-operator/testutils_test.go
@@ -24,6 +24,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
+	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/mak"
 )
@@ -31,30 +32,34 @@ import (
 // confgOpts contains configuration options for creating cluster resources for
 // Tailscale proxies.
 type configOpts struct {
-	stsName                    string
-	secretName                 string
-	hostname                   string
-	namespace                  string
-	parentType                 string
-	priorityClassName          string
-	firewallMode               string
-	tailnetTargetIP            string
-	tailnetTargetFQDN          string
-	clusterTargetIP            string
-	subnetRoutes               string
-	isExitNode                 bool
-	shouldUseDeclarativeConfig bool // tailscaled in proxy should be configured using config file
-	confFileHash               string
+	stsName                                        string
+	secretName                                     string
+	hostname                                       string
+	namespace                                      string
+	parentType                                     string
+	priorityClassName                              string
+	firewallMode                                   string
+	tailnetTargetIP                                string
+	tailnetTargetFQDN                              string
+	clusterTargetIP                                string
+	subnetRoutes                                   string
+	isExitNode                                     bool
+	confFileHash                                   string
+	serveConfig                                    *ipn.ServeConfig
+	shouldEnableForwardingClusterTrafficViaIngress bool
+	proxyClass                                     string // configuration from the named ProxyClass should be applied to proxy resources
 }

-func expectedSTS(opts configOpts) *appsv1.StatefulSet {
+func expectedSTS(t *testing.T, cl client.Client, opts configOpts) *appsv1.StatefulSet {
+	t.Helper()
 	tsContainer := corev1.Container{
 		Name:  "tailscale",
 		Image: "tailscale/tailscale",
 		Env: []corev1.EnvVar{
 			{Name: "TS_USERSPACE", Value: "false"},
-			{Name: "TS_AUTH_ONCE", Value: "true"},
+			{Name: "POD_IP", ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{APIVersion: "", FieldPath: "status.podIP"}, ResourceFieldRef: nil, ConfigMapKeyRef: nil, SecretKeyRef: nil}},
 			{Name: "TS_KUBE_SECRET", Value: opts.secretName},
+			{Name: "EXPERIMENTAL_TS_CONFIGFILE_PATH", Value: "/etc/tsconfig/tailscaled"},
 		},
 		SecurityContext: &corev1.SecurityContext{
 			Capabilities: &corev1.Capabilities{
@@ -63,38 +68,37 @@ func expectedSTS(opts configOpts) *appsv1.StatefulSet {
 		},
 		ImagePullPolicy: "Always",
 	}
+	if opts.shouldEnableForwardingClusterTrafficViaIngress {
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS",
+			Value: "true",
+		})
+	}
 	annots := make(map[string]string)
 	var volumes []corev1.Volume
-	if opts.shouldUseDeclarativeConfig {
-		volumes = []corev1.Volume{
-			{
-				Name: "tailscaledconfig",
-				VolumeSource: corev1.VolumeSource{
-					Secret: &corev1.SecretVolumeSource{
-						SecretName: opts.secretName,
-						Items: []corev1.KeyToPath{
-							{
-								Key:  "tailscaled",
-								Path: "tailscaled",
-							},
+	volumes = []corev1.Volume{
+		{
+			Name: "tailscaledconfig",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: opts.secretName,
+					Items: []corev1.KeyToPath{
+						{
+							Key:  "tailscaled",
+							Path: "tailscaled",
 						},
 					},
 				},
 			},
-		}
-		tsContainer.VolumeMounts = []corev1.VolumeMount{{
-			Name:      "tailscaledconfig",
-			ReadOnly:  true,
-			MountPath: "/etc/tsconfig",
-		}}
-		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
-			Name:  "EXPERIMENTAL_TS_CONFIGFILE_PATH",
-			Value: "/etc/tsconfig/tailscaled",
-		})
+		},
+	}
+	tsContainer.VolumeMounts = []corev1.VolumeMount{{
+		Name:      "tailscaledconfig",
+		ReadOnly:  true,
+		MountPath: "/etc/tsconfig",
+	}}
+	if opts.confFileHash != "" {
 		annots["tailscale.com/operator-last-set-config-file-hash"] = opts.confFileHash
-	} else {
-		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{Name: "TS_HOSTNAME", Value: opts.hostname})
-		annots["tailscale.com/operator-last-set-hostname"] = opts.hostname
 	}
 	if opts.firewallMode != "" {
 		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
@@ -122,7 +126,17 @@ func expectedSTS(opts configOpts) *appsv1.StatefulSet {
 		})
 		annots["tailscale.com/operator-last-set-cluster-ip"] = opts.clusterTargetIP
 	}
-	return &appsv1.StatefulSet{
+	if opts.serveConfig != nil {
+		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
+			Name:  "TS_SERVE_CONFIG",
+			Value: "/etc/tailscaled/serve-config",
+		})
+		volumes = append(volumes, corev1.Volume{
+			Name: "serve-config", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: opts.secretName, Items: []corev1.KeyToPath{{Path: "serve-config", Key: "serve-config"}}}},
+		})
+		tsContainer.VolumeMounts = append(tsContainer.VolumeMounts, corev1.VolumeMount{Name: "serve-config", ReadOnly: true, MountPath: "/etc/tailscaled"})
+	}
+	ss := &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "StatefulSet",
 			APIVersion: "apps/v1",
@@ -147,7 +161,13 @@ func expectedSTS(opts configOpts) *appsv1.StatefulSet {
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations:                annots,
 					DeletionGracePeriodSeconds: ptr.To[int64](10),
-					Labels:                     map[string]string{"app": "1234-UID"},
+					Labels: map[string]string{
+						"tailscale.com/managed":              "true",
+						"tailscale.com/parent-resource":      "test",
+						"tailscale.com/parent-resource-ns":   opts.namespace,
+						"tailscale.com/parent-resource-type": opts.parentType,
+						"app":                                "1234-UID",
+					},
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "proxies",
@@ -169,9 +189,116 @@ func expectedSTS(opts configOpts) *appsv1.StatefulSet {
 			},
 		},
 	}
+	// If opts.proxyClass is set, retrieve the ProxyClass and apply
+	// configuration from that to the StatefulSet.
+	if opts.proxyClass != "" {
+		t.Logf("applying configuration from ProxyClass %s", opts.proxyClass)
+		proxyClass := new(tsapi.ProxyClass)
+		if err := cl.Get(context.Background(), types.NamespacedName{Name: opts.proxyClass}, proxyClass); err != nil {
+			t.Fatalf("error getting ProxyClass: %v", err)
+		}
+		return applyProxyClassToStatefulSet(proxyClass, ss)
+	}
+	return ss
 }

-func expectedHeadlessService(name string) *corev1.Service {
+func expectedSTSUserspace(t *testing.T, cl client.Client, opts configOpts) *appsv1.StatefulSet {
+	t.Helper()
+	tsContainer := corev1.Container{
+		Name:  "tailscale",
+		Image: "tailscale/tailscale",
+		Env: []corev1.EnvVar{
+			{Name: "TS_USERSPACE", Value: "true"},
+			{Name: "TS_KUBE_SECRET", Value: opts.secretName},
+			{Name: "EXPERIMENTAL_TS_CONFIGFILE_PATH", Value: "/etc/tsconfig/tailscaled"},
+			{Name: "TS_SERVE_CONFIG", Value: "/etc/tailscaled/serve-config"},
+		},
+		ImagePullPolicy: "Always",
+		VolumeMounts: []corev1.VolumeMount{
+			{Name: "tailscaledconfig", ReadOnly: true, MountPath: "/etc/tsconfig"},
+			{Name: "serve-config", ReadOnly: true, MountPath: "/etc/tailscaled"},
+		},
+	}
+	volumes := []corev1.Volume{
+		{
+			Name: "tailscaledconfig",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: opts.secretName,
+					Items: []corev1.KeyToPath{
+						{
+							Key:  "tailscaled",
+							Path: "tailscaled",
+						},
+					},
+				},
+			},
+		},
+		{Name: "serve-config",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{SecretName: opts.secretName,
+					Items: []corev1.KeyToPath{{Key: "serve-config", Path: "serve-config"}}}},
+		},
+	}
+	ss := &appsv1.StatefulSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "StatefulSet",
+			APIVersion: "apps/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      opts.stsName,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   opts.namespace,
+				"tailscale.com/parent-resource-type": opts.parentType,
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: ptr.To[int32](1),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "1234-UID"},
+			},
+			ServiceName: opts.stsName,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					DeletionGracePeriodSeconds: ptr.To[int64](10),
+					Labels: map[string]string{
+						"tailscale.com/managed":              "true",
+						"tailscale.com/parent-resource":      "test",
+						"tailscale.com/parent-resource-ns":   opts.namespace,
+						"tailscale.com/parent-resource-type": opts.parentType,
+						"app":                                "1234-UID",
+					},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "proxies",
+					PriorityClassName:  opts.priorityClassName,
+					Containers:         []corev1.Container{tsContainer},
+					Volumes:            volumes,
+				},
+			},
+		},
+	}
+	ss.Spec.Template.Annotations = map[string]string{}
+	if opts.confFileHash != "" {
+		ss.Spec.Template.Annotations["tailscale.com/operator-last-set-config-file-hash"] = opts.confFileHash
+	}
+	// If opts.proxyClass is set, retrieve the ProxyClass and apply
+	// configuration from that to the StatefulSet.
+	if opts.proxyClass != "" {
+		t.Logf("applying configuration from ProxyClass %s", opts.proxyClass)
+		proxyClass := new(tsapi.ProxyClass)
+		if err := cl.Get(context.Background(), types.NamespacedName{Name: opts.proxyClass}, proxyClass); err != nil {
+			t.Fatalf("error getting ProxyClass: %v", err)
+		}
+		return applyProxyClassToStatefulSet(proxyClass, ss)
+	}
+	return ss
+}
+
+func expectedHeadlessService(name string, parentType string) *corev1.Service {
 	return &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -185,7 +312,7 @@ func expectedHeadlessService(name string) *corev1.Service {
 				"tailscale.com/managed":              "true",
 				"tailscale.com/parent-resource":      "test",
 				"tailscale.com/parent-resource-ns":   "default",
-				"tailscale.com/parent-resource-type": "svc",
+				"tailscale.com/parent-resource-type": parentType,
 			},
 		},
 		Spec: corev1.ServiceSpec{
@@ -199,11 +326,6 @@ func expectedHeadlessService(name string) *corev1.Service {

 func expectedSecret(t *testing.T, opts configOpts) *corev1.Secret {
 	t.Helper()
-	labels := map[string]string{
-		"tailscale.com/managed":              "true",
-		"tailscale.com/parent-resource":      "test",
-		"tailscale.com/parent-resource-type": opts.parentType,
-	}
 	s := &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Secret",
@@ -214,37 +336,48 @@ func expectedSecret(t *testing.T, opts configOpts) *corev1.Secret {
 			Namespace: "operator-ns",
 		},
 	}
-	if !opts.shouldUseDeclarativeConfig {
-		mak.Set(&s.StringData, "authkey", "secret-authkey")
-		labels["tailscale.com/parent-resource-ns"] = opts.namespace
-	} else {
-		conf := &ipn.ConfigVAlpha{
-			Version:   "alpha0",
-			AcceptDNS: "false",
-			Hostname:  &opts.hostname,
-			Locked:    "false",
-			AuthKey:   ptr.To("secret-authkey"),
-		}
-		var routes []netip.Prefix
-		if opts.subnetRoutes != "" || opts.isExitNode {
-			r := opts.subnetRoutes
-			if opts.isExitNode {
-				r = "0.0.0.0/0,::/0," + r
-			}
-			for _, rr := range strings.Split(r, ",") {
-				prefix, err := netip.ParsePrefix(rr)
-				if err != nil {
-					t.Fatal(err)
-				}
-				routes = append(routes, prefix)
-			}
-		}
-		conf.AdvertiseRoutes = routes
-		b, err := json.Marshal(conf)
+	if opts.serveConfig != nil {
+		serveConfigBs, err := json.Marshal(opts.serveConfig)
 		if err != nil {
-			t.Fatalf("error marshalling tailscaled config")
+			t.Fatalf("error marshalling serve config: %v", err)
 		}
-		mak.Set(&s.StringData, "tailscaled", string(b))
+		mak.Set(&s.StringData, "serve-config", string(serveConfigBs))
+	}
+	conf := &ipn.ConfigVAlpha{
+		Version:      "alpha0",
+		AcceptDNS:    "false",
+		Hostname:     &opts.hostname,
+		Locked:       "false",
+		AuthKey:      ptr.To("secret-authkey"),
+		AcceptRoutes: "false",
+	}
+	var routes []netip.Prefix
+	if opts.subnetRoutes != "" || opts.isExitNode {
+		r := opts.subnetRoutes
+		if opts.isExitNode {
+			r = "0.0.0.0/0,::/0," + r
+		}
+		for _, rr := range strings.Split(r, ",") {
+			prefix, err := netip.ParsePrefix(rr)
+			if err != nil {
+				t.Fatal(err)
+			}
+			routes = append(routes, prefix)
+		}
+	}
+	conf.AdvertiseRoutes = routes
+	b, err := json.Marshal(conf)
+	if err != nil {
+		t.Fatalf("error marshalling tailscaled config")
+	}
+	mak.Set(&s.StringData, "tailscaled", string(b))
+	labels := map[string]string{
+		"tailscale.com/managed":              "true",
+		"tailscale.com/parent-resource":      "test",
+		"tailscale.com/parent-resource-ns":   "default",
+		"tailscale.com/parent-resource-type": opts.parentType,
+	}
+	if opts.parentType == "connector" {
 		labels["tailscale.com/parent-resource-ns"] = "" // Connector is cluster scoped
 	}
 	s.Labels = labels
@@ -306,7 +439,13 @@ func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client,
 	}
 }

-func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
+// expectEqual accepts a Kubernetes object and a Kubernetes client. It tests
+// whether an object with equivalent contents can be retrieved by the passed
+// client. If you want to NOT test some object fields for equality, ensure that
+// they are not present in the passed object and use the modify func to remove
+// them from the cluster object. If no such modifications are needed, you can
+// pass nil in place of the modify function.
+func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O, modify func(O)) {
 	t.Helper()
 	got := O(new(T))
 	if err := client.Get(context.Background(), types.NamespacedName{
@@ -320,6 +459,9 @@ func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want
 	// so just remove it from both got and want.
 	got.SetResourceVersion("")
 	want.SetResourceVersion("")
+	if modify != nil {
+		modify(got)
+	}
 	if diff := cmp.Diff(got, want); diff != "" {
 		t.Fatalf("unexpected object (-got +want):\n%s", diff)
 	}
@@ -378,6 +520,13 @@ type fakeTSClient struct {
 	keyRequests []tailscale.KeyCapabilities
 	deleted     []string
 }
+type fakeTSNetServer struct {
+	certDomains []string
+}
+
+func (f *fakeTSNetServer) CertDomains() []string {
+	return f.certDomains
+}

 func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error) {
 	c.Lock()
@@ -409,3 +558,11 @@ func (c *fakeTSClient) Deleted() []string {
 	defer c.Unlock()
 	return c.deleted
 }
+
+// removeHashAnnotation can be used to remove declarative tailscaled config hash
+// annotation from proxy StatefulSets to make the tests more maintainable (so
+// that we don't have to change the annotation in each test case after any
+// change to the configfile contents).
+func removeHashAnnotation(sts *appsv1.StatefulSet) {
+	delete(sts.Spec.Template.Annotations, podAnnotationLastSetConfigFileHash)
+}
--- a/cmd/sniproxy/handlers.go
+++ b/cmd/sniproxy/handlers.go
@@ -12,7 +12,7 @@ import (
 	"net/netip"
 	"slices"

-	"inet.af/tcpproxy"
+	"github.com/inetaf/tcpproxy"
 	"tailscale.com/net/netutil"
 )

--- a/cmd/stund/depaware.txt
+++ b/cmd/stund/depaware.txt
@@ -2,9 +2,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar

        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
-        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil
-        github.com/google/uuid                                       from tailscale.com/tsweb
-        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
+        github.com/google/uuid                                       from tailscale.com/util/fastuuid
     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
@@ -16,8 +14,9 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
     💣 go4.org/mem                                                  from tailscale.com/metrics+
        go4.org/netipx                                               from tailscale.com/net/tsaddr
-        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/encoding/protodelim               from github.com/prometheus/common/expfmt
+        google.golang.org/protobuf/encoding/prototext                from github.com/prometheus/common/expfmt+
+        google.golang.org/protobuf/encoding/protowire                from google.golang.org/protobuf/encoding/protodelim+
        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
@@ -36,13 +35,11 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
-     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
+        google.golang.org/protobuf/proto                             from github.com/prometheus/client_golang/prometheus+
+     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/prometheus/client_model/go+
+        google.golang.org/protobuf/reflect/protoregistry             from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/runtime/protoiface                from google.golang.org/protobuf/internal/impl+
+        google.golang.org/protobuf/runtime/protoimpl                 from github.com/prometheus/client_model/go+
        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
        tailscale.com                                                from tailscale.com/version
        tailscale.com/envknob                                        from tailscale.com/tsweb+
@@ -65,9 +62,10 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        tailscale.com/types/structs                                  from tailscale.com/tailcfg+
        tailscale.com/types/tkatype                                  from tailscale.com/tailcfg+
        tailscale.com/types/views                                    from tailscale.com/net/tsaddr+
-        tailscale.com/util/cmpx                                      from tailscale.com/tailcfg+
+        tailscale.com/util/ctxkey                                    from tailscale.com/tsweb+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/tailcfg
+        tailscale.com/util/fastuuid                                  from tailscale.com/tsweb
        tailscale.com/util/lineread                                  from tailscale.com/version/distro
        tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
        tailscale.com/util/slicesx                                   from tailscale.com/tailcfg
@@ -99,9 +97,9 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
-        cmp                                                          from slices
+        cmp                                                          from slices+
        compress/flate                                               from compress/gzip
-        compress/gzip                                                from github.com/golang/protobuf/proto+
+        compress/gzip                                                from google.golang.org/protobuf/internal/impl+
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdh+
@@ -146,7 +144,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        html                                                         from net/http/pprof+
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from github.com/golang/protobuf/proto+
+        io/ioutil                                                    from google.golang.org/protobuf/internal/impl
        log                                                          from expvar+
        log/internal                                                 from log
        maps                                                         from tailscale.com/tailcfg+
@@ -154,6 +152,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
        math/rand                                                    from math/big+
+        math/rand/v2                                                 from tailscale.com/util/fastuuid
        mime                                                         from github.com/prometheus/common/expfmt+
        mime/multipart                                               from net/http
        mime/quotedprintable                                         from mime/multipart
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -17,7 +17,7 @@ var bugReportCmd = &ffcli.Command{
 	Name:       "bugreport",
 	Exec:       runBugReport,
 	ShortHelp:  "Print a shareable identifier to help diagnose issues",
-	ShortUsage: "bugreport [note]",
+	ShortUsage: "tailscale bugreport [note]",
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("bugreport")
 		fs.BoolVar(&bugReportArgs.diagnose, "diagnose", false, "run additional in-depth checks")
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -28,7 +28,7 @@ var certCmd = &ffcli.Command{
 	Name:       "cert",
 	Exec:       runCert,
 	ShortHelp:  "Get TLS certs",
-	ShortUsage: "cert [flags] <domain>",
+	ShortUsage: "tailscale cert [flags] <domain>",
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -14,11 +14,12 @@ import (
 	"log"
 	"os"
 	"runtime"
-	"slices"
 	"strings"
 	"sync"
 	"text/tabwriter"

+	"github.com/mattn/go-colorable"
+	"github.com/mattn/go-isatty"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
@@ -93,6 +94,49 @@ func Run(args []string) (err error) {
 		})
 	})

+	rootCmd := newRootCmd()
+	if err := rootCmd.Parse(args); err != nil {
+		if errors.Is(err, flag.ErrHelp) {
+			return nil
+		}
+		return err
+	}
+
+	if envknob.Bool("TS_DUMP_HELP") {
+		walkCommands(rootCmd, func(c *ffcli.Command) {
+			fmt.Println("===")
+			// UsageFuncs are typically called during Command.Run which ensures
+			// FlagSet is not nil.
+			if c.FlagSet == nil {
+				c.FlagSet = flag.NewFlagSet(c.Name, flag.ContinueOnError)
+			}
+			if c.UsageFunc != nil {
+				fmt.Println(c.UsageFunc(c))
+			} else {
+				fmt.Println(ffcli.DefaultUsageFunc(c))
+			}
+		})
+		return
+	}
+
+	localClient.Socket = rootArgs.socket
+	rootCmd.FlagSet.Visit(func(f *flag.Flag) {
+		if f.Name == "socket" {
+			localClient.UseSocketOnly = true
+		}
+	})
+
+	err = rootCmd.Run(context.Background())
+	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
+		return fmt.Errorf("%v\n\nUse 'sudo tailscale %s' or 'tailscale up --operator=$USER' to not require root.", err, strings.Join(args, " "))
+	}
+	if errors.Is(err, flag.ErrHelp) {
+		return nil
+	}
+	return err
+}
+
+func newRootCmd() *ffcli.Command {
 	rootfs := newFlagSet("tailscale")
 	rootfs.StringVar(&rootArgs.socket, "socket", paths.DefaultTailscaledSocket(), "path to tailscaled socket")

@@ -129,13 +173,14 @@ change in the future.
 			certCmd,
 			netlockCmd,
 			licensesCmd,
-			exitNodeCmd,
+			exitNodeCmd(),
 			updateCmd,
 			whoisCmd,
+			debugCmd,
+			driveCmd,
 		},
-		FlagSet:   rootfs,
-		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
-		UsageFunc: usageFunc,
+		FlagSet: rootfs,
+		Exec:    func(context.Context, []string) error { return flag.ErrHelp },
 	}
 	if envknob.UseWIPCode() {
 		rootCmd.Subcommands = append(rootCmd.Subcommands,
@@ -143,43 +188,16 @@ change in the future.
 		)
 	}

-	// Don't advertise these commands, but they're still explicitly available.
-	switch {
-	case slices.Contains(args, "debug"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
-	}
 	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
 	}

-	for _, c := range rootCmd.Subcommands {
+	walkCommands(rootCmd, func(c *ffcli.Command) {
 		if c.UsageFunc == nil {
 			c.UsageFunc = usageFunc
 		}
-	}
-
-	if err := rootCmd.Parse(args); err != nil {
-		if errors.Is(err, flag.ErrHelp) {
-			return nil
-		}
-		return err
-	}
-
-	localClient.Socket = rootArgs.socket
-	rootfs.Visit(func(f *flag.Flag) {
-		if f.Name == "socket" {
-			localClient.UseSocketOnly = true
-		}
 	})
-
-	err = rootCmd.Run(context.Background())
-	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
-		return fmt.Errorf("%v\n\nUse 'sudo tailscale %s' or 'tailscale up --operator=$USER' to not require root.", err, strings.Join(args, " "))
-	}
-	if errors.Is(err, flag.ErrHelp) {
-		return nil
-	}
-	return err
+	return rootCmd
 }

 func fatalf(format string, a ...any) {
@@ -198,6 +216,13 @@ var rootArgs struct {
 	socket string
 }

+func walkCommands(cmd *ffcli.Command, f func(*ffcli.Command)) {
+	f(cmd)
+	for _, sub := range cmd.Subcommands {
+		walkCommands(sub, f)
+	}
+}
+
 // usageFuncNoDefaultValues is like usageFunc but doesn't print default values.
 func usageFuncNoDefaultValues(c *ffcli.Command) string {
 	return usageFuncOpt(c, false)
@@ -209,23 +234,32 @@ func usageFunc(c *ffcli.Command) string {

 func usageFuncOpt(c *ffcli.Command, withDefaults bool) string {
 	var b strings.Builder
+	const hiddenPrefix = "HIDDEN: "
+
+	if c.ShortHelp != "" {
+		fmt.Fprintf(&b, "%s\n\n", c.ShortHelp)
+	}

 	fmt.Fprintf(&b, "USAGE\n")
 	if c.ShortUsage != "" {
-		fmt.Fprintf(&b, "  %s\n", c.ShortUsage)
+		fmt.Fprintf(&b, "  %s\n", strings.ReplaceAll(c.ShortUsage, "\n", "\n  "))
 	} else {
 		fmt.Fprintf(&b, "  %s\n", c.Name)
 	}
 	fmt.Fprintf(&b, "\n")

 	if c.LongHelp != "" {
-		fmt.Fprintf(&b, "%s\n\n", c.LongHelp)
+		help, _ := strings.CutPrefix(c.LongHelp, hiddenPrefix)
+		fmt.Fprintf(&b, "%s\n\n", help)
 	}

 	if len(c.Subcommands) > 0 {
 		fmt.Fprintf(&b, "SUBCOMMANDS\n")
 		tw := tabwriter.NewWriter(&b, 0, 2, 2, ' ', 0)
 		for _, subcommand := range c.Subcommands {
+			if strings.HasPrefix(subcommand.LongHelp, hiddenPrefix) {
+				continue
+			}
 			fmt.Fprintf(tw, "  %s\t%s\n", subcommand.Name, subcommand.ShortHelp)
 		}
 		tw.Flush()
@@ -238,7 +272,7 @@ func usageFuncOpt(c *ffcli.Command, withDefaults bool) string {
 		c.FlagSet.VisitAll(func(f *flag.Flag) {
 			var s string
 			name, usage := flag.UnquoteUsage(f)
-			if strings.HasPrefix(usage, "HIDDEN: ") {
+			if strings.HasPrefix(usage, hiddenPrefix) {
 				return
 			}
 			if isBoolFlag(f) {
@@ -285,3 +319,17 @@ func countFlags(fs *flag.FlagSet) (n int) {
 	fs.VisitAll(func(*flag.Flag) { n++ })
 	return n
 }
+
+// colorableOutput returns a colorable writer if stdout is a terminal (not, say,
+// redirected to a file or pipe), the Stdout writer is os.Stdout (we're not
+// embedding the CLI in wasm or a mobile app), and NO_COLOR is not set (see
+// https://no-color.org/). If any of those is not the case, ok is false
+// and w is Stdout.
+func colorableOutput() (w io.Writer, ok bool) {
+	if Stdout != os.Stdout ||
+		os.Getenv("NO_COLOR") != "" ||
+		!isatty.IsTerminal(os.Stdout.Fd()) {
+		return Stdout, false
+	}
+	return colorable.NewColorableStdout(), true
+}
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -5,6 +5,7 @@ package cli

 import (
 	"bytes"
+	stdcmp "cmp"
 	"encoding/json"
 	"flag"
 	"fmt"
@@ -15,6 +16,8 @@ import (

 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/envknob"
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -24,10 +27,35 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/version/distro"
 )

+func TestPanicIfAnyEnvCheckedInInit(t *testing.T) {
+	envknob.PanicIfAnyEnvCheckedInInit()
+}
+
+func TestShortUsage_FullCmd(t *testing.T) {
+	t.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	if !envknob.UseWIPCode() {
+		t.Fatal("expected envknob.UseWIPCode() to be true")
+	}
+
+	// Some commands have more than one path from the root, so investigate all
+	// paths before we report errors.
+	ok := make(map[*ffcli.Command]bool)
+	root := newRootCmd()
+	walkCommands(root, func(c *ffcli.Command) {
+		if !ok[c] {
+			ok[c] = strings.HasPrefix(c.ShortUsage, "tailscale ") && (c.Name == "tailscale" || strings.Contains(c.ShortUsage, " "+c.Name+" ") || strings.HasSuffix(c.ShortUsage, " "+c.Name))
+		}
+	})
+	walkCommands(root, func(c *ffcli.Command) {
+		if !ok[c] {
+			t.Errorf("subcommand %s should show full usage ('tailscale ... %s ...') in ShortUsage (%q)", c.Name, c.Name, c.ShortUsage)
+		}
+	})
+}
+
 // geese is a collection of gooses. It need not be complete.
 // But it should include anything handled specially (e.g. linux, windows)
 // and at least one thing that's not (darwin, freebsd).
@@ -758,7 +786,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var warnBuf tstest.MemLogger
-			goos := cmpx.Or(tt.goos, "linux")
+			goos := stdcmp.Or(tt.goos, "linux")
 			st := tt.st
 			if st == nil {
 				st = new(ipnstate.Status)
@@ -802,7 +830,7 @@ func TestPrefFlagMapping(t *testing.T) {
 		}
 	}

-	prefType := reflect.TypeOf(ipn.Prefs{})
+	prefType := reflect.TypeFor[ipn.Prefs]()
 	for i := 0; i < prefType.NumField(); i++ {
 		prefName := prefType.Field(i).Name
 		if prefHasFlag[prefName] {
@@ -829,6 +857,14 @@ func TestPrefFlagMapping(t *testing.T) {
 			// Handled by TS_DEBUG_FIREWALL_MODE env var, we don't want to have
 			// a CLI flag for this. The Pref is used by c2n.
 			continue
+		case "DriveShares":
+			// Handled by the tailscale share subcommand, we don't want a CLI
+			// flag for this.
+			continue
+		case "InternalExitNodePrior":
+			// Used internally by LocalBackend as part of exit node usage toggling.
+			// No CLI flag for this.
+			continue
 		}
 		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
 	}
--- a/cmd/tailscale/cli/configure-kube.go
+++ b/cmd/tailscale/cli/configure-kube.go
@@ -27,7 +27,7 @@ func init() {
 var configureKubeconfigCmd = &ffcli.Command{
 	Name:       "kubeconfig",
 	ShortHelp:  "[ALPHA] Connect to a Kubernetes cluster using a Tailscale Auth Proxy",
-	ShortUsage: "kubeconfig <hostname-or-fqdn>",
+	ShortUsage: "tailscale configure kubeconfig <hostname-or-fqdn>",
 	LongHelp: strings.TrimSpace(`
 Run this command to configure kubectl to connect to a Kubernetes cluster over Tailscale.

@@ -43,7 +43,20 @@ See: https://tailscale.com/s/k8s-auth-proxy
 }

 // kubeconfigPath returns the path to the kubeconfig file for the current user.
-func kubeconfigPath() string {
+func kubeconfigPath() (string, error) {
+	if kubeconfig := os.Getenv("KUBECONFIG"); kubeconfig != "" {
+		if version.IsSandboxedMacOS() {
+			return "", errors.New("$KUBECONFIG is incompatible with the App Store version")
+		}
+		var out string
+		for _, out = range filepath.SplitList(kubeconfig) {
+			if info, err := os.Stat(out); !os.IsNotExist(err) && !info.IsDir() {
+				break
+			}
+		}
+		return out, nil
+	}
+
 	var dir string
 	if version.IsSandboxedMacOS() {
 		// The HOME environment variable in macOS sandboxed apps is set to
@@ -55,7 +68,7 @@ func kubeconfigPath() string {
 	} else {
 		dir = homedir.HomeDir()
 	}
-	return filepath.Join(dir, ".kube", "config")
+	return filepath.Join(dir, ".kube", "config"), nil
 }

 func runConfigureKubeconfig(ctx context.Context, args []string) error {
@@ -76,7 +89,11 @@ func runConfigureKubeconfig(ctx context.Context, args []string) error {
 		return fmt.Errorf("no peer found with hostname %q", hostOrFQDN)
 	}
 	targetFQDN = strings.TrimSuffix(targetFQDN, ".")
-	if err := setKubeconfigForPeer(targetFQDN, kubeconfigPath()); err != nil {
+	var kubeconfig string
+	if kubeconfig, err = kubeconfigPath(); err != nil {
+		return err
+	}
+	if err = setKubeconfigForPeer(targetFQDN, kubeconfig); err != nil {
 		return err
 	}
 	printf("kubeconfig configured for %q\n", hostOrFQDN)
@@ -119,7 +136,7 @@ func updateKubeconfig(cfgYaml []byte, fqdn string) ([]byte, error) {

 	var clusters []any
 	if cm, ok := cfg["clusters"]; ok {
-		clusters = cm.([]any)
+		clusters, _ = cm.([]any)
 	}
 	cfg["clusters"] = appendOrSetNamed(clusters, fqdn, map[string]any{
 		"name": fqdn,
@@ -130,7 +147,7 @@ func updateKubeconfig(cfgYaml []byte, fqdn string) ([]byte, error) {

 	var users []any
 	if um, ok := cfg["users"]; ok {
-		users = um.([]any)
+		users, _ = um.([]any)
 	}
 	cfg["users"] = appendOrSetNamed(users, "tailscale-auth", map[string]any{
 		// We just need one of these, and can reuse it for all clusters.
@@ -144,7 +161,7 @@ func updateKubeconfig(cfgYaml []byte, fqdn string) ([]byte, error) {

 	var contexts []any
 	if cm, ok := cfg["contexts"]; ok {
-		contexts = cm.([]any)
+		contexts, _ = cm.([]any)
 	}
 	cfg["contexts"] = appendOrSetNamed(contexts, fqdn, map[string]any{
 		"name": fqdn,
--- a/cmd/tailscale/cli/configure-kube_test.go
+++ b/cmd/tailscale/cli/configure-kube_test.go
@@ -48,6 +48,31 @@ contexts:
 current-context: foo.tail-scale.ts.net
 kind: Config
 users:
+- name: tailscale-auth
+  user:
+    token: unused`,
+		},
+		{
+			name: "all configs, clusters, users have been deleted",
+			in: `apiVersion: v1
+clusters: null
+contexts: null
+kind: Config
+current-context: some-non-existent-cluster
+users: null`,
+			want: `apiVersion: v1
+clusters:
+- cluster:
+    server: https://foo.tail-scale.ts.net
+  name: foo.tail-scale.ts.net
+contexts:
+- context:
+    cluster: foo.tail-scale.ts.net
+    user: tailscale-auth
+  name: foo.tail-scale.ts.net
+current-context: foo.tail-scale.ts.net
+kind: Config
+users:
 - name: tailscale-auth
  user:
    token: unused`,
--- a/cmd/tailscale/cli/configure-synology-cert.go
+++ b/cmd/tailscale/cli/configure-synology-cert.go
@@ -0,0 +1,220 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package cli
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"runtime"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/hostinfo"
+	"tailscale.com/ipn"
+	"tailscale.com/version/distro"
+)
+
+var synologyConfigureCertCmd = &ffcli.Command{
+	Name:       "synology-cert",
+	Exec:       runConfigureSynologyCert,
+	ShortHelp:  "Configure Synology with a TLS certificate for your tailnet",
+	ShortUsage: "synology-cert [--domain <domain>]",
+	LongHelp: strings.TrimSpace(`
+This command is intended to run periodically as root on a Synology device to
+create or refresh the TLS certificate for the tailnet domain.
+
+See: https://tailscale.com/kb/1153/enabling-https
+`),
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("synology-cert")
+		fs.StringVar(&synologyConfigureCertArgs.domain, "domain", "", "Tailnet domain to create or refresh certificates for. Ignored if only one domain exists.")
+		return fs
+	})(),
+}
+
+var synologyConfigureCertArgs struct {
+	domain string
+}
+
+func runConfigureSynologyCert(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		return errors.New("unknown arguments")
+	}
+	if runtime.GOOS != "linux" || distro.Get() != distro.Synology {
+		return errors.New("only implemented on Synology")
+	}
+	if uid := os.Getuid(); uid != 0 {
+		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
+	}
+	hi := hostinfo.New()
+	isDSM6 := strings.HasPrefix(hi.DistroVersion, "6.")
+	isDSM7 := strings.HasPrefix(hi.DistroVersion, "7.")
+	if !isDSM6 && !isDSM7 {
+		return fmt.Errorf("unsupported DSM version %q", hi.DistroVersion)
+	}
+
+	domain := synologyConfigureCertArgs.domain
+	if st, err := localClient.Status(ctx); err == nil {
+		if st.BackendState != ipn.Running.String() {
+			return fmt.Errorf("Tailscale is not running.")
+		} else if len(st.CertDomains) == 0 {
+			return fmt.Errorf("TLS certificate support is not enabled/configured for your tailnet.")
+		} else if len(st.CertDomains) == 1 {
+			if domain != "" && domain != st.CertDomains[0] {
+				log.Printf("Ignoring supplied domain %q, TLS certificate will be created for %q.\n", domain, st.CertDomains[0])
+			}
+			domain = st.CertDomains[0]
+		} else {
+			var found bool
+			for _, d := range st.CertDomains {
+				if d == domain {
+					found = true
+					break
+				}
+			}
+			if !found {
+				return fmt.Errorf("Domain %q was not one of the valid domain options: %q.", domain, st.CertDomains)
+			}
+		}
+	}
+
+	// Check for an existing certificate, and replace it if it already exists
+	var id string
+	certs, err := listCerts(ctx, synowebapiCommand{})
+	if err != nil {
+		return err
+	}
+	for _, c := range certs {
+		if c.Subject.CommonName == domain {
+			id = c.ID
+			break
+		}
+	}
+
+	certPEM, keyPEM, err := localClient.CertPair(ctx, domain)
+	if err != nil {
+		return err
+	}
+
+	// Certs have to be written to file for the upload command to work.
+	tmpDir, err := os.MkdirTemp("", "")
+	if err != nil {
+		return fmt.Errorf("can't create temp dir: %w", err)
+	}
+	defer os.RemoveAll(tmpDir)
+	keyFile := path.Join(tmpDir, "key.pem")
+	os.WriteFile(keyFile, keyPEM, 0600)
+	certFile := path.Join(tmpDir, "cert.pem")
+	os.WriteFile(certFile, certPEM, 0600)
+
+	if err := uploadCert(ctx, synowebapiCommand{}, certFile, keyFile, id); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+type subject struct {
+	CommonName string `json:"common_name"`
+}
+
+type certificateInfo struct {
+	ID      string  `json:"id"`
+	Desc    string  `json:"desc"`
+	Subject subject `json:"subject"`
+}
+
+// listCerts fetches a list of the certificates that DSM knows about
+func listCerts(ctx context.Context, c synoAPICaller) ([]certificateInfo, error) {
+	rawData, err := c.Call(ctx, "SYNO.Core.Certificate.CRT", "list", nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var payload struct {
+		Certificates []certificateInfo `json:"certificates"`
+	}
+	if err := json.Unmarshal(rawData, &payload); err != nil {
+		return nil, fmt.Errorf("decoding certificate list response payload: %w", err)
+	}
+
+	return payload.Certificates, nil
+}
+
+// uploadCert creates or replaces a certificate. If id is given, it will attempt to replace the certificate with that ID.
+func uploadCert(ctx context.Context, c synoAPICaller, certFile, keyFile string, id string) error {
+	params := map[string]string{
+		"key_tmp":  keyFile,
+		"cert_tmp": certFile,
+		"desc":     "Tailnet Certificate",
+	}
+	if id != "" {
+		params["id"] = id
+	}
+
+	rawData, err := c.Call(ctx, "SYNO.Core.Certificate", "import", params)
+	if err != nil {
+		return err
+	}
+
+	var payload struct {
+		NewID string `json:"id"`
+	}
+	if err := json.Unmarshal(rawData, &payload); err != nil {
+		return fmt.Errorf("decoding certificate upload response payload: %w", err)
+	}
+	log.Printf("Tailnet Certificate uploaded with ID %q.", payload.NewID)
+
+	return nil
+
+}
+
+type synoAPICaller interface {
+	Call(context.Context, string, string, map[string]string) (json.RawMessage, error)
+}
+
+type apiResponse struct {
+	Success bool            `json:"success"`
+	Error   *apiError       `json:"error,omitempty"`
+	Data    json.RawMessage `json:"data"`
+}
+
+type apiError struct {
+	Code   int64  `json:"code"`
+	Errors string `json:"errors"`
+}
+
+// synowebapiCommand implements synoAPICaller using the /usr/syno/bin/synowebapi binary. Must be run as root.
+type synowebapiCommand struct{}
+
+func (s synowebapiCommand) Call(ctx context.Context, api, method string, params map[string]string) (json.RawMessage, error) {
+	args := []string{"--exec", fmt.Sprintf("api=%s", api), fmt.Sprintf("method=%s", method)}
+
+	for k, v := range params {
+		args = append(args, fmt.Sprintf("%s=%q", k, v))
+	}
+
+	out, err := exec.CommandContext(ctx, "/usr/syno/bin/synowebapi", args...).Output()
+	if err != nil {
+		return nil, fmt.Errorf("calling %q method of %q API: %v, %s", method, api, err, out)
+	}
+
+	var payload apiResponse
+	if err := json.Unmarshal(out, &payload); err != nil {
+		return nil, fmt.Errorf("decoding response json from %q method of %q API: %w", method, api, err)
+	}
+
+	if payload.Error != nil {
+		return nil, fmt.Errorf("error response from %q method of %q API: %v", method, api, payload.Error)
+	}
+
+	return payload.Data, nil
+}
--- a/cmd/tailscale/cli/configure-synology-cert_test.go
+++ b/cmd/tailscale/cli/configure-synology-cert_test.go
@@ -0,0 +1,140 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package cli
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"testing"
+)
+
+type fakeAPICaller struct {
+	Data  json.RawMessage
+	Error error
+}
+
+func (c fakeAPICaller) Call(_ context.Context, _, _ string, _ map[string]string) (json.RawMessage, error) {
+	return c.Data, c.Error
+}
+
+func Test_listCerts(t *testing.T) {
+	tests := []struct {
+		name    string
+		caller  synoAPICaller
+		want    []certificateInfo
+		wantErr bool
+	}{
+		{
+			name: "normal response",
+			caller: fakeAPICaller{
+				Data: json.RawMessage(`{
+"certificates" : [
+	{
+		"desc" : "Tailnet Certificate",
+		"id" : "cG2XBt",
+		"is_broken" : false,
+		"is_default" : false,
+		"issuer" : {
+			"common_name" : "R3",
+			"country" : "US",
+			"organization" : "Let's Encrypt"
+		},
+		"key_types" : "ECC",
+		"renewable" : false,
+		"services" : [
+			{
+			"display_name" : "DSM Desktop Service",
+			"display_name_i18n" : "common:web_desktop",
+			"isPkg" : false,
+			"multiple_cert" : true,
+			"owner" : "root",
+			"service" : "default",
+			"subscriber" : "system",
+			"user_setable" : true
+			}
+		],
+		"signature_algorithm" : "sha256WithRSAEncryption",
+		"subject" : {
+			"common_name" : "foo.tailscale.ts.net",
+			"sub_alt_name" : [ "foo.tailscale.ts.net" ]
+		},
+		"user_deletable" : true,
+		"valid_from" : "Sep 26 11:39:43 2023 GMT",
+		"valid_till" : "Dec 25 11:39:42 2023 GMT"
+	},
+	{
+		"desc" : "",
+		"id" : "sgmnpb",
+		"is_broken" : false,
+		"is_default" : false,
+		"issuer" : {
+			"city" : "Taipei",
+			"common_name" : "Synology Inc. CA",
+			"country" : "TW",
+			"organization" : "Synology Inc."
+		},
+		"key_types" : "",
+		"renewable" : false,
+		"self_signed_cacrt_info" : {
+			"issuer" : {
+			"city" : "Taipei",
+			"common_name" : "Synology Inc. CA",
+			"country" : "TW",
+			"organization" : "Synology Inc."
+			},
+			"subject" : {
+			"city" : "Taipei",
+			"common_name" : "Synology Inc. CA",
+			"country" : "TW",
+			"organization" : "Synology Inc."
+			}
+		},
+		"services" : [],
+		"signature_algorithm" : "sha256WithRSAEncryption",
+		"subject" : {
+			"city" : "Taipei",
+			"common_name" : "synology.com",
+			"country" : "TW",
+			"organization" : "Synology Inc.",
+			"sub_alt_name" : []
+		},
+		"user_deletable" : true,
+		"valid_from" : "May 27 00:23:19 2019 GMT",
+		"valid_till" : "Feb 11 00:23:19 2039 GMT"
+	}
+]
+}`),
+				Error: nil,
+			},
+			want: []certificateInfo{
+				{Desc: "Tailnet Certificate", ID: "cG2XBt", Subject: subject{CommonName: "foo.tailscale.ts.net"}},
+				{Desc: "", ID: "sgmnpb", Subject: subject{CommonName: "synology.com"}},
+			},
+		},
+		{
+			name:    "call error",
+			caller:  fakeAPICaller{nil, fmt.Errorf("caller failed")},
+			wantErr: true,
+		},
+		{
+			name:    "payload decode error",
+			caller:  fakeAPICaller{json.RawMessage("This isn't JSON!"), nil},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := listCerts(context.Background(), tt.caller)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("listCerts() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("listCerts() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/cmd/tailscale/cli/configure-synology.go
+++ b/cmd/tailscale/cli/configure-synology.go
@@ -22,10 +22,11 @@ import (
 // used to configure Synology devices, but is now a compatibility alias to
 // "tailscale configure synology".
 var configureHostCmd = &ffcli.Command{
-	Name:      "configure-host",
-	Exec:      runConfigureSynology,
-	ShortHelp: synologyConfigureCmd.ShortHelp,
-	LongHelp:  synologyConfigureCmd.LongHelp,
+	Name:       "configure-host",
+	Exec:       runConfigureSynology,
+	ShortUsage: "tailscale configure-host",
+	ShortHelp:  synologyConfigureCmd.ShortHelp,
+	LongHelp:   synologyConfigureCmd.LongHelp,
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("configure-host")
 		return fs
@@ -33,9 +34,10 @@ var configureHostCmd = &ffcli.Command{
 }

 var synologyConfigureCmd = &ffcli.Command{
-	Name:      "synology",
-	Exec:      runConfigureSynology,
-	ShortHelp: "Configure Synology to enable outbound connections",
+	Name:       "synology",
+	Exec:       runConfigureSynology,
+	ShortUsage: "tailscale configure synology",
+	ShortHelp:  "Configure Synology to enable outbound connections",
 	LongHelp: strings.TrimSpace(`
 This command is intended to run at boot as root on a Synology device to
 create the /dev/net/tun device and give the tailscaled binary permission
--- a/cmd/tailscale/cli/configure.go
+++ b/cmd/tailscale/cli/configure.go
@@ -14,8 +14,9 @@ import (
 )

 var configureCmd = &ffcli.Command{
-	Name:      "configure",
-	ShortHelp: "[ALPHA] Configure the host to enable more Tailscale features",
+	Name:       "configure",
+	ShortUsage: "tailscale configure <subcommand>",
+	ShortHelp:  "[ALPHA] Configure the host to enable more Tailscale features",
 	LongHelp: strings.TrimSpace(`
 The 'configure' set of commands are intended to provide a way to enable different
 services on the host to use Tailscale in more ways.
@@ -33,6 +34,7 @@ services on the host to use Tailscale in more ways.
 func configureSubcommands() (out []*ffcli.Command) {
 	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 		out = append(out, synologyConfigureCmd)
+		out = append(out, synologyConfigureCertCmd)
 	}
 	return out
 }
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -45,9 +45,10 @@ import (
 )

 var debugCmd = &ffcli.Command{
-	Name:     "debug",
-	Exec:     runDebug,
-	LongHelp: `"tailscale debug" contains misc debug facilities; it is not a stable interface.`,
+	Name:       "debug",
+	Exec:       runDebug,
+	ShortUsage: "tailscale debug <debug-flags | subcommand>",
+	LongHelp:   `HIDDEN: "tailscale debug" contains misc debug facilities; it is not a stable interface.`,
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("debug")
 		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
@@ -58,15 +59,16 @@ var debugCmd = &ffcli.Command{
 	})(),
 	Subcommands: []*ffcli.Command{
 		{
-			Name:      "derp-map",
-			Exec:      runDERPMap,
-			ShortHelp: "print DERP map",
+			Name:       "derp-map",
+			ShortUsage: "tailscale debug derp-map",
+			Exec:       runDERPMap,
+			ShortHelp:  "Print DERP map",
 		},
 		{
 			Name:       "component-logs",
-			Exec:       runDebugComponentLogs,
-			ShortHelp:  "enable/disable debug logs for a component",
 			ShortUsage: "tailscale debug component-logs [" + strings.Join(ipn.DebuggableComponents, "|") + "]",
+			Exec:       runDebugComponentLogs,
+			ShortHelp:  "Enable/disable debug logs for a component",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("component-logs")
 				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
@@ -74,14 +76,16 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "daemon-goroutines",
-			Exec:      runDaemonGoroutines,
-			ShortHelp: "print tailscaled's goroutines",
+			Name:       "daemon-goroutines",
+			ShortUsage: "tailscale debug daemon-goroutines",
+			Exec:       runDaemonGoroutines,
+			ShortHelp:  "Print tailscaled's goroutines",
 		},
 		{
-			Name:      "daemon-logs",
-			Exec:      runDaemonLogs,
-			ShortHelp: "watch tailscaled's server logs",
+			Name:       "daemon-logs",
+			ShortUsage: "tailscale debug daemon-logs",
+			Exec:       runDaemonLogs,
+			ShortHelp:  "Watch tailscaled's server logs",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("daemon-logs")
 				fs.IntVar(&daemonLogsArgs.verbose, "verbose", 0, "verbosity level")
@@ -90,9 +94,10 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "metrics",
-			Exec:      runDaemonMetrics,
-			ShortHelp: "print tailscaled's metrics",
+			Name:       "metrics",
+			ShortUsage: "tailscale debug metrics",
+			Exec:       runDaemonMetrics,
+			ShortHelp:  "Print tailscaled's metrics",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("metrics")
 				fs.BoolVar(&metricsArgs.watch, "watch", false, "print JSON dump of delta values")
@@ -100,80 +105,95 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "env",
-			Exec:      runEnv,
-			ShortHelp: "print cmd/tailscale environment",
+			Name:       "env",
+			ShortUsage: "tailscale debug env",
+			Exec:       runEnv,
+			ShortHelp:  "Print cmd/tailscale environment",
 		},
 		{
-			Name:      "stat",
-			Exec:      runStat,
-			ShortHelp: "stat a file",
+			Name:       "stat",
+			ShortUsage: "tailscale debug stat <files...>",
+			Exec:       runStat,
+			ShortHelp:  "Stat a file",
 		},
 		{
-			Name:      "hostinfo",
-			Exec:      runHostinfo,
-			ShortHelp: "print hostinfo",
+			Name:       "hostinfo",
+			ShortUsage: "tailscale debug hostinfo",
+			Exec:       runHostinfo,
+			ShortHelp:  "Print hostinfo",
 		},
 		{
-			Name:      "local-creds",
-			Exec:      runLocalCreds,
-			ShortHelp: "print how to access Tailscale LocalAPI",
+			Name:       "local-creds",
+			ShortUsage: "tailscale debug local-creds",
+			Exec:       runLocalCreds,
+			ShortHelp:  "Print how to access Tailscale LocalAPI",
 		},
 		{
-			Name:      "restun",
-			Exec:      localAPIAction("restun"),
-			ShortHelp: "force a magicsock restun",
+			Name:       "restun",
+			ShortUsage: "tailscale debug restun",
+			Exec:       localAPIAction("restun"),
+			ShortHelp:  "Force a magicsock restun",
 		},
 		{
-			Name:      "rebind",
-			Exec:      localAPIAction("rebind"),
-			ShortHelp: "force a magicsock rebind",
+			Name:       "rebind",
+			ShortUsage: "tailscale debug rebind",
+			Exec:       localAPIAction("rebind"),
+			ShortHelp:  "Force a magicsock rebind",
 		},
 		{
-			Name:      "derp-set-homeless",
-			Exec:      localAPIAction("derp-set-homeless"),
-			ShortHelp: "enable DERP homeless mode (breaks reachablility)",
+			Name:       "derp-set-on-demand",
+			ShortUsage: "tailscale debug derp-set-on-demand",
+			Exec:       localAPIAction("derp-set-homeless"),
+			ShortHelp:  "Enable DERP on-demand mode (breaks reachability)",
 		},
 		{
-			Name:      "derp-unset-homeless",
-			Exec:      localAPIAction("derp-unset-homeless"),
-			ShortHelp: "disable DERP homeless mode",
+			Name:       "derp-unset-on-demand",
+			ShortUsage: "tailscale debug derp-unset-on-demand",
+			Exec:       localAPIAction("derp-unset-homeless"),
+			ShortHelp:  "Disable DERP on-demand mode",
 		},
 		{
-			Name:      "break-tcp-conns",
-			Exec:      localAPIAction("break-tcp-conns"),
-			ShortHelp: "break any open TCP connections from the daemon",
+			Name:       "break-tcp-conns",
+			ShortUsage: "tailscale debug break-tcp-conns",
+			Exec:       localAPIAction("break-tcp-conns"),
+			ShortHelp:  "Break any open TCP connections from the daemon",
 		},
 		{
-			Name:      "break-derp-conns",
-			Exec:      localAPIAction("break-derp-conns"),
-			ShortHelp: "break any open DERP connections from the daemon",
+			Name:       "break-derp-conns",
+			ShortUsage: "tailscale debug break-derp-conns",
+			Exec:       localAPIAction("break-derp-conns"),
+			ShortHelp:  "Break any open DERP connections from the daemon",
 		},
 		{
-			Name:      "pick-new-derp",
-			Exec:      localAPIAction("pick-new-derp"),
-			ShortHelp: "switch to some other random DERP home region for a short time",
+			Name:       "pick-new-derp",
+			ShortUsage: "tailscale debug pick-new-derp",
+			Exec:       localAPIAction("pick-new-derp"),
+			ShortHelp:  "Switch to some other random DERP home region for a short time",
 		},
 		{
-			Name:      "force-netmap-update",
-			Exec:      localAPIAction("force-netmap-update"),
-			ShortHelp: "force a full no-op netmap update (for load testing)",
+			Name:       "force-netmap-update",
+			ShortUsage: "tailscale debug force-netmap-update",
+			Exec:       localAPIAction("force-netmap-update"),
+			ShortHelp:  "Force a full no-op netmap update (for load testing)",
 		},
 		{
 			// TODO(bradfitz,maisem): eventually promote this out of debug
-			Name:      "reload-config",
-			Exec:      reloadConfig,
-			ShortHelp: "reload config",
+			Name:       "reload-config",
+			ShortUsage: "tailscale debug reload-config",
+			Exec:       reloadConfig,
+			ShortHelp:  "Reload config",
 		},
 		{
-			Name:      "control-knobs",
-			Exec:      debugControlKnobs,
-			ShortHelp: "see current control knobs",
+			Name:       "control-knobs",
+			ShortUsage: "tailscale debug control-knobs",
+			Exec:       debugControlKnobs,
+			ShortHelp:  "See current control knobs",
 		},
 		{
-			Name:      "prefs",
-			Exec:      runPrefs,
-			ShortHelp: "print prefs",
+			Name:       "prefs",
+			ShortUsage: "tailscale debug prefs",
+			Exec:       runPrefs,
+			ShortHelp:  "Print prefs",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("prefs")
 				fs.BoolVar(&prefsArgs.pretty, "pretty", false, "If true, pretty-print output")
@@ -181,9 +201,10 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "watch-ipn",
-			Exec:      runWatchIPN,
-			ShortHelp: "subscribe to IPN message bus",
+			Name:       "watch-ipn",
+			ShortUsage: "tailscale debug watch-ipn",
+			Exec:       runWatchIPN,
+			ShortHelp:  "Subscribe to IPN message bus",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("watch-ipn")
 				fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
@@ -194,9 +215,10 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "netmap",
-			Exec:      runNetmap,
-			ShortHelp: "print the current network map",
+			Name:       "netmap",
+			ShortUsage: "tailscale debug netmap",
+			Exec:       runNetmap,
+			ShortHelp:  "Print the current network map",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("netmap")
 				fs.BoolVar(&netmapArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
@@ -204,14 +226,17 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "via",
+			Name: "via",
+			ShortUsage: "tailscale via <site-id> <v4-cidr>\n" +
+				"tailscale via <v6-route>",
 			Exec:      runVia,
-			ShortHelp: "convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
+			ShortHelp: "Convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
 		},
 		{
-			Name:      "ts2021",
-			Exec:      runTS2021,
-			ShortHelp: "debug ts2021 protocol connectivity",
+			Name:       "ts2021",
+			ShortUsage: "tailscale debug ts2021",
+			Exec:       runTS2021,
+			ShortHelp:  "Debug ts2021 protocol connectivity",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("ts2021")
 				fs.StringVar(&ts2021Args.host, "host", "controlplane.tailscale.com", "hostname of control plane")
@@ -221,9 +246,10 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "set-expire",
-			Exec:      runSetExpire,
-			ShortHelp: "manipulate node key expiry for testing",
+			Name:       "set-expire",
+			ShortUsage: "tailscale debug set-expire --in=1m",
+			Exec:       runSetExpire,
+			ShortHelp:  "Manipulate node key expiry for testing",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("set-expire")
 				fs.DurationVar(&setExpireArgs.in, "in", 0, "if non-zero, set node key to expire this duration from now")
@@ -231,9 +257,10 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "dev-store-set",
-			Exec:      runDevStoreSet,
-			ShortHelp: "set a key/value pair during development",
+			Name:       "dev-store-set",
+			ShortUsage: "tailscale debug dev-store-set",
+			Exec:       runDevStoreSet,
+			ShortHelp:  "Set a key/value pair during development",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("store-set")
 				fs.BoolVar(&devStoreSetArgs.danger, "danger", false, "accept danger")
@@ -241,14 +268,16 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "derp",
-			Exec:      runDebugDERP,
-			ShortHelp: "test a DERP configuration",
+			Name:       "derp",
+			ShortUsage: "tailscale debug derp",
+			Exec:       runDebugDERP,
+			ShortHelp:  "Test a DERP configuration",
 		},
 		{
-			Name:      "capture",
-			Exec:      runCapture,
-			ShortHelp: "streams pcaps for debugging",
+			Name:       "capture",
+			ShortUsage: "tailscale debug capture",
+			Exec:       runCapture,
+			ShortHelp:  "Streams pcaps for debugging",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("capture")
 				fs.StringVar(&captureArgs.outFile, "o", "", "path to stream the pcap (or - for stdout), leave empty to start wireshark")
@@ -256,9 +285,10 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "portmap",
-			Exec:      debugPortmap,
-			ShortHelp: "run portmap debugging",
+			Name:       "portmap",
+			ShortUsage: "tailscale debug portmap",
+			Exec:       debugPortmap,
+			ShortHelp:  "Run portmap debugging",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("portmap")
 				fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
@@ -270,14 +300,16 @@ var debugCmd = &ffcli.Command{
 			})(),
 		},
 		{
-			Name:      "peer-endpoint-changes",
-			Exec:      runPeerEndpointChanges,
-			ShortHelp: "prints debug information about a peer's endpoint changes",
+			Name:       "peer-endpoint-changes",
+			ShortUsage: "tailscale debug peer-endpoint-changes <hostname-or-IP>",
+			Exec:       runPeerEndpointChanges,
+			ShortHelp:  "Prints debug information about a peer's endpoint changes",
 		},
 		{
-			Name:      "dial-types",
-			Exec:      runDebugDialTypes,
-			ShortHelp: "prints debug information about connecting to a given host or IP",
+			Name:       "dial-types",
+			ShortUsage: "tailscale debug dial-types <hostname-or-IP> <port>",
+			Exec:       runDebugDialTypes,
+			ShortHelp:  "Prints debug information about connecting to a given host or IP",
 			FlagSet: (func() *flag.FlagSet {
 				fs := newFlagSet("dial-types")
 				fs.StringVar(&debugDialTypesArgs.network, "network", "tcp", `network type to dial ("tcp", "udp", etc.)`)
@@ -453,7 +485,7 @@ func runWatchIPN(ctx context.Context, args []string) error {
 		return err
 	}
 	defer watcher.Close()
-	fmt.Fprintf(os.Stderr, "Connected.\n")
+	fmt.Fprintf(Stderr, "Connected.\n")
 	for seen := 0; watchIPNArgs.count == 0 || seen < watchIPNArgs.count; seen++ {
 		n, err := watcher.Next()
 		if err != nil {
@@ -563,7 +595,7 @@ func runStat(ctx context.Context, args []string) error {
 func runHostinfo(ctx context.Context, args []string) error {
 	hi := hostinfo.New()
 	j, _ := json.MarshalIndent(hi, "", "  ")
-	os.Stdout.Write(j)
+	Stdout.Write(j)
 	return nil
 }

@@ -716,7 +748,7 @@ var ts2021Args struct {
 }

 func runTS2021(ctx context.Context, args []string) error {
-	log.SetOutput(os.Stdout)
+	log.SetOutput(Stdout)
 	log.SetFlags(log.Ltime | log.Lmicroseconds)

 	keysURL := "https://" + ts2021Args.host + "/key?v=" + strconv.Itoa(ts2021Args.version)
@@ -867,7 +899,7 @@ var setExpireArgs struct {

 func runSetExpire(ctx context.Context, args []string) error {
 	if len(args) != 0 || setExpireArgs.in == 0 {
-		return errors.New("usage --in=<duration>")
+		return errors.New("usage: tailscale debug set-expire --in=<duration>")
 	}
 	return localClient.DebugSetExpireIn(ctx, setExpireArgs.in)
 }
@@ -885,7 +917,7 @@ func runCapture(ctx context.Context, args []string) error {

 	switch captureArgs.outFile {
 	case "-":
-		fmt.Fprintln(os.Stderr, "Press Ctrl-C to stop the capture.")
+		fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
 		_, err = io.Copy(os.Stdout, stream)
 		return err
 	case "":
@@ -911,7 +943,7 @@ func runCapture(ctx context.Context, args []string) error {
 		return err
 	}
 	defer f.Close()
-	fmt.Fprintln(os.Stderr, "Press Ctrl-C to stop the capture.")
+	fmt.Fprintln(Stderr, "Press Ctrl-C to stop the capture.")
 	_, err = io.Copy(f, stream)
 	return err
 }
@@ -966,7 +998,7 @@ func runPeerEndpointChanges(ctx context.Context, args []string) error {
 	}

 	if len(args) != 1 || args[0] == "" {
-		return errors.New("usage: peer-status <hostname-or-IP>")
+		return errors.New("usage: tailscale debug peer-endpoint-changes <hostname-or-IP>")
 	}
 	var ip string

@@ -1042,7 +1074,7 @@ func runDebugDialTypes(ctx context.Context, args []string) error {
 	}

 	if len(args) != 2 || args[0] == "" || args[1] == "" {
-		return errors.New("usage: dial-types <hostname-or-IP> <port>")
+		return errors.New("usage: tailscale debug dial-types <hostname-or-IP> <port>")
 	}

 	port, err := strconv.ParseUint(args[1], 10, 16)
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -14,7 +14,7 @@ import (

 var downCmd = &ffcli.Command{
 	Name:       "down",
-	ShortUsage: "down",
+	ShortUsage: "tailscale down",
 	ShortHelp:  "Disconnect from Tailscale",

 	Exec:    runDown,
--- a/cmd/tailscale/cli/drive.go
+++ b/cmd/tailscale/cli/drive.go
@@ -0,0 +1,248 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/drive"
+)
+
+const (
+	driveShareUsage   = "tailscale drive share <name> <path>"
+	driveRenameUsage  = "tailscale drive rename <oldname> <newname>"
+	driveUnshareUsage = "tailscale drive unshare <name>"
+	driveListUsage    = "tailscale drive list"
+)
+
+var driveCmd = &ffcli.Command{
+	Name:      "drive",
+	ShortHelp: "Share a directory with your tailnet",
+	ShortUsage: strings.Join([]string{
+		driveShareUsage,
+		driveRenameUsage,
+		driveUnshareUsage,
+		driveListUsage,
+	}, "\n  "),
+	LongHelp:  buildShareLongHelp(),
+	UsageFunc: usageFuncNoDefaultValues,
+	Subcommands: []*ffcli.Command{
+		{
+			Name:       "share",
+			ShortUsage: driveShareUsage,
+			Exec:       runDriveShare,
+			ShortHelp:  "[ALPHA] create or modify a share",
+			UsageFunc:  usageFunc,
+		},
+		{
+			Name:       "rename",
+			ShortUsage: driveRenameUsage,
+			ShortHelp:  "[ALPHA] rename a share",
+			Exec:       runDriveRename,
+			UsageFunc:  usageFunc,
+		},
+		{
+			Name:       "unshare",
+			ShortUsage: driveUnshareUsage,
+			ShortHelp:  "[ALPHA] remove a share",
+			Exec:       runDriveUnshare,
+			UsageFunc:  usageFunc,
+		},
+		{
+			Name:       "list",
+			ShortUsage: driveListUsage,
+			ShortHelp:  "[ALPHA] list current shares",
+			Exec:       runDriveList,
+			UsageFunc:  usageFunc,
+		},
+	},
+	Exec: func(context.Context, []string) error {
+		return errors.New("drive subcommand required; run 'tailscale drive -h' for details")
+	},
+}
+
+// runDriveShare is the entry point for the "tailscale drive share" command.
+func runDriveShare(ctx context.Context, args []string) error {
+	if len(args) != 2 {
+		return fmt.Errorf("usage: tailscale %v", driveShareUsage)
+	}
+
+	name, path := args[0], args[1]
+
+	err := localClient.DriveShareSet(ctx, &drive.Share{
+		Name: name,
+		Path: path,
+	})
+	if err == nil {
+		fmt.Printf("Sharing %q as %q\n", path, name)
+	}
+	return err
+}
+
+// runDriveUnshare is the entry point for the "tailscale drive unshare" command.
+func runDriveUnshare(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return fmt.Errorf("usage: tailscale %v", driveUnshareUsage)
+	}
+	name := args[0]
+
+	err := localClient.DriveShareRemove(ctx, name)
+	if err == nil {
+		fmt.Printf("No longer sharing %q\n", name)
+	}
+	return err
+}
+
+// runDriveRename is the entry point for the "tailscale drive rename" command.
+func runDriveRename(ctx context.Context, args []string) error {
+	if len(args) != 2 {
+		return fmt.Errorf("usage: tailscale %v", driveRenameUsage)
+	}
+	oldName := args[0]
+	newName := args[1]
+
+	err := localClient.DriveShareRename(ctx, oldName, newName)
+	if err == nil {
+		fmt.Printf("Renamed share %q to %q\n", oldName, newName)
+	}
+	return err
+}
+
+// runDriveList is the entry point for the "tailscale drive list" command.
+func runDriveList(ctx context.Context, args []string) error {
+	if len(args) != 0 {
+		return fmt.Errorf("usage: tailscale %v", driveListUsage)
+	}
+
+	shares, err := localClient.DriveShareList(ctx)
+	if err != nil {
+		return err
+	}
+
+	longestName := 4 // "name"
+	longestPath := 4 // "path"
+	longestAs := 2   // "as"
+	for _, share := range shares {
+		if len(share.Name) > longestName {
+			longestName = len(share.Name)
+		}
+		if len(share.Path) > longestPath {
+			longestPath = len(share.Path)
+		}
+		if len(share.As) > longestAs {
+			longestAs = len(share.As)
+		}
+	}
+	formatString := fmt.Sprintf("%%-%ds    %%-%ds    %%s\n", longestName, longestPath)
+	fmt.Printf(formatString, "name", "path", "as")
+	fmt.Printf(formatString, strings.Repeat("-", longestName), strings.Repeat("-", longestPath), strings.Repeat("-", longestAs))
+	for _, share := range shares {
+		fmt.Printf(formatString, share.Name, share.Path, share.As)
+	}
+
+	return nil
+}
+
+func buildShareLongHelp() string {
+	longHelpAs := ""
+	if drive.AllowShareAs() {
+		longHelpAs = shareLongHelpAs
+	}
+	return fmt.Sprintf(shareLongHelpBase, longHelpAs)
+}
+
+var shareLongHelpBase = `Taildrive allows you to share directories with other machines on your tailnet.
+
+In order to share folders, your node needs to have the node attribute "drive:share".
+
+In order to access shares, your node needs to have the node attribute "drive:access".
+
+For example, to enable sharing and accessing shares for all member nodes:
+
+  "nodeAttrs": [
+    {
+      "target": ["autogroup:member"],
+      "attr": [
+        "drive:share",
+        "drive:access",
+      ],
+    }]
+
+Each share is identified by a name and points to a directory at a specific path. For example, to share the path /Users/me/Documents under the name "docs", you would run:
+
+  $ tailscale drive share docs /Users/me/Documents
+
+Note that the system forces share names to lowercase to avoid problems with clients that don't support case-sensitive filenames.
+
+Share names may only contain the letters a-z, underscore _, parentheses (), or spaces. Leading and trailing spaces are omitted.
+
+All Tailscale shares have a globally unique path consisting of the tailnet, the machine name and the share name. For example, if the above share was created on the machine "mylaptop" on the tailnet "mydomain.com", the share's path would be:
+
+  /mydomain.com/mylaptop/docs
+
+In order to access this share, other machines on the tailnet can connect to the above path on a WebDAV server running at 100.100.100.100:8080, for example:
+
+  http://100.100.100.100:8080/mydomain.com/mylaptop/docs
+
+Permissions to access shares are controlled via ACLs. For example, to give yourself read/write access and give the group "home" read-only access to the above share, use the below ACL grants:
+
+  "grants": [
+    {
+      "src": ["mylogin@domain.com"],
+      "dst": ["mylaptop's ip address"],
+      "app": {
+        "tailscale.com/cap/drive": [{
+          "shares": ["docs"],
+          "access": "rw"
+        }]
+      }
+    },
+    {
+      "src": ["group:home"],
+      "dst": ["mylaptop"],
+      "app": {
+        "tailscale.com/cap/drive": [{
+          "shares": ["docs"],
+          "access": "ro"
+        }]
+      }
+    }]
+
+To categorically give yourself access to all your shares, you can use the below ACL grant:
+
+  "grants": [
+    {
+      "src": ["autogroup:member"],
+      "dst": ["autogroup:self"],
+      "app": {
+        "tailscale.com/cap/drive": [{
+          "shares": ["*"],
+          "access": "rw"
+        }]
+      }
+    }]
+
+Whenever either you or anyone in the group "home" connects to the share, they connect as if they are using your local machine user. They'll be able to read the same files as your user and if they create files, those files will be owned by your user.%s
+
+You can rename shares, for example you could rename the above share by running:
+
+  $ tailscale drive rename docs newdocs
+
+You can remove shares by name, for example you could remove the above share by running:
+
+  $ tailscale drive unshare newdocs
+
+You can get a list of currently published shares by running:
+
+  $ tailscale drive list`
+
+const shareLongHelpAs = `
+
+If you want a share to be accessed as a different user, you can use sudo to accomplish this. For example, to create the aforementioned share as "theuser", you could run:
+
+  $ sudo -u theuser tailscale drive share docs /Users/theuser/Documents`
--- a/cmd/tailscale/cli/exitnode.go
+++ b/cmd/tailscale/cli/exitnode.go
@@ -9,42 +9,83 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"os"
 	"slices"
 	"strings"
 	"text/tabwriter"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	xmaps "golang.org/x/exp/maps"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 )

-var exitNodeCmd = &ffcli.Command{
-	Name:       "exit-node",
-	ShortUsage: "exit-node [flags]",
-	Subcommands: []*ffcli.Command{
-		{
-			Name:       "list",
-			ShortUsage: "exit-node list [flags]",
-			ShortHelp:  "Show exit nodes",
-			Exec:       runExitNodeList,
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("list")
-				fs.StringVar(&exitNodeArgs.filter, "filter", "", "filter exit nodes by country")
-				return fs
-			})(),
+func exitNodeCmd() *ffcli.Command {
+	return &ffcli.Command{
+		Name:       "exit-node",
+		ShortUsage: "tailscale exit-node [flags]",
+		ShortHelp:  "Show machines on your tailnet configured as exit nodes",
+		LongHelp:   "Show machines on your tailnet configured as exit nodes",
+		Exec: func(context.Context, []string) error {
+			return errors.New("exit-node subcommand required; run 'tailscale exit-node -h' for details")
 		},
-	},
-	Exec: func(context.Context, []string) error {
-		return errors.New("exit-node subcommand required; run 'tailscale exit-node -h' for details")
-	},
+		Subcommands: append([]*ffcli.Command{
+			{
+				Name:       "list",
+				ShortUsage: "tailscale exit-node list [flags]",
+				ShortHelp:  "Show exit nodes",
+				Exec:       runExitNodeList,
+				FlagSet: (func() *flag.FlagSet {
+					fs := newFlagSet("list")
+					fs.StringVar(&exitNodeArgs.filter, "filter", "", "filter exit nodes by country")
+					return fs
+				})(),
+			}},
+			(func() []*ffcli.Command {
+				if !envknob.UseWIPCode() {
+					return nil
+				}
+				return []*ffcli.Command{
+					{
+						Name:       "connect",
+						ShortUsage: "tailscale exit-node connect",
+						ShortHelp:  "connect to most recently used exit node",
+						Exec:       exitNodeSetUse(true),
+					},
+					{
+						Name:       "disconnect",
+						ShortUsage: "tailscale exit-node disconnect",
+						ShortHelp:  "disconnect from current exit node, if any",
+						Exec:       exitNodeSetUse(false),
+					},
+				}
+			})()...),
+	}
 }

 var exitNodeArgs struct {
 	filter string
 }

+func exitNodeSetUse(wantOn bool) func(ctx context.Context, args []string) error {
+	return func(ctx context.Context, args []string) error {
+		if len(args) > 0 {
+			return errors.New("unexpected non-flag arguments")
+		}
+		err := localClient.SetUseExitNode(ctx, wantOn)
+		if err != nil {
+			if !wantOn {
+				pref, err := localClient.GetPrefs(ctx)
+				if err == nil && pref.ExitNodeID == "" {
+					// Two processes concurrently turned it off.
+					return nil
+				}
+			}
+		}
+		return err
+	}
+}
+
 // runExitNodeList returns a formatted list of exit nodes for a tailnet.
 // If the exit node has location and priority data, only the highest
 // priority node for each city location is shown to the user.
@@ -68,7 +109,6 @@ func runExitNodeList(ctx context.Context, args []string) error {
 			// We only show exit nodes under the exit-node subcommand.
 			continue
 		}
-
 		peers = append(peers, ps)
 	}

@@ -82,13 +122,12 @@ func runExitNodeList(ctx context.Context, args []string) error {
 		return fmt.Errorf("no exit nodes found for %q", exitNodeArgs.filter)
 	}

-	w := tabwriter.NewWriter(os.Stdout, 10, 5, 5, ' ', 0)
+	w := tabwriter.NewWriter(Stdout, 10, 5, 5, ' ', 0)
 	defer w.Flush()
 	fmt.Fprintf(w, "\n %s\t%s\t%s\t%s\t%s\t", "IP", "HOSTNAME", "COUNTRY", "CITY", "STATUS")
 	for _, country := range filteredPeers.Countries {
 		for _, city := range country.Cities {
 			for _, peer := range city.Peers {
-
 				fmt.Fprintf(w, "\n %s\t%s\t%s\t%s\t%s\t", peer.TailscaleIPs[0], strings.Trim(peer.DNSName, "."), country.Name, city.Name, peerStatus(peer))
 			}
 		}
@@ -135,46 +174,51 @@ type filteredCity struct {

 const noLocationData = "-"

+var noLocation = &tailcfg.Location{
+	Country:     noLocationData,
+	CountryCode: noLocationData,
+	City:        noLocationData,
+	CityCode:    noLocationData,
+}
+
 // filterFormatAndSortExitNodes filters and sorts exit nodes into
 // alphabetical order, by country, city and then by priority if
 // present.
 // If an exit node has location data, and the country has more than
-// once city, an `Any` city is added to the country that contains the
+// one city, an `Any` city is added to the country that contains the
 // highest priority exit node within that country.
 // For exit nodes without location data, their country fields are
 // defined as '-' to indicate that the data is not available.
 func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string) filteredExitNodes {
+	// first get peers into some fixed order, as code below doesn't break ties
+	// and our input comes from a random range-over-map.
+	slices.SortFunc(peers, func(a, b *ipnstate.PeerStatus) int {
+		return strings.Compare(a.DNSName, b.DNSName)
+	})
+
 	countries := make(map[string]*filteredCountry)
 	cities := make(map[string]*filteredCity)
 	for _, ps := range peers {
-		if ps.Location == nil {
-			ps.Location = &tailcfg.Location{
-				Country:     noLocationData,
-				CountryCode: noLocationData,
-				City:        noLocationData,
-				CityCode:    noLocationData,
-			}
-		}
+		loc := cmp.Or(ps.Location, noLocation)

-		if filterBy != "" && ps.Location.Country != filterBy {
+		if filterBy != "" && loc.Country != filterBy {
 			continue
 		}

-		co, coOK := countries[ps.Location.CountryCode]
-		if !coOK {
+		co, ok := countries[loc.CountryCode]
+		if !ok {
 			co = &filteredCountry{
-				Name: ps.Location.Country,
+				Name: loc.Country,
 			}
-			countries[ps.Location.CountryCode] = co
-
+			countries[loc.CountryCode] = co
 		}

-		ci, ciOK := cities[ps.Location.CityCode]
-		if !ciOK {
+		ci, ok := cities[loc.CityCode]
+		if !ok {
 			ci = &filteredCity{
-				Name: ps.Location.City,
+				Name: loc.City,
 			}
-			cities[ps.Location.CityCode] = ci
+			cities[loc.CityCode] = ci
 			co.Cities = append(co.Cities, ci)
 		}
 		ci.Peers = append(ci.Peers, ps)
@@ -191,10 +235,10 @@ func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string)
 			continue
 		}

-		var countryANYPeer []*ipnstate.PeerStatus
+		var countryAnyPeer []*ipnstate.PeerStatus
 		for _, city := range country.Cities {
 			sortPeersByPriority(city.Peers)
-			countryANYPeer = append(countryANYPeer, city.Peers...)
+			countryAnyPeer = append(countryAnyPeer, city.Peers...)
 			var reducedCityPeers []*ipnstate.PeerStatus
 			for i, peer := range city.Peers {
 				if i == 0 || peer.ExitNode {
@@ -206,7 +250,7 @@ func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string)
 			city.Peers = reducedCityPeers
 		}
 		sortByCityName(country.Cities)
-		sortPeersByPriority(countryANYPeer)
+		sortPeersByPriority(countryAnyPeer)

 		if len(country.Cities) > 1 {
 			// For countries with more than one city, we want to return the
@@ -214,7 +258,7 @@ func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string)
 			country.Cities = append([]*filteredCity{
 				{
 					Name:  "Any",
-					Peers: []*ipnstate.PeerStatus{countryANYPeer[0]},
+					Peers: []*ipnstate.PeerStatus{countryAnyPeer[0]},
 				},
 			}, country.Cities...)
 		}
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -38,7 +38,7 @@ import (

 var fileCmd = &ffcli.Command{
 	Name:       "file",
-	ShortUsage: "file <cp|get> ...",
+	ShortUsage: "tailscale file <cp|get> ...",
 	ShortHelp:  "Send or receive files",
 	Subcommands: []*ffcli.Command{
 		fileCpCmd,
@@ -65,7 +65,7 @@ func (c *countingReader) Read(buf []byte) (int, error) {

 var fileCpCmd = &ffcli.Command{
 	Name:       "cp",
-	ShortUsage: "file cp <files...> <target>:",
+	ShortUsage: "tailscale file cp <files...> <target>:",
 	ShortHelp:  "Copy file(s) to a host",
 	Exec:       runCp,
 	FlagSet: (func() *flag.FlagSet {
@@ -412,7 +412,7 @@ func (v *onConflict) Set(s string) error {

 var fileGetCmd = &ffcli.Command{
 	Name:       "get",
-	ShortUsage: "file get [--wait] [--verbose] [--conflict=(skip|overwrite|rename)] <target-directory>",
+	ShortUsage: "tailscale file get [--wait] [--verbose] [--conflict=(skip|overwrite|rename)] <target-directory>",
 	ShortHelp:  "Move files out of the Tailscale file inbox",
 	Exec:       runFileGet,
 	FlagSet: (func() *flag.FlagSet {
@@ -420,7 +420,7 @@ var fileGetCmd = &ffcli.Command{
 		fs.BoolVar(&getArgs.wait, "wait", false, "wait for a file to arrive if inbox is empty")
 		fs.BoolVar(&getArgs.loop, "loop", false, "run get in a loop, receiving files as they come in")
 		fs.BoolVar(&getArgs.verbose, "verbose", false, "verbose output")
-		fs.Var(&getArgs.conflict, "conflict", `behavior when a conflicting (same-named) file already exists in the target directory.
+		fs.Var(&getArgs.conflict, "conflict", "`behavior`"+` when a conflicting (same-named) file already exists in the target directory.
 	skip:       skip conflicting files: leave them in the taildrop inbox and print an error. get any non-conflicting files
 	overwrite:  overwrite existing file
 	rename:     write to a new number-suffixed filename`)
--- a/cmd/tailscale/cli/funnel.go
+++ b/cmd/tailscale/cli/funnel.go
@@ -8,14 +8,12 @@ import (
 	"flag"
 	"fmt"
 	"net"
-	"os"
 	"strconv"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/mak"
 )

 var funnelCmd = func() *ffcli.Command {
@@ -38,9 +36,9 @@ func newFunnelCommand(e *serveEnv) *ffcli.Command {
 		Name:      "funnel",
 		ShortHelp: "Turn on/off Funnel service",
 		ShortUsage: strings.Join([]string{
-			"funnel <serve-port> {on|off}",
-			"funnel status [--json]",
-		}, "\n  "),
+			"tailscale funnel <serve-port> {on|off}",
+			"tailscale funnel status [--json]",
+		}, "\n"),
 		LongHelp: strings.Join([]string{
 			"Funnel allows you to publish a 'tailscale serve'",
 			"server publicly, open to the entire internet.",
@@ -48,17 +46,16 @@ func newFunnelCommand(e *serveEnv) *ffcli.Command {
 			"Turning off Funnel only turns off serving to the internet.",
 			"It does not affect serving to your tailnet.",
 		}, "\n"),
-		Exec:      e.runFunnel,
-		UsageFunc: usageFunc,
+		Exec: e.runFunnel,
 		Subcommands: []*ffcli.Command{
 			{
-				Name:      "status",
-				Exec:      e.runServeStatus,
-				ShortHelp: "show current serve/funnel status",
+				Name:       "status",
+				Exec:       e.runServeStatus,
+				ShortUsage: "tailscale funnel status [--json]",
+				ShortHelp:  "Show current serve/funnel status",
 				FlagSet: e.newFlags("funnel-status", func(fs *flag.FlagSet) {
 					fs.BoolVar(&e.json, "json", false, "output JSON")
 				}),
-				UsageFunc: usageFunc,
 			},
 		},
 	}
@@ -114,15 +111,8 @@ func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
 		// Nothing to do.
 		return nil
 	}
-	if on {
-		mak.Set(&sc.AllowFunnel, hp, true)
-	} else {
-		delete(sc.AllowFunnel, hp)
-		// clear map mostly for testing
-		if len(sc.AllowFunnel) == 0 {
-			sc.AllowFunnel = nil
-		}
-	}
+	sc.SetFunnel(dnsName, port, on)
+
 	if err := e.lc.SetServeConfig(ctx, sc); err != nil {
 		return err
 	}
@@ -177,10 +167,10 @@ func printFunnelWarning(sc *ipn.ServeConfig) {
 		p, _ := strconv.ParseUint(portStr, 10, 16)
 		if _, ok := sc.TCP[uint16(p)]; !ok {
 			warn = true
-			fmt.Fprintf(os.Stderr, "\nWarning: funnel=on for %s, but no serve config\n", hp)
+			fmt.Fprintf(Stderr, "\nWarning: funnel=on for %s, but no serve config\n", hp)
 		}
 	}
 	if warn {
-		fmt.Fprintf(os.Stderr, "         run: `tailscale serve --help` to see how to configure handlers\n")
+		fmt.Fprintf(Stderr, "         run: `tailscale serve --help` to see how to configure handlers\n")
 	}
 }
--- a/cmd/tailscale/cli/id-token.go
+++ b/cmd/tailscale/cli/id-token.go
@@ -12,8 +12,8 @@ import (

 var idTokenCmd = &ffcli.Command{
 	Name:       "id-token",
-	ShortUsage: "id-token <aud>",
-	ShortHelp:  "fetch an OIDC id-token for the Tailscale machine",
+	ShortUsage: "tailscale id-token <aud>",
+	ShortHelp:  "Fetch an OIDC id-token for the Tailscale machine",
 	Exec:       runIDToken,
 }

--- a/cmd/tailscale/cli/ip.go
+++ b/cmd/tailscale/cli/ip.go
@@ -16,7 +16,7 @@ import (

 var ipCmd = &ffcli.Command{
 	Name:       "ip",
-	ShortUsage: "ip [-1] [-4] [-6] [peer hostname or ip address]",
+	ShortUsage: "tailscale ip [-1] [-4] [-6] [peer hostname or ip address]",
 	ShortHelp:  "Show Tailscale IP addresses",
 	LongHelp:   "Show Tailscale IP addresses for peer. Peer defaults to the current machine.",
 	Exec:       runIP,
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .57.0
 .64.2