diff --git a/src/tailscale/tailscaled-devcontainer-start.sh b/src/tailscale/tailscaled-devcontainer-start.sh index 8ed0fb6..3da1d94 100755 --- a/src/tailscale/tailscaled-devcontainer-start.sh +++ b/src/tailscale/tailscaled-devcontainer-start.sh @@ -3,8 +3,21 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. +# if an operator argument has been provided, set the operator to +# the specified value; if the value is the special value "$USER" +# then set the operator to the default user for the devcontainer. +# +# This is done before the sudo switchover so we have the actual +# user persisted. +if [[ -n "$OPERATOR" ]]; then + if [[ "$OPERATOR" == "\$USER" ]]; then + OPERATOR=$(id -un) + fi + export OPERATOR +fi + if [[ $(id -u) -ne 0 ]]; then - if ! command -v sudo > /dev/null; then + if ! command -v sudo >/dev/null; then >&2 echo "tailscaled could not start as root." exit 1 fi @@ -31,7 +44,6 @@ EOF fi fi - TAILSCALED_PID="" TAILSCALED_SOCK=/var/run/tailscale/tailscaled.sock TAILSCALED_LOG=/var/log/tailscaled.log @@ -72,6 +84,12 @@ if [[ -n "$auth_key" ]]; then if [[ -n "${CODESPACE_NAME}" ]]; then hostnamearg="--hostname=${CODESPACE_NAME}" fi - /usr/local/bin/tailscale up --accept-routes --authkey="$auth_key" $hostnamearg + + operatorarg="" + if [[ -n "${OPERATOR}" ]]; then + operatorarg="--operator=${OPERATOR}" + fi + + /usr/local/bin/tailscale up --accept-routes --authkey="$auth_key" $hostnamearg $operatorarg fi fi diff --git a/test/tailscale/scenarios.json b/test/tailscale/scenarios.json index f7a1683..5707ee2 100644 --- a/test/tailscale/scenarios.json +++ b/test/tailscale/scenarios.json @@ -27,5 +27,16 @@ "features": { "tailscale": {} } + }, + "tailscale_operator": { + "image": "ubuntu:latest", + "containerEnv": { + "TS_AUTH_KEY": "test-auth-key" + }, + "features": { + "tailscale": { + "operator": "$USER" + } + } } -} \ No newline at end of file +} 
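Review bot: `OPERATOR` is read from the ambient environment and exported without any check that it names an existing account, yet it later becomes `--operator=` on `tailscale up`, which lets that user control tailscaled without sudo. `OPERATOR` is also a generic variable name, so a value set for an unrelated reason in the container environment would silently grant that access. After the `$USER` substitution I would add `id -u "$OPERATOR" >/dev/null 2>&1 || { >&2 echo "unknown operator user: $OPERATOR"; exit 1; }`. Whether the exported value survives the sudo re-exec depends on the sudo invocation, which is outside this hunk; with sudo's default environment reset it would be dropped unless explicitly preserved.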
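Review bot: `$operatorarg` is expanded unquoted on the `tailscale up` line, so an `OPERATOR` value containing whitespace or glob characters is split into extra arguments to a command that runs as root. The existing `$hostnamearg` has the same problem. Both can stay optional and still be passed as single words with `/usr/local/bin/tailscale up --accept-routes --authkey="$auth_key" ${hostnamearg:+"$hostnamearg"} ${operatorarg:+"$operatorarg"}`. The enclosing `if [[ -n "$auth_key" ]]` block starts outside this hunk, so I have not checked how `hostnamearg` is initialised.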
diff --git a/test/tailscale/tailscale_operator.sh b/test/tailscale/tailscale_operator.sh new file mode 100644 index 0000000..33a8185 --- /dev/null +++ b/test/tailscale/tailscale_operator.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash +# Copyright (c) 2025 Tailscale Inc & AUTHORS All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +set -e + +source dev-container-features-test-lib + +# Wait for the auth key to be seen by the start script. +count=100 +while ((count--)); do + [[ -f /tmp/test-auth-key-seen ]] && break + sleep 0.1 +done + +check "tailscale operator is set" bash -c 'tailscale debug prefs | grep -q OperatorUser' + +reportResults diff --git a/test/tailscale/test.sh b/test/tailscale/test.sh index bb3d8a7..5bc0733 100644 --- a/test/tailscale/test.sh +++ b/test/tailscale/test.sh @@ -13,4 +13,6 @@ if [[ -n "$VERSION" ]]; then check "version is correct" bash -c "tailscale version --daemon | grep -q $VERSION" fi -reportResults \ No newline at end of file +check "tailscale operator is not set" bash -c '! ( tailscale debug prefs | grep -q OperatorUser )' + +reportResults
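Review bot: The check in tailscale_operator.sh only greps for the key name `OperatorUser`, so it would still pass if the literal string `$USER` or the wrong account were stored as the operator. Since the `$USER` substitution is the behaviour this scenario exists to cover, the assertion should compare the value with the expected account, for example `grep -q "\"OperatorUser\": \"$(id -un)\""`. The exact prefs output format, and the user the test runs as, need confirming. The wait loop also falls through silently after its 100 iterations; adding `[[ -f /tmp/test-auth-key-seen ]] || { echo "start script never saw the auth key" >&2; exit 1; }` after the loop would make a timeout distinguishable from a real operator failure.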
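Review bot: The negative check added to test.sh passes vacuously when `tailscale debug prefs` itself fails, because the negation turns "command errored, grep saw nothing" into success. A daemon that is not running would therefore be reported as "operator is not set". Capturing the output first keeps the command failure visible: `check "tailscale operator is not set" bash -c 'prefs=$(tailscale debug prefs) && ! grep -q OperatorUser <<<"$prefs"'`.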