Deploy a Cloudflare Tunnel

This builds on the Getting Started guide, and it is recommended to read that first.

This example shows how to deploy a Cloudflare Tunnel/ClusterTunnel. This resource will generate a cloudflared deployment for you.

Once deployed, you can set up routing with a TunnelBinding. See the TunnelBinding examples for how to set up routing.

Motivation

To route traffic from the internet to your cluster, a Tunnel/ClusterTunnel must be created. This resource manages a deployment of one or more cloudflared pods, which create an outbound connection to Cloudflare's edge servers. Once this outbound connection is established, traffic for your Cloudflare domains can be routed to cloudflared.

Tunnels and ClusterTunnels are almost identical. A Tunnel is simply a namespaced version of a ClusterTunnel (same abstraction as cert-manager's Issuer/ClusterIssuer). The practical difference is that TunnelBindings for a Tunnel must be in the same namespace, while a ClusterTunnel can be referenced from any namespace.

Prerequisites

  1. kubectl is installed
  2. You have deployed a secret for authentication
  3. You have deployed cloudflare-operator

Steps

  1. Decide whether you want a Tunnel or ClusterTunnel.

  2. Replace all placeholder values formatted <like-this> in the manifest below.

Tunnel (namespaced)

yaml
apiVersion: networking.cfargotunnel.com/v1alpha2
kind: Tunnel
metadata:
  name: example-tunnel
spec:
  newTunnel:
    name: example-tunnel
  cloudflare:
    email: <email-address>
    domain: <domain>
    secret: <secret-name>
    accountId: <account-id>

ClusterTunnel (cluster-scoped)

yaml
apiVersion: networking.cfargotunnel.com/v1alpha2
kind: ClusterTunnel
metadata:
  name: k3s-cluster-tunnel
spec:
  newTunnel:
    name: my-k8s-tunnel
  cloudflare:
    email: email@example.com
    domain: example.com
    secret: cloudflare-secrets
    # accountId and accountName cannot both be empty.
    # If both are provided, Account ID is used if valid, else falls back to Account Name.
    accountName: <Cloudflare account name>
    accountId: <Cloudflare account ID>

  3. Deploy your Tunnel/ClusterTunnel:

bash
# execute one of these, not both
kubectl apply -f tunnel.yaml
kubectl apply -f cluster-tunnel.yaml

  4. Verify the resource was created:

bash
kubectl get clustertunnel
kubectl get tunnel -n cloudflare-operator-system
# NAME                 TUNNELID
# k3s-cluster-tunnel   <uuid>

bash
kubectl get configmap k3s-cluster-tunnel -n cloudflare-operator-system
# NAME                 DATA   AGE
# k3s-cluster-tunnel   1      5m

bash
kubectl get deployment k3s-cluster-tunnel -n cloudflare-operator-system
# NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
# k3s-cluster-tunnel   1/1     1            1           5m
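
A pre-apply check for step 2 and for the account rule stated in the manifest comment, added here as an example and not part of cloudflare-operator or its documentation. The function names `field` and `lint_tunnel_manifest` are hypothetical, and the script assumes the flat one-resource layout shown above and that `domain` and `secret` must be set:

```shell
# Added example: lint a Tunnel/ClusterTunnel manifest before `kubectl apply`.
# Assumes the flat one-resource layout shown above; line-based, not a YAML parser.

# field KEY FILE: first value of "KEY: value", trailing comment and quotes stripped.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" |
        sed "s/[[:space:]]*#.*\$//; s/^[\"']//; s/[\"']\$//" | head -n 1
}

# lint_tunnel_manifest FILE: returns 0 if clean, 1 otherwise (reasons on stderr).
lint_tunnel_manifest() {
    file=$1; rc=0
    # Step 2: no <like-this> placeholder may survive outside comment lines.
    left=$(grep -v '^[[:space:]]*#' "$file" | grep '<[^>]*>' || true)
    [ -z "$left" ] || { printf 'unreplaced placeholder:\n%s\n' "$left" >&2; rc=1; }
    case $(field kind "$file") in
        Tunnel | ClusterTunnel) ;;
        *) echo "kind must be Tunnel or ClusterTunnel" >&2; rc=1 ;;
    esac
    # Assumption: domain and secret are mandatory, as both page manifests set them.
    for key in domain secret; do
        if [ -z "$(field "$key" "$file")" ]; then
            echo "spec.cloudflare.$key is empty" >&2; rc=1
        fi
    done
    # Rule from the manifest comment: accountId and accountName cannot both be empty.
    if [ -z "$(field accountId "$file")" ] && [ -z "$(field accountName "$file")" ]; then
        echo "set accountId or accountName" >&2; rc=1
    fi
    return $rc
}

# Constructed sample: the namespaced manifest with one placeholder left in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: networking.cfargotunnel.com/v1alpha2
kind: Tunnel
metadata:
  name: example-tunnel
spec:
  newTunnel:
    name: example-tunnel
  cloudflare:
    domain: example.com
    secret: cloudflare-secrets
    accountId: <account-id>
EOF
lint_tunnel_manifest "$sample" || echo "manifest rejected, fix it before applying"
rm -f "$sample"
```

Run it against `tunnel.yaml` or `cluster-tunnel.yaml` before step 3 so that a placeholder or an empty account reference is caught before the manifest is applied.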


Released under the Apache-2.0 License.