cloudflare-operator module v0.18.5
Published: Jan 10, 2026 License: Apache-2.0

Cloudflare Zero Trust Operator


A Kubernetes Operator for Cloudflare Zero Trust: Tunnels, Access, Gateway, and Device Management

Documentation (English) » | Documentation (Chinese) »

Examples · Report Bug · Request Feature


Note: This project is currently in Alpha (v0.18.x). This is NOT an official Cloudflare product. It uses the Cloudflare API and cloudflared to automate Zero Trust configuration on Kubernetes.

This project is a fork of adyanth/cloudflare-operator with extended Zero Trust features and improvements.

Overview

The Cloudflare Zero Trust Operator provides Kubernetes-native management of Cloudflare Zero Trust resources. Built with kubebuilder and controller-runtime, it enables declarative configuration of tunnels, access policies, gateway rules, and device settings through Custom Resource Definitions (CRDs).

Features

| Category | Features |
| --- | --- |
| Tunnel Management | Create/manage Cloudflare Tunnels, automatic cloudflared deployments, Service binding with DNS |
| Private Network | Virtual Networks, Network Routes, Private Service exposure via WARP |
| Access Control | Zero Trust Applications, Access Groups, Identity Providers, Service Tokens |
| Gateway & Security | Gateway Rules (DNS/HTTP/L4), Gateway Lists, Browser Isolation |
| Device Management | Split Tunnel configuration, Fallback Domains, Device Posture Rules |
| DNS & Connectivity | DNS Record management, WARP Connectors for site-to-site |
| Kubernetes Integration | Native Ingress support, Gateway API support (Gateway, HTTPRoute, TCPRoute, UDPRoute) |

Architecture

flowchart TB
    subgraph Internet["Internet"]
        Users["Users / WARP Clients"]
    end

    subgraph Cloudflare["Cloudflare Edge"]
        Edge["Cloudflare Edge Network"]
        API["Cloudflare API"]
    end

    subgraph K8s["Kubernetes Cluster"]
        subgraph CRDs["Custom Resources"]
            Tunnel["Tunnel / ClusterTunnel"]
            TB["TunnelBinding"]
            VNet["VirtualNetwork"]
            Route["NetworkRoute"]
        end

        subgraph K8sNative["Kubernetes Native"]
            Ingress["Ingress"]
            Gateway["Gateway API"]
        end

        subgraph Operator["Cloudflare Operator"]
            Controller["Controller Manager"]
        end

        subgraph Managed["Managed Resources"]
            ConfigMap["ConfigMap"]
            Secret["Secret"]
            Deployment["cloudflared"]
        end

        subgraph App["Applications"]
            Service["Services"]
            Pod["Pods"]
        end
    end

    CRDs -.->|watches| Controller
    K8sNative -.->|watches| Controller
    Controller -->|creates| Managed
    Controller -->|API calls| API
    Managed -->|proxy| Service
    Service --> Pod
    Users -->|HTTPS/WARP| Edge
    Edge <-->|tunnel| Deployment

Quick Start

Prerequisites

  • Kubernetes cluster v1.28+
  • Cloudflare account with Zero Trust enabled
  • Cloudflare API Token (Create Token)

Installation

# Install CRDs and operator
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator.crds.yaml
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator.yaml

# Verify installation
kubectl get pods -n cloudflare-operator-system

Create a Tunnel

# 1. Create API credentials secret
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-credentials
type: Opaque
stringData:
  CLOUDFLARE_API_TOKEN: "<your-api-token>"
---
# 2. Create tunnel
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: Tunnel
metadata:
  name: my-tunnel
spec:
  newTunnel:
    name: k8s-tunnel
  cloudflare:
    accountId: "<your-account-id>"
    domain: example.com
    secret: cloudflare-credentials

Expose a Service

apiVersion: networking.cfargotunnel.com/v1alpha1
kind: TunnelBinding
metadata:
  name: web-binding
subjects:
  - kind: Service
    name: web-app
    spec:
      fqdn: app.example.com
      protocol: http
tunnelRef:
  kind: Tunnel
  name: my-tunnel
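A pre-apply consistency check over the three Quick Start manifests above (Secret, Tunnel, TunnelBinding), added here as an example; it is not part of cloudflare-operator and does not reproduce the operator's own validation. It assumes the manifests have already been parsed into Python dicts (for example with yaml.safe_load), and the bundle it carries is constructed to mirror the README with one placeholder deliberately left in.

```python
import re
# Added example, not operator code: pre-apply lint over Quick Start manifests parsed into dicts.
PLACEHOLDER = re.compile(r"^<[^>]+>$")  # README placeholders such as <your-api-token>
TOKEN_KEY = "CLOUDFLARE_API_TOKEN"      # key the referenced Secret must carry

def _strings(obj, path=""):
    """Yield (dotted path, value) for every string leaf in a manifest."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path.lstrip("."), obj

def check_bundle(manifests):
    """Return human-readable findings; an empty list means the bundle is consistent."""
    findings, by_kind = [], {}
    for m in manifests:
        by_kind.setdefault(m["kind"], {})[m["metadata"]["name"]] = m
    # 1. A literal "<...>" placeholder would be stored as the real token or account id.
    for kind, items in by_kind.items():
        for name, m in items.items():
            for path, val in _strings(m):
                if PLACEHOLDER.match(val):
                    findings.append(f"{kind}/{name}: placeholder {val!r} at {path}")
    # 2. spec.cloudflare.secret must name a bundled Secret that carries the token key.
    for name, t in by_kind.get("Tunnel", {}).items():
        ref = t.get("spec", {}).get("cloudflare", {}).get("secret")
        sec = by_kind.get("Secret", {}).get(ref)
        if sec is None:
            findings.append(f"Tunnel/{name}: secret {ref!r} not found in bundle")
        elif TOKEN_KEY not in {**sec.get("data", {}), **sec.get("stringData", {})}:
            findings.append(f"Tunnel/{name}: Secret/{ref} lacks key {TOKEN_KEY}")
    # 3. tunnelRef must resolve to a Tunnel or ClusterTunnel defined in the bundle.
    for name, b in by_kind.get("TunnelBinding", {}).items():
        ref = b.get("tunnelRef", {})
        if ref.get("name") not in by_kind.get(ref.get("kind", "Tunnel"), {}):
            findings.append(f"TunnelBinding/{name}: tunnelRef {ref} does not resolve")
    return findings

# Constructed sample mirroring the README Quick Start; the account id placeholder is left in on purpose.
SAMPLE_BUNDLE = [
    {"kind": "Secret", "metadata": {"name": "cloudflare-credentials"}, "stringData": {TOKEN_KEY: "constructed-token-value"}},
    {"kind": "Tunnel", "metadata": {"name": "my-tunnel"}, "spec": {"newTunnel": {"name": "k8s-tunnel"},
     "cloudflare": {"accountId": "<your-account-id>", "domain": "example.com", "secret": "cloudflare-credentials"}}},
    {"kind": "TunnelBinding", "metadata": {"name": "web-binding"}, "tunnelRef": {"kind": "Tunnel", "name": "my-tunnel"},
     "subjects": [{"kind": "Service", "name": "web-app", "spec": {"fqdn": "app.example.com", "protocol": "http"}}]},
]
```

Running `check_bundle(SAMPLE_BUNDLE)` reports only the leftover account id placeholder; removing the Secret from the list adds a second finding for the unresolved `spec.cloudflare.secret` reference.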

CRD Reference

Tunnel Management

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| Tunnel | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Cloudflare Tunnel with managed cloudflared |
| ClusterTunnel | networking.cloudflare-operator.io/v1alpha2 | Cluster | Cluster-wide Cloudflare Tunnel |
| TunnelBinding | networking.cfargotunnel.com/v1alpha1 | Namespaced | Bind Services to Tunnels with DNS |

Private Network Access

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| VirtualNetwork | networking.cloudflare-operator.io/v1alpha2 | Cluster | Cloudflare virtual network for isolation |
| NetworkRoute | networking.cloudflare-operator.io/v1alpha2 | Cluster | Route CIDR through tunnel |
| PrivateService | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Expose Service via private IP |

Access Control

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| AccessApplication | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Zero Trust application |
| AccessGroup | networking.cloudflare-operator.io/v1alpha2 | Cluster | Access policy group |
| AccessIdentityProvider | networking.cloudflare-operator.io/v1alpha2 | Cluster | Identity provider config |
| AccessServiceToken | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Service token for M2M |

Gateway & Security

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| GatewayRule | networking.cloudflare-operator.io/v1alpha2 | Cluster | Gateway policy rule |
| GatewayList | networking.cloudflare-operator.io/v1alpha2 | Cluster | List for gateway rules |
| GatewayConfiguration | networking.cloudflare-operator.io/v1alpha2 | Cluster | Global gateway settings |

Device Management

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| DeviceSettingsPolicy | networking.cloudflare-operator.io/v1alpha2 | Cluster | WARP client settings |
| DevicePostureRule | networking.cloudflare-operator.io/v1alpha2 | Cluster | Device posture check |

DNS & Connectivity

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| DNSRecord | networking.cloudflare-operator.io/v1alpha2 | Namespaced | DNS record management |
| WARPConnector | networking.cloudflare-operator.io/v1alpha2 | Cluster | WARP connector deployment |

Kubernetes Integration

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| TunnelIngressClassConfig | networking.cloudflare-operator.io/v1alpha2 | Cluster | Config for Ingress integration |
| TunnelGatewayClassConfig | networking.cloudflare-operator.io/v1alpha2 | Cluster | Config for Gateway API integration |

Note: The operator also supports native Kubernetes Ingress and Gateway API (Gateway, HTTPRoute, TCPRoute, UDPRoute) resources when configured with the appropriate IngressClass or GatewayClass.

Examples

See the examples directory for comprehensive usage examples:

  • Basic - Credentials, Tunnels, DNS, Service Binding
  • Private Network - Virtual Networks, Routes, Private Services
  • Zero Trust - Access Apps, Groups, Identity Providers
  • Gateway - Gateway Rules, Lists
  • Device - Device Policies, Posture Rules
  • Scenarios - Complete real-world scenarios

Documentation

| Language | Link |
| --- | --- |
| English | docs/en/README.md |
| Chinese | docs/zh/README.md |

Documentation includes:

  • Installation Guide
  • API Token Permissions
  • Complete CRD Reference
  • Troubleshooting Guide
  • Migration Guide (v1alpha1 → v1alpha2)

API Token Permissions

| Feature | Permission | Scope |
| --- | --- | --- |
| Tunnels | Account:Cloudflare Tunnel:Edit | Account |
| DNS | Zone:DNS:Edit | Zone |
| Access | Account:Access: Apps and Policies:Edit | Account |
| Gateway | Account:Zero Trust:Edit | Account |

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

Acknowledgements

This project is forked from adyanth/cloudflare-operator. We extend our gratitude to @adyanth and all original contributors for their excellent work on the initial implementation.

What's Different

This fork extends the original project with:

  • Complete Zero Trust resource support (Access, Gateway, Device management)
  • v1alpha2 API with improved resource management
  • Native Kubernetes Ingress and Gateway API integration
  • Enhanced error handling and status reporting
  • Comprehensive documentation and examples

License

Apache License 2.0 - See LICENSE for details.

Directories

| Path | Synopsis |
| --- | --- |
| api/cloudflare/v1alpha1 | Package v1alpha1 contains shared API types for Cloudflare Zero Trust resources. |
| api/v1alpha1 | Package v1alpha1 contains API Schema definitions for the networking v1alpha1 API group +kubebuilder:object:generate=true +groupName=networking.cloudflare-operator.io |
| api/v1alpha2 | Package v1alpha2 contains API Schema definitions for the networking v1alpha2 API group. |
| internal/clients/cf/mock | Package mock is a generated GoMock package. |
| internal/controller/accesstunnel | Package accesstunnel contains the code associated with the reconciliation process for the accessTunnel resource. |
| internal/controller/configmap | Package configmap provides utilities for managing cloudflared ConfigMaps and triggering Deployment restarts when configuration changes. |
| internal/controller/gateway | Package gateway implements Kubernetes Gateway API controllers for cloudflared tunnels. |
| internal/controller/ingress | Package ingress implements the Kubernetes Ingress Controller for Cloudflare Tunnels. |
| internal/controller/route | Package route provides shared utilities for building cloudflared ingress rules from various Kubernetes resources (Ingress, Gateway API routes, TunnelBinding). |
| internal/controller/tunnel | Package tunnel provides shared tunnel resolution and management utilities for controllers that work with Tunnel and ClusterTunnel resources. |
| internal/credentials | Package credentials provides utilities for loading Cloudflare API credentials from various sources including CloudflareCredentials resources and Kubernetes secrets. |
