cloudflare-operator

module v0.26.0 (latest)

Published: Jan 19, 2026 License: Apache-2.0

README

Cloudflare Zero Trust Operator


A Kubernetes Operator for Cloudflare Zero Trust: Tunnels, Access, Gateway, Device, DNS, R2, and Rules Management

Documentation (English) » | Documentation (Chinese) »

Examples · Report Bug · Request Feature


Note: This project is currently in Alpha (v0.23.x). This is NOT an official Cloudflare product. It uses the Cloudflare API and cloudflared to automate Zero Trust configuration on Kubernetes.

This project is a fork of adyanth/cloudflare-operator with extended Zero Trust features and improvements.

Overview

The Cloudflare Zero Trust Operator provides Kubernetes-native management of Cloudflare Zero Trust resources. Built with kubebuilder and controller-runtime, it enables declarative configuration of tunnels, access policies, gateway rules, device settings, R2 storage, and zone rules through Custom Resource Definitions (CRDs).

Features

| Category | Features |
|---|---|
| Tunnel Management | Create/manage Cloudflare Tunnels, automatic cloudflared deployments, Service binding with DNS |
| Private Network | Virtual Networks, Network Routes, Private Service exposure via WARP |
| Access Control | Zero Trust Applications, Access Groups, Identity Providers, Service Tokens |
| Gateway & Security | Gateway Rules (DNS/HTTP/L4), Gateway Lists, Browser Isolation |
| Device Management | Split Tunnel configuration, Fallback Domains, Device Posture Rules |
| DNS & Connectivity | DNS Record management, WARP Connectors for site-to-site |
| Domain Management | Zone settings (SSL/TLS, Cache, Security), Origin CA Certificates |
| R2 Storage | R2 Buckets, Custom Domains, Event Notifications |
| Rules Engine | Zone Rulesets, Transform Rules (URL/Header), Redirect Rules |
| Registrar | Domain Registration management (Enterprise) |
| Kubernetes Integration | Native Ingress support, Gateway API support (Gateway, HTTPRoute, TCPRoute, UDPRoute) |

Architecture

This operator uses a layered Unified Sync Architecture, shown below. Resource controllers never talk to Cloudflare directly: they register desired configuration with core services, which write it into a shared CloudflareSyncState object, and only the sync controllers read that state and call the Cloudflare API. Funnelling every write through one sync point is what makes concurrent reconciliation safe and removes the race conditions that arise when several controllers update the same tunnel configuration independently:

```mermaid
flowchart TB
    subgraph Internet["Internet"]
        Users["Users / WARP Clients"]
    end

    subgraph Cloudflare["Cloudflare Edge"]
        Edge["Cloudflare Edge Network"]
        API["Cloudflare API"]
    end

    subgraph K8s["Kubernetes Cluster"]
        subgraph Layer1["Layer 1: K8s Resources"]
            CRDs["Custom Resources<br/>(Tunnel, DNSRecord, AccessApp, etc.)"]
            K8sNative["Kubernetes Native<br/>(Ingress, Gateway API)"]
        end

        subgraph Layer2["Layer 2: Resource Controllers"]
            RC["Resource Controllers<br/>(Lightweight, 100-150 lines each)"]
        end

        subgraph Layer3["Layer 3: Core Services"]
            SVC["Core Services<br/>(TunnelConfigService, DNSService, etc.)"]
        end

        subgraph Layer4["Layer 4: SyncState CRD"]
            SyncState["CloudflareSyncState<br/>(Shared state with optimistic locking)"]
        end

        subgraph Layer5["Layer 5: Sync Controllers"]
            SC["Sync Controllers<br/>(Debouncing, Aggregation, Hash detection)"]
        end

        subgraph Managed["Managed Resources"]
            Deployment["cloudflared Deployment"]
        end

        subgraph App["Applications"]
            Service["Services"]
            Pod["Pods"]
        end
    end

    CRDs -.->|watch| RC
    K8sNative -.->|watch| RC
    RC -->|register config| SVC
    SVC -->|update| SyncState
    SyncState -.->|watch| SC
    SC -->|"API calls<br/>(single sync point)"| API
    SC -->|creates| Managed
    Managed -->|proxy| Service
    Service --> Pod
    Users -->|HTTPS/WARP| Edge
    Edge <-->|tunnel| Deployment

    style Layer4 fill:#f9f,stroke:#333,stroke-width:2px
    style SC fill:#9f9,stroke:#333,stroke-width:2px
```

Architecture Benefits

| Feature | Benefit |
|---|---|
| Single Sync Point | Only Sync Controllers call the Cloudflare API, eliminating race conditions between controllers |
| Optimistic Locking | The SyncState CRD uses the Kubernetes resourceVersion for multi-instance safety |
| Debouncing | A 500ms delay aggregates multiple changes into a single API call |
| Hash Detection | Sync is skipped when the configuration is unchanged, reducing API usage |
| Separation of Concerns | Each layer has a clear, single responsibility |

Note: See Unified Sync Architecture Design for detailed documentation.
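The table above names three mechanisms (optimistic locking on resourceVersion, aggregation of many controllers' rules into one configuration, and hash detection that skips unchanged syncs) without showing how they fit together. The following is an added example written for this page, not code from the operator: a self-contained model of the Layer 3 to Layer 5 path with an in-memory stand-in for the API server. The `IngressRule`, `SyncState`, `StateStore` and `SyncController` types and their field names are constructed for the example, and the 500ms debounce timer that would schedule `Flush` in the operator is left out so that `Flush` can be driven directly.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"sync"
)

// IngressRule is one cloudflared ingress entry contributed by a Kubernetes resource
// (TunnelBinding, Ingress, HTTPRoute); the field set is constructed for this example.
type IngressRule struct{ Hostname, Service string }

// SyncState stands in for CloudflareSyncState: the aggregated desired configuration
// plus the resourceVersion that optimistic locking compares on every write.
type SyncState struct {
	ResourceVersion int
	Rules           map[string]IngressRule // keyed by owning resource, e.g. "default/web-binding"
}

var ErrConflict = errors.New("conflict: resourceVersion is stale") // what the API server returns

// StateStore is an in-memory stand-in for the API server; its zero value is usable.
type StateStore struct {
	mu    sync.Mutex
	state SyncState
}

// Get hands out a copy, so no caller can mutate shared state behind the lock.
func (s *StateStore) Get() SyncState {
	s.mu.Lock()
	defer s.mu.Unlock()
	out := SyncState{ResourceVersion: s.state.ResourceVersion, Rules: map[string]IngressRule{}}
	for k, v := range s.state.Rules {
		out.Rules[k] = v
	}
	return out
}

// Update is compare-and-swap on ResourceVersion, which is all optimistic locking is:
// a writer holding a stale version gets ErrConflict and must re-read before retrying.
func (s *StateStore) Update(expectedVersion int, mutate func(*SyncState)) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if expectedVersion != s.state.ResourceVersion {
		return ErrConflict
	}
	if s.state.Rules == nil {
		s.state.Rules = map[string]IngressRule{}
	}
	mutate(&s.state)
	s.state.ResourceVersion++
	return nil
}

// Register is the core-service step: read, modify, write, retry on conflict, so
// controllers registering concurrently never overwrite each other's rules.
func Register(store *StateStore, owner string, rule IngressRule) error {
	for attempt := 0; attempt < 50; attempt++ {
		err := store.Update(store.Get().ResourceVersion, func(st *SyncState) { st.Rules[owner] = rule })
		if !errors.Is(err, ErrConflict) {
			return err // nil on success, or a non-conflict error
		}
	}
	return fmt.Errorf("register %s: too many conflicts", owner)
}

// ConfigHash hashes the rules in canonical (owner-sorted) order, so the same rule
// set yields the same hash no matter which controller wrote last.
func ConfigHash(st SyncState) string {
	owners := make([]string, 0, len(st.Rules))
	for o := range st.Rules {
		owners = append(owners, o)
	}
	sort.Strings(owners)
	h := sha256.New()
	for _, o := range owners {
		fmt.Fprintf(h, "%s\x00%s\x00%s\n", o, st.Rules[o].Hostname, st.Rules[o].Service)
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

// SyncController is the single sync point: only it "calls" the Cloudflare API, and it
// runs on one goroutine (in the operator a 500ms debounce timer would schedule Flush).
type SyncController struct {
	Store            *StateStore
	lastHash         string
	APICalls, Pushed int // what the fake API saw: calls made, rules in the last call
}

// Flush pushes the aggregated config in one API call, and only if its hash changed.
func (c *SyncController) Flush() bool {
	st := c.Store.Get()
	h := ConfigHash(st)
	if h == c.lastHash {
		return false // hash detection: unchanged config, no API call
	}
	c.APICalls++ // where a real controller would PUT the whole tunnel configuration
	c.Pushed, c.lastHash = len(st.Rules), h
	return true
}

func main() {
	store := &StateStore{}
	var wg sync.WaitGroup
	for i := 0; i < 20; i++ { // 20 resource controllers racing; CAS plus retry loses none
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			rule := IngressRule{Hostname: fmt.Sprintf("app%02d.example.com", i), Service: "http://web-app:80"}
			if err := Register(store, fmt.Sprintf("default/binding-%02d", i), rule); err != nil {
				panic(err)
			}
		}(i)
	}
	wg.Wait()
	sc := &SyncController{Store: store}
	fmt.Println(sc.Flush(), sc.Flush(), sc.APICalls, sc.Pushed) // true false 1 20
}
```

The retry bound in `Register` is not arbitrary: every conflict means some other writer succeeded, so with N concurrent registrations a writer can see at most N-1 conflicts before its own write lands. The same reasoning applies to a real controller's conflict-retry loop against the API server, and it is why a stale-version rejection is a normal event to retry on rather than an error to surface.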

Quick Start

Prerequisites

  • Kubernetes cluster v1.28+
  • Cloudflare account with Zero Trust enabled
  • Cloudflare API Token (Create Token)

Installation

Option 1: Full Installation (Recommended for new users)

```bash
# All-in-one: CRDs + Namespace + RBAC + Operator (without webhook)
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-full-no-webhook.yaml

# Verify installation
kubectl get pods -n cloudflare-operator-system
```

Option 2: Modular Installation (Recommended for production)

```bash
# Step 1: Install CRDs (cluster-admin required)
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-crds.yaml

# Step 2: Create namespace
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-namespace.yaml

# Step 3: Install operator (RBAC + Deployment)
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-no-webhook.yaml

# Verify installation
kubectl get pods -n cloudflare-operator-system
```

For production, pin a release tag instead of `latest` (GitHub serves the same assets under `releases/download/<tag>/`), so that operator upgrades, and the RBAC they carry, happen only when you choose to re-apply.

Available Installation Files

| File | Contents | Use Case |
|---|---|---|
| cloudflare-operator-full.yaml | CRDs + Namespace + RBAC + Operator + Webhook | Full installation with cert-manager |
| cloudflare-operator-full-no-webhook.yaml | CRDs + Namespace + RBAC + Operator | Full installation without webhook |
| cloudflare-operator-crds.yaml | CRDs only | Modular: install CRDs separately |
| cloudflare-operator-namespace.yaml | Namespace only | Modular: create namespace |
| cloudflare-operator.yaml | RBAC + Operator + Webhook | Modular: operator with webhook |
| cloudflare-operator-no-webhook.yaml | RBAC + Operator | Modular: operator without webhook |

Create a Tunnel

```yaml
# 1. Create API credentials secret (keep the token out of version control;
#    the Tunnel below references this Secret by name via spec.cloudflare.secret)
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-credentials
type: Opaque
stringData:
  CLOUDFLARE_API_TOKEN: "<your-api-token>"
---
# 2. Create tunnel
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: Tunnel
metadata:
  name: my-tunnel
spec:
  newTunnel:
    name: k8s-tunnel
  cloudflare:
    accountId: "<your-account-id>"
    domain: example.com
    secret: cloudflare-credentials
```

Expose a Service

```yaml
# TunnelBinding keeps the original upstream API group (networking.cfargotunnel.com)
apiVersion: networking.cfargotunnel.com/v1alpha1
kind: TunnelBinding
metadata:
  name: web-binding
subjects:
  - kind: Service
    name: web-app
    spec:
      fqdn: app.example.com
      protocol: http
tunnelRef:
  kind: Tunnel
  name: my-tunnel
```

CRD Reference

Credentials & Configuration

| CRD | API Version | Scope | Description |
|---|---|---|---|
| CloudflareCredentials | networking.cloudflare-operator.io/v1alpha2 | Cluster | Cloudflare API credentials management |
| CloudflareDomain | networking.cloudflare-operator.io/v1alpha2 | Cluster | Zone settings (SSL/TLS, Cache, Security, WAF) |

Tunnel Management

| CRD | API Version | Scope | Description |
|---|---|---|---|
| Tunnel | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Cloudflare Tunnel with managed cloudflared |
| ClusterTunnel | networking.cloudflare-operator.io/v1alpha2 | Cluster | Cluster-wide Cloudflare Tunnel |
| TunnelBinding | networking.cfargotunnel.com/v1alpha1 | Namespaced | Bind Services to Tunnels with DNS |

Private Network Access

| CRD | API Version | Scope | Description |
|---|---|---|---|
| VirtualNetwork | networking.cloudflare-operator.io/v1alpha2 | Cluster | Cloudflare virtual network for isolation |
| NetworkRoute | networking.cloudflare-operator.io/v1alpha2 | Cluster | Route CIDR through tunnel |
| PrivateService | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Expose Service via private IP |

Access Control

| CRD | API Version | Scope | Description |
|---|---|---|---|
| AccessApplication | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Zero Trust application |
| AccessGroup | networking.cloudflare-operator.io/v1alpha2 | Cluster | Access policy group |
| AccessIdentityProvider | networking.cloudflare-operator.io/v1alpha2 | Cluster | Identity provider config |
| AccessServiceToken | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Service token for M2M |

Gateway & Security

| CRD | API Version | Scope | Description |
|---|---|---|---|
| GatewayRule | networking.cloudflare-operator.io/v1alpha2 | Cluster | Gateway policy rule |
| GatewayList | networking.cloudflare-operator.io/v1alpha2 | Cluster | List for gateway rules |
| GatewayConfiguration | networking.cloudflare-operator.io/v1alpha2 | Cluster | Global gateway settings |

Device Management

| CRD | API Version | Scope | Description |
|---|---|---|---|
| DeviceSettingsPolicy | networking.cloudflare-operator.io/v1alpha2 | Cluster | WARP client settings |
| DevicePostureRule | networking.cloudflare-operator.io/v1alpha2 | Cluster | Device posture check |

DNS & Connectivity

| CRD | API Version | Scope | Description |
|---|---|---|---|
| DNSRecord | networking.cloudflare-operator.io/v1alpha2 | Namespaced | DNS record management |
| WARPConnector | networking.cloudflare-operator.io/v1alpha2 | Namespaced | WARP connector deployment |
| AccessTunnel | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Access tunnel configuration |

SSL/TLS & Certificates

| CRD | API Version | Scope | Description |
|---|---|---|---|
| OriginCACertificate | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Cloudflare Origin CA certificate with K8s Secret |

R2 Storage

| CRD | API Version | Scope | Description |
|---|---|---|---|
| R2Bucket | networking.cloudflare-operator.io/v1alpha2 | Namespaced | R2 storage bucket with lifecycle rules |
| R2BucketDomain | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Custom domain for R2 bucket |
| R2BucketNotification | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Event notifications for R2 bucket |

Rules Engine

| CRD | API Version | Scope | Description |
|---|---|---|---|
| ZoneRuleset | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Zone ruleset (WAF, rate limiting, etc.) |
| TransformRule | networking.cloudflare-operator.io/v1alpha2 | Namespaced | URL rewrite & header modification |
| RedirectRule | networking.cloudflare-operator.io/v1alpha2 | Namespaced | URL redirect rules |

Registrar (Enterprise)

| CRD | API Version | Scope | Description |
|---|---|---|---|
| DomainRegistration | networking.cloudflare-operator.io/v1alpha2 | Cluster | Domain registration settings |

Kubernetes Integration

| CRD | API Version | Scope | Description |
|---|---|---|---|
| TunnelIngressClassConfig | networking.cloudflare-operator.io/v1alpha2 | Cluster | Config for Ingress integration |
| TunnelGatewayClassConfig | networking.cloudflare-operator.io/v1alpha2 | Cluster | Config for Gateway API integration |

Note: The operator also supports native Kubernetes Ingress and Gateway API (Gateway, HTTPRoute, TCPRoute, UDPRoute) resources when configured with the appropriate IngressClass or GatewayClass.

Examples

See the examples directory for comprehensive usage examples:

  • Basic - Credentials, Tunnels, DNS, Service Binding
  • Private Network - Virtual Networks, Routes, Private Services
  • Zero Trust - Access Apps, Groups, Identity Providers
  • Gateway - Gateway Rules, Lists
  • Device - Device Policies, Posture Rules
  • Scenarios - Complete real-world scenarios

Documentation

| Language | Link |
|---|---|
| English | docs/en/README.md |
| Chinese | docs/zh/README.md |

Documentation includes:

  • Installation Guide
  • API Token Permissions
  • Complete CRD Reference
  • Troubleshooting Guide
  • Migration Guide (v1alpha1 → v1alpha2)

API Token Permissions

| Feature | Permission | Scope |
|---|---|---|
| Tunnels | Account:Cloudflare Tunnel:Edit | Account |
| DNS | Zone:DNS:Edit | Zone |
| Access | Account:Access: Apps and Policies:Edit | Account |
| Gateway | Account:Zero Trust:Edit | Account |
| Zone Settings | Zone:Zone Settings:Edit | Zone |
| SSL/TLS | Zone:SSL and Certificates:Edit | Zone |
| R2 | Account:Workers R2 Storage:Edit | Account |
| Rules | Zone:Zone Rulesets:Edit | Zone |
| Registrar | Account:Registrar:Edit | Account |

Grant only the rows for the CRDs you actually deploy, and restrict the token's zone resources to the zones the operator manages. The token lives in a Kubernetes Secret readable by anyone with access to that namespace, so a token carrying every permission above across all zones is a single credential that can reconfigure Access, Gateway and DNS for the whole account.

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

Acknowledgements

This project is forked from adyanth/cloudflare-operator. We extend our gratitude to @adyanth and all original contributors for their excellent work on the initial implementation.

What's Different

This fork extends the original project with:

  • Complete Zero Trust resource support (Access, Gateway, Device management)
  • v1alpha2 API with improved resource management
  • Native Kubernetes Ingress and Gateway API integration
  • R2 Storage management (buckets, custom domains, notifications)
  • Zone settings and rules engine (SSL/TLS, Cache, WAF, Transform/Redirect rules)
  • Origin CA certificate integration
  • Domain registration management (Enterprise)
  • Enhanced error handling and status reporting
  • Comprehensive documentation and examples

License

Apache License 2.0 - See LICENSE for details.

Directories

| Path | Synopsis |
|---|---|
| api/cloudflare/v1alpha1 | Package v1alpha1 contains shared API types for Cloudflare Zero Trust resources. |
| api/v1alpha1 | Package v1alpha1 contains API Schema definitions for the networking v1alpha1 API group (+kubebuilder:object:generate=true +groupName=networking.cloudflare-operator.io). |
| api/v1alpha2 | Package v1alpha2 contains API Schema definitions for the networking v1alpha2 API group. |
| internal/clients/cf/mock | Package mock is a generated GoMock package. |
| internal/controller/accesstunnel | Package accesstunnel contains the code associated with the reconciliation process for the accessTunnel resource. |
| internal/controller/cloudflaredomain | Package cloudflaredomain implements the controller for CloudflareDomain resources. |
| internal/controller/devicesettingspolicy | Package devicesettingspolicy implements the controller for DeviceSettingsPolicy resources. |
| internal/controller/domainregistration | Package domainregistration provides a controller for managing Cloudflare Registrar domains. |
| internal/controller/gateway | Package gateway implements Kubernetes Gateway API controllers for cloudflared tunnels. |
| internal/controller/gatewayrule | Package gatewayrule implements the controller for GatewayRule resources. |
| internal/controller/ingress | Package ingress implements the Kubernetes Ingress Controller for Cloudflare Tunnels. |
| internal/controller/origincacertificate | Package origincacertificate provides a controller for managing Cloudflare Origin CA certificates. |
| internal/controller/pagesdeployment | Package pagesdeployment implements the L2 Controller for the PagesDeployment CRD. |
| internal/controller/pagesdomain | Package pagesdomain implements the L2 Controller for the PagesDomain CRD. |
| internal/controller/pagesproject | Package pagesproject implements the L2 Controller for the PagesProject CRD. |
| internal/controller/r2bucket | Package r2bucket provides a controller for managing Cloudflare R2 storage buckets. |
| internal/controller/r2bucketdomain | Package r2bucketdomain provides a controller for managing Cloudflare R2 bucket custom domains. |
| internal/controller/r2bucketnotification | Package r2bucketnotification provides a controller for managing R2 bucket event notifications. |
| internal/controller/redirectrule | Package redirectrule provides a controller for managing Cloudflare Redirect Rules. |
| internal/controller/route | Package route provides shared utilities for building cloudflared ingress rules from various Kubernetes resources (Ingress, Gateway API routes, TunnelBinding). |
| internal/controller/transformrule | Package transformrule provides a controller for managing Cloudflare Transform Rules. |
| internal/controller/tunnel | Package tunnel provides shared tunnel resolution and management utilities for controllers that work with Tunnel and ClusterTunnel resources. |
| internal/controller/zoneruleset | Package zoneruleset provides a controller for managing Cloudflare zone rulesets. |
| internal/credentials | Package credentials provides utilities for loading Cloudflare API credentials from various sources including CloudflareCredentials resources and Kubernetes secrets. |
| internal/resolver | Package resolver provides hostname to CloudflareDomain resolution using longest suffix match. |
| internal/service | Package service provides the Core Service layer for the unified sync architecture. |
| internal/service/access | Package access provides the AccessService for managing Cloudflare Access resource configurations. |
| internal/service/device | Package device provides services for managing Cloudflare Device configurations. |
| internal/service/dns | Package dns provides the DNSService for managing Cloudflare DNS record configuration. |
| internal/service/domain | Package domain provides services for managing Cloudflare Domain configurations. |
| internal/service/gateway | Package gateway provides services for managing Cloudflare Gateway configurations. |
| internal/service/networkroute | Package networkroute provides the NetworkRouteService for managing Cloudflare NetworkRoute configuration. |
| internal/service/pages | Package pages provides types and services for Cloudflare Pages configuration management. |
| internal/service/privateservice | Package privateservice provides the PrivateServiceService for managing Cloudflare PrivateService configuration. |
| internal/service/r2 | Package r2 provides services for managing Cloudflare R2 resource configurations. |
| internal/service/ruleset | Package ruleset provides services for managing Cloudflare Ruleset configurations. |
| internal/service/tunnel | Package tunnel provides the TunnelConfigService for managing Cloudflare Tunnel configuration. |
| internal/service/virtualnetwork | Package virtualnetwork provides the VirtualNetworkService for managing Cloudflare VirtualNetwork configuration. |
| internal/sync/access | Package access provides the Access Sync Controllers for managing Cloudflare Access resources. |
| internal/sync/common | Package common provides base infrastructure for Sync Controllers. |
| internal/sync/device | Package device provides Sync Controllers for managing Cloudflare Device resources. |
| internal/sync/dns | Package dns provides the DNS Sync Controller for managing Cloudflare DNS records. |
| internal/sync/domain | Package domain provides Sync Controllers for domain-related Cloudflare resources. |
| internal/sync/gateway | Package gateway provides Sync Controllers for managing Cloudflare Gateway resources. |
| internal/sync/networkroute | Package networkroute provides the NetworkRoute Sync Controller for managing Cloudflare Tunnel Routes. |
| internal/sync/pages | Package pages provides the Pages Sync Controllers for managing Cloudflare Pages resources. |
| internal/sync/privateservice | Package privateservice provides the PrivateService Sync Controller for managing Cloudflare Tunnel Routes. |
| internal/sync/r2 | Package r2 provides sync controllers for managing Cloudflare R2 resources. |
| internal/sync/ruleset | Package ruleset provides sync controllers for managing Cloudflare Ruleset resources. |
| internal/sync/tunnel | Package tunnel provides the TunnelConfigSyncController and aggregation logic for Cloudflare Tunnel configuration management. |
| internal/sync/virtualnetwork | Package virtualnetwork provides the VirtualNetwork Sync Controller for managing Cloudflare Virtual Networks. |
| internal/sync/warp | Package warp provides Sync Controllers for WARP-related Cloudflare resources. |
| internal/testutil | Package testutil provides testing utilities for the cloudflare-operator. |
| test/e2e/framework | Package framework provides the E2E test framework for cloudflare-operator. |
| test/mockserver | Package mockserver provides a mock Cloudflare API server for testing. |
| test/mockserver/cmd (command) | Package main provides the entry point for the mock Cloudflare API server. |
| test/mockserver/handlers | Package handlers provides HTTP handlers for the mock Cloudflare API server. |
| test/mockserver/injection | Package injection provides error injection capabilities for testing. |
| test/mockserver/internal/store | Package store provides in-memory storage for the mock Cloudflare API server. |
| test/mockserver/models | Package models defines the data types for the Cloudflare API mock server. |
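The internal/resolver package is described as mapping a hostname to a CloudflareDomain by longest suffix match. The resolution rule matters for security because the zone chosen decides which Cloudflare zone's DNS records and settings a hostname ends up in, so a suffix check that ignores label boundaries would let `evil-example.com` resolve to the `example.com` zone. The following is an added example written for this page, not the operator's resolver: the `ZoneResolver` type, the wildcard-host handling and the sample zone names are all assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ZoneResolver picks the managed zone (the CloudflareDomain) for a hostname by
// longest suffix match. Names are compared case-insensitively, without a trailing
// dot, and only on whole DNS labels, so "evil-example.com" never matches "example.com".
type ZoneResolver struct {
	zones []string // normalised, longest first (ties broken alphabetically for determinism)
}

func normalise(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// NewZoneResolver takes the zone names of the CloudflareDomain objects in the cluster.
// Duplicates and empty names are dropped; ordering is fixed once here, not per lookup.
func NewZoneResolver(zones []string) *ZoneResolver {
	seen := map[string]bool{}
	var norm []string
	for _, z := range zones {
		if z = normalise(z); z != "" && !seen[z] {
			seen[z] = true
			norm = append(norm, z)
		}
	}
	sort.Slice(norm, func(i, j int) bool {
		if len(norm[i]) != len(norm[j]) {
			return len(norm[i]) > len(norm[j]) // two matching zones are nested, so longer is more specific
		}
		return norm[i] < norm[j]
	})
	return &ZoneResolver{zones: norm}
}

// Resolve returns the most specific zone that is the hostname itself or one of its
// parent domains. A leading "*." (a wildcard Ingress host) is ignored for matching.
// ok is false when no managed zone covers the hostname; a controller should surface
// that as a status condition rather than fall back to an arbitrary zone.
func (r *ZoneResolver) Resolve(hostname string) (zone string, ok bool) {
	h := strings.TrimPrefix(normalise(hostname), "*.")
	if h == "" {
		return "", false
	}
	for _, z := range r.zones { // longest first, so the first hit is the most specific
		if h == z || strings.HasSuffix(h, "."+z) {
			return z, true
		}
	}
	return "", false
}

// Zones exposes the normalised, ordered zone list (useful for tests and status output).
func (r *ZoneResolver) Zones() []string { return append([]string(nil), r.zones...) }

func main() {
	r := NewZoneResolver([]string{"example.com", "internal.example.com", "Example.ORG."})
	for _, h := range []string{"app.example.com", "db.internal.example.com", "*.example.org", "evil-example.com", "example.com.attacker.net"} {
		z, ok := r.Resolve(h)
		fmt.Printf("%-26s -> %q %v\n", h, z, ok)
	}
}
```

The `"."+z` suffix test is the whole of the label-boundary check: it rejects `evil-example.com` for zone `example.com` while still accepting `example.com` itself through the equality branch. Sorting zones longest-first once at construction time keeps each lookup a single pass and makes the choice between nested zones (`internal.example.com` versus `example.com`) deterministic.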
