Architecture
KTube is a Kubernetes operator that manages tunnel lifecycle through Custom Resource Definitions (CRDs).
Overview
┌─────────────────────────────────────────────────────────────┐
│ Kubernetes Cluster │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ KTube Operator ││
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────────┐ ││
│ │ │ Cloudflare │ │ ngrok │ │ Dev Tunnels │ ││
│ │ │ Controller │ │ Controller │ │ Controller │ ││
│ │ └──────┬──────┘ └──────┬──────┘ └───────┬─────────┘ ││
│ │ └───────────────┼────────────────┘ ││
│ │ ▼ ││
│ │ Reconciliation Loop ││
│ └─────────────────────────┬───────────────────────────────┘│
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐│
│ │ Your Kubernetes Services ││
│ └─────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────┘
│
▼
┌──────────────────────────┐
│ Internet │
│ (via tunnel providers) │
└──────────────────────────┘Components
KTube Operator
The operator runs as a Deployment in ktube-system namespace and watches for changes to KTube CRDs.
Provider Controllers
Each tunnel provider has a dedicated controller that handles provider-specific logic:
- Cloudflare Controller - Manages Cloudflare Tunnel API interactions
- ngrok Controller - Manages ngrok tunnel connections
- DevTunnels Controller - Manages Microsoft Dev Tunnels
KTube Dashboard
A web UI that provides visualization and management of tunnels. Runs as a separate Deployment and connects to the Kubernetes API.
Custom Resource Definitions
| CRD | Purpose | Scope |
|---|---|---|
| TunnelProvider | Configure provider credentials | Cluster-scoped |
| Tunnel | Define a tunnel instance | Namespaced |
| TunnelBinding | Bind services to tunnels | Namespaced |
Reconciliation Flow
- User creates/updates a TunnelBinding resource
- Operator detects the change via Kubernetes watch
- Operator looks up the referenced Tunnel and TunnelProvider
- Provider controller creates/updates tunnel with the provider API
- Operator updates TunnelBinding status with the public URL