Cloudflare Tunnel

Enterprise-grade tunnels with DDoS protection

Best for: Production workloads requiring enterprise security, DDoS protection, and custom domains.

Features

  • Custom domains with automatic TLS
  • DDoS protection included
  • Global CDN and edge caching
  • Cloudflare Access (Zero Trust) integration
  • Detailed analytics and logging
  • HTTP and TCP tunnels

Prerequisites

  1. Cloudflare Account - Sign up free
  2. Domain on Cloudflare - DNS must be managed by Cloudflare
  3. API Token - With tunnel permissions

Setup

1. Create API Token

  1. Go to Cloudflare API Tokens
  2. Click Create Token
  3. Select Create Custom Token
  4. Configure two permissions: Account → Cloudflare Tunnel → Edit, and Zone → DNS → Edit
  5. Create and copy the token

2. Get Account ID

Find your Account ID in the Cloudflare dashboard sidebar under Account ID.

3. Create Kubernetes Secret

$ kubectl create secret generic cloudflare-credentials \
    --from-literal=token=YOUR_API_TOKEN \
    --from-literal=accountId=YOUR_ACCOUNT_ID

4. Create TunnelProvider

apiVersion: ktube.dev/v1alpha1
kind: TunnelProvider
metadata:
  name: cloudflare-provider
spec:
  type: cloudflare
  cloudflare:
    accountId: "your-account-id"
    apiTokenSecretRef:
      name: cloudflare-credentials
      key: token

Save the manifest as cloudflare-provider.yaml and apply it:

$ kubectl apply -f cloudflare-provider.yaml

5. Verify Provider Status

$ kubectl get tunnelprovider cloudflare-provider
NAME                  TYPE         STATUS   AGE
cloudflare-provider   cloudflare   Ready    30s
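
The --from-literal form in step 3 places the API token on the command line, where it ends up in shell history and is visible in the process list. The script below is an added example, not part of ktube or its documentation: it reads the token from a private file and passes it to kubectl on stdin, keeping the secret name and keys used on this page. The token file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: create the cloudflare-credentials secret without putting
# the API token in argv. Function names and the token file are assumptions.

# Succeeds only for a non-empty regular file that group and others cannot
# access (for example mode 0600). Symlinks are rejected by the mode check.
token_file_ok() {
    f=$1
    [ -f "$f" ] && [ -s "$f" ] || return 1
    case "$(ls -ld -- "$f")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the token without CR/LF. --from-file stores the bytes exactly as
# read, so a trailing newline would otherwise become part of the token.
read_token() {
    tr -d '\r\n' < "$1"
}

# Usage: create_cloudflare_secret TOKEN_FILE ACCOUNT_ID
# The account ID is not secret (it also appears in the TunnelProvider spec),
# so it may stay a literal; the token is read by kubectl from stdin.
create_cloudflare_secret() {
    token_file=$1
    account_id=$2
    if ! token_file_ok "$token_file"; then
        echo "refusing: $token_file must be a non-empty file with mode 0600" >&2
        return 1
    fi
    read_token "$token_file" |
        kubectl create secret generic cloudflare-credentials \
            --from-file=token=/dev/stdin \
            --from-literal=accountId="$account_id"
}

# Run only when called as: sh script.sh TOKEN_FILE ACCOUNT_ID
if [ "$#" -eq 2 ]; then
    create_cloudflare_secret "$1" "$2"
fi
```

Delete the token file once the secret exists; the TunnelProvider reads the token through apiTokenSecretRef.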

Creating Tunnels

Basic HTTP Tunnel

apiVersion: ktube.dev/v1alpha1
kind: TunnelBinding
metadata:
  name: api-binding
spec:
  tunnelRef:
    name: my-tunnel
  hostname: api.example.com
  protocol: https
  enabled: true
  service:
    name: api-service
    port: 8080

Wildcard Domain

spec:
  hostname: "*.example.com"
  service:
    name: wildcard-service
    port: 80

Full Example

apiVersion: ktube.dev/v1alpha1
kind: TunnelProvider
metadata:
  name: cloudflare-prod
spec:
  type: cloudflare
  cloudflare:
    accountId: "abc123"
    apiTokenSecretRef:
      name: cloudflare-credentials
      key: token
---
apiVersion: ktube.dev/v1alpha1
kind: Tunnel
metadata:
  name: prod-tunnel
spec:
  providerRef:
    name: cloudflare-prod
---
apiVersion: ktube.dev/v1alpha1
kind: TunnelBinding
metadata:
  name: app-binding
spec:
  tunnelRef:
    name: prod-tunnel
  hostname: app.example.com
  protocol: https
  enabled: true
  service:
    name: my-app
    port: 8080
