Deploying Cloudflare Tunnels in Kubernetes for Secure Application Access#

Cloudflare Tunnels provide a secure way to expose your internal applications to the internet without opening inbound ports or exposing your infrastructure. This guide demonstrates how to deploy Cloudflare Tunnels in Kubernetes to securely access applications like GitLab.

Overview#

Cloudflare Tunnel (formerly Argo Tunnel) creates an encrypted tunnel between your origin server and Cloudflare’s edge network. This approach offers several security advantages:

No Public IPs Required: Applications remain completely private
Zero-Trust Security: All traffic is authenticated and encrypted
DDoS Protection: Leverages Cloudflare’s global network
Easy Management: Centralized configuration through Cloudflare dashboard

Prerequisites#

Kubernetes cluster (1.19+)
kubectl configured
Cloudflare account with a domain
Cloudflare Tunnel token

Security-First Approach#

Before diving into the deployment, let’s address the security considerations upfront.

1. Secure Token Storage#

Never store Cloudflare tokens in plain text. Always use Kubernetes Secrets:

1
apiVersion: v1
2
kind: Secret
3
metadata:
4
  name: gitlab-cloudflared-token
5
  namespace: default
6
type: Opaque
7
stringData:
8
  token: eyJhIjoiNjcwODgwNDJhYjYyYzAwZTU0MjAwOTRlZjIwZTkyNDQiLCJ0IjoiNjEyMmU5ZjItNTBhYS00M2ExLTk4YzYtNDYyYmEyYzU1OGFmIiwicyI6IlhZL1piNGxGVHZDNVZtL2RnVW5lSUQvSDNQNHpXNXRiNHpCSVB1aHF6b3M9In0=

2. RBAC Configuration#

Create appropriate service accounts and role bindings:

1
apiVersion: v1
2
kind: ServiceAccount
3
metadata:
4
  name: cloudflared
5
  namespace: default
6
---
7
apiVersion: rbac.authorization.k8s.io/v1
8
kind: Role
9
metadata:
10
  name: cloudflared
11
  namespace: default
12
rules:
13
  - apiGroups: [""]
14
    resources: ["secrets"]
15
    resourceNames: ["gitlab-cloudflared-token"]
16
    verbs: ["get"]
17
---
18
apiVersion: rbac.authorization.k8s.io/v1
19
kind: RoleBinding
20
metadata:
21
  name: cloudflared
22
  namespace: default
23
roleRef:
24
  apiGroup: rbac.authorization.k8s.io
25
  kind: Role
26
  name: cloudflared
27
subjects:
28
  - kind: ServiceAccount
29
    name: cloudflared
30
    namespace: default

Complete Deployment Configuration#

Here’s the production-ready deployment for GitLab with Cloudflare Tunnel:

1
apiVersion: v1
2
kind: Secret
3
metadata:
4
  name: gitlab-cloudflared-token
5
  namespace: default
6
type: Opaque
7
stringData:
8
  token: YOUR_CLOUDFLARE_TUNNEL_TOKEN_HERE
9
---
10
apiVersion: v1
11
kind: ConfigMap
12
metadata:
13
  name: cloudflared-config
14
  namespace: default
15
data:
16
  config.yaml: |
17
    tunnel: gitlab-tunnel
18
    credentials-file: /etc/cloudflared/creds/credentials.json
19
    metrics: 0.0.0.0:2000
20
    no-autoupdate: true
21

22
    ingress:
23
      - hostname: gitlab.yourdomain.com
24
        service: http://gitlab-service:80
25
      - service: http_status:404
26
---
27
apiVersion: apps/v1
28
kind: Deployment
29
metadata:
30
  name: gitlab-cloudflared-deployment
31
  namespace: default
32
  labels:
33
    app: gitlab-cloudflared
34
spec:
35
  replicas: 2
36
  selector:
37
    matchLabels:
38
      pod: cloudflared
39
      app: gitlab-cloudflared
40
  template:
41
    metadata:
42
      labels:
43
        pod: cloudflared
44
        app: gitlab-cloudflared
45
      annotations:
46
        prometheus.io/scrape: "true"
47
        prometheus.io/port: "2000"
48
        prometheus.io/path: "/metrics"
49
    spec:
50
      serviceAccountName: cloudflared
51
      securityContext:
52
        runAsNonRoot: true
53
        runAsUser: 65532
54
        fsGroup: 65532
55
      containers:
56
        - name: cloudflared
57
          image: cloudflare/cloudflared:2024.1.5
58
          command:
59
            - cloudflared
60
            - tunnel
61
            - --no-autoupdate
62
            - --metrics
63
            - 0.0.0.0:2000
64
            - run
65
          args:
66
            - --token
67
            - $(TUNNEL_TOKEN)
68
          env:
69
            - name: TUNNEL_TOKEN
70
              valueFrom:
71
                secretKeyRef:
72
                  name: gitlab-cloudflared-token
73
                  key: token
74
            - name: TUNNEL_LOGLEVEL
75
              value: "info"
76
            - name: TUNNEL_TRANSPORT_PROTOCOL
77
              value: "quic"
78
          resources:
79
            requests:
80
              cpu: 10m
81
              memory: 64Mi
82
            limits:
83
              cpu: 100m
84
              memory: 128Mi
85
          livenessProbe:
86
            httpGet:
87
              path: /ready
88
              port: 2000
89
            initialDelaySeconds: 10
90
            periodSeconds: 10
91
            timeoutSeconds: 1
92
            failureThreshold: 1
93
          readinessProbe:
94
            httpGet:
95
              path: /ready
96
              port: 2000
97
            initialDelaySeconds: 5
98
            periodSeconds: 5
99
            timeoutSeconds: 1
100
            successThreshold: 1
101
            failureThreshold: 3
102
          securityContext:
103
            allowPrivilegeEscalation: false
104
            readOnlyRootFilesystem: true
105
            capabilities:
106
              drop:
107
                - ALL
108
          volumeMounts:
109
            - name: config
110
              mountPath: /etc/cloudflared
111
              readOnly: true
112
      volumes:
113
        - name: config
114
          configMap:
115
            name: cloudflared-config
116
      affinity:
117
        podAntiAffinity:
118
          preferredDuringSchedulingIgnoredDuringExecution:
119
            - weight: 100
120
              podAffinityTerm:
121
                labelSelector:
122
                  matchExpressions:
123
                    - key: app
124
                      operator: In
125
                      values:
126
                        - gitlab-cloudflared
127
                topologyKey: kubernetes.io/hostname
128
---
129
apiVersion: v1
130
kind: Service
131
metadata:
132
  name: cloudflared-metrics
133
  namespace: default
134
  labels:
135
    app: gitlab-cloudflared
136
spec:
137
  ports:
138
    - name: metrics
139
      port: 2000
140
      targetPort: 2000
141
  selector:
142
    app: gitlab-cloudflared
143
---
144
apiVersion: policy/v1
145
kind: PodDisruptionBudget
146
metadata:
147
  name: gitlab-cloudflared-pdb
148
  namespace: default
149
spec:
150
  minAvailable: 1
151
  selector:
152
    matchLabels:
153
      app: gitlab-cloudflared

Advanced Configuration Options#

1. Multiple Services Through Single Tunnel#

Configure multiple services through one tunnel:

1
data:
2
  config.yaml: |
3
    tunnel: multi-service-tunnel
4
    credentials-file: /etc/cloudflared/creds/credentials.json
5

6
    ingress:
7
      - hostname: gitlab.yourdomain.com
8
        service: http://gitlab-service:80
9
      - hostname: jenkins.yourdomain.com
10
        service: http://jenkins-service:8080
11
      - hostname: grafana.yourdomain.com
12
        service: http://grafana-service:3000
13
      - service: http_status:404

2. Origin Server Configuration#

Configure advanced origin settings:

1
data:
2
  config.yaml: |
3
    tunnel: gitlab-tunnel
4

5
    ingress:
6
      - hostname: gitlab.yourdomain.com
7
        service: http://gitlab-service:80
8
        originRequest:
9
          connectTimeout: 30s
10
          tlsTimeout: 10s
11
          tcpKeepAlive: 30s
12
          noHappyEyeballs: false
13
          keepAliveConnections: 100
14
          keepAliveTimeout: 90s
15
          httpHostHeader: gitlab.internal.local
16
          originServerName: gitlab.internal.local
17
          caPool: /etc/cloudflared/ca.crt
18
          noTLSVerify: false
19
          disableChunkedEncoding: false
20
          proxyAddress: 127.0.0.1
21
          proxyPort: 0
22
          proxyType: ""
23
      - service: http_status:404

3. Load Balancing Configuration#

For high-traffic applications, implement load balancing:

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: gitlab-cloudflared-deployment
5
spec:
6
  replicas: 3 # Increase replicas for load distribution
7
  template:
8
    spec:
9
      containers:
10
        - name: cloudflared
11
          env:
12
            - name: TUNNEL_EDGE_IP_VERSION
13
              value: "auto" # Use both IPv4 and IPv6
14
            - name: TUNNEL_PROTOCOL
15
              value: "quic" # Use QUIC for better performance
16
            - name: TUNNEL_RETRIES
17
              value: "5"
18
            - name: TUNNEL_GRACE_PERIOD
19
              value: "30s"

Monitoring and Observability#

1. Prometheus Metrics#

The Cloudflared deployment exposes metrics on port 2000. Configure Prometheus to scrape these metrics:

1
apiVersion: v1
2
kind: ServiceMonitor
3
metadata:
4
  name: cloudflared-metrics
5
  namespace: default
6
spec:
7
  selector:
8
    matchLabels:
9
      app: gitlab-cloudflared
10
  endpoints:
11
    - port: metrics
12
      interval: 30s
13
      path: /metrics

2. Key Metrics to Monitor#

cloudflared_tunnel_active_streams: Number of active connections
cloudflared_tunnel_request_errors: Request error rate
cloudflared_tunnel_response_time: Response time histogram
cloudflared_tunnel_concurrent_requests: Concurrent request count

3. Logging Configuration#

Configure structured logging for better observability:

1
env:
2
  - name: TUNNEL_LOGLEVEL
3
    value: "info"
4
  - name: TUNNEL_LOGFILE
5
    value: "/dev/stdout"
6
  - name: TUNNEL_LOG_FORMAT
7
    value: "json"

Security Best Practices#

1. Network Policies#

Implement strict network policies:

1
apiVersion: networking.k8s.io/v1
2
kind: NetworkPolicy
3
metadata:
4
  name: cloudflared-network-policy
5
  namespace: default
6
spec:
7
  podSelector:
8
    matchLabels:
9
      app: gitlab-cloudflared
10
  policyTypes:
11
    - Ingress
12
    - Egress
13
  ingress:
14
    - from:
15
        - podSelector:
16
            matchLabels:
17
              monitoring: prometheus
18
      ports:
19
        - protocol: TCP
20
          port: 2000
21
  egress:
22
    - to:
23
        - namespaceSelector: {}
24
      ports:
25
        - protocol: TCP
26
          port: 443 # Cloudflare API
27
        - protocol: UDP
28
          port: 7844 # QUIC
29
    - to:
30
        - podSelector:
31
            matchLabels:
32
              app: gitlab
33
      ports:
34
        - protocol: TCP
35
          port: 80

2. Pod Security Standards#

Apply pod security standards:

1
apiVersion: v1
2
kind: Namespace
3
metadata:
4
  name: cloudflare-tunnels
5
  labels:
6
    pod-security.kubernetes.io/enforce: restricted
7
    pod-security.kubernetes.io/audit: restricted
8
    pod-security.kubernetes.io/warn: restricted

3. Secret Rotation#

Implement automatic token rotation:

1
#!/bin/bash
2
# Rotate Cloudflare tunnel token
3

4
# Generate new token via Cloudflare API
5
NEW_TOKEN=$(cloudflared tunnel token ${TUNNEL_NAME})
6

7
# Update Kubernetes secret
8
kubectl create secret generic gitlab-cloudflared-token \
9
  --from-literal=token=${NEW_TOKEN} \
10
  --dry-run=client -o yaml | kubectl apply -f -
11

12
# Restart deployment to pick up new token
13
kubectl rollout restart deployment/gitlab-cloudflared-deployment

Troubleshooting Guide#

1. Connection Issues#

Check tunnel status:

1
# Check pod logs
2
kubectl logs -l app=gitlab-cloudflared -f
3

4
# Verify tunnel connectivity
5
kubectl exec -it deployment/gitlab-cloudflared-deployment -- cloudflared tunnel info
6

7
# Test service connectivity
8
kubectl exec -it deployment/gitlab-cloudflared-deployment -- curl -I http://gitlab-service:80

2. Common Error Messages#

“Unable to reach the origin service”:

Verify service name and port
Check network policies
Ensure origin service is running

“Tunnel credentials file not found”:

Verify secret is properly mounted
Check token format and encoding
Ensure proper RBAC permissions

“Failed to serve quic connection”:

Check firewall rules for UDP port 7844
Try fallback to HTTP2: TUNNEL_TRANSPORT_PROTOCOL=http2

3. Performance Optimization#

For high-traffic scenarios:

1
resources:
2
  requests:
3
    cpu: 100m
4
    memory: 128Mi
5
  limits:
6
    cpu: 500m
7
    memory: 512Mi
8

9
env:
10
  - name: TUNNEL_COMPRESSION_LEVEL
11
    value: "0" # Disable compression for low-latency
12
  - name: TUNNEL_TCP_KEEPALIVE
13
    value: "30"
14
  - name: TUNNEL_KEEP_ALIVE_CONNECTIONS
15
    value: "100"

Integration with CI/CD#

GitLab CI/CD Pipeline#

Automate tunnel deployment with GitLab CI:

1
stages:
2
  - deploy
3

4
deploy-tunnel:
5
  stage: deploy
6
  image: bitnami/kubectl:latest
7
  script:
8
    - kubectl apply -f cloudflare-tunnel.yaml
9
    - kubectl rollout status deployment/gitlab-cloudflared-deployment
10
  only:
11
    - main
12
  environment:
13
    name: production

ArgoCD Application#

Deploy using GitOps with ArgoCD:

1
apiVersion: argoproj.io/v1alpha1
2
kind: Application
3
metadata:
4
  name: cloudflare-tunnel
5
  namespace: argocd
6
spec:
7
  project: default
8
  source:
9
    repoURL: https://github.com/yourorg/k8s-configs
10
    targetRevision: HEAD
11
    path: cloudflare-tunnels
12
  destination:
13
    server: https://kubernetes.default.svc
14
    namespace: default
15
  syncPolicy:
16
    automated:
17
      prune: true
18
      selfHeal: true

Cost Optimization#

1. Resource Right-Sizing#

Monitor actual resource usage and adjust:

1
# Get resource usage
2
kubectl top pod -l app=gitlab-cloudflared
3

4
# Adjust resources based on actual usage

2. Autoscaling#

Implement horizontal pod autoscaling:

1
apiVersion: autoscaling/v2
2
kind: HorizontalPodAutoscaler
3
metadata:
4
  name: cloudflared-hpa
5
spec:
6
  scaleTargetRef:
7
    apiVersion: apps/v1
8
    kind: Deployment
9
    name: gitlab-cloudflared-deployment
10
  minReplicas: 2
11
  maxReplicas: 10
12
  metrics:
13
    - type: Resource
14
      resource:
15
        name: cpu
16
        target:
17
          type: Utilization
18
          averageUtilization: 70
19
    - type: Resource
20
      resource:
21
        name: memory
22
        target:
23
          type: Utilization
24
          averageUtilization: 80

Conclusion#

Cloudflare Tunnels provide a secure, scalable solution for exposing internal applications without compromising security. This deployment configuration ensures:

High Availability: Multiple replicas with pod anti-affinity
Security: Least privilege, encrypted secrets, network policies
Observability: Comprehensive metrics and logging
Performance: Optimized resource usage and QUIC protocol
Maintainability: GitOps-ready configuration

By following this guide, you can securely expose your applications while maintaining a zero-trust security posture and leveraging Cloudflare’s global network for performance and protection.