cloudflare-operator

module
v0.23.0 Latest
Published: Jan 16, 2026 License: Apache-2.0

README

Cloudflare Zero Trust Operator


A Kubernetes Operator for Cloudflare Zero Trust: Tunnels, Access, Gateway, Device, DNS, R2, and Rules Management

Documentation (English) » | Documentation (Chinese) »

Examples · Report Bug · Request Feature


Note: This project is currently in Alpha (v0.21.x). This is NOT an official Cloudflare product. It uses the Cloudflare API and cloudflared to automate Zero Trust configuration on Kubernetes.

This project is a fork of adyanth/cloudflare-operator with extended Zero Trust features and improvements.

Overview

The Cloudflare Zero Trust Operator provides Kubernetes-native management of Cloudflare Zero Trust resources. Built with kubebuilder and controller-runtime, it enables declarative configuration of tunnels, access policies, gateway rules, device settings, R2 storage, and zone rules through Custom Resource Definitions (CRDs).

Features

| Category | Features |
| --- | --- |
| Tunnel Management | Create/manage Cloudflare Tunnels, automatic cloudflared deployments, Service binding with DNS |
| Private Network | Virtual Networks, Network Routes, Private Service exposure via WARP |
| Access Control | Zero Trust Applications, Access Groups, Identity Providers, Service Tokens |
| Gateway & Security | Gateway Rules (DNS/HTTP/L4), Gateway Lists, Browser Isolation |
| Device Management | Split Tunnel configuration, Fallback Domains, Device Posture Rules |
| DNS & Connectivity | DNS Record management, WARP Connectors for site-to-site |
| Domain Management | Zone settings (SSL/TLS, Cache, Security), Origin CA Certificates |
| R2 Storage | R2 Buckets, Custom Domains, Event Notifications |
| Rules Engine | Zone Rulesets, Transform Rules (URL/Header), Redirect Rules |
| Registrar | Domain Registration management (Enterprise) |
| Kubernetes Integration | Native Ingress support, Gateway API support (Gateway, HTTPRoute, TCPRoute, UDPRoute) |

Architecture

```mermaid
flowchart TB
    subgraph Internet["Internet"]
        Users["Users / WARP Clients"]
    end

    subgraph Cloudflare["Cloudflare Edge"]
        Edge["Cloudflare Edge Network"]
        API["Cloudflare API"]
    end

    subgraph K8s["Kubernetes Cluster"]
        subgraph CRDs["Custom Resources"]
            Tunnel["Tunnel / ClusterTunnel"]
            TB["TunnelBinding"]
            VNet["VirtualNetwork"]
            Route["NetworkRoute"]
        end

        subgraph K8sNative["Kubernetes Native"]
            Ingress["Ingress"]
            Gateway["Gateway API"]
        end

        subgraph Operator["Cloudflare Operator"]
            Controller["Controller Manager"]
        end

        subgraph Managed["Managed Resources"]
            ConfigMap["ConfigMap"]
            Secret["Secret"]
            Deployment["cloudflared"]
        end

        subgraph App["Applications"]
            Service["Services"]
            Pod["Pods"]
        end
    end

    CRDs -.->|watches| Controller
    K8sNative -.->|watches| Controller
    Controller -->|creates| Managed
    Controller -->|API calls| API
    Managed -->|proxy| Service
    Service --> Pod
    Users -->|HTTPS/WARP| Edge
    Edge <-->|tunnel| Deployment
```

Quick Start

Prerequisites

  • Kubernetes cluster v1.28+
  • Cloudflare account with Zero Trust enabled
  • Cloudflare API Token (Create Token)

Installation

```bash
# Install CRDs and operator
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator.crds.yaml
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator.yaml

# Verify installation
kubectl get pods -n cloudflare-operator-system
```

Create a Tunnel

```yaml
# 1. Create API credentials secret
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-credentials
type: Opaque
stringData:
  CLOUDFLARE_API_TOKEN: "<your-api-token>"
---
# 2. Create tunnel
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: Tunnel
metadata:
  name: my-tunnel
spec:
  newTunnel:
    name: k8s-tunnel
  cloudflare:
    accountId: "<your-account-id>"
    domain: example.com
    secret: cloudflare-credentials
```

Expose a Service

```yaml
apiVersion: networking.cfargotunnel.com/v1alpha1
kind: TunnelBinding
metadata:
  name: web-binding
subjects:
  - kind: Service
    name: web-app
    spec:
      fqdn: app.example.com
      protocol: http
tunnelRef:
  kind: Tunnel
  name: my-tunnel
```
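To show what a binding like the one above has to become on the cloudflared side, here is an added example (not the operator's own code) that turns subjects into an ordered cloudflared ingress list; the `Subject` and `IngressRule` shapes, the protocol allow-list and the namespace default are assumptions for illustration. It always appends the catch-all `http_status:404` rule cloudflared requires and rejects unknown protocols and duplicate hostnames instead of silently proxying them.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject mirrors the TunnelBinding subject fields above; struct and function
// are an assumed shape for illustration, not the operator's own types.
type Subject struct {
	Kind, Name, Namespace, FQDN, Protocol string
	Port                                  int
}

// IngressRule is one entry of cloudflared's ingress configuration.
type IngressRule struct {
	Hostname string // empty for the catch-all rule
	Service  string
}

var allowedProtocols = map[string]bool{"http": true, "https": true, "tcp": true}

// BuildIngress turns binding subjects into an ordered cloudflared ingress list.
// cloudflared refuses a config whose last rule is not a catch-all, so one is
// always appended; unknown protocols and duplicate hostnames are rejected
// instead of being silently proxied.
func BuildIngress(subjects []Subject) ([]IngressRule, error) {
	rules := make([]IngressRule, 0, len(subjects)+1)
	seen := map[string]bool{}
	for _, s := range subjects {
		if s.Kind != "Service" {
			return nil, fmt.Errorf("unsupported subject kind %q", s.Kind)
		}
		proto := strings.ToLower(s.Protocol)
		if !allowedProtocols[proto] {
			return nil, fmt.Errorf("subject %s: unsupported protocol %q", s.Name, s.Protocol)
		}
		host := strings.ToLower(s.FQDN)
		if host == "" || seen[host] {
			return nil, fmt.Errorf("subject %s: missing or duplicate fqdn %q", s.Name, s.FQDN)
		}
		seen[host] = true
		ns := s.Namespace
		if ns == "" {
			ns = "default" // assumed default; the real operator uses the binding's namespace
		}
		rules = append(rules, IngressRule{Hostname: host,
			Service: fmt.Sprintf("%s://%s.%s.svc.cluster.local:%d", proto, s.Name, ns, s.Port)})
	}
	return append(rules, IngressRule{Service: "http_status:404"}), nil // catch-all last
}
```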

CRD Reference

Credentials & Configuration

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| CloudflareCredentials | networking.cloudflare-operator.io/v1alpha2 | Cluster | Cloudflare API credentials management |
| CloudflareDomain | networking.cloudflare-operator.io/v1alpha2 | Cluster | Zone settings (SSL/TLS, Cache, Security, WAF) |

Tunnel Management

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| Tunnel | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Cloudflare Tunnel with managed cloudflared |
| ClusterTunnel | networking.cloudflare-operator.io/v1alpha2 | Cluster | Cluster-wide Cloudflare Tunnel |
| TunnelBinding | networking.cfargotunnel.com/v1alpha1 | Namespaced | Bind Services to Tunnels with DNS |

Private Network Access

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| VirtualNetwork | networking.cloudflare-operator.io/v1alpha2 | Cluster | Cloudflare virtual network for isolation |
| NetworkRoute | networking.cloudflare-operator.io/v1alpha2 | Cluster | Route CIDR through tunnel |
| PrivateService | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Expose Service via private IP |

Access Control

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| AccessApplication | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Zero Trust application |
| AccessGroup | networking.cloudflare-operator.io/v1alpha2 | Cluster | Access policy group |
| AccessIdentityProvider | networking.cloudflare-operator.io/v1alpha2 | Cluster | Identity provider config |
| AccessServiceToken | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Service token for M2M |

Gateway & Security

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| GatewayRule | networking.cloudflare-operator.io/v1alpha2 | Cluster | Gateway policy rule |
| GatewayList | networking.cloudflare-operator.io/v1alpha2 | Cluster | List for gateway rules |
| GatewayConfiguration | networking.cloudflare-operator.io/v1alpha2 | Cluster | Global gateway settings |

Device Management

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| DeviceSettingsPolicy | networking.cloudflare-operator.io/v1alpha2 | Cluster | WARP client settings |
| DevicePostureRule | networking.cloudflare-operator.io/v1alpha2 | Cluster | Device posture check |

DNS & Connectivity

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| DNSRecord | networking.cloudflare-operator.io/v1alpha2 | Namespaced | DNS record management |
| WARPConnector | networking.cloudflare-operator.io/v1alpha2 | Namespaced | WARP connector deployment |
| AccessTunnel | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Access tunnel configuration |

SSL/TLS & Certificates

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| OriginCACertificate | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Cloudflare Origin CA certificate with K8s Secret |

R2 Storage

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| R2Bucket | networking.cloudflare-operator.io/v1alpha2 | Namespaced | R2 storage bucket with lifecycle rules |
| R2BucketDomain | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Custom domain for R2 bucket |
| R2BucketNotification | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Event notifications for R2 bucket |

Rules Engine

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| ZoneRuleset | networking.cloudflare-operator.io/v1alpha2 | Namespaced | Zone ruleset (WAF, rate limiting, etc.) |
| TransformRule | networking.cloudflare-operator.io/v1alpha2 | Namespaced | URL rewrite & header modification |
| RedirectRule | networking.cloudflare-operator.io/v1alpha2 | Namespaced | URL redirect rules |

Registrar (Enterprise)

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| DomainRegistration | networking.cloudflare-operator.io/v1alpha2 | Cluster | Domain registration settings |

Kubernetes Integration

| CRD | API Version | Scope | Description |
| --- | --- | --- | --- |
| TunnelIngressClassConfig | networking.cloudflare-operator.io/v1alpha2 | Cluster | Config for Ingress integration |
| TunnelGatewayClassConfig | networking.cloudflare-operator.io/v1alpha2 | Cluster | Config for Gateway API integration |

Note: The operator also supports native Kubernetes Ingress and Gateway API (Gateway, HTTPRoute, TCPRoute, UDPRoute) resources when configured with the appropriate IngressClass or GatewayClass.

Examples

See the examples directory for comprehensive usage examples:

  • Basic - Credentials, Tunnels, DNS, Service Binding
  • Private Network - Virtual Networks, Routes, Private Services
  • Zero Trust - Access Apps, Groups, Identity Providers
  • Gateway - Gateway Rules, Lists
  • Device - Device Policies, Posture Rules
  • Scenarios - Complete real-world scenarios

Documentation

| Language | Link |
| --- | --- |
| English | docs/en/README.md |
| Chinese | docs/zh/README.md |

Documentation includes:

  • Installation Guide
  • API Token Permissions
  • Complete CRD Reference
  • Troubleshooting Guide
  • Migration Guide (v1alpha1 → v1alpha2)

API Token Permissions

| Feature | Permission | Scope |
| --- | --- | --- |
| Tunnels | Account:Cloudflare Tunnel:Edit | Account |
| DNS | Zone:DNS:Edit | Zone |
| Access | Account:Access: Apps and Policies:Edit | Account |
| Gateway | Account:Zero Trust:Edit | Account |
| Zone Settings | Zone:Zone Settings:Edit | Zone |
| SSL/TLS | Zone:SSL and Certificates:Edit | Zone |
| R2 | Account:Workers R2 Storage:Edit | Account |
| Rules | Zone:Zone Rulesets:Edit | Zone |
| Registrar | Account:Registrar:Edit | Account |

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

Acknowledgements

This project is forked from adyanth/cloudflare-operator. We extend our gratitude to @adyanth and all original contributors for their excellent work on the initial implementation.

What's Different

This fork extends the original project with:

  • Complete Zero Trust resource support (Access, Gateway, Device management)
  • v1alpha2 API with improved resource management
  • Native Kubernetes Ingress and Gateway API integration
  • R2 Storage management (buckets, custom domains, notifications)
  • Zone settings and rules engine (SSL/TLS, Cache, WAF, Transform/Redirect rules)
  • Origin CA certificate integration
  • Domain registration management (Enterprise)
  • Enhanced error handling and status reporting
  • Comprehensive documentation and examples

License

Apache License 2.0 - See LICENSE for details.

Directories

| Path | Synopsis |
| --- | --- |
| api/cloudflare/v1alpha1 | Package v1alpha1 contains shared API types for Cloudflare Zero Trust resources. |
| api/v1alpha1 | Package v1alpha1 contains API Schema definitions for the networking v1alpha1 API group +kubebuilder:object:generate=true +groupName=networking.cloudflare-operator.io |
| api/v1alpha2 | Package v1alpha2 contains API Schema definitions for the networking v1alpha2 API group. |
| internal/clients/cf/mock | Package mock is a generated GoMock package. |
| internal/controller/accesstunnel | Package accesstunnel contains the code associated with the reconciliation process for the accessTunnel resource. |
| internal/controller/domainregistration | Package domainregistration provides a controller for managing Cloudflare Registrar domains. |
| internal/controller/gateway | Package gateway implements Kubernetes Gateway API controllers for cloudflared tunnels. |
| internal/controller/ingress | Package ingress implements the Kubernetes Ingress Controller for Cloudflare Tunnels. |
| internal/controller/origincacertificate | Package origincacertificate provides a controller for managing Cloudflare Origin CA certificates. |
| internal/controller/r2bucket | Package r2bucket provides a controller for managing Cloudflare R2 storage buckets. |
| internal/controller/r2bucketdomain | Package r2bucketdomain provides a controller for managing Cloudflare R2 bucket custom domains. |
| internal/controller/r2bucketnotification | Package r2bucketnotification provides a controller for managing R2 bucket event notifications. |
| internal/controller/redirectrule | Package redirectrule provides a controller for managing Cloudflare Redirect Rules. |
| internal/controller/route | Package route provides shared utilities for building cloudflared ingress rules from various Kubernetes resources (Ingress, Gateway API routes, TunnelBinding). |
| internal/controller/transformrule | Package transformrule provides a controller for managing Cloudflare Transform Rules. |
| internal/controller/tunnel | Package tunnel provides shared tunnel resolution and management utilities for controllers that work with Tunnel and ClusterTunnel resources. |
| internal/controller/zoneruleset | Package zoneruleset provides a controller for managing Cloudflare zone rulesets. |
| internal/credentials | Package credentials provides utilities for loading Cloudflare API credentials from various sources including CloudflareCredentials resources and Kubernetes secrets. |
| internal/resolver | Package resolver provides hostname to CloudflareDomain resolution using longest suffix match. |
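The resolver package is described as hostname-to-CloudflareDomain resolution by longest suffix match. The added example below (illustrative code, not the project's own resolver) shows the property such a resolver needs: the suffix match must be label-aligned, so a zone like `ample.com` can never claim `app.example.com`, which would otherwise let a DNS record or tunnel route land in the wrong zone; the `DomainZone` shape is assumed.

```go
package main

import "strings"

// DomainZone pairs a zone apex with the CloudflareDomain resource that owns it.
// Struct and function are an assumed shape for illustration, not the
// operator's own resolver package.
type DomainZone struct {
	Domain   string // zone apex, e.g. example.com
	Resource string // name of the CloudflareDomain object
}

// ResolveDomain picks the CloudflareDomain whose zone is the longest suffix of
// host. The match is label-aligned: "ample.com" must not claim
// "app.example.com", otherwise a DNS record or tunnel route could be created in
// the wrong zone. Trailing dots and letter case are normalised first.
func ResolveDomain(host string, zones []DomainZone) (DomainZone, bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	var best DomainZone
	bestLen := -1
	for _, z := range zones {
		zone := strings.ToLower(strings.TrimSuffix(z.Domain, "."))
		if zone == "" {
			continue
		}
		if host != zone && !strings.HasSuffix(host, "."+zone) {
			continue // not a suffix, or a suffix that cuts through a label
		}
		if len(zone) > bestLen { // longer zone wins: internal.example.com over example.com
			best, bestLen = z, len(zone)
		}
	}
	return best, bestLen >= 0
}
```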
