Cloudflare Zero Trust Kubernetes Operator

Hi everyone :wave:,

I wanted to introduce the Cloudflare Zero Trust Operator for Kubernetes:

https://github.com/BojanZelic/cloudflare-zero-trust-operator

This is a project I’ve been working on for the past month that allows you to configure Cloudflare Zero Trust rules straight from Kubernetes by creating and applying declarative YAML.

Resources can be created in Kubernetes and then the operator will reconcile them via the Cloudflare API.

You simply install the operator and create some new Kubernetes manifests, for example:

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
  name: domain-example
  namespace: default
spec:
  name: my application
  domain: domain.example.com
  policies:
    - name: Allow testemail1
      decision: allow
      include:
        - emails:
            - [email protected]

This would then go and create the resource for you inside of your Cloudflare backend.

Currently in a very early alpha, but it supports:

  • CloudflareAccessGroups
  • CloudflareAccessApplications
  • CloudflareServiceToken

Benefits:

  • Teams can manage their own Cloudflare Application rules
  • Operators will reconcile the actual resource constantly to ensure that it matches what we expect.

Installation can be done easily via Helm or Kustomize:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - https://github.com/BojanZelic/cloudflare-zero-trust-operator//config/default?ref=0.1.7

secretGenerator:
- name: cloudflare-creds
  behavior: replace
  literals:
    - CLOUDFLARE_API_KEY=""
    - CLOUDFLARE_API_EMAIL=""
    - CLOUDFLARE_ACCOUNT_ID=""
    - CLOUDFLARE_API_TOKEN=""

For additional instructions, see:

https://github.com/BojanZelic/cloudflare-zero-trust-operator#install

How does this compare w/Terraform?

  • We can manage the whole lifecycle of an application with Kubernetes instead of additional complexity with Terraform.
  • If you have an application running in Kubernetes, it makes sense to manage the configuration in Kubernetes.
  • You don’t have to set up separate runners, CI/CD pipelines, or infrastructure related to Terraform.

Contributions welcome!
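
As an added example (not the project's own code), a pre-apply linter in Python for the CloudflareAccessApplication manifest and the kustomize secretGenerator shown in the post above: it flags policy decisions outside the Cloudflare Access set, bypass and everyone rules that open the application up, malformed emails, and a populated CLOUDFLARE_API_KEY (the Global API Key) where a scoped CLOUDFLARE_API_TOKEN would do. The rule keys, decision names and sample manifests are assumptions taken from the Cloudflare Access API, not from the operator's CRD schema.

```python
"""Pre-apply linter for the operator's manifests (constructed example; not the project's code)."""
import re

DECISIONS = {"allow", "deny", "bypass", "non_identity"}  # Cloudflare Access policy decisions
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def lint_access_application(doc):
    """Return findings for one parsed CloudflareAccessApplication (dict from yaml.safe_load)."""
    if doc.get("kind") != "CloudflareAccessApplication":
        return [f"unexpected kind {doc.get('kind')!r}"]
    spec = doc.get("spec") or {}
    findings = [] if spec.get("domain") else ["spec.domain is required"]
    policies = spec.get("policies") or []
    if not policies:
        findings.append("no policies: nothing controls access to the application")
    for pol in policies:
        name, decision = pol.get("name", "<unnamed>"), pol.get("decision")
        if decision not in DECISIONS:
            findings.append(f"{name}: unknown decision {decision!r}")
        if decision == "bypass":  # bypass serves matching requests without authentication
            findings.append(f"{name}: bypass skips authentication for matching requests")
        include = pol.get("include") or []
        if not include:
            findings.append(f"{name}: empty include, policy never matches")
        for rule in include:  # rule keys assumed to follow the Cloudflare API (emails, everyone, ...)
            if "everyone" in rule and decision != "deny":
                findings.append(f"{name}: {decision} policy applies to everyone")
            for email in rule.get("emails") or []:
                if not EMAIL_RE.match(str(email)):
                    findings.append(f"{name}: malformed email {email!r}")
    return findings

def lint_credentials(literals):
    """Flag a Global API Key in the kustomize secretGenerator literals; a scoped token is preferred."""
    values = {k: v.strip('"') for k, _, v in (lit.partition("=") for lit in literals)}
    if values.get("CLOUDFLARE_API_KEY"):
        return ["CLOUDFLARE_API_KEY is the Global API Key (full account access); use a scoped CLOUDFLARE_API_TOKEN"]
    return []

# Constructed sample manifests modelled on the post's example; example.com is a placeholder domain.
GOOD_APP = {"apiVersion": "cloudflare.zelic.io/v1alpha1", "kind": "CloudflareAccessApplication",
            "spec": {"name": "my application", "domain": "domain.example.com",
                     "policies": [{"name": "Allow testemail1", "decision": "allow",
                                   "include": [{"emails": ["testemail1@example.com"]}]}]}}
RISKY_APP = {"kind": "CloudflareAccessApplication",
             "spec": {"domain": "domain.example.com",
                      "policies": [{"name": "Open", "decision": "bypass", "include": [{"everyone": True}]},
                                   {"name": "Typo", "decision": "alow", "include": [{"emails": ["not-an-email"]}]}]}}
```

Feed `lint_access_application` the `yaml.safe_load` output of a manifest and `lint_credentials` the secretGenerator's literals list; an empty list means nothing was flagged.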