Fail access to kubectl with Cloudflare Zero Trust

I’m following this guide <> to enable private access to my GKE private cluster.
The GKE private cluster exposes an public cluster endpoint:

apiVersion: v1
- cluster:
    certificate-authority-data: access-key-blahblah
    server: h.t.t.p.s
  name: gke_private_cluster_1

Steps are followed carefully, even I add Cloudflare cert to my laptop. The dashboard help. teams. Cloudflare .com show that I was fully protected by WARP client (logged in).
From my local, I can nc to this IP/port but when I try to get cluster credential, it said

Cloudflare Gateway

Insecure upstream

HTTP Response Code: 526

Please contact your administrator for further assistance.

Any one has experience with config Cloudflare Zero Trust with GKE private cluster?