[Security] Cross-Account Certificate Usage Query

I have two separate accounts, referred to as TLD_A and TLD_B.

I have logged into Cloudflared using the cloudflared tunnel login command on the TLD_A account. Now, I have configured the Ingress with the following settings:

  ingress:
    - hostname: k8s.TLD_B
      service: tcp://kubernetes.default.svc:443
      originRequest:
        proxyType: socks
    - service: http_status:404  # required catch-all rule

Even though I am still using the cert.pem from TLD_A, I am able to use the following command successfully:

cloudflared access tcp --hostname k8s.TLD_B --url 127.0.0.1:1234

Afterwards, I can use the env HTTPS_PROXY=socks5://127.0.0.1:1234 kubectl get pods command as if nothing is out of the ordinary. Is this behavior intentional, or is it a bug?

P.S. The question above was revised with the help of ChatGPT.

Define accounts? Two separate logins to Cloudflare each containing a different domain? Or are you using account to mean 2 different domains in the same account?

Different email/account for each domain.
Email [email protected] for domain TLD_A and [email protected] for domain TLD_B.

This is what my cloudflared tunnel list is showing.

$ cloudflared tunnel list
No tunnels were found for the given filter flags. You can use 'cloudflared tunnel create' to create a tunnel.

But I can still use

cloudflared access tcp --hostname k8s.TLD_B --url 127.0.0.1:1234

And connect as normal.

And in that account TLD_B is in an active state and there is a DNS entry for k8s which is a CNAME to something.cfargotunnel.com? And that something.cfargotunnel.com is a tunnel listed in the account which has TLD_A?

TLD_B is an active domain.
k8s.TLD_B has a CNAME to cfargotunnel.com but should be listed on TLD_B’s account. Nothing is shared between these domains except the owner (it’s me).

Retested on a brand new machine.

Without doing cloudflared tunnel login, I can still run cloudflared access tcp --hostname _k.TLD_B --url 0.0.0.0:1234 and connect to my service.

I thought Cloudflare Tunnel would have some kind of prevention such as “I must log in and have a right to proxy”, but it’s not. So, it’s still a security hole to expose a k8s server to the outside world using Cloudflare Tunnel following this tutorial: Connect through Cloudflare Access using kubectl · Cloudflare Zero Trust docs

It doesn’t.

It’s not if you configure authentication as described at the beginning of the article.

  1. To create a new application, go to Zero Trust. From the sidebar, select the Applications page. Select Add an application.
  2. On the next page, choose Self-hosted.
  3. Within Application Domain, input a subdomain. This will be the hostname where your application will be available to users.
  4. Create rules to control who can reach the application.
  5. To save the policy, select Save. You can edit the policy later to change allowed users or authentication providers.

This isn’t a command to authenticate to an application protected by access.

It will look something like this if there is an access policy:
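The thread turns on whether the hostname is actually fronted by an Access application; the tunnel itself does not authenticate clients, and `cloudflared access tcp` only goes through a login flow when a policy exists for that hostname. The check below is an added example (not code from the thread or from Cloudflare): an Access-protected hostname answers an unauthenticated HTTPS request with a redirect to the team's `<team>.cloudflareaccess.com` login page, so a plain `curl -sI` of the hostname shows whether the policy is in force. The hostname, team name and the two sample header sets are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify that a hostname published through a
# Cloudflare Tunnel is gated by Cloudflare Access. Without an Access application,
# cloudflared proxies the TCP stream straight to the origin, which is the behaviour
# the original poster observed.

# access_gated HEADERS
# Returns 0 when the raw response headers (as printed by `curl -sI`) carry a
# Location header pointing at a <team>.cloudflareaccess.com login URL, 1 otherwise.
access_gated() {
  printf '%s\n' "$1" \
    | tr -d '\r' \
    | grep -qiE '^location: *https://[a-z0-9-]+\.cloudflareaccess\.com/'
}

# check_host HOSTNAME
# Live variant (needs network). Fetches only the headers with a short timeout and
# prints a one-line verdict. The hostname passed in is whatever you publish via the
# tunnel's ingress rules, e.g. k8s.TLD_B from the thread.
check_host() {
  local headers
  headers="$(curl -sSI --max-time 10 "https://$1/")" || { echo "$1: request failed"; return 2; }
  if access_gated "$headers"; then
    echo "$1: gated by Cloudflare Access"
  else
    echo "$1: NOT gated by Access (tunnel forwards directly to the origin)"
    return 1
  fi
}

# Constructed sample responses for offline demonstration (not captured traffic).
# A protected hostname: Cloudflare answers with a 302 to the team login page.
PROTECTED_HEADERS='HTTP/2 302
date: Mon, 01 Jan 2024 00:00:00 GMT
location: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/k8s.example.com?kid=abc123
server: cloudflare'

# An unprotected hostname: the request reaches the origin; here kube-apiserver
# rejecting an anonymous caller with 403.
UNPROTECTED_HEADERS='HTTP/2 403
date: Mon, 01 Jan 2024 00:00:00 GMT
content-type: application/json
server: cloudflare'

# Usage against the samples (live: check_host k8s.TLD_B):
#   access_gated "$PROTECTED_HEADERS"   -> exit 0
#   access_gated "$UNPROTECTED_HEADERS" -> exit 1
```

The redirect target is the Access login endpoint under the Zero Trust team domain; if `curl -sI https://k8s.TLD_B/` comes back with a 403 or 401 from the origin instead of that redirect, the Access application from steps 1 to 5 above has not been applied to that hostname, and any `cloudflared access tcp` client on the Internet can reach the origin exactly as the poster described.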
