Tunnel without starting cloudflared


I’ve a setup whereby containers contain an SSH server for a specific access reason. These containers live on a Kubernetes host.

Each container runs its own instance of cloudflared and sets up a tunnel to the CF network. Teams access and policy is set up when the container is started by a startup script. Teams governs who can access the hosts on a per-policy basis.

Given that I potentially have hundreds of these bastion hosts for various things, it seems difficult to spin up a cloudflared instance every time I need to connect to a host. Is there a way to integrate this last step with WARP or something?

Are you asking about auto-configuring cloudflared every time you create a new container?

Or would this be more like port-knocking where you do something unique to fire up cloudflared so you can connect?

This would be close to port-knocking, where I do something unique to fire up cloudflared. I suppose I could write a bash script which handles cloudflared and SSHs into the container; however, I don’t think there’s a good way to kill the client tunnel connection when I log out of the container.

If it’s just you, can’t you have a script periodically see who’s logged in, then kill cloudflared if nobody’s logged in?

It won’t be just me, sadly.

Doesn’t that mean you need cloudflared running until there are zero users logged in?

Yep, CF on the tunnel creation side / server side runs all the time. It’s the client side I’m worried about. That said, I think I’ve found a solution; I just need cloudflared deployed to our engineers who will be accessing these hosts.

I can write a bash script which runs:

ssh -o ProxyCommand="/usr/local/bin/cloudflared access ssh --hostname hostname" [email protected]

That said, it would be nicer without having to deploy cloudflared to the client machines.

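A sketch of the wrapper script described in the last post, added here as an example and not taken from the thread. ssh starts the ProxyCommand process for one connection and closes it when the session ends, so no client-side cloudflared is left running after logout. The zone `bastion.example.com` and the function names are assumptions; the hostname check is there because ssh passes the ProxyCommand string to the user's shell.

```shell
#!/bin/sh
# Added example: per-session SSH through cloudflared, many bastions, one script.
# ZONE is a constructed placeholder; valid_host, proxy_command and cfssh are
# hypothetical helper names.
CF_BIN="${CF_BIN:-/usr/local/bin/cloudflared}"
ZONE="${ZONE:-bastion.example.com}"

# Accept only lowercase DNS-style names strictly below ZONE. Anything with
# shell metacharacters, spaces or odd dots/hyphens is rejected before it can
# be placed into the ProxyCommand string.
valid_host() (
  LC_ALL=C
  case "$1" in
    ''|*[!a-z0-9.-]*|[.-]*|*..*|*.-*|*-.*) exit 1 ;;
  esac
  case "$1" in
    *?".$ZONE") exit 0 ;;
  esac
  exit 1
)

# Print the ProxyCommand for a validated host; fail for anything else.
proxy_command() {
  valid_host "$1" || return 1
  printf '%s access ssh --hostname %s' "$CF_BIN" "$1"
}

# cfssh USER HOST: cloudflared runs as a child of ssh for this session only.
cfssh() {
  pc=$(proxy_command "$2") || { echo "refusing host: $2" >&2; return 2; }
  # "--" stops a user value starting with "-" from being read as an ssh option.
  ssh -o ProxyCommand="$pc" -- "$1@$2"
}

# Connect only when a user and a host were given on the command line.
if [ "$#" -ge 2 ]; then
  cfssh "$1" "$2"
fi
```

Engineers still need cloudflared installed locally for this, as the post notes.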