Cloudflare Zero-Trust operator allow you to manage your zero-trust configuration directly from kubernetes
Cloudflare Access Group
apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessGroup
metadata:
name: accessgroup-example
annotations:
# (optional) default: "false"
# ensures that the resource isn't removed from cloudflare if the CR is deleted
cloudflare.zelic.io/prevent-destroy: "true"
spec:
name: my access group
include:
- emails:
- [email protected]
- [email protected]apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
name: domain-example
annotations:
# (optional) default: "false"
# ensures that the resource isn't removed from cloudflare if the CR is deleted
cloudflare.zelic.io/prevent-destroy: "true"
spec:
name: my application
domain: domain.example.com
autoRedirectToIdentity: true
policies:
- name: Allow testemail1
decision: allow
include:
- emails:
- [email protected]
Currently in Project scope
- Manage Cloudflare Access Groups
- Manage Cloudflare Access Applications
- Manage Cloudflare Access Tokens
apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
name: domain-example
annotations:
cloudflare.zelic.io/prevent-destroy: "false"
spec:
name: my application
domain: domain.example.com
autoRedirectToIdentity: true
appLauncherVisible: true
type: self_hosted
allowedIdps:
- "699d98642c564d2e855e9661899b7252"
sessionDuration: 24h
enableBindingCookie: false
httpOnlyCookieAttribute: true
logoUrl: "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg"
policies:
- name: Allow my rules
decision: allow
include:
- emails:
- [email protected]
- emailDomains:
- my-domain.com
- ipRanges:
- "11.22.33.44/32"
- accessGroups:
- value: "my-access-group-id"
- googleGroups:
- email: [email protected]
identityProviderId: 00000000-0000-0000-0000-00000000000000
- oktaGroup:
- name: my-okta-group
identityProviderId: 10000000-0000-0000-0000-00000000000000See some more examples of how to use the cloudflare zero-trust operator here
On your Cloudflare Dashboard; Create a custom API token with the following permissions:
- Access: Service Tokens:Edit
- Access: Organizations, Identity Providers, and Groups: Edit
- Access: Apps and Policies:Edit
This token will be used referenced as CLOUDFLARE_API_TOKEN in the secret below;
- Create your namespace
kubectl create ns zero-trust-system
- Create a secret with your cloudflare credentials
apiVersion: v1
metadata:
name: cloudflare-creds
namespace: zero-trust-system
kind: Secret
type: Opaque
stringData:
CLOUDFLARE_ACCOUNT_ID: <id>
# Either EMAIL+KEY or TOKEN must be supplied
CLOUDFLARE_API_EMAIL: <email>
CLOUDFLARE_API_KEY: <api_key>
CLOUDFLARE_API_TOKEN: <api_token>- Install the helm repo
helm repo add zelic-io https://zelic-io.github.io/charts
helm install --namespace=zero-trust-system --set secretRef=cloudflare-creds cloudflare-zero-trust-operator zelic-io/cloudflare-zero-trust-operatorkustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/BojanZelic/cloudflare-zero-trust-operator//config/default?ref=main
secretGenerator:
- name: cloudflare-creds
literals:
- CLOUDFLARE_API_KEY=""
- CLOUDFLARE_API_EMAIL=""
- CLOUDFLARE_ACCOUNT_ID=""
- CLOUDFLARE_API_TOKEN=""This provider's versions are able to install and manage the following versions of Kubernetes:
| v1.22 | v1.23 | v1.24 | v1.25 | v1.26 | |
|---|---|---|---|---|---|
| Cloudflare Zero Trust Operator v0.0.1-current | ✓ | ✓ | ✓ | ✓ | ✓ |
cp .env.example .env.integration
vim .env.integration # add your creds here
make integration-test
Copyright 2022.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.