Cloudflare Access Controller synchronizes Kubernetes Ingress with Cloudflare Access

| Kubernetes Version | Cloudflare Access Controller Version |
|---|---|
| >= 1.22 | >= 2.1.0 |
| <= 1.21 | 2.0.0 |

```sh
kubectl apply -f deploy/cloudflare-access-controller.yaml
```

Access policies are created with the name `cac-policy-{#number}`. Policies whose names do not start with `cac-policy-` are ignored, so they can be configured by adding or changing them directly in your Cloudflare Dashboard.

The image is available here: `ghcr.io/dingggu/cloudflare-access-controller:latest`

Execute with the following command:

```sh
./cloudflare-access-controller \
  -z cloudflare.zone.name \
  -c identifier.cluster.name
```

or list the available options with:

```sh
./cloudflare-access-controller -h
```

```yaml
annotations:
  access.cloudflare.com/application-sub-domain: 'subdomain' # required; if set to '', it will be applied to the domain
  access.cloudflare.com/application-path: '/path-url' # if not set, default '/'
  access.cloudflare.com/session-duration: 24h # one of 30m, 6h, 12h, 24h, 168h, 730h; if not set, default 24h
  access.cloudflare.com/policies: |
    "[]"
  # https://api.cloudflare.com/#access-policy-create-access-policy
```

- Allow login account email ends with ggu.la and mah.ye and IP address require 123.123.123.123/32

  ```json
  [{"decision":"allow","include":[{"email_domain":{"domain":"ggu.la"}},{"email_domain":{"domain":"google.com"}}],"require":[{"ip":{"ip":"123.123.123.123/32"}}]}]
  ```

- Bypass IP Address 123.123.123.123/32 and Denied IP Address 192.168.0.1/32

  ```json
  [{"decision":"bypass","require":[{"ip":{"ip":"123.123.123.123/32"}}]},{"decision":"deny","require":[{"ip":{"ip":"192.168.0.1/32"}}]}]
  ```

- More examples: https://developers.cloudflare.com/access/setting-up-access/configuring-access-policies/

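
A pre-deploy check for the annotations described above, as an added example (not part of the controller's own code). It assumes the `policies` annotation holds the raw JSON array shown in the examples; the function name `lint_annotations` and the finding messages are hypothetical.

```python
import ipaddress
import json

PREFIX = "access.cloudflare.com/"
# Durations from this page's annotation reference; decisions from the Cloudflare Access policy API.
SESSION_DURATIONS = {"30m", "6h", "12h", "24h", "168h", "730h"}
DECISIONS = {"allow", "deny", "bypass", "non_identity"}


def lint_annotations(annotations):
    """Return a list of 'error: ...' / 'warn: ...' findings for one Ingress."""
    findings = []
    if PREFIX + "application-sub-domain" not in annotations:
        findings.append("error: application-sub-domain is required")
    duration = annotations.get(PREFIX + "session-duration", "24h")
    if duration not in SESSION_DURATIONS:
        findings.append(f"error: session-duration {duration!r} is not allowed")
    try:
        policies = json.loads(annotations.get(PREFIX + "policies", "[]"))
    except json.JSONDecodeError:
        return findings + ["error: policies is not valid JSON"]
    if not isinstance(policies, list):
        return findings + ["error: policies must be a JSON array"]
    for i, policy in enumerate(policies):
        if not isinstance(policy, dict):
            findings.append(f"error: policy {i} is not a JSON object")
            continue
        decision = policy.get("decision")
        if decision not in DECISIONS:
            findings.append(f"error: policy {i} has unknown decision {decision!r}")
        elif decision == "bypass":
            # Bypass turns off Access enforcement for matching requests.
            findings.append(f"warn: policy {i} bypasses Access, review its scope")
        for group in ("include", "require", "exclude"):
            rules = policy.get(group, [])
            for rule in rules if isinstance(rules, list) else []:
                ip_rule = rule.get("ip") if isinstance(rule, dict) else None
                if not isinstance(ip_rule, dict):
                    continue
                try:
                    ipaddress.ip_network(ip_rule.get("ip"), strict=False)
                except (ValueError, TypeError):
                    findings.append(f"error: policy {i} {group} has bad CIDR {ip_rule.get('ip')!r}")
    return findings


if __name__ == "__main__":  # constructed input using a policy example from this page
    print(lint_annotations({PREFIX + "application-sub-domain": "subdomain", PREFIX + "policies":
          '[{"decision":"bypass","require":[{"ip":{"ip":"123.123.123.123/32"}}]}]'}))
```

Run it in CI over the annotations of each Ingress manifest before `kubectl apply`, and fail the job on any `error:` finding.
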
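Using Cloudflare with Argo Tunnel is recommended, as it is more secure.

If you do not use Argo Tunnel, Access must be proxied (a.k.a. orange cloud enabled); a DNS-only record resolves straight to the origin, so requests never pass through Cloudflare and the Access policies are not enforced. ExternalDNS makes it easy to manage Cloudflare's DNS with Kubernetes, and using it together with this controller is strongly recommended.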