feat(kubectl-tunnel): expose kube-apiserver via cluster-apps tunnel #14
Merged
TunnelBinding in `default` namespace fronts the kubernetes Service
(kube-apiserver) on k3s.makeitwork.cloud as a TCP tunnel through the
existing cluster-apps Cloudflare Tunnel. Combined with the Cloudflare
Access self-hosted application in tfroot-cloudflare, only authenticated
makeitworkcloud-admins can connect.
Client usage (no VPN required, no apiserver port exposed publicly):

```bash
cloudflared login                  # one-time browser OIDC
cloudflared access tcp \
  --hostname k3s.makeitwork.cloud \
  --url localhost:6443 &
kubectl --server=https://localhost:6443 …
```
Summary
Expose the kube-apiserver as a TCP tunnel through the existing cluster-apps Cloudflare Tunnel so admins can reach `kubectl` from anywhere without VPN, without opening the apiserver to the public internet, and gated on GitHub-org-admin authentication via the Cloudflare Access app already provisioned in tfroot-cloudflare.
`workloads/kubectl-tunnel/tunnel-binding.yaml`
TunnelBinding in `default` ns referencing the `kubernetes` Service:
```yaml
subjects:
  - name: kubernetes                 # the kubernetes Service in the default namespace
    spec:
      fqdn: k3s.makeitwork.cloud
      protocol: tcp
      target: tcp://kubernetes.default.svc:443
```
`workloads/apps/kubectl-tunnel-app.yaml` + `kustomization.yaml`
Standard ArgoCD Application wiring; sync wave 1 (after gitops-operators brings up cloudflare-operator).
Pairs with
Client usage (one-time setup per laptop)
```bash
brew install cloudflared
cloudflared login                  # browser OIDC, stores cert
cloudflared access tcp \
  --hostname k3s.makeitwork.cloud \
  --url localhost:6443 &           # backgrounded shim
# kubeconfig points at the local shim
kubectl config set-cluster k3s --server=https://localhost:6443 --insecure-skip-tls-verify
```
(Use `--insecure-skip-tls-verify` only if you don't have the apiserver CA pinned; ideally embed the cluster CA cert in the kubeconfig instead.)
Test plan
🤖 Generated with Claude Code
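The CA-pinned kubeconfig that the note on `--insecure-skip-tls-verify` recommends, as an added example that is not part of this PR: it writes a kubeconfig that targets the local cloudflared shim but still verifies the apiserver certificate against the cluster CA, and a check that rejects configs which disable verification. It assumes the cluster CA is available as a PEM file and that the apiserver serving certificate carries `kubernetes` as a SAN (the k3s default), which is pinned via `tls-server-name`; the user credentials entry is left as a placeholder.

```shell
# Added example (not from this PR): build a kubeconfig that goes through the
# local cloudflared shim but still verifies the apiserver certificate.
# Assumptions: $1 is the cluster CA as a PEM file (copied from the k3s node),
# and the apiserver serving cert has "kubernetes" as a SAN (k3s default).

write_pinned_kubeconfig() {
  ca_file="$1"   # cluster CA PEM
  out="$2"       # kubeconfig to write
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')   # strip GNU base64 line wraps
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: k3s
  cluster:
    # The shim listens on localhost, but the cert is validated as "kubernetes"
    server: https://localhost:6443
    tls-server-name: kubernetes
    certificate-authority-data: ${ca_b64}
contexts:
- name: k3s
  context:
    cluster: k3s
    user: k3s-admin
current-context: k3s
users:
- name: k3s-admin
  user: {}   # placeholder: add a client cert or token with kubectl config set-credentials
EOF
}

# Refuse a kubeconfig that disables verification or pins no CA at all,
# so the --insecure-skip-tls-verify shortcut never lands in a shared config.
check_kubeconfig() {
  f="$1"
  if grep -q 'insecure-skip-tls-verify: true' "$f"; then
    echo "refusing $f: TLS verification disabled" >&2
    return 1
  fi
  if ! grep -q 'certificate-authority-data:' "$f"; then
    echo "refusing $f: no cluster CA pinned" >&2
    return 1
  fi
  return 0
}
```

Usage: `write_pinned_kubeconfig /path/to/cluster-ca.crt ~/.kube/k3s-tunnel && check_kubeconfig ~/.kube/k3s-tunnel`, then run kubectl with `--kubeconfig ~/.kube/k3s-tunnel` while the `cloudflared access tcp` shim is running.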