Date: 2026-03-04
Kubernetes
Kubernetes is a container orchestration tool that is used to deploy applications onto physical or virtual machines, scale the deployment to meet traffic demands, and push updates without downtime. The Kubernetes cluster, or environment, where the application instances are running is connected internally through a private network. You can install the cloudflared daemon inside of the Kubernetes cluster in order to connect applications inside of the cluster to Cloudflare.
This guide will cover how to expose a Kubernetes service to the public Internet using a remotely-managed Cloudflare Tunnel. For the purposes of this example, we will deploy a basic web application alongside cloudflared in Google Kubernetes Engine (GKE). The same principles apply to any other Kubernetes environment (such as minikube, kubeadm, or a cloud-based Kubernetes service) where cloudflared can connect to Cloudflare's network.
As shown in the diagram, we recommend setting up cloudflared as an adjacent deployment to the application deployments. Having a separate Kubernetes deployment for cloudflared allows you to scale cloudflared independently of the application. In the cloudflared deployment, you can spin up multiple replicas running the same Cloudflare Tunnel — there is no need to build a dedicated tunnel for each cloudflared pod. Each cloudflared replica / pod can reach all Kubernetes services in the cluster.
Once the cluster is connected to Cloudflare, you can configure Cloudflare Tunnel routes to control how cloudflared will proxy traffic to services within the cluster. For example, you may wish to publish certain Kubernetes applications to the Internet and restrict other applications to internal WARP client users.
To complete the following procedure, you will need:
To create a new Kubernetes cluster in Google Cloud:
- Open Google Cloud and go to Kubernetes Engine.
- In Clusters, select Create.
- Name the cluster. In this example, we will name it cloudflare-tunnel.
- (Optional) Choose your desired region and other cluster specifications. For this example, we will use the default specifications.
- Select Create.
- To connect to the cluster:
  - Select the three-dot menu.
  - Select Connect.
  - Select Run in Cloud Shell to open a terminal in the browser.
  - Select Authorize.
  - Press Enter to run the pre-populated gcloud command.
  - (Recommended) In the Cloud Shell menu, select Open Editor to launch the built-in IDE.
- In the Cloud Shell terminal, run the following command to check the cluster status:
A pod represents an instance of a running process in the cluster. In this example, we will deploy the httpbin application with two pods and make the pods accessible inside the cluster at httpbin-service:80.
- Create a folder for your Kubernetes manifest files:
- Change into the directory:
- In the tunnel-example directory, create a new file called httpbin.yaml. This file defines the Kubernetes deployment for the httpbin app.
- Create a new httpbinsvc.yaml file. This file defines a Kubernetes service that allows other apps in the cluster (such as cloudflared) to access the set of httpbin pods.
- Use the following command to run the application inside the cluster:
- Check the status of your deployment:
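The two manifests these steps create could look like the following. This is an added example, not the original page's files: the image kennethreitz/httpbin, the app: httpbin label and the deployment name are assumptions, while the replica count, service name and port come from the text above. Both documents are shown in one listing; split them at the --- separator into httpbin.yaml and httpbinsvc.yaml.

```yaml
# httpbin.yaml: Deployment with two httpbin pods (added example)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin-deployment        # assumed name
  namespace: default
spec:
  replicas: 2                     # "two pods", as in the text
  selector:
    matchLabels:
      app: httpbin                # assumed label; must match the pod template and the Service selector
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
        - name: httpbin
          image: kennethreitz/httpbin:latest   # assumed image; serves HTTP on port 80
          ports:
            - containerPort: 80
---
# httpbinsvc.yaml: Service reachable inside the cluster as httpbin-service:80
apiVersion: v1
kind: Service
metadata:
  name: httpbin-service
  namespace: default
spec:
  type: ClusterIP                 # no external IP; outside traffic arrives only through cloudflared
  selector:
    app: httpbin
  ports:
    - port: 80
      targetPort: 80
```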
To create a Cloudflare Tunnel:
- In the Cloudflare dashboard, go to Networking > Tunnels.
- Select Create Tunnel.
- Enter a name for your tunnel (for example, gke-tunnel).
- Select Save tunnel.
- Under Choose an environment, select Docker. Applications must be packaged into a containerized image before you can run them in Kubernetes. Therefore, we will use the cloudflared Docker container image to deploy the tunnel in Kubernetes.
- Instead of running the installation command, copy just the token value rather than the whole command. The token value is of the form eyJhIjoiNWFiNGU5Z... You will need the token for the Kubernetes manifest file.
Leave the Cloudflare Tunnel browser tab open while we focus on the Kubernetes deployment.
cloudflared uses a tunnel token to run a remotely-managed Cloudflare Tunnel. You can store the tunnel token in a Kubernetes secret.
- In GKE Cloud Shell, create a tunnel-token.yaml file with the following content. Make sure to replace <YOUR_TUNNEL_TOKEN> with your tunnel token (eyJhIjoiNWFiNGU5Z...).
- Create the secret:
- Check the newly created secret:
To run the Cloudflare Tunnel in Kubernetes:
- Create a Kubernetes deployment for a remotely-managed Cloudflare Tunnel:
- Deploy cloudflared to the cluster:
  Kubernetes will install the cloudflared image on two pods and run the tunnel using the command cloudflared tunnel --no-autoupdate --loglevel info --metrics 0.0.0.0:2000 run. cloudflared will consume the tunnel token from the TUNNEL_TOKEN environment variable.
- Check the status of your cluster:
You should see two cloudflared pods and two httpbin pods with a Running status. If your cloudflared pods keep restarting, check the command syntax in tunnel.yaml and make sure that the tunnel run parameters are in the correct order.
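One way to write the secret and the cloudflared deployment described above, as an added example rather than the original page's manifests. The secret name tunnel-token, its key token, the deployment name, the labels and the cloudflare/cloudflared:latest tag are assumptions; the arguments, replica count and TUNNEL_TOKEN variable are the ones the text names, and the liveness probe uses cloudflared's /ready endpoint on the metrics port.

```yaml
# tunnel-token.yaml: keeps the token out of the Deployment spec (added example)
apiVersion: v1
kind: Secret
metadata:
  name: tunnel-token              # assumed name
type: Opaque
stringData:
  token: "<YOUR_TUNNEL_TOKEN>"    # placeholder; keep the real value out of version control
---
# tunnel.yaml: two replicas running the same remotely-managed tunnel
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared-deployment    # assumed name
spec:
  replicas: 2
  selector:
    matchLabels:
      pod: cloudflared            # assumed label
  template:
    metadata:
      labels:
        pod: cloudflared
    spec:
      containers:
        - name: cloudflared
          image: cloudflare/cloudflared:latest   # assumed tag; pin a release or digest in practice
          env:
            - name: TUNNEL_TOKEN  # cloudflared reads the token from this variable
              valueFrom:
                secretKeyRef:
                  name: tunnel-token
                  key: token
          # Same order as the command in the text: tunnel flags first, "run" last.
          command:
            - cloudflared
            - tunnel
            - --no-autoupdate
            - --loglevel
            - info
            - --metrics
            - 0.0.0.0:2000
            - run
          livenessProbe:
            httpGet:
              path: /ready        # on the metrics port; unhealthy when no tunnel connection is up
              port: 2000
            initialDelaySeconds: 10
            periodSeconds: 10
```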
To print logs for a cloudflared instance:
Now that the tunnel is up and running, we can route the httpbin service through the tunnel.
- In the Cloudflare dashboard, go to Networking > Tunnels and select your tunnel.
- Under Routes, select Add route > Published application.
- Enter a hostname for the application (for example, httpbin.<your-domain>.com).
- Under Service, enter http://httpbin-service. httpbin-service is the name of the Kubernetes service defined in httpbinsvc.yaml.
- Select Add route.
To test, open a new browser tab and go to httpbin.<your-domain>.com. You should see the httpbin homepage.
You can optionally add Cloudflare Access to control who can access the service.