How to Secure an Exposed Kubernetes Dashboard Using Cloudflare Zero Trust Tunnel
A team discovered their Kubernetes Dashboard was publicly accessible via an open kubectl proxy during a routine Shodan scan of their own IP ranges, with no VPN or access policy protecting it. The exposure prompted them to build a repeatable security checklist using Cloudflare Tunnel and Zero Trust Access instead of a traditional VPN solution. Cloudflare's cloudflared agent establishes an outbound-only connection from inside the cluster to Cloudflare's edge, eliminating the need to open any inbound ports. The checklist covers key hardening steps including storing tunnel credentials in Kubernetes Secrets, targeting ClusterIP rather than NodePort, enforcing identity-based Access policies, and removing overly broad cluster-admin RBAC bindings. The guide targets teams already running Kubernetes Dashboard v2.7.0 and a Zero Trust-enabled Cloudflare account, with the free tier supporting up to 50 users.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in