
Cloudflare Tunnel works without an established connection—why? #1400

Closed
imuneeeb opened this issue Jan 27, 2025 · 1 comment

Comments

@imuneeeb

Description

Cloudflare Tunnel appears to work without establishing a connection to the required ports (443 or 7844). Even though these ports are not allowed through Kubernetes network policies, the tunnel still seems operational, which is unexpected.

Steps to Reproduce

  1. Deploy Cloudflared Pod in Kubernetes:

    • Deploy a cloudflared pod in a Kubernetes cluster configured to use Cloudflare Tunnel.
  2. Configure Egress Network Policy:

    • Create a NetworkPolicy that allows outbound traffic only for specific ports such as 53 (DNS) or 3306 (MySQL).

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cloudflare-zero-trust
  namespace: zero-trust
spec:
  egress:
    - ports:
        - port: 53
          protocol: UDP
      to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
    - ports:
        - port: 3306
          protocol: TCP
        - port: 5432
          protocol: TCP
      to:
        - ipBlock:
            cidr: 172.xy.x.z/16
  podSelector:
    matchLabels:
      pod: cloudflared
  policyTypes:
    - Egress
```

  3. Verify Tunnel Functionality:

    • Attempt to route traffic through the Cloudflare Tunnel and observe if it still works despite the connection errors.

Expected Behavior

The Cloudflare Tunnel should fail to establish a connection and stop working when outbound traffic to the required ports (443 or 7844) is blocked.

Actual Behavior

The Cloudflare Tunnel appears to remain functional even when outbound traffic to the required ports is blocked, leading to unexpected behavior.

Environment

  • Kubernetes Cluster
  • Cloudflared Pod
  • Egress rules managed through Kubernetes Network Policies

Additional Notes

This issue raises concerns about whether the tunnel is falling back to alternative mechanisms or routes that bypass the explicitly blocked ports. Any insights or clarifications regarding this behavior would be appreciated.

@jcsf
Contributor

jcsf commented Jan 27, 2025

Hi,

This doesn't seem to be a cloudflared issue, but rather a configuration problem with your Kubernetes setup. Cloudflared establishes connections to our network on a specific IP range and ports. After establishing these connections, it will use them to proxy traffic to your origins.

To troubleshoot this issue, I recommend that you investigate your Kubernetes setup further. For example:

  1. Create a test pod with netcat installed and attempt to establish connections to servers outside the cluster on specific ports. This will help confirm whether the issue lies with the cluster's ability to block outgoing connections.
  2. Review all network policies within the cluster to determine if any rules are allowing traffic. Specifically, check if there are any policies that allow traffic to flow to the internet or if the default behavior of the cluster is not to block outbound connections.

jcsf closed this as not planned (Won't fix, can't repro, duplicate, stale) Jan 27, 2025
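Added example, not code from the issue or from the cloudflared project: it covers both the reporter's steps (what the posted NetworkPolicy actually permits the `pod: cloudflared` pod to send) and the maintainer's troubleshooting steps (a netcat probe pod and a review of the policy set). It implements the Kubernetes allow-list semantics for egress: a pod selected by no Egress policy may send anywhere, otherwise a flow must be permitted by at least one selecting policy. The policy is a constructed copy of the one above in the JSON shape `kubectl get networkpolicy -o json` returns; the 172.16.0.0/16 block stands in for the reporter's redacted CIDR, the 203.0.113.10 and 10.96.0.10 addresses are TEST-NET and cluster-IP stand-ins rather than real Cloudflare or kube-dns addresses, and the busybox image and its `nc` flags are assumptions.

```python
"""Egress audit for a NetworkPolicy plus the probe command to check enforcement."""
from ipaddress import ip_address, ip_network

# Constructed: the issue's policy in JSON form; the /16 is a stand-in CIDR.
CLOUDFLARED_POLICY = {
    "metadata": {"name": "cloudflare-zero-trust", "namespace": "zero-trust"},
    "spec": {
        "podSelector": {"matchLabels": {"pod": "cloudflared"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"ports": [{"port": 53, "protocol": "UDP"}],
             "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                     "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}]},
            {"ports": [{"port": 3306, "protocol": "TCP"}, {"port": 5432, "protocol": "TCP"}],
             "to": [{"ipBlock": {"cidr": "172.16.0.0/16"}}]},
        ],
    },
}
# Constructed stand-in destinations (not real Cloudflare edge or kube-dns IPs).
EDGE_STANDIN = {"ip": "203.0.113.10"}
KUBE_DNS_DST = {"ip": "10.96.0.10", "namespace": "kube-system",
                "ns_labels": {"kubernetes.io/metadata.name": "kube-system"},
                "pod_labels": {"k8s-app": "kube-dns"}}


def _match(selector, labels):
    """matchLabels-only selector; a missing or empty selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def _selects_for_egress(policy, pod_labels):
    spec = policy["spec"]
    # policyTypes defaults to Ingress, plus Egress only when egress rules exist.
    types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
    return "Egress" in types and _match(spec.get("podSelector"), pod_labels)


def _port_matches(rule, port, proto):
    ports = rule.get("ports")
    if not ports:  # no ports listed: every port and protocol
        return True
    for p in ports:
        lo, hi = p.get("port"), p.get("endPort", p.get("port"))
        if p.get("protocol", "TCP") == proto and isinstance(lo, int) and lo <= port <= hi:
            return True
    return False


def _peer_matches(peer, dst, policy_ns):
    if "ipBlock" in peer:
        block, addr = peer["ipBlock"], ip_address(dst["ip"])
        inside = addr in ip_network(block["cidr"], strict=False)
        excluded = any(addr in ip_network(ex, strict=False) for ex in block.get("except", []))
        return inside and not excluded
    if dst.get("pod_labels") is None:  # selector peers never match an external IP
        return False
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:  # podSelector alone means pods in the policy's own namespace
        if dst.get("namespace") != policy_ns:
            return False
    elif not _match(ns_sel, dst.get("ns_labels", {})):
        return False
    return _match(peer.get("podSelector"), dst["pod_labels"])


def _policy_permits(policy, dst, port, proto):
    ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("egress", []):
        if not _port_matches(rule, port, proto):
            continue
        peers = rule.get("to")
        if not peers or any(_peer_matches(p, dst, ns) for p in peers):  # empty 'to': anywhere
            return True
    return False


def egress_allowed(policies, pod_labels, dst, port, proto="TCP"):
    """Allowed when no Egress policy selects the pod, else when any selecting policy permits it."""
    selecting = [p for p in policies if _selects_for_egress(p, pod_labels)]
    return not selecting or any(_policy_permits(p, dst, port, proto) for p in selecting)


def audit_cloudflared(policies, pod_labels=None):
    """Verdicts for the flows a tunnel needs (DNS, 7844, 443) and the origins the policy lists."""
    labels = pod_labels or {"pod": "cloudflared"}
    checks = {"kube-dns 53/UDP": (KUBE_DNS_DST, 53, "UDP"),
              "edge 7844/TCP": (EDGE_STANDIN, 7844, "TCP"),
              "edge 7844/UDP": (EDGE_STANDIN, 7844, "UDP"),
              "edge 443/TCP": (EDGE_STANDIN, 443, "TCP"),
              "origin 3306/TCP": ({"ip": "172.16.5.20"}, 3306, "TCP")}
    return {name: egress_allowed(policies, labels, d, port, proto)
            for name, (d, port, proto) in checks.items()}


def probe_command(dst_ip, port, namespace="zero-trust"):
    """kubectl one-liner for the maintainer's step 1 (assumed busybox nc flags -z/-v/-w).
    The probe pod carries the label the policy selects on, so the same rules govern it.
    TCP only: a zero-I/O UDP probe cannot distinguish open from filtered."""
    return (f"kubectl -n {namespace} run egress-probe --rm -it --restart=Never "
            f"-l pod=cloudflared --image=busybox:1.36 -- nc -zv -w 3 {dst_ip} {port}")


if __name__ == "__main__":
    for flow, ok in audit_cloudflared([CLOUDFLARED_POLICY]).items():
        print(f"{flow:17} {'ALLOW' if ok else 'DENY'}")
    print(probe_command(EDGE_STANDIN["ip"], 7844))
```

Run against the posted policy, the audit reports DENY for 7844/TCP, 7844/UDP and 443/TCP and ALLOW only for kube-dns and the listed origin ports, which is what the reporter expected. Feed it every policy in the namespace (`kubectl get networkpolicy -o json` per policy) to cover the maintainer's step 2; a second policy that selects the same pod with an empty `to` would flip the edge verdicts to ALLOW. If the audit still says DENY while the tunnel stays up, the probe pod from step 1 is the deciding check: a NetworkPolicy object is accepted by the API server even on a CNI that does not implement NetworkPolicy at all, in which case the probe connects and the policy is simply not being enforced.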