Coverage Matrix

Chkk Curated Release Notes: v2022.8.4 to latest
Private Registry: Supported
Custom Built Images: Supported
Safety, Health, and Readiness Checks: v2023.6.0 to latest
Supported Packages: Helm, Kustomize, Kube
EOL Information: Available
Version Incompatibility Information: Available
Upgrade Templates: In-Place, Blue-Green
Preverification: Available

Cloudflared Overview

Cloudflared is an open-source tunneling daemon that securely connects your Kubernetes cluster or services to Cloudflare’s global network, enabling secure external access without opening inbound firewall ports. It establishes outbound-only, encrypted connections to Cloudflare’s edge, enabling Zero Trust security principles by limiting ingress exposure. Traffic routed through Cloudflare’s edge network benefits from built-in security services such as DDoS mitigation, WAF, and identity verification through Cloudflare Access. Cloudflared eliminates the need for traditional load balancers or ingress controllers when publishing external services while preserving existing application and network architecture.

Chkk Coverage

Curated Release Notes

Chkk tracks Cloudflared releases, highlighting relevant new features, critical fixes, and breaking changes that could impact your infrastructure. Important updates—such as deprecated flags, new logging mechanisms, or OS compatibility changes—are specifically flagged to simplify operational oversight. Instead of parsing lengthy upstream changelogs, Chkk provides concise summaries of version-specific impacts, allowing for proactive cluster management and upgrade planning.

Preflight & Postflight Checks

Chkk’s preflight checks verify Cloudflared configurations, credential validity, resource allocations, and compatibility with the intended upgrade version. Postflight checks confirm stable tunnel re-establishment, monitor logs for connectivity errors, and validate the uniformity of deployed versions. This structured validation ensures predictable upgrades, immediately identifying issues like authentication problems or mixed-version deployments before they affect service availability.

Version Recommendations

Chkk proactively identifies Cloudflared versions that are approaching end-of-life or have known operational issues, referencing Cloudflare’s official support policy. Recommendations balance stability and feature availability, advising platform teams to select versions proven reliable by community experience and official guidance. Chkk clearly communicates compatibility considerations, so that clusters avoid deploying unsupported versions or configurations incompatible with specific hardware architectures.

Upgrade Templates

Chkk provides comprehensive Upgrade Templates for both in-place rolling updates and blue-green deployments. Rolling update templates focus on seamless pod transitions to avoid downtime, while blue-green strategies facilitate parallel deployments, verifying stability before traffic cutover. Each template details explicit steps, rollback procedures, and best practices for safely updating Cloudflared instances within Kubernetes.

Preverification

Chkk’s Preverification simulates Cloudflared upgrades in an isolated environment mirroring production configurations, identifying potential issues such as configuration mismatches, credential problems, or resource constraints. This dry-run ensures issues surface in pre-production testing, enabling adjustments before applying changes to live environments. Platform engineers can thus confidently execute upgrades, significantly reducing risk during production rollouts.

Supported Packages

Chkk supports Cloudflared deployments across Kubernetes manifests, Helm charts, container images, and standalone binary packages, accommodating diverse operational workflows. Custom images, private registries, and GitOps or Terraform-managed configurations are fully compatible, ensuring consistency across various management practices. Chkk’s analysis directly aligns with existing deployment methods, suggesting targeted manifest changes required for safe version upgrades.

Common Operational Considerations

  • Firewall Egress Requirements: Ensure outbound connectivity on TCP/UDP port 7844 (QUIC/HTTP2) is permitted to Cloudflare endpoints to prevent tunnel connection issues.
  • Multiple Instances for High Availability: Deploy multiple Cloudflared instances per tunnel to prevent single points of failure, ensuring continuous traffic flow during updates or instance failures.
  • Auto-Update Control: Disable automatic updates (--no-autoupdate) to maintain version control within Kubernetes-managed deployments and avoid unexpected service interruptions.
  • Graceful Termination: Configure proper termination grace periods using Kubernetes’ terminationGracePeriodSeconds to ensure Cloudflared instances close tunnels gracefully during restarts.
  • Ingress Rule Precedence: Arrange Cloudflared ingress rules from most specific to general, always including a final catch-all rule to ensure correct traffic routing and avoid unintended request handling.
  • Credential Management: Securely manage and rotate Cloudflared tunnel credentials using Kubernetes Secrets, ensuring updates propagate cluster-wide to prevent unauthorized access or tunnel disruptions.
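
The ingress-ordering consideration above can be checked mechanically before a rollout. The following is an added example, not Chkk's or Cloudflare's code: a small Python lint over ingress rules already parsed from a cloudflared configuration. The hostnames and services are constructed, and comparing path regexes only by equality is an assumed simplification.

```python
from fnmatch import fnmatchcase

def host_covers(earlier, later):
    """True if the earlier hostname pattern matches every host the later one can."""
    if not earlier:          # no hostname means the rule matches any host
        return True
    if not later:            # a specific host cannot cover an any-host rule
        return False
    return fnmatchcase(later.lower(), earlier.lower())

def lint_ingress(rules):
    """Return findings for a list of ingress rules (first match wins, top to bottom)."""
    if not rules:
        return ["no ingress rules defined"]
    findings = []
    last = rules[-1]
    if last.get("hostname") or last.get("path"):
        findings.append("last rule is not a catch-all")
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            # Simplification: an earlier path only covers an identical path string.
            path_covers = not earlier.get("path") or earlier.get("path") == later.get("path")
            if path_covers and host_covers(earlier.get("hostname"), later.get("hostname")):
                findings.append(f"rule {j + 1} is unreachable: shadowed by rule {i + 1}")
                break
    return findings

# Constructed sample: general wildcard first, no final catch-all.
MISORDERED = [
    {"hostname": "*.example.com", "service": "http://web.default.svc:80"},
    {"hostname": "api.example.com", "path": "/v1/.*", "service": "http://api.default.svc:8080"},
    {"hostname": "example.com", "service": "http://web.default.svc:80"},
]

# Constructed sample: most specific to most general, ending in a catch-all.
ORDERED = [
    {"hostname": "api.example.com", "path": "/v1/.*", "service": "http://api.default.svc:8080"},
    {"hostname": "api.example.com", "service": "http://api.default.svc:8080"},
    {"hostname": "*.example.com", "service": "http://web.default.svc:80"},
    {"service": "http_status:404"},
]

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("ordered", ORDERED)):
        print(name, lint_ingress(rules) or "ok")
```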

Additional Resources