Make sure your cluster does not accept requests that bypass the Cloudflare proxy: anything that reaches the origin IP directly skips every control Cloudflare enforces (WAF, Access, rate limiting), so the origin itself has to reject such traffic. You can test for a bypass with curl by resolving the hostname to your origin address yourself:
curl --silent --verbose https://anya.example.com --resolve anya.example.com:443:<your-ip-address> --insecure
If the origin is protected, this must fail (connection refused or timeout). An HTTP response, even an error page, means the application is reachable without Cloudflare. The --insecure flag only skips certificate validation for the test, it does not affect the result.
You can secure your setup with one or more of the following options:
Firewall: configure the firewall to first deny all traffic on all ports from all IP ranges (0.0.0.0/0). Then add a rule with higher priority that allows only Cloudflare's IP ranges (published at https://www.cloudflare.com/ips/) on port 443 (tcp:443).
Watch out: verify the firewall carefully with the curl command above. Cloud providers usually create a default rule that allows tcp:80 and tcp:443 from everywhere; that rule must be removed or disabled, otherwise it takes precedence and the Cloudflare allowlist never applies.
nginx-values.yaml file to configure the whitelisting on the ingress controller (replace the placeholder with the current, comma-separated list from https://www.cloudflare.com/ips/):
controller:
  service:
    annotations:
      nginx.ingress.kubernetes.io/whitelist-source-range: "<Cloudflare IPv4 and IPv6 ranges, comma-separated>"
The whitelist is evaluated against the source address of the TCP connection nginx sees. If a cloud load balancer in front of the controller replaces that address with its own, the check does not work as intended; preserve the real source address (externalTrafficPolicy: Local or proxy protocol) and do not turn on use-forwarded-headers, since a direct request could then spoof X-Forwarded-For to get past the check. Re-test with the curl command above after the change.
anya-values.yaml file to configure the whitelisting on the application's Ingress (same list as above):
ingress:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "<Cloudflare IPv4 and IPv6 ranges, comma-separated>"
Cloudflare Access: Cloudflare can authenticate users in front of the application and then attaches a signed JWT to every request it forwards (the Cf-Access-Jwt-Assertion header). The receiving application has to verify that token with Cloudflare's public keys, which are published at https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/certs, and check its audience, issuer and expiry; a request without a valid token must be rejected, otherwise anyone who reaches the origin can simply forge the header. This requires a gateway in front of the application that performs the check, or the JWT validation features of NGINX Plus configured through its annotations.
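An added example of the verification such a gateway has to perform, written here for this page and not taken from Cloudflare or the project. It implements RS256 (RSASSA-PKCS1-v1_5 with SHA-256) directly on integers so it runs without third-party libraries, and checks alg, kid, signature, aud, iss and exp in that order. The key pair, kid, audience tag and team domain are constructed for the demo; in production the public keys come from the certs endpoint named above and the audience tag from the Access application settings.

```python
import base64
import hashlib
import hmac
import json
import random
import time

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes: 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sha256_verify(pub, message, sig):
    """RS256 verification: s^e mod n must equal the PKCS#1 v1.5 encoding of the hash."""
    k = (pub["n"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"])
    return hmac.compare_digest(m.to_bytes(k, "big"), emsa_pkcs1_v15(message, k))


def verify_access_jwt(token, jwks, expected_aud, expected_iss, now=None):
    """Validate a Cf-Access-Jwt-Assertion value. jwks maps kid -> {'n': int, 'e': int}."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token"
    if header.get("alg") != "RS256":  # pin the algorithm: never accept "none" or an HMAC alg
        return False, "unexpected alg"
    key = jwks.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not rsa_sha256_verify(key, f"{h_b64}.{p_b64}".encode(), sig):
        return False, "bad signature"
    aud = payload.get("aud", [])  # Access issues aud as a list of application tags
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in aud:
        return False, "aud mismatch"
    if payload.get("iss") != expected_iss:
        return False, "iss mismatch"
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, payload


# --- demo-only key generation and token minting (stand-in for Cloudflare's signer) ---
def probable_prime(n, rng, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if probable_prime(cand, rng):
            return cand


def make_test_keypair(bits=1024, seed=7):
    """Deterministic toy RSA key (demo only; far too small and predictable for real use)."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and ((p - 1) * (q - 1)) % e != 0:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def mint_test_token(priv, kid, payload, alg="RS256"):
    """Sign a token the way the demo verifier expects; 'alg' is a parameter only to build negative tests."""
    h_b64 = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    p_b64 = b64url_encode(json.dumps(payload).encode())
    k = (priv["n"].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k), "big")
    return f"{h_b64}.{p_b64}.{b64url_encode(pow(m, priv['d'], priv['n']).to_bytes(k, 'big'))}"


if __name__ == "__main__":
    pub, priv = make_test_keypair()
    aud, iss = "constructed-aud-tag", "https://example.cloudflareaccess.com"  # assumed values
    tok = mint_test_token(priv, "test-key", {"aud": [aud], "iss": iss, "exp": int(time.time()) + 300})
    print(verify_access_jwt(tok, {"test-key": pub}, aud, iss))
```

The order matters: the algorithm and key are pinned before any signature math, the signature is checked before any claim is read, and the claims are compared against values configured on the gateway, never against values taken from the token itself. Keys fetched from the certs endpoint should be cached and refreshed on an unknown kid, since Cloudflare rotates them.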
Cloudflare Tunnel (Argo Tunnel): Cloudflare can tunnel all requests to the cluster over connections that the cluster opens outbound to Cloudflare, so the origin does not need to expose any public inbound port at all and a direct request has nothing to connect to. To make this work you need to install Cloudflare's dedicated ingress controller in the cluster.