Make an app public

By default your apps are private — reachable only inside the cluster and over the tailnet. When you want one reachable from the open internet, you give it an Ingress with a hostname under dubnubdubnub.com. A Cloudflare tunnel running in the cluster picks it up and serves it with automatic HTTPS — and because it rides Cloudflare’s edge, it gets DDoS protection for free. No firewall changes, no public IP.

1. Make sure your app has a Service

Your app needs a Service in front of it (the kubectl expose from the deploy guide creates one):

kubectl get svc

2. Add an Ingress

Create an Ingress in your namespace pointing your chosen hostname at your Service:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
spec:
  rules:
    - host: myapp.dubnubdubnub.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: hello      # your Service name
                port:
                  number: 80

kubectl apply -f ingress.yaml

3. Ask for the hostname to be routed

Hostnames are added to the Cloudflare tunnel by the cluster admin (this is the one step that isn’t self-serve, so two tenants can’t grab the same name). Send your requested hostname (myapp.dubnubdubnub.com) and your namespace, and it’ll be wired up — usually in a minute.

Once routed, your app is live at https://myapp.dubnubdubnub.com with a valid certificate.

Why a manual step?

The tunnel maps public hostnames to the cluster centrally, which prevents collisions and keeps a record of what’s exposed. Everything behind the hostname — the app, scaling, updates — stays fully in your control.