diff --git a/README.md b/README.md
index 4c6934c..62fa85f 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ No modules.
 | [cloudflare_dns_record.spf](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
 | [cloudflare_dns_record.www](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
 | [cloudflare_ruleset.cache_rules](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) | resource |
+| [cloudflare_zero_trust_access_application.k3s](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_application) | resource |
 | [cloudflare_zero_trust_access_application.warp](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_application) | resource |
 | [cloudflare_zero_trust_access_group.admins](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_group) | resource |
 | [cloudflare_zero_trust_access_identity_provider.github](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) | resource |
diff --git a/cf-access-k3s.tf b/cf-access-k3s.tf
new file mode 100644
index 0000000..ab0616f
--- /dev/null
+++ b/cf-access-k3s.tf
@@ -0,0 +1,34 @@
+# Cloudflare Access application protecting the k3s API server tunnel.
+#
+# Pairs with the TunnelBinding in kustomize-cluster (workloads/kubectl-tunnel)
+# that fronts kubernetes.default.svc:443 over k3s.makeitwork.cloud as a TCP
+# tunnel. Clients reach the apiserver via:
+#
+# cloudflared access tcp --hostname k3s.makeitwork.cloud --url localhost:6443
+#
+# `cloudflared access` runs the Access OIDC flow against this app before the
+# TCP tunnel opens, so only org admins authenticated via GitHub can connect.
+resource "cloudflare_zero_trust_access_application" "k3s" {
+ account_id = local.account_id
+ name = "k3s API"
+ type = "self_hosted"
+ domain = "k3s.makeitwork.cloud"
+ session_duration = "24h"
+
+ allowed_idps = [
+ cloudflare_zero_trust_access_identity_provider.github.id,
+ ]
+
+ policies = [
+ {
+ name = "makeitworkcloud-admins"
+ decision = "allow"
+ session_duration = "24h"
+ include = [{
+ group = {
+ id = cloudflare_zero_trust_access_group.admins.id
+ }
+ }]
+ }
+ ]
+}
diff --git a/cf-tunnels.tf b/cf-tunnels.tf
index a0ff90e..4da96a0 100644
--- a/cf-tunnels.tf
+++ b/cf-tunnels.tf
@@ -21,8 +21,9 @@ locals {
 cluster_apps_hostnames = [
 "argocd",
 "grafana",
+ "headlamp",
+ "k3s",
 "status",
- "ansible",
 ]
 }
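Review bot: The hostname `k3s.makeitwork.cloud` is hard-coded in `domain` while the same commit registers `"k3s"` in `local.cluster_apps_hostnames` in cf-tunnels.tf; if that list is what produces the DNS record and tunnel ingress for this host, a rename in either place would leave this Access application attached to a hostname that is no longer the one being served, with no plan-time error. Deriving `domain` from the same local (or from a shared zone local, if the repo has one) keeps the two in step. The header comment reads as if a GitHub login alone grants access; since this app only gates who can open the TCP tunnel, it is worth stating the layering, e.g. `# Access decides who may open the tunnel; the apiserver still authenticates the kubeconfig credentials presented over it.` — presumably that is the intended model, confirm. As this app is reached only through `cloudflared access tcp`, `app_launcher_visible = false` would also keep it out of the App Launcher.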
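Review bot: `"headlamp"` is added to `cluster_apps_hostnames` with no matching Access application in this commit, whereas `"k3s"` gets one in cf-access-k3s.tf; if this list drives public DNS and tunnel ingress, the Headlamp UI would be reachable on its hostname with only whatever authentication the app itself enforces. If its Access policy lives elsewhere or the hostname is deliberately open, a comment on the entry saying so would settle it, e.g. `"headlamp", # Access policy: see <FILE-PLACEHOLDER>`. Separately, `"k3s"` is a TCP apiserver endpoint while the other entries look like HTTP apps, so if this local is expanded into one ingress template with an http service the k3s entry may need its own rule — inferred from the names only. The enclosing `locals` block starts before this hunk.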