traefik 1.7.11 subdomain based access rules setup

5/17/2019

I want to create IP based subdomain access rules for traefik (1.7.11) ingress controller running on Kubernetes (EKS). All IP's are allowed to talk to an external/frontend entry point

traefik.toml: |
  defaultEntryPoints = ["http","https"]
  logLevel = "INFO"
  [entryPoints]
    [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.http.redirect]
      entryPoint = "https"
      [entryPoints.http.whiteList]
      sourceRange = ["0.0.0.0/0"]
    [entryPoints.https]
      address = ":443"
      compress = true
      [entryPoints.https.tls]
      [entryPoints.https.whiteList]
      sourceRange = ["0.0.0.0/0"]

But we have only prod environments running in this cluster.

Want to limit certain endpoints like monitoring.domain.com accessible from limited IP's (Office location) and keep *.domain.com (default) accessible from the public internet.

anyway I can do it in traefik ?

-- roy
kube-dns
kubernetes
kubernetes-ingress
traefik
traefik-ingress

1 Answer

5/17/2019

You can try using the traefik.ingress.kubernetes.io/whitelist-source-range: "x.x.x.x/x, xxxx::/x" Traefik annotation on you Ingress object. You can also have 4 Ingress objects. One for each stage.domain.com, qa.domain.com, dev.domain.com and prod.domain.com.

For anything other than prod.domain.com you can add a whitelist.

Another option is to change your traefik.toml with [entryPoints.http.whitelist] but you may have to have different ingress controllers with a different ingress class for each environment.

-- Rico
Source: StackOverflow