K
Q

Traefik ipwhitelist middleware example for kubernetes

6/3/2019

I'm having trouble putting using Traefik's IPWhitelist middleware in my kubernetes (1.14) cluster.

I'm using the DaemonSet config from here:

https://docs.traefik.io/user-guide/kubernetes/

I'd like to apply this whitelist to all traffic in/out of the cluster.

  • Howto apply to all traffic?
  • Can I use an annotation instead of an IngressRoute?
  • Is there an example or documentation I missed?

Thank you!

Here's what I have so far:

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cloudflare-whitelist
spec:
  ipWhiteList:
    sourceRange:
    - 2400:cb00::/32
    ...
    - 131.0.72.0/22
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: allup
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  tls:
    - secretName: cloudflare-tls-cert
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-www-service
              servicePort: http
    - host: stuff.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-stuff-service
              servicePort: http
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: cloudflare-whitelist
  namespace: ingress
spec:
  entryPoints:
    - web  # <- what is this for?
  routes:
    - match: Host(`example.com`)  # <- Howto apply to all ingress?
      kind: Rule
      middlewares:
        - name: cloudflare-whitelist
    - match: Host(`stuff.example.com`)
      kind: Rule
      middlewares:
        - name: cloudflare-whitelist
  • Howto apply to all traffic?
  • Can I use an annotation instead of an IngressRoute?
  • Is there an example or documentation I missed?

Thank you!

-- Michael Cole
kubernetes
traefik
traefik-ingress

Similar Questions

Failed to provision volume with StorageClass "slow": Failed to get GCE GCECloudProvider with error <nil>
Azure Kubernetes with virtual nodes and autoscale - is this possible?
Connection to a software's key server failing from inside pod. Ping to the server working fine
Custom metric API server not in Go
Authentication microservices, databases in Kubernetes
Migration of GKE from Default to Shared VPC and Public to Private GKE CLuster
How to get the FQDN of a service in Istio? Are there any APIs which expose this?
Get the Mounted FS logs in kubernets pod
GCE health check not working with ingress nginx controller
Routing issues with nginx ingress controller and basic django app
Kubernetes Dashboard &amp; Ingress on Docker Desktop
Calico for policy and flannel not working in kubeadm (k8s -v1.22.3) , calico-kube-controllers are not ready (CrashLoopBackOff)

1 Answer

6/14/2019

Ok, here's what I found, from the helpful peeps on Traefik Slack. The code above is for Traefik v2.0 which is still in Alpha.

For Traefik 1.7 (the current release referenced in the Kubernetes Guide as I write this)

For 1.7, use regular annotations

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: allup
  annotations:
    traefik.ingress.kubernetes.io/whitelist-source-range: "2400:cb00::/32, 2606:4700::/32, 2803:f800::/32, 2405:b500::/32, 2405:8100::/32, 2a06:98c0::/29, 2c0f:f248::/32, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/12, 172.64.0.0/13, 131.0.72.0/22"
spec:
  tls:
    - secretName: cloudflare-tls-cert
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-www-service
              servicePort: http
-- Michael Cole
Source: StackOverflow