I'm having trouble using Traefik's IPWhitelist middleware in my Kubernetes (1.14) cluster.
I'm using the DaemonSet config from here:
https://docs.traefik.io/user-guide/kubernetes/
I'd like to apply this whitelist to all traffic in/out of the cluster.
Thank you!
Here's what I have so far:
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cloudflare-whitelist
spec:
  ipWhiteList:
    sourceRange:
      - 2400:cb00::/32
      ...
      - 131.0.72.0/22
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: allup
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  tls:
    - secretName: cloudflare-tls-cert
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-www-service
              servicePort: http
    - host: stuff.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-stuff-service
              servicePort: http
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: cloudflare-whitelist
  namespace: ingress
spec:
  entryPoints:
    - web # <- what is this for?
  routes:
    - match: Host(`example.com`) # <- Howto apply to all ingress?
      kind: Rule
      middlewares:
        - name: cloudflare-whitelist
    - match: Host(`stuff.example.com`)
      kind: Rule
      middlewares:
        - name: cloudflare-whitelist
Thank you!
Ok, here's what I found, from the helpful peeps on Traefik Slack. The code above is for Traefik v2.0 which is still in Alpha.
For Traefik 1.7 (the current release referenced in the Kubernetes Guide as I write this), use regular annotations:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: allup
  annotations:
    traefik.ingress.kubernetes.io/whitelist-source-range: "2400:cb00::/32, 2606:4700::/32, 2803:f800::/32, 2405:b500::/32, 2405:8100::/32, 2a06:98c0::/29, 2c0f:f248::/32, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/12, 172.64.0.0/13, 131.0.72.0/22"
spec:
  tls:
    - secretName: cloudflare-tls-cert
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-www-service
              servicePort: http