Traefik ipwhitelist middleware example for kubernetes

6/3/2019

I'm having trouble putting using Traefik's IPWhitelist middleware in my kubernetes (1.14) cluster.

I'm using the DaemonSet config from here:

https://docs.traefik.io/user-guide/kubernetes/

I'd like to apply this whitelist to all traffic in/out of the cluster.

  • Howto apply to all traffic?
  • Can I use an annotation instead of an IngressRoute?
  • Is there an example or documentation I missed?

Thank you!

Here's what I have so far:

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cloudflare-whitelist
spec:
  ipWhiteList:
    sourceRange:
    - 2400:cb00::/32
    ...
    - 131.0.72.0/22
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: allup
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  tls:
    - secretName: cloudflare-tls-cert
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-www-service
              servicePort: http
    - host: stuff.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-stuff-service
              servicePort: http
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: cloudflare-whitelist
  namespace: ingress
spec:
  entryPoints:
    - web  # <- what is this for?
  routes:
    - match: Host(`example.com`)  # <- Howto apply to all ingress?
      kind: Rule
      middlewares:
        - name: cloudflare-whitelist
    - match: Host(`stuff.example.com`)
      kind: Rule
      middlewares:
        - name: cloudflare-whitelist
  • Howto apply to all traffic?
  • Can I use an annotation instead of an IngressRoute?
  • Is there an example or documentation I missed?

Thank you!

-- Michael Cole
kubernetes
traefik
traefik-ingress

1 Answer

6/14/2019

Ok, here's what I found, from the helpful peeps on Traefik Slack. The code above is for Traefik v2.0 which is still in Alpha.

For Traefik 1.7 (the current release referenced in the Kubernetes Guide as I write this)

For 1.7, use regular annotations

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: allup
  annotations:
    traefik.ingress.kubernetes.io/whitelist-source-range: "2400:cb00::/32, 2606:4700::/32, 2803:f800::/32, 2405:b500::/32, 2405:8100::/32, 2a06:98c0::/29, 2c0f:f248::/32, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/12, 172.64.0.0/13, 131.0.72.0/22"
spec:
  tls:
    - secretName: cloudflare-tls-cert
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-www-service
              servicePort: http
-- Michael Cole
Source: StackOverflow