K
Q

Restrict allowed methods on Traefik routes

9/19/2019

I'm currently using traefik 1.6.x as ingress controller in my K8s clusters. I wanted to update to 1.7.x (and then to 2.x later on), but my ingresses are not working anymore after the update.

The issue seems to be, that I do http method restrictions on my ingresses by adding the methods to the traefik.frontend.rule.type annotation as follows:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-name
  namespace: namespace1
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: "Method: CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT; PathPrefix"
    ingress.kubernetes.io/hsts-max-age: "315360000"
    ingress.kubernetes.io/hsts-include-subdomains: "true"
    ingress.kubernetes.io/custom-frame-options-value: "SAMEORIGIN"
    ingress.kubernetes.io/content-type-nosniff: "true"
    ingress.kubernetes.io/browser-xss-filter: "true"
    ingress.kubernetes.io/custom-response-headers: "Server:||X-Application-Context:||X-Powered-By:||exception:"
spec:
  rules:
    - host: ...

I don't know if this was ever intended to be done in this way, but apparently it worked. I found that in some other StackOverflow post, iirc.

Removing the Method part (or the whole annotation then, because PathPrefix is the default) brings the routes back to life. But of course this allows the TRACE method again, for example.

Is there another way to restrict those (maybe even for all ingresses) with traefik versions from 1.7.x?

Thanks in advance!

-- razr
http
kubernetes
traefik
traefik-ingress

Similar Questions

Cannot understand the difference between gluster and gluster-block volumes
Scaling Down Replicas On Completion Without Termination
golang creating watcher/controller on kubernetes to attach a sidecar container to any pod/deployment that has pvc attachments
traefik v2.0 labels with rancher 2.2.8 not allowed
Dynamically configure alertmanager routes with kubernetes labels?
getting {"code":"unauthorized","message":"unauthorized access"} after using "query" http api
Spring boot kubernetes discovery client does not find instance by service name from kubernetes

1 Answer

1/10/2020

Actually the comment of @Crou about CORS headers worked! I just now stumbled upon this problem again and moved the method part to the custom-reponse-headers and it seems to work:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-name
  namespace: namespace1
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/hsts-max-age: "315360000"
    ingress.kubernetes.io/hsts-include-subdomains: "true"
    ingress.kubernetes.io/custom-frame-options-value: "SAMEORIGIN"
    ingress.kubernetes.io/content-type-nosniff: "true"
    ingress.kubernetes.io/browser-xss-filter: "true"
    ingress.kubernetes.io/custom-response-headers: "Server:||X-Application-Context:||X-Powered-By:||exception:||Access-Control-Allow-Headers:CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT"
spec:
  rules:
    - host: ...

I removed the traefik.frontend.rule.type part then completely, since PathPrefix is the default.

(!) I only moved up to traefik 1.7.20. I've not managed to do the migration to traefik 2 yet. So I'm not sure if this works with traefik 2!

-- razr
Source: StackOverflow