Traefik 2.0 IPWhitelist for TCP - Kubernetes CRD

10/15/2019

We are using Kubernetes along with Traefik 2.0. We are using Kubernetes CRD (IngressRoute) as provider with Traefik.

From the Traefik documentation, it doesn't look like Middlewares can be used for TCP routers.

We would like to use the IP Whitelist middleware with a TCP router, but so far it's been working with the HTTP router only.

Here is our ipWhitelist definition:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: testIPwhitelist
spec:
  ipWhiteList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7

Here is the Traefik Service definition:

apiVersion: v1
kind: Service
metadata:
  name: traefik

spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - protocol: TCP
      name: web
      port: 8000
    - protocol: TCP
      name: admin
      port: 8080
    - protocol: TCP
      name: websecure
      port: 4443
    - protocol: TCP
      name: mongodb
      port: 27017
  selector:
    app: traefik

IngressRoutes definitions:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: PathPrefix(`/who`)
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
      - name: testIPwhitelist
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroute.mongo

spec:
  entryPoints:
    - mongodb
  routes:
  # Match is the rule corresponding to an underlying router.
  - match: HostSNI(`*`)
    services:
    - name: mongodb
      port: 27017

    middlewares:
      - name: testIPwhitelist

Is there any way of restricting IPs with a Traefik TCP router?

For more resources on Traefik with Kubernetes CRD you can go here

-- Abba
kubernetes
kubernetes-ingress
traefik
traefik-ingress

1 Answer

10/22/2019

You are right, Middlewares can't be used for TCP routers. IPWhitelist through the Middleware concept is acceptable only for HTTP routers. You can follow the issue on GitHub requesting middlewares for TCP routers.

-- muscat
Source: StackOverflow
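
The situation in the question and answer above, as an added example that is not part of the original post or answer: a check that reads manifests in the JSON form returned by `kubectl get ... -o json` and reports every IngressRouteTCP route that lists middlewares, since per the answer those are not applied to TCP routers in Traefik 2.0 and the entry point stays reachable from any source address. The embedded manifests are constructed from the question's YAML; the function names, the `default` namespace fallback and the assumption that the stored object still carries the `middlewares` field are mine.

```python
import json

# Constructed sample: the question's manifests in `kubectl get ... -o json` form
# (assumed input format; only the fields this check reads are kept).
SAMPLE = json.loads("""
{"items": [
 {"kind": "Middleware", "metadata": {"name": "testIPwhitelist", "namespace": "default"},
  "spec": {"ipWhiteList": {"sourceRange": ["127.0.0.1/32", "192.168.1.7"]}}},
 {"kind": "IngressRoute", "metadata": {"name": "simpleingressroute", "namespace": "default"},
  "spec": {"entryPoints": ["web"], "routes": [{"match": "PathPrefix(`/who`)", "kind": "Rule",
   "services": [{"name": "whoami", "port": 80}], "middlewares": [{"name": "testIPwhitelist"}]}]}},
 {"kind": "IngressRouteTCP", "metadata": {"name": "ingressroute.mongo", "namespace": "default"},
  "spec": {"entryPoints": ["mongodb"], "routes": [{"match": "HostSNI(`*`)",
   "services": [{"name": "mongodb", "port": 27017}], "middlewares": [{"name": "testIPwhitelist"}]}]}}
]}""")

def whitelist_ranges(items):
    """Map (namespace, name) -> sourceRange for every ipWhiteList Middleware."""
    out = {}
    for it in items:
        wl = it.get("spec", {}).get("ipWhiteList")
        if it.get("kind") == "Middleware" and wl:
            meta = it["metadata"]
            out[(meta.get("namespace", "default"), meta["name"])] = wl.get("sourceRange", [])
    return out

def unenforced_tcp_whitelists(items):
    """Return one finding per middleware reference on an IngressRouteTCP route."""
    ranges = whitelist_ranges(items)
    findings = []
    for it in items:
        if it.get("kind") != "IngressRouteTCP":
            continue  # HTTP IngressRoute middlewares are applied; nothing to report
        ns = it["metadata"].get("namespace", "default")
        for route in it["spec"].get("routes", []):
            for mw in route.get("middlewares", []):
                key = (mw.get("namespace", ns), mw["name"])
                findings.append({
                    "route": f"{ns}/{it['metadata']['name']}",
                    "entryPoints": it["spec"].get("entryPoints", []),
                    "services": [f"{s['name']}:{s['port']}" for s in route.get("services", [])],
                    "middleware": key[1],
                    "intendedRanges": ranges.get(key),  # None: not an ipWhiteList middleware
                })
    return findings

if __name__ == "__main__":
    for f in unenforced_tcp_whitelists(SAMPLE["items"]):
        print("NOT ENFORCED:", json.dumps(f))
```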