When configuring Ingress to your Konvoy cluster it may be beneficial to configure a whitelist of IP address ranges that are allowed to connect to your cluster's services. To accomplish this, we must first configure the Traefik addon to enable this functionality:
- name: traefik
  enabled: true
  values: |
    externalTrafficPolicy: Local
    proxyProtocol:
      enabled: true
      # trustedIPs is required when enabled
      trustedIPs:
      - 10.4.6.0/24
    forwardedHeaders:
      enabled: true
      # trustedIPs is required when enabled
      trustedIPs:
      - 10.4.6.0/24
After configuring the above, Traefik should now treat the 10.4.6.0/24 subnet as trusted, meaning it will only honour PROXY protocol information and forwarded headers (such as X-Forwarded-For) when they come from that range. We still need to add an annotation to our specific Ingress objects to make use of this. Before we create an Ingress object, let's set up a backend service to route traffic to:
kubectl apply -f https://k8s.io/examples/application/deployment.yaml
Next, let's expose this deployment via a service:
kubectl expose deployment nginx-deployment --type=LoadBalancer
Finally, let's create an Ingress object and define the IP ranges that should be able to access this service:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/whitelist-source-range: 10.4.6.0/24
    traefik.ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
  labels:
    app.kubernetes.io/instance: nginx-ingress
    app.kubernetes.io/name: nginx-ingress
  name: nginx-ingress
spec:
  rules:
  - host: nginx-test.mydomain
    http:
      paths:
      - backend:
          serviceName: nginx-deployment
          servicePort: 80
Save the above as ingress.yaml and then apply it via:
kubectl apply -f ingress.yaml
Now, if we attempt to access the backend nginx deployment from outside the cluster and we're not in the approved range of IP addresses, we'll get a Forbidden response indicating this:
curl --header "X-Forwarded-For: 10.4.7.22" https://nginx-test.domain --insecure
Forbidden
If you want to allow multiple IP addresses or ranges, you can list them separated by commas in your Ingress annotation:
traefik.ingress.kubernetes.io/whitelist-source-range: "10.4.6.0/24, 192.188.2.0/16, 10.0.0.0/24"
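To make the two pieces of configuration above concrete (the forwardedHeaders.trustedIPs list in the addon, and the whitelist-source-range / whitelist-x-forwarded-for annotations on the Ingress), here is an added example, written for this page and not taken from Traefik's own source, that models the decision Traefik makes: the comma-separated annotation is parsed into CIDR ranges, and the X-Forwarded-For header is only consulted when the connecting peer is itself a trusted proxy. The function names and the sample addresses (203.0.113.9 as an untrusted peer) are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ParseRanges turns a whitelist-source-range value such as
// "10.4.6.0/24, 10.0.0.0/24" into CIDR networks.
func ParseRanges(annotation string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, s := range strings.Split(annotation, ",") {
		_, n, err := net.ParseCIDR(strings.TrimSpace(s))
		if err != nil {
			return nil, fmt.Errorf("bad range %q: %w", s, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func contains(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allowed models the check: the client is the TCP peer, unless
// whitelist-x-forwarded-for is on AND the peer is in forwardedHeaders.trustedIPs,
// in which case the first X-Forwarded-For entry is the client. A header sent by
// an untrusted peer is ignored, so it cannot be spoofed past the whitelist.
func Allowed(whitelist, trusted []*net.IPNet, useXFF bool, peerAddr, xff string) bool {
	client := net.ParseIP(peerAddr)
	if client == nil {
		return false
	}
	if useXFF && xff != "" && contains(trusted, client) {
		if ip := net.ParseIP(strings.TrimSpace(strings.Split(xff, ",")[0])); ip != nil {
			client = ip
		}
	}
	return contains(whitelist, client)
}

func main() {
	wl, _ := ParseRanges("10.4.6.0/24, 10.0.0.0/24")
	tr, _ := ParseRanges("10.4.6.0/24") // forwardedHeaders.trustedIPs
	fmt.Println(Allowed(wl, tr, true, "10.4.6.5", "10.4.7.22")) // false: Forbidden
}
```

The second case in the test below is the one that matters for security: without the trustedIPs restriction, any client could set X-Forwarded-For to a whitelisted address and walk past the check.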
Successfully configuring whitelists for Ingress will make your Konvoy cluster more secure by limiting which source addresses can reach the exposed services. For more information on configuring Traefik, please see the official documentation: https://doc.traefik.io/traefik/v1.7/configuration/backends/kubernetes/