When configuring Ingress to your Konvoy cluster it may be beneficial to configure a whitelist of IP address ranges that are allowed to connect to your cluster's services. To accomplish this we must first configure the Traefik addon so that it accepts PROXY protocol and X-Forwarded-For information from the load balancer in front of it; without that, Traefik cannot tell which client address a request really came from:
- name: traefik
  enabled: true
  values: |
    externalTrafficPolicy: Local
    proxyProtocol:
      enabled: true
      # trustedIPs is required when enabled
      trustedIPs:
      - 10.4.6.0/24
    forwardedHeaders:
      enabled: true
      # trustedIPs is required when enabled
      trustedIPs:
      - 10.4.6.0/24
With the above in place Traefik accepts PROXY protocol and X-Forwarded-For headers only from 10.4.6.0/24. Note what "trusted" means here: this range should contain the addresses of the load balancer (or other proxy) that sits in front of Traefik, not the client ranges you intend to allow. Any source listed in trustedIPs can assert an arbitrary client address, so listing client networks, or something like 0.0.0.0/0, here would let anyone spoof X-Forwarded-For and bypass the whitelist we are about to add. The trusted range by itself restricts nothing; we still need to add an annotation to the specific Ingress objects that should be protected. Before we create an Ingress object, let's set up a backend to route traffic to:
kubectl apply -f https://k8s.io/examples/application/deployment.yaml
Next let's expose this deployment via a service. A ClusterIP service (the default) is all the Ingress needs; do not expose the backend with --type=LoadBalancer, since that gives it its own external address that traffic can reach without ever passing through Traefik and the whitelist we are adding:
kubectl expose deployment nginx-deployment --port=80
Finally let's create an Ingress object and define the IP ranges we want to be able to access this service:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/whitelist-source-range: 10.4.6.0/24
    traefik.ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
  labels:
    app.kubernetes.io/instance: nginx-ingress
    app.kubernetes.io/name: nginx-ingress
  name: nginx-ingress
spec:
  rules:
  - host: nginx-test.mydomain
    http:
      paths:
      - backend:
          serviceName: nginx-deployment
          servicePort: 80
The manifest is written against the extensions/v1beta1 Ingress API, which is the one Traefik 1.7 watches; Kubernetes removed that API in 1.22, so on a newer cluster you would need a newer Traefik and the networking.k8s.io/v1 form of the object. Save the above as ingress.yaml and then apply it via:
kubectl apply -f ingress.yaml
Now if we attempt to access the backend nginx deployment from outside the cluster, from a host that is not in the approved range, we get a 403. Here the request even carries a forged X-Forwarded-For header; because our host is not in trustedIPs the header is not believed, and the address Traefik evaluates is our real one, which is outside 10.4.6.0/24 (the --insecure flag only skips certificate verification for the test host):
curl --header "X-Forwarded-For: 10.4.7.22" https://nginx-test.mydomain --insecure
Forbidden
If you want to add multiple IP addresses or ranges, you can list them separated by a comma in your Ingress annotation. Write each range with its host bits zeroed (192.188.2.0/16 is parsed as 192.188.0.0/16, so write the latter to avoid confusion about what is actually allowed):
traefik.ingress.kubernetes.io/whitelist-source-range: "10.4.6.0/24, 192.188.0.0/16, 10.0.0.0/24"
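As an added illustration (this is not Konvoy or Traefik code, and it simplifies what Traefik does internally), the following Python models the trust chain the settings on this page establish: the trustedIPs list decides whose X-Forwarded-For header is believed, and whitelist-source-range decides which resulting client address is allowed. It also normalises a comma-separated annotation value, which is where a range such as 192.188.2.0/16 becomes 192.188.0.0/16. All addresses, the request cases and the 0.0.0.0/0 misconfiguration are constructed for the example; the right-most X-Forwarded-For entry is taken as the client address, which is the right choice when a single trusted proxy appends the address it saw.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(annotation: str) -> List[Net]:
    """Parse a comma-separated list of CIDRs, as used in the
    whitelist-source-range annotation and in trustedIPs.
    strict=False masks off non-zero host bits, so 192.188.2.0/16
    is read as 192.188.0.0/16 instead of being rejected."""
    nets = []
    for part in annotation.split(","):
        part = part.strip()
        if part:
            nets.append(ipaddress.ip_network(part, strict=False))
    return nets


def canonical_annotation(annotation: str) -> str:
    """Rewrite an annotation value with every range in canonical form."""
    return ",".join(str(n) for n in parse_ranges(annotation))


def in_ranges(ip: str, nets: List[Net]) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def effective_client_ip(remote_addr: str, xff: Optional[str],
                        trusted_proxies: List[Net]) -> str:
    """Decide which address the whitelist is evaluated against.

    X-Forwarded-For is only believed when the TCP peer is a trusted
    proxy (the role of trustedIPs). The right-most entry is the one that
    proxy appended for the client it saw; entries further left were
    supplied by the client itself and can be anything."""
    if xff and in_ranges(remote_addr, trusted_proxies):
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def is_allowed(remote_addr: str, xff: Optional[str],
               trusted_ips: str, whitelist: str) -> Tuple[bool, str]:
    """Return (allowed, evaluated_client_ip) for one request."""
    client = effective_client_ip(remote_addr, xff, parse_ranges(trusted_ips))
    return in_ranges(client, parse_ranges(whitelist)), client


if __name__ == "__main__":
    # Constructed sample: 10.4.6.0/24 holds the load balancer nodes
    # (trustedIPs); the whitelist is the three-range annotation from this page.
    TRUSTED = "10.4.6.0/24"
    WHITELIST = "10.4.6.0/24, 192.188.2.0/16, 10.0.0.0/24"
    print("annotation:", canonical_annotation(WHITELIST))
    cases = [
        ("10.4.6.10", "192.188.2.7", TRUSTED),               # via LB, allowed client
        ("10.4.6.10", "10.4.7.22", TRUSTED),                 # via LB, client outside ranges
        ("10.4.7.22", "10.4.6.50", TRUSTED),                 # direct, forged header ignored
        ("10.4.7.22", "10.4.6.50", "0.0.0.0/0"),             # over-broad trustedIPs: forgery works
        ("10.4.6.10", "10.4.6.50, 198.51.100.9", TRUSTED),   # client-added left entry ignored
    ]
    for peer, header, trusted in cases:
        ok, client = is_allowed(peer, header, trusted, WHITELIST)
        print(f"peer={peer:<10} xff={header!r:<28} trusted={trusted:<12} -> "
              f"{'allow' if ok else '403'} ({client})")
```

The fourth case is the one to remember: the whitelist logic is unchanged, yet once trustedIPs covers the client's own address the forged header is honoured and the check is bypassed, which is why that list must stay limited to the proxies actually in front of Traefik.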
Configuring whitelists for Ingress adds a useful layer of protection to your Konvoy cluster, but it is only as strong as the trustedIPs configuration above, so keep that list limited to the addresses of the proxies actually in front of Traefik and make sure the backend services themselves are not reachable by another route. For more information on configuring Traefik please see the official documentation: https://doc.traefik.io/traefik/v1.7/configuration/backends/kubernetes/