How To Whitelist IPs Using Traefik Ingress Controller


Hi readers. In this blog, we are going to see how to whitelist IPs using the Traefik ingress controller. We are using version 2 of the Traefik ingress controller to expose services to the internet; only the IPs that are whitelisted will be able to access your domain.

What is IP Whitelisting?

IP whitelisting will allow you to create lists of IP addresses or IP ranges from which your users can access your domains. It provides a security feature often used for controlling and limiting access only to trusted users.

What is Traefik?

Traefik is a very popular open-source ingress controller used to expose services to the internet. It receives each request and finds the service that should serve it. Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, etc.

Create A Deployment

First, we will create a Deployment object with a simple web application image. I will deploy it in a namespace called traefik; you can also deploy it in the default namespace. To create a namespace, use the command below:

$ kubectl create namespace <namespace_name>

The Deployment manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: traefik
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: my-app
  replicas: 1 
  template: 
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-container
        image: ahmad33/maintenance:1.02
        ports:
        - containerPort: 80

Now create the Deployment using the kubectl command:

$ kubectl create -f <deployment-file-name>

Create a Service For Deployment

Now we will create a Service that the Traefik ingress controller uses to serve the web application.

apiVersion: v1
kind: Service
metadata:
  name: my-app-service
  namespace: traefik
  labels:
    app: my-app
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: my-app
  type: ClusterIP

Now create the Service using the kubectl command:

$ kubectl create -f <service-file-name>

Create a Middleware Object

To whitelist IPs, we will use a Traefik Middleware object (a Kubernetes custom resource) in which we define the sourceRange IPs to whitelist. Each entry is either a single IP address or a range in CIDR notation.

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ipwhitelist
  namespace: traefik
spec:
  ipWhiteList:
    sourceRange:
       - 192.168.43.203
       - 172.28.0.1/32

Use the kubectl command to create the Middleware from the above config:

$ kubectl create -f <middleware-file-name>

Create Ingress Object

Now we will create a Kubernetes Ingress object with two annotations: the first sets the ingress class to traefik, and the second attaches the Middleware that we have created. We will also define the routing rules for our service.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ip-whitelist
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: traefik
    # Format: <namespace>-<middleware-name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: traefik-test-ipwhitelist@kubernetescrd
spec:
  rules:
    - host: test.whitelist.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # Must match the Service created earlier
                name: my-app-service
                port:
                  number: 80

Now create the Ingress object using the kubectl command:

$ kubectl create -f <ingress-file-name>

Wait for the Ingress to get an address, then map that IP address to the hostname in the /etc/hosts file.

Now go to your browser and open your domain. You can test the whitelist by changing the IPs under the sourceRange section of the Middleware object.
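
To predict what such a test should return, the following added example (not from the original post or from Traefik's code) models the sourceRange check in Python. It goes beyond the post by also modelling Traefik's ipStrategy.depth option, which selects the client address from X-Forwarded-For when a proxy sits in front of Traefik; the 10.42.0.1 proxy address and the sample requests are constructed.

```python
import ipaddress

# sourceRange from the Middleware on this page; a bare IP behaves like a /32.
SOURCE_RANGE = ["192.168.43.203", "172.28.0.1/32"]
RANGES = [ipaddress.ip_network(e, strict=False) for e in SOURCE_RANGE]


def client_ip(remote_addr, xff=None, depth=0):
    """Select the address to check.

    depth=0 uses the TCP peer address (the page's Middleware sets no ipStrategy).
    depth=N uses the Nth entry from the right of X-Forwarded-For, modelling
    Traefik's ipStrategy.depth; returns None if the header is too short.
    """
    if depth <= 0:
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    return hops[-depth] if len(hops) >= depth else None


def is_allowed(remote_addr, ranges=RANGES, xff=None, depth=0):
    """True if the selected address is inside any allowed range; deny on error."""
    ip = client_ip(remote_addr, xff, depth)
    try:
        addr = ipaddress.ip_address(ip or "")
    except ValueError:
        return False  # missing or malformed address: deny (HTTP 403)
    return any(addr in net for net in ranges)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For, depth)
    samples = [
        ("192.168.43.203", None, 0),          # listed client, direct connection
        ("192.168.43.204", None, 0),          # unlisted neighbour
        ("10.42.0.1", "192.168.43.203", 0),   # listed client hidden behind a proxy
        ("10.42.0.1", "192.168.43.203", 1),   # same, depth matches the one proxy
        ("10.42.0.1", "192.168.43.203, 203.0.113.7", 1),  # proxy appended real peer
    ]
    for peer, xff, depth in samples:
        verdict = "200" if is_allowed(peer, xff=xff, depth=depth) else "403"
        print(f"peer={peer} xff={xff} depth={depth} -> {verdict}")
```

If a listed address still gets a 403 during testing, check which address Traefik actually sees; behind a load balancer it is often the proxy's rather than the client's.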

References:

https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/

Conclusion:

That’s all for this blog. We have seen how to whitelist IPs when using the Traefik ingress controller. I hope you liked it; if you have any suggestions or modifications, please do let me know. Thank you.

Written by 

Jubair Ahmad is a Software Consultant (DevOps) at Knoldus Inc. He loves learning new technology and also has an interest in playing cricket.
