Hi @Cyborgium ,
I'm glad you're giving Traefik a run for your Kubernetes environment. I believe that using ip deny / allow lists is not the way to go to separate internal to public traffic in Kubernetes environment, or even cloud environments in general, and that could be bias from your familiarity with Nginx, but feel free to disagree of course
Here is my take on it, first you need to understand the concept of a service in Kubernetes and how it handles publishing on your cluster as that affects Traefik as well. Basically you have a few options to expose a service on Kube that allows you to reach it from the outside, what we are most interested in for Traefik as an Ingress controller would be either NodePort or LoadBalancer.
NodePort would bind the host port of the kubernetes node running the pod to the pod directly, here you need to take care of the load balancing in front of the service. On the other hand LoadBalancer would rely on your Kubernetes cloud provider ability to provision an external load balancer that would do the round robin between all available pods for that service.
Considering you deployed Traefik with the helm chart and the default values it will be using a LoadBalancer type.
Now Traefik has the concept of entrypoints, which are basically the port that it will listen on the container/pod for incoming connections. You can configure multiple entrypoints with different options.
Given what I pointed about Kubernetes services you can realize that for each entrypoint in Traefik there must be a correlation to map a k8s service port to it, it could be separate service definitions or just the addition of another port mapping on the existing service.
And for me here is the correct way to achieve isolation, you create a separate service definition that also targets Traefik but this time with a service type ClusterIP, which will not allocate an external load balancer or expose the port on the node, instead it only allocates an ip address valid inside your kubernetes cluster that can be accessed by any other services running in it.
Here are snippets of an example:
#Traefik static configuration
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
internal:
address: ":6000"
#Kubernetes service manifest
apiVersion: v1
kind: Service
metadata:
name: "proxy-svc"
namespace: traefik
labels:
app: traefik
spec:
type: LoadBalancer
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: "proxy-svc"
namespace: traefik
labels:
app: traefik
spec:
type: ClusterIP
ports:
- name: internal
port: 6000
targetPort: 6000
selector:
app: traefik
Then on your ingress routes you can always specify the entrypoint it is attached to:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami
spec:
entryPoints:
- internal
routes:
- match: Host(`whoami.docker.localhost`)
kind: Rule
services:
- name: whoami
port: 80