Delivering on our promise to relieve organizations from connectivity chaos, today, we are announcing the release of the latest Traefik Enterprise version.
The 2.10 release is short and sweet but has three new features to help current and future customers better secure and manage their APIs and services.
Let’s take a closer look.
OIDC middleware now inspects claims in access tokens
OIDC is being widely used for authentication and authorization purposes. To use OIDC as an authorization method, users need to implement claims. Claims contain user information and meta information on the OIDC service in the form of a name/value pair.
Until now, the OIDC middleware inspected claims in ID tokens, validated if the claim group, grp
, has the value admin
, and restricted the workload, allowing access only to the ID token that contains the claim grp
and value admin
.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-oidcAuth
spec:
plugin:
oidcAuth:
source: oidcSource
redirectUrl: example.com/callback
session:
secret: mysupersecret123
claims: Equals(`grp`, `admin`) # Check the claim in the ID Token
While ID tokens are obtained only with the explicit consent of a human, access tokens are obtained through an automated process between systems and are considered a more secure method of adding an authorization layer to OIDC.
With the 2.10 release, we allow Traefik Enterprise users to add claims in Access tokens as well, enabling them to secure their APIs and services better.
Here is an example of how to use claims in Access tokens with the OIDC middleware.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-oidcAuth
spec:
plugin:
oidcAuth:
source: oidcSource
redirectUrl: example.com/callback
session:
secret: mysupersecret123
claims: Equals(`access_token.grp`, `admin`) # Check the claim in the Access Token
Note: This feature works with JWT access tokens only.
Load sensitive data from Kubernetes Secrets
With this release, we are further improving how customers secure their APIs in Traefik Enterprise, by allowing for sensitive options values to be referenced in Traefik Enterprise using the Secrets object in Kubernetes.
With this improvement, credentials and other sensitive information are hidden in the static configuration.
To reference a Kubernetes Secret in Traefik Enterprise, use the form of a URN:
urn:k8s:secret:[namespace]:[name]:[valueKey]
Here’s an example of this configuration with JWT:
#...
authSources:
jwtSource:
jwt:
signingSecret: urn:k8s:secret:traefikee:jwt-secret:secretValue
Note: The Traefik Enterprise Controllers need to be running within a Kubernetes cluster and users need to load the Kubernetes Secrets within the Traefik Enterprise deployment namespace.
Rate limiting is essential to API security. Limiting how often APIs can be called and throttling connections helps protect against traffic spikes and DDoS attacks.
This feature is an excellent addition for users who want to limit API consumers to a predefined number of requests per minute and inform consumers on the fly about their remaining amount of requests.
Using the ResponseHeaders
option, users can configure Traefik Enterprise to inject the X-Rate-Limit-Remaining
header in the response. This indicates how many tokens an API consumer has left in the token bucket before they get a 429 response.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
plugin:
rateLimit:
responseHeaders: true
Summing up
Traefik Enterprise 2.10 is by no means a major release, but we are confident that it offers substantial benefits for customers looking to streamline their API security. If you are currently looking to level up your API game and solve the challenges that come with APIs, join our upcoming webinar and learn:
- How an API gateway unlocks APIs in a cloud native world
- How API gateways deliver great time-to-value and reduce infrastructure complexity
And in case you haven’t heard, we are at KubeCon Europe 2023! Feel free to drop by Booth S24 for a chat and a live demo of our new industry’s-first Kubernetes-native API management solution, Traefik Hub.
This is a companion discussion topic for the original entry at https://traefik.io/blog/announcing-traefik-enterprise-2-10/