Global IP whitelisting

@ldez Could you please also look at the whitelists at the same time? They used to be on entry points, but now it's a middleware, which means that in Kubernetes scenarios it needs to be attached to every single Ingress / Ingress Route.

I used to use whitelist on entry points to make sure that only authorized traffic can reach the cluster ingress, that is, I had a hardware load balancer in front of the cluster that would forward incoming requests to each node where Traefik listens.

The incoming IP of the load balancer was whitelisted, so that no one else could access Traefik endpoints.

With version 2 of Traefik this is now problematic. People who author Kubernetes manifests (that is, developers) do not really care about white-listing, so it would be unreasonable to ask them to include the middleware in each ingress route manifest.

Of course, depending on your Kubernetes deployment pipeline, it could be possible to include some manifest transformations before they are applied to the cluster to account for the mandatory middleware.

However, from a security perspective it means that if, somehow by accident, a middleware is missing from a particular service, this service is less secure. By applying whitelisting globally, we make sure that any request does not get past the entry point, thus making the whole integration more secure.

Do you think this could be possible?

I have the same question about global header stripping middlewares. The lack of ability to globally apply middlewares is a severe flaw in 2.0 - it actually has me looking at what else is out there - not good for Containous. They really need to have a solution for this real quick or they're gonna lose people. I've tried posting my question multiple times and have gotten no answer (I tried GitHub issues, where people actually want support).


Have you tried to use the namespaces? It works. I have all my middlewares in one namespace and access them from a different namespace.

Can you elaborate? I have no idea what you mean.

So I have created a helm chart with a bunch of middlewares. I have also created chains so that in my ingressRoute I only use a chain and then just later update the chain with more middlewares.

Middlewares are awesome, at least to me. The ingressRoute is no longer coupled with so many annotations.

@dduportal It would be good to have support for the native Kubernetes Ingress. I have to use community-based helm charts that don't provide support for the Traefik ingressRoute.

```yaml
# Middleware reference inside an IngressRoute route; the middleware itself lives in another namespace.
middlewares:
    - name: known-ips
      namespace: default
```
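The namespace-plus-chain approach described above, as an added example that is not from this thread or the Traefik project: all middlewares live in one namespace, a chain groups them, and an IngressRoute in a team namespace references only the chain, so the whitelist and header stripping are maintained in one place. The namespace `traefik-middlewares`, the load balancer address `10.0.0.10/32`, the namespace `team-a`, the service `web`, the host `example.internal` and the header `X-Internal-Debug` are all assumed values.

```yaml
# Added example, not from the thread; namespaces, names and 10.0.0.10/32 are assumed.
apiVersion: traefik.containous.io/v1alpha1
kind: Middleware
metadata:
  name: known-ips
  namespace: traefik-middlewares
spec:
  ipWhiteList:
    sourceRange:
      - 10.0.0.10/32   # only the load balancer in front of the cluster
---
apiVersion: traefik.containous.io/v1alpha1
kind: Middleware
metadata:
  name: strip-headers
  namespace: traefik-middlewares
spec:
  headers:
    customRequestHeaders:
      X-Internal-Debug: ""   # empty value removes the header before it reaches the service
---
apiVersion: traefik.containous.io/v1alpha1
kind: Middleware
metadata:
  name: baseline
  namespace: traefik-middlewares
spec:
  chain:
    middlewares:
      - name: known-ips
        namespace: traefik-middlewares
      - name: strip-headers
        namespace: traefik-middlewares
---
apiVersion: traefik.containous.io/v1alpha1
kind: IngressRoute
metadata:
  name: web
  namespace: team-a
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.internal`)
      kind: Rule
      middlewares:
        - name: baseline   # the route names only the chain; its members change in one place
          namespace: traefik-middlewares
      services:
        - name: web
          port: 80
```

A route that omits the `middlewares` entry is still unprotected, which is the gap the original question is about; in Traefik 2.5 and later, cross-namespace references like these are also refused unless the Kubernetes CRD provider is started with `allowCrossNamespace` enabled.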