Global IP whitelisting

zespri · September 24, 2019, 2:57am

@ldez Could you please also look at the whitelists at the same time? They used to be on entry points, but now it's a middleware, which means, that in kubernetes scenarios, it needs to be attached to every single Ingress / Ingress Route.

I used to use whitelist on entry points to make sure that only authorized traffic can reach the cluster ingress, that is I had a hardware load balancer in front of the cluster, that would forward incoming request to each node where traefik listens to.

The incoming IP of the load balancer was whitelisted, so that no one else could access traefik end points.

With version 2 of traefik this is now problematic. People who author kubernetes manifests (that is developers) do not really care about white-listing, so it would be unreasonable to ask them to include the middleware in each ingress route manifest.

Of course, depending on your kubernetes deployment pipeline, it could be possible to include some manifest transformations before they are applied to cluster to account for the mandatory middleware.

However, from security perspective it means that if somehow by accident a middleware is missing from a particular service this service is less secure. By applying whitelisting globally, we make sure that any request does not get past the entry point, thus making the whole integration more secure.

Do you think this could be possible?

remotezygote · November 21, 2019, 4:33pm

I have the same question about global header stripping middlewares. The lack of ability to globally apply middlewares is a severe flaw in 2.0 - it actually has me looking at what else is out there - not good for Containous. They really need to have a solution for this real quick or they're gonna lose people. I've tried posting my question multiple times and have gotten no answer (I tried GitHub issues, where people actually want support).

ekjuanrejon · November 21, 2019, 7:37pm

Have you tries to use the namespaces? It work. I have all my middle wares in one namespace and access it on a different namespace

remotezygote · November 21, 2019, 7:57pm

Can you elaborate? I have no idea what you mean.

ekjuanrejon · November 22, 2019, 9:16am

So I have created a helm chart with a bunch of middle wares. I have also created chains so that in my ingressRoute I only use a chain and then just later update the chain with more middlewares.

Middle-ware are awesome, at least to me. The ingressRoute is no longer couple with so many annotation.

@dduportal would be good to have support for the native kubernetes ingress. I have to use community based helm charts that don't provide support to Traefik ingressRoute

middlewares:
    - name: known-ips
      namespace: default

Topic		Replies	Views
Global IP whitelist Traefik v2 kubernetes-crd	0	430	March 10, 2020
Problems with the whitelist in GKE Traefik v2 kubernetes-ingress , middleware	4	1437	February 3, 2021
Ingress resource - whitelisting Traefik v2 kubernetes-ingress	4	954	August 25, 2022
Is ingress.kubernetes.io/whitelist-source-range supposed to work using Traefik 2? Traefik v2 kubernetes-ingress	3	1321	March 9, 2022
Black-/Whitelisting IPs to my HTTP/S services Traefik v2 kubernetes-crd , kubernetes-ingress	0	157	April 25, 2024

Global IP whitelisting

Related topics