Global rules with traefik ingress provider?

Hi,

I’m currently evaluating migrating from nginx ingress to traefik. I’m new to traefik so this may be a beginner’s question. Please be gentle 🙂

With nginx, we have some rules that restrict the access to the k8s cluster globally, like allow access only from certain IP ranges, or allow access only if certain headers or cookies are set. This can be done straightforwardly in nginx with global configuration or Lua snippets which are simply executed before any Ingress routing takes place.

I try to establish the same with traefik, but somehow can’t find any documentation or examples.

What I found out so far: The tools traefik is providing here are the IPAllowList and Router middlewares. I could add those to an individual ingress and control the access there.

But I want this to happen globally, centralised at the ingress controller, so the developers do not have to care about this when they set up an Ingress.

I learned about setting up routers at the ingress using dynamic configuration and defining them in the yaml. I could define my rules for that router, but the routers require a service (I assume that’s a k8s Service endpoint) as a target, which I don’t have.

To me, currently it looks like if I want to restrict access to a cluster, I have to add the same IngressRoute and IPAllowList each and every time any developer creates an Ingress, which feels like a nightmare.

TLDR: The first thing that should happen with a request is “if header X is not set return 403”, and then after that the Ingresses should be considered. This should be configured at a central location at the ingress controller.
