Hi, I'm able to use the ipAllowList middleware to filter traffic to my Ingresses and IngressRoutes, but what I want to achieve is to set that middleware at the namespace level, and then try to refine IP access depending on the service.
(The reason is that we need to limit access to the services deployed in a certain namespace where an external user works. We want to keep under control which IPs are allowed to reach those services without having to provide them to the user and make them modify their Ingresses. Also, I don't know if network policies are a better approach to achieve this.)
This is the configuration I made, but forbidden is not triggered. What am I missing? Is what I want to achieve even possible? Do you suggest any other strategy to IP-whitelist access to a service?
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  namespace: whoamitests
  labels:
    app: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - name: web
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: whoamitests
spec:
  ports:
    - name: web
      port: 80
      targetPort: web
  selector:
    app: whoami
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: global-middleware
  namespace: whoamitests
spec:
  ipAllowList:
    sourceRange:
      - 172.27.0.213
      # - 172.27.0.211
---
apiVersion: v1
kind: Namespace
metadata:
  name: whoamitests
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: "whoamitests-global-middleware@kubernetescrd"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  namespace: whoamitests
  # annotations:
  #   traefik.ingress.kubernetes.io/router.middlewares: "whoamitests-global-middleware@kubernetescrd"
spec:
  rules:
    - host: k8s-dev-whoami.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
Working on k8s 1.31