Running internal and external web apps within kubernetes

I am at a loss, and there is probably something that I don't understand, as Kubernetes is still new to me.

I am running k3s, with MetalLB and Traefik.
I have some websites that I am hosting internally through Traefik, and now I have a site that I want to host externally.

Let's say I host www.internalsite.com internally,
and I now want to host www.externalsite.com externally.

I have set up two Traefik services:

kubectl get svc -n kube-system
NAME                         TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                        AGE
traefik                      LoadBalancer   10.43.7.101    192.168.80.30   80:32500/TCP,443:30774/TCP     20m
traefik-extservices          LoadBalancer   10.43.53.245   192.168.80.35   80:32747/TCP,443:31434/TCP     20m

As an example, let's take my UniFi ingress:

kubectl get ing -n unifi
NAME               CLASS     HOSTS                ADDRESS         PORTS     AGE
unifi-controller   traefik   unifi.example.com   192.168.80.30   80, 443   12d

So, unifi uses the traefik class and has address 192.168.80.30.

But even so, if I curl to either 192.168.80.30 or 192.168.80.35, I reach unifi:

curl -L --resolve unifi.example.com:80:192.168.80.30 http://unifi.example.com
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>UniFi Network</title><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" unifi-prevent-focus-zoom><meta name="apple-itunes-app" content="app-id=1057750338"><base href="/manage/"><link rel="apple-touch-icon-precomposed" href="angular/g1d599cf54/images/favicons/favicon-192.png?v=2"><meta name="msapplication-TileColor" content="#0193d7"><meta name="msapplication-TileImage" content="angular/g1d599cf54/images/favicons/favicon-192.png?v=2"><link rel="apple-touch-icon-precomposed" sizes="192x192" href="angular/g1d599cf54/images/favicons/favicon-192.png?v=2"><link rel="apple-touch-icon-precomposed" href="angular/g1d599cf54/images/favicons/favicon-64.png?v=2" sizes="64x64"><link rel="icon" href="angular/g1d599cf54/images/favicons/favicon-32.png?v=2" sizes="32x32"><link rel="icon" href="angular/g1d599cf54/images/favicons/favicon-16.png?v=2" sizes="16x16"><script src="angular/g1d599cf54/js/index.js" defer></script></head><body id="unifi-network-app-container"></body></html>


curl -L --resolve unifi.example.com:80:192.168.80.35 http://unifi.example.com
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>UniFi Network</title><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" unifi-prevent-focus-zoom><meta name="apple-itunes-app" content="app-id=1057750338"><base href="/manage/"><link rel="apple-touch-icon-precomposed" href="angular/g1d599cf54/images/favicons/favicon-192.png?v=2"><meta name="msapplication-TileColor" content="#0193d7"><meta name="msapplication-TileImage" content="angular/g1d599cf54/images/favicons/favicon-192.png?v=2"><link rel="apple-touch-icon-precomposed" sizes="192x192" href="angular/g1d599cf54/images/favicons/favicon-192.png?v=2"><link rel="apple-touch-icon-precomposed" href="angular/g1d599cf54/images/favicons/favicon-64.png?v=2" sizes="64x64"><link rel="icon" href="angular/g1d599cf54/images/favicons/favicon-32.png?v=2" sizes="32x32"><link rel="icon" href="angular/g1d599cf54/images/favicons/favicon-16.png?v=2" sizes="16x16"><script src="angular/g1d599cf54/js/index.js" defer></script></head><body id="unifi-network-app-container"></body></html>

what am I missing?
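An added example, not from the original post and not the k3s or Traefik projects' own manifests, of how two Traefik instances can be kept to their own Ingresses. It assumes the behaviour of Traefik v2's Kubernetes providers: an instance whose `ingressclass` option is left unset picks up every Ingress bound to any IngressClass with the Traefik controller, which would explain why both LoadBalancer IPs serve unifi. The Service names and IPs are the ones from the post; the class name `traefik-external`, the `blog` namespace, Ingress and backend Service, and the argument layout of the two Deployments are assumptions.

```yaml
# Added example, not the poster's manifests; names marked "assumed" are placeholders.
# 1. One IngressClass per Traefik instance. k3s ships the "traefik" class;
#    "traefik-external" is an assumed name for the instance behind traefik-extservices.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: traefik-external
spec:
  controller: traefik.io/ingress-controller
---
# 2. Pin each instance to its own class (container args or Helm additionalArguments,
#    assumed layout). Without these flags an instance accepts every Ingress whose class
#    points at a Traefik controller, so 192.168.80.30 and 192.168.80.35 both route to unifi.
#
#    internal instance (Service "traefik", 192.168.80.30):
#      - --providers.kubernetesingress.ingressclass=traefik
#      - --providers.kubernetescrd.ingressclass=traefik
#    external instance (Service "traefik-extservices", 192.168.80.35):
#      - --providers.kubernetesingress.ingressclass=traefik-external
#      - --providers.kubernetescrd.ingressclass=traefik-external
#
# 3. Only the public site is bound to the external class. unifi keeps
#    ingressClassName: traefik and is therefore never served on 192.168.80.35.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blog                      # assumed name
  namespace: blog                 # assumed namespace
spec:
  ingressClassName: traefik-external
  rules:
    - host: www.externalsite.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: blog        # assumed backend Service
                port:
                  number: 80      # assumed backend port
```

To check the result, run `curl -v --resolve unifi.example.com:80:192.168.80.35 http://unifi.example.com` and read the `Connected to` line in the verbose output: it proves the request really went to the external address rather than to whatever DNS returned, and the external instance should now answer with Traefik's default 404 instead of the UniFi page. Since 192.168.80.35 is the address that ends up port-forwarded, this check is the one that matters for what is actually reachable from outside.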

No one?
I'm sure it's possible, I just haven't cracked it yet.

Well, for now I settled on what I consider a workaround, which doesn't entirely work for me either.

I use the IP whitelist middleware. It works just fine internally, but if I try to connect externally, either through VPN or Cloudflare, then Traefik thinks the traffic is coming from a NATed IP address, and as far as I can see this would be solved with depth.
But then what to do when the traffic is internal? That is not NATed, and then the IP whitelist sees an empty IP.

And again, I think the whitelist middleware is a workaround and not a correct solution; the proper solution is to somehow separate internal and external traffic on an IP basis, as mentioned above.

Or maybe even a third option I haven't thought of.
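An added configuration example, not from the post, for the IP whitelist approach described above. It puts the `depth` strategy next to the entrypoint setting that decides whose `X-Forwarded-For` header Traefik believes, because that setting is what makes a depth-based check mean anything. It is written for Traefik v2's CRDs; the middleware name, the LAN range, the proxy range, the backend Service and port, and the argument layout are assumptions.

```yaml
# Added example, not from the original post; ranges and names are assumed placeholders.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: lan-only                  # assumed name
  namespace: unifi
spec:
  ipWhiteList:
    sourceRange:
      - 192.168.80.0/24           # assumed LAN range
    # Without ipStrategy the check uses the TCP peer address. Through a VPN
    # gateway or Cloudflare that peer is the gateway/proxy, so the real client
    # is never seen (the "NATed IP" from the post).
    # With depth: 1 the check instead uses the last-but-one entry of
    # X-Forwarded-For. A direct LAN connection carries no such header, the
    # selected IP is empty and the request is denied, which is the second
    # symptom from the post. One middleware cannot do both at once.
    ipStrategy:
      depth: 1
---
# Bind the middleware to the Ingress via annotation ("<namespace>-<name>@kubernetescrd").
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: unifi-controller
  namespace: unifi
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: unifi-lan-only@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
    - host: unifi.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: unifi-controller   # assumed backend Service
                port:
                  number: 80             # assumed backend port
---
# Static config of the Traefik instance (container args or Helm additionalArguments,
# assumed layout). X-Forwarded-For is supplied by whoever connects; Traefik keeps it
# only when the TCP peer is listed in trustedIPs and strips it otherwise. A depth-based
# whitelist is therefore only as trustworthy as this list: it must name exactly the
# proxies you rely on (here an assumed placeholder range), never "everyone".
#   - --entrypoints.web.forwardedHeaders.trustedIPs=203.0.113.0/24        # assumed proxy range
#   - --entrypoints.websecure.forwardedHeaders.trustedIPs=203.0.113.0/24  # assumed proxy range
```

This keeps the behaviour the post reports: with `depth` set, LAN clients that connect directly are rejected because the selected address is empty, and with it unset, proxied clients all appear as the proxy. Either way the decision rests on a header that a proxy in the trusted list is free to write, which is the reason the post's own conclusion holds: serving internal apps from an instance that is not port-forwarded at all is the control that does not depend on header trust.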

What’s an "internal" and "external" app? Why do you use Traefik twice? Where is your Traefik static and dynamic config?

By internal and external app, I mean what is reachable from the local network (internal) and externally through port forwarding.

I have a blog that I host for everyone, while I also have several apps for internal use, such as Home Assistant, Node-RED etc.
Those should only be reachable internally.