Whitelist Configuration

I currently have traefik implemented in my cluster using ingressroutes but can't seem to get the ipwhitelist middleware working. I've specified my local network subnet to be allowed but any requests from such are still forbidden. I've tried using the depth specification but to no avail either. The only tweak that works is whitelisting the ip of the loadbalancer that traefik itself is running on, but that just allows all traffic. This should be a simple configuration so I'm not sure what the issue is. Config shown in pic.

Hello @clanktron,

Can you provide DEBUG logs from traefik ?

time="2022-03-26T05:15:36Z" level=debug msg="rejecting request &{Method:GET URL:/ Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.5] Dnt:[1] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Sec-Gpc:[1] Te:[trailers] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0] X-Forwarded-Host:[pve.claytonc.dev] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[traefik-8458959b77-ss8rf] X-Real-Ip:[]] Body:0xc001570c30 GetBody: ContentLength:0 TransferEncoding:[] Close:false Host:pve.claytonc.dev Form:map[] PostForm:map[] MultipartForm: Trailer:map[] RemoteAddr: RequestURI:/ TLS: Cancel: Response: }: "" matched none of the trusted IPs" middlewareName=pve-whitelist@kubernetescrd middlewareType=IPWhiteLister

Its reading the cluster ip of traefik rather than the real ip of the client.

Turns out it was a configuration issue. When using a load balancer like metallb the requests get proxied though kube-proxy as well which obscures the client ip. Setting the external traffic policy to "local" instead of "cluster" on the given service alleviates that issue.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.