
traefik 1.7.11 subdomain based access rules setup


I want to create IP-based subdomain access rules for the Traefik (1.7.11) ingress controller running on Kubernetes (EKS). All IPs are allowed to talk to an external/frontend entry point:

traefik.toml: |
  defaultEntryPoints = ["http","https"]
  logLevel = "INFO"
  [entryPoints]
    [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.http.redirect]
      entryPoint = "https"
      [entryPoints.http.whiteList]
      sourceRange = ["0.0.0.0/0"]
    [entryPoints.https]
      address = ":443"
      compress = true
      [entryPoints.https.tls]
      [entryPoints.https.whiteList]
      sourceRange = ["0.0.0.0/0"]

But we have only prod environments running in this cluster.

I want to limit certain endpoints, like monitoring.domain.com, to be accessible from limited IPs (office location), and keep *.domain.com (default) accessible from the public internet.

Is there any way I can do this in Traefik?


Solution

  • You can try using the traefik.ingress.kubernetes.io/whitelist-source-range: "x.x.x.x/x, xxxx::/x" Traefik annotation on your Ingress object. You can also have 4 Ingress objects, one for each of stage.domain.com, qa.domain.com, dev.domain.com and prod.domain.com.

    For anything other than prod.domain.com you can add a whitelist.

    Another option is to change your traefik.toml with [entryPoints.http.whitelist] but you may have to have different ingress controllers with a different ingress class for each environment.
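
The per-Ingress annotation approach from the answer above, applied to the question's hosts, as an added example that is not part of the original post. The namespaces, Service names and ports, the www.domain.com host and the office range 203.0.113.0/24 are assumptions; substitute your own.

```yaml
# Added example. Constructed values: namespaces, Service names/ports,
# www.domain.com, and 203.0.113.0/24 (a documentation-only range standing
# in for the office CIDR).
# extensions/v1beta1 is the Ingress API version of the Traefik 1.7 era.
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: monitoring
  namespace: monitoring
  annotations:
    kubernetes.io/ingress.class: traefik
    # Restricts only this Ingress: requests for monitoring.domain.com from
    # outside the listed ranges are rejected by Traefik.
    traefik.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"
spec:
  rules:
    - host: monitoring.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: monitoring-svc   # hypothetical Service
              servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: public-web
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    # No whitelist annotation here, so this host stays publicly reachable
    # under the entry point's 0.0.0.0/0 sourceRange from traefik.toml.
spec:
  rules:
    - host: www.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: web-svc          # hypothetical Service
              servicePort: 80
```

The whitelist is matched against the client address Traefik itself sees. Behind an AWS load balancer, check the Traefik access log from an office and a non-office connection to confirm the real client IP, not the load balancer's, is what gets evaluated.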