Skip to content

Securing an Ingress

This document demonstrates how to secure an ingress already used by an ingress controller.

Requirements

Before getting started, make sure you have the following:

  • An account registered on the Traefik Hub platform
  • A cluster running with Kubernetes
  • The Traefik Hub Agent installed and running

Publishing an Example Application

In this getting started guide, we will be using a demo application called whoami which is provided by Traefik Labs and responds to HTTP calls by host-related information.

In the following diagram, you can see the architecture we are going to create. The whoami application exposes the port 80, and we will create an ingress to forward incoming traffic to it using the Traefik Proxy ingress controller.

diagram

The first step is to have an application running. The whoami application is excellent for testing networking and routing.

To install whoami on your cluster, use the following command:

kubectl create deployment whoami --image=traefik/whoami

Works with any application

This tutorial works for any application you would like to use. The concepts remain the same, whatever your use case.

Create a service to reach the whoami deployment pods:

kubectl create service clusterip whoami --tcp=80:80

Traefik Proxy and Ingress

The Access Control Policies make use of the ingress controller features to work. Currently, we support Traefik Proxy as well as Nginx ingress controllers.

For this tutorial, we are using Traefik Proxy. You can install it with the following command:

helm install traefik traefik/traefik \
  --set ingressClass.enabled=true \
  --set ingressClass.isDefaultClass=true

Traefik Proxy service

Helm automatically creates a service LoadBalancer exposing port 80 and 443.

Create an Ingress to configure Traefik Proxy to expose the whoami service on example.com/whoami.

kubectl create ingress whoami \
  --rule="example.com/whoami=whoami:80"

At this point, the application is reachable. Try accessing example.com/whoami on your web browser or curl.

Access Control Policy

The next step is to protect the application using the Traefik Hub Access Control features. Open the Traefik Hub UI and find the whoami service on the service listing page.

services page

The Traefik Hub Agent detects the ingress and displays the information configured on the ingress (e.g. host and path). Click on the Edit button next to the whoami ingress and click on Create new ACP.

whoami service with ingress

whoami ingress edition

Enter a name, select the basic authentication method and enter user credentials. Save the Access Control Policy, and save the ingress.

create basic auth ACP

save whoami ingress with basic auth ACP

whoami ingress with basic auth ACP

After a few seconds, the Access Control Policy is applied and the application is protected. To verify this, get to example.com/whoami on your browser. If the browser asks for credentials, the Access Control Policy has been successfully implemented.

Going Further

You can continue by looking at other authentication mode.