Securing an Ingress¶
This document demonstrates how to secure an ingress already used by an ingress controller.
Before getting started, make sure you have the following:
- An account registered on the Traefik Hub platform
- A cluster running with Kubernetes
- The Traefik Hub Agent installed and running
Publishing an Example Application¶
In this getting started guide, we will be using a demo application called whoami which is provided by Traefik Labs and responds to HTTP calls by host-related information.
In the following diagram, you can see the architecture we are going to create. The whoami application exposes the port 80, and we will create an ingress to forward incoming traffic to it using the Traefik Proxy ingress controller.
The first step is to have an application running. The whoami application is excellent for testing networking and routing.
To install whoami on your cluster, use the following command:
kubectl create deployment whoami --image=traefik/whoami
Works with any application
This tutorial works for any application you would like to use. The concepts remain the same, whatever your use case.
Create a service to reach the whoami deployment pods:
kubectl create service clusterip whoami --tcp=80:80
Traefik Proxy and Ingress¶
The Access Control Policies make use of the ingress controller features to work. Currently, we support Traefik Proxy as well as Nginx ingress controllers.
For this tutorial, we are using Traefik Proxy. You can install it with the following command:
helm install traefik traefik/traefik \ --set ingressClass.enabled=true \ --set ingressClass.isDefaultClass=true
Traefik Proxy service
Helm automatically creates a service
LoadBalancer exposing port
Create an Ingress to configure Traefik Proxy to expose the whoami service on
kubectl create ingress whoami \ --rule="example.com/whoami=whoami:80"
At this point, the application is reachable.
example.com/whoami on your web browser or curl.
Access Control Policy¶
The next step is to protect the application using the Traefik Hub Access Control features. Open the Traefik Hub UI and find the whoami service on the service listing page.
The Traefik Hub Agent detects the ingress and displays the information configured on the ingress (e.g. host and path). Click on the Edit button next to the whoami ingress and click on Create new ACP.
Enter a name, select the basic authentication method and enter user credentials. Save the Access Control Policy, and save the ingress.
After a few seconds, the Access Control Policy is applied and the application is protected.
To verify this, get to
example.com/whoami on your browser.
If the browser asks for credentials, the Access Control Policy has been successfully implemented.
You can continue by looking at other authentication mode.