Securing an Ingress
This page demonstrates how to deploy an example application on Kubernetes and use Access Control Policies (ACP) to secure it with HTTP authentication.
Before you begin
Before getting started, make sure you have the following:
- An account registered on the Traefik Hub platform
- A Kubernetes cluster
- kubectl installed and configured
- The Traefik Hub Agent installed and running
Publishing an Example Application
In this example, you will be using a demo application called whoami, a web server answering with host-related information.
In the following diagram, you can see the architecture you are going to create.
The whoami application exposes the port 80, and you will create an Ingress to forward incoming traffic to it using the Traefik Proxy Ingress controller.
The first step is to have an application running. This application is excellent for testing networking and routing.
To install whoami on your cluster, use the following command:
kubectl create deployment whoami --image=traefik/whoami
Create a service to reach the whoami deployment pods:
kubectl create service clusterip whoami --tcp=80:80
Traefik Proxy and Ingress
Access Control Policies rely on features of the Ingress controller to work.
For this tutorial, you are using Traefik Proxy. You can install it with the following command:
helm install traefik traefik/traefik \
  --set ingressClass.enabled=true \
  --set ingressClass.isDefaultClass=true
Traefik Proxy service
Helm automatically creates a service of type LoadBalancer exposing ports 80 and 443.
Create an Ingress to configure Traefik Proxy to expose the whoami service on example.com/whoami.
kubectl create ingress whoami \
  --rule="example.com/whoami=whoami:80"
At this point, the application is reachable.
Try accessing example.com/whoami in your web browser or with curl.
Access Control Policy
The next step is to protect the application using the Traefik Hub Access Control features.
Open the Traefik Hub UI and find the whoami service on the service listing page.
The Traefik Hub Agent detects the Ingress and displays the information configured on the Ingress (for example host and path).
Choose the Edit button next to the whoami Ingress and select Create new ACP.
Enter a name, select the basic authentication method and enter user credentials.
Save the Access Control Policy by selecting Save.
Select Save and Publish to save and publish the Ingress.
As the last step, select Publish the service to publish your application.
After a few seconds, the Access Control Policy is applied and the application is protected.
To verify this, go to example.com/whoami in your browser.
If the browser asks for credentials, the Access Control Policy has been successfully implemented.
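The browser check above can also be scripted. The following is an added example, not part of the Traefik Hub documentation; the function names, the sample responses and the user:password argument are assumptions for illustration. It treats the policy as enforced only when an anonymous request receives a 401 with a Basic challenge, invalid credentials are rejected, and the credentials entered in the ACP are accepted.

```shell
#!/bin/sh
# Added example (not from the Traefik Hub docs): confirm that the basic-auth
# Access Control Policy is enforced by classifying HTTP response headers.

# Reads raw response headers on stdin (as printed by curl -D -).
# Prints one of:
#   protected  - 401 with a "WWW-Authenticate: Basic" challenge
#   open       - 2xx, content was served
#   other:CODE - anything else (redirect, 403, 404, 5xx, non-Basic 401)
acp_status() {
  awk '
    { sub(/\r$/, "") }                        # strip CRLF line endings
    /^HTTP\// { code = $2; basic = 0; next }  # new response block: reset state
    tolower($0) ~ /^www-authenticate:[ \t]*basic/ { basic = 1 }
    END {
      if (code == 401 && basic) print "protected"
      else if (code ~ /^2/)     print "open"
      else                      print "other:" code
    }'
}

# fetch_status URL [extra curl args]: request URL and classify the response.
fetch_status() {
  url=$1; shift
  curl -s --max-time 10 -o /dev/null -D - "$@" "$url" | acp_status
}

# check_acp URL USER:PASSWORD
# Succeeds only if anonymous and invalid requests are challenged and the
# credentials configured in the ACP are accepted.
check_acp() {
  anon=$(fetch_status "$1")
  bad=$(fetch_status "$1" -u "acp-check-invalid:acp-check-invalid")
  good=$(fetch_status "$1" -u "$2")
  echo "anonymous=$anon invalid=$bad valid=$good"
  [ "$anon" = "protected" ] && [ "$bad" = "protected" ] && [ "$good" = "open" ]
}

# Constructed sample responses for exercising acp_status offline.
SAMPLE_PROTECTED=$(printf 'HTTP/1.1 401 Unauthorized\r\nWww-Authenticate: Basic realm="hub"\r\n\r\n')
SAMPLE_OPEN=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n')

# Live use: sh check.sh http://example.com/whoami 'user:password'
if [ "$#" -ge 2 ]; then
  check_acp "$1" "$2"
fi
```

Basic authentication sends the credentials base64-encoded rather than encrypted, so run the live check against the HTTPS endpoint (port 443) once TLS is configured for the host.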
What's next
- Learn more about other authentication methods