# k3s

important-art-22288

08/05/2022, 4:59 PM
Hey team! I’m running k3s on a raspberry pi and trying to set up a networking configuration where some ingresses are exposed to the public internet (e.g. a public-facing API) and others that are only exposed within my local network. My first pass was using Traefik’s IP Whitelist to try and only whitelist internal CIDR ranges, but after a lot of troubleshooting I found that doesn’t work due to the limitations of forwarding the client IP `x-forwarded-for` headers through the CNI — all requests were showing up internally with the internal IP of the CNI in the header. It looks like there are some complicated workarounds with Flannel there but I ditched that route given the complexity. Is there any good way to do this, or am I thinking about it wrong? All I need to do is to have some ingresses only exposed to the local network, and others exposed to the public internet, if possible. The current Pi networking config just forwards 443 and 80 through the router configuration, but if there’s a better way to do that I’m open to it.

creamy-pencil-82913

08/05/2022, 5:25 PM
What I do is just set up traefik with multiple ports (entrypoints), and exposed one pair of http/https ports to the internet via my FW, and left the other two for private use. I can set the `traefik.ingress.kubernetes.io/router.entrypoints` annotation to which entrypoints I want that ingress resource to be exposed on.
Basically, 80/443 is for me to use locally, and 8080/8443 is for stuff I want exposed to the internet.

important-art-22288

08/05/2022, 5:53 PM
Hmm this seems promising — is all you need on the ingress `traefik.ingress.kubernetes.io/router.entrypoints: internalweb, internalwebsecure`? My traefik logs are saying `entryPoint \"internalwebsecure\" doesn't exist` when I go to apply it despite it existing in the helmchartconfig.

creamy-pencil-82913

08/05/2022, 7:09 PM
Can you look at the actual traefik config and see if maybe the config didn’t take?

important-art-22288

08/07/2022, 1:19 AM
Yeah it seems that there was a config issue that I resolved — this solution worked, thank you!