Hey team! I’m running k3s on a raspberry pi and trying to set up a networking configuration where some ingresses are exposed to the public internet (e.g. a public-facing API) and others that are only exposed to within my local network. My first pass was using Traefik’s IP Whitelist to try and only whitelist internal CIDR ranges, but after a lot of troubleshooting I found that doesn’t work due to the limitations of forwarding the client IP

x-forwarded-for

headers through the CNI — all requests were showing up internally with the internal IP of the CNI in the header. It looks like there are some complicated workarounds with Flannel there but I ditched that route given the complexity. Is there any good way to do this, or am I thinking about it wrong? All I need to do is to have some ingresses only exposed to the local network, and others exposed to the public internet, if possible. The current Pi networking config just forwards 443 and 80 through the router configuration, but if there’s a better way to do that I’m open to it

What I do is just set up traefik with multiple ports (entrypoints), and exposed one pair of http/https ports to the internet via my FW , and left the other two for private use. I can set the

<http://traefik.ingress.kubernetes.io/router.entrypoints|traefik.ingress.kubernetes.io/router.entrypoints>

annotation to which entrypoints I want that ingress resource to be exposed on.

Hmm this seems promising — is all you need on the ingress

<http://traefik.ingress.kubernetes.io/router.entrypoints|traefik.ingress.kubernetes.io/router.entrypoints>: internalweb, internalwebsecure

? My traefik logs are saying

entryPoint \"internalwebsecure\" doesn't exist

when I go to apply it despite it existing in the helmchartconfig

Can you look at the actual traefik config and see if maybe the config didn’t take?

Yeah it seems that there was a config issue that I resolved — this solution worked, thank you!