Kubernetes and Traefik v2 forward traffic to external IP
In my internal network I have couple of devices that I would love to expose to internet. However as we all know those devices are not the most secure, so providing added layer of security via Kubernetes and Traefik v2 seemed like easiest and best idea. Traefik already obtains Letsencrypt certificates for the domains and is also able to forward traffic to addresses external to your Kubernetes cluster.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: example-cert
namespace: example
spec:
commonName: example.the-mori.com
secretName: example-the-mori-cert
dnsNames:
- example.the-mori.com
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: outside-server-example
name: outside-server-example
namespace: example
spec:
type: ExternalName
ports:
- name: outside-server-example
port: 80
targetPort: 80
externalName: 192.168.0.196
selector:
app.kubernetes.io/instance: traefik
app.kubernetes.io/name: traefik
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: outside-server-ingress
namespace: example
spec:
entryPoints:
- websecure
routes:
- match: Host(`example.the-mori.com`)
kind: Rule
services:
- name: outside-server-example
kind: Service
port: 80
tls:
secretName: example-the-mori-cert
# It is this easy to use Traefik to forward traffic to a server external to your Kubernetes cluster. A fair warning is that this ideally should be within your local network as the main reason is to provide an additional layer of security and not expose vulnerable devices to the internet.
# With Traefik 2.5.x the issue is that (via Helm Chart) you need to enable external services using this two arguments
additionalArguments:
- "--providers.kubernetesingress.allowexternalnameservices"
- "--providers.kubernetescrd.allowexternalnameservices"