I am very new to Traefik and Kubernetes. I installed Traefik through helm (repo: https://traefik.github.io/traefik-helm-chart/, helm version 3.5.2, chart traefik-9.19.1). Then I wanted to get prometheus metrics from it.

Here is an extract of my values.yaml file:

ports:
  metrics:
    expose: true
    port: 3333
    exposedPort: 3333
    protocol: TCP

additionalArguments:
  - "--metrics.prometheus=true"
  - "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
  - "--metrics.prometheus.addEntryPointsLabels=true"
  - "--metrics.prometheus.addServicesLabels=true"
  - "--entrypoints.metrics.address=:3333/tcp"
  - "--metrics.prometheus.entryPoint=metrics"

My problem is: this configuration exposes the TCP port 3333 to the Internet. For security reasons, I would prefer to avoid this.

Is there a way to expose port 3333 only to my cluster?

Software Engineer
n0n0bstan
  • Can you let us know which helm chart you are using? – kirin nee Apr 23 '21 at 14:34
  • If you only want other resources to reach this app, you should use a `Service` resource. And, if you configure a DNS server inside your cluster, you can reference it from other resources by name, not by its IP. For example, if your `Service` was called `app` and was running in the `production` namespace, you can reach it by the name `app.production`. `Ingresses` are used to provide external access to your cluster resources. – guzmonne May 22 '21 at 13:34
  • Please share your full values file. From what you're telling us, if port 3333 is reachable outside of your SDN, my guess is that you have set `.Values.hostNetwork` to `true`. – SYN Dec 05 '21 at 22:09

4 Answers

Try removing the expose and exposedPort parameters.

XciD

Try this:

ports:
  metrics:
    expose: true
    port: 3333
    exposedPort: 3333
    protocol: TCP

env:
- name: POD_IP
  valueFrom:
    fieldRef:
      apiVersion: v1
      fieldPath: status.podIP

additionalArguments:
- "--metrics.prometheus=true"
- "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
- "--metrics.prometheus.addEntryPointsLabels=true"
- "--metrics.prometheus.addServicesLabels=true"
- "--entrypoints.metrics.address=$(POD_IP):3333/tcp"
- "--metrics.prometheus.entryPoint=metrics"

Traefik will expose metrics only on the POD_IP network interface.

And/or additionally, I'd propose to update the firewall settings on your workers (iptables, etc.).

If you prefer to set a configuration outside of Traefik: I think that you can use something like iptables to block access to this port from outside of your server, or only accept connections to this port from a specific subnetwork.

# Drop all TCP traffic to port 3333 arriving on eth0. 0.0.0.0/0 means "any source";
# a bare 0.0.0.0 would only match packets whose source address is exactly 0.0.0.0.
iptables -A INPUT -s 0.0.0.0/0 -i eth0 --protocol tcp --dport 3333 -j DROP
Kévin

To expose a Traefik port ONLY to other containers in the cluster, you have to create a new Service and map the ports.

My use case was to expose the /metrics endpoint to other pods without having /metrics accessible on the Internet.

Do not change any of the metrics values in the helm chart; it just makes it more confusing to get it initialized. The helm chart will open port 9100 to access /metrics by default without exposing it to the Internet.

Here is my Service for accessing /metrics. To test, go into a container and run curl ${service_cluster_ip}:9100/metrics

# Traefik exposes /metrics on port 9100 and needs to let other containers access it.
apiVersion: v1
kind: Service
metadata:
  name: traefik-metrics
  namespace: default
  labels:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/name: traefik-metrics
spec:
  type: ClusterIP
  ports:
  - name: traefik
    port: 9100
    targetPort: metrics
    protocol: TCP
  selector:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/name: traefik

Run the helm install, and adding the Service should get it to work.

torrybr
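The answers above and SYN's comment boil down to one question a cluster operator should be able to answer quickly: which ports are published outside the cluster at all? The script below is an added example, not code from the question, the answers or the Traefik chart. It audits Service and Deployment objects in the shape `kubectl get svc,deploy -o json` returns (the `items` list): a port on a `LoadBalancer` or `NodePort` Service is externally reachable, a `ClusterIP` Service is cluster-only, and any containerPort of a pod running with `hostNetwork: true` is reachable on the node regardless of Services. The manifests embedded in it are constructed samples modelled on this thread (the chart's main Service carrying the metrics port after `expose: true`, and the ClusterIP Service from the last answer); they are not taken from a real cluster.

```python
"""Audit Kubernetes Service and Deployment objects for ports reachable from
outside the cluster. Input is the `items` list of `kubectl get svc,deploy -o json`.
All manifests below are constructed samples, not real cluster state."""
import json

# Service types whose ports are published outside the cluster network.
EXTERNAL_SERVICE_TYPES = {"LoadBalancer", "NodePort"}


def service_findings(svc):
    """One finding per Service port, flagged 'external' when the Service type
    publishes it on node IPs (NodePort) or a cloud load balancer (LoadBalancer).
    ClusterIP, the default when spec.type is absent, is only routable in-cluster."""
    spec = svc.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")
    name = svc["metadata"]["name"]
    ns = svc["metadata"].get("namespace", "default")
    findings = []
    for p in spec.get("ports", []):
        findings.append({
            "object": f"service/{ns}/{name}",
            "port_name": p.get("name", str(p["port"])),
            "port": p["port"],
            "protocol": p.get("protocol", "TCP"),
            "reason": f"Service type {svc_type}",
            "external": svc_type in EXTERNAL_SERVICE_TYPES,
        })
    return findings


def deployment_findings(deploy):
    """Flag every containerPort of a Deployment whose pods use hostNetwork: true;
    those ports bind on the node's own interfaces, bypassing any Service."""
    pod_spec = deploy["spec"]["template"]["spec"]
    if not pod_spec.get("hostNetwork", False):
        return []
    name = deploy["metadata"]["name"]
    ns = deploy["metadata"].get("namespace", "default")
    findings = []
    for c in pod_spec.get("containers", []):
        for p in c.get("ports", []):
            findings.append({
                "object": f"deployment/{ns}/{name}",
                "port_name": p.get("name", str(p["containerPort"])),
                "port": p["containerPort"],
                "protocol": p.get("protocol", "TCP"),
                "reason": "pod runs with hostNetwork: true",
                "external": True,
            })
    return findings


def audit(items):
    """Dispatch on `kind` and return only the externally reachable ports."""
    findings = []
    for obj in items:
        if obj.get("kind") == "Service":
            findings.extend(service_findings(obj))
        elif obj.get("kind") == "Deployment":
            findings.extend(deployment_findings(obj))
    return [f for f in findings if f["external"]]


def exposed_ports(items, port_name):
    """Objects that publish a port with the given name outside the cluster."""
    return sorted(f["object"] for f in audit(items) if f["port_name"] == port_name)


# Constructed sample: the chart's main Service is a LoadBalancer and `expose: true`
# added the metrics port to it; the ClusterIP Service publishes 9100 in-cluster only.
SAMPLE_ITEMS = json.loads("""
[
 {"kind": "Service", "metadata": {"name": "traefik", "namespace": "default"},
  "spec": {"type": "LoadBalancer", "ports": [
     {"name": "web", "port": 80, "targetPort": "web"},
     {"name": "websecure", "port": 443, "targetPort": "websecure"},
     {"name": "metrics", "port": 3333, "targetPort": "metrics"}]}},
 {"kind": "Service", "metadata": {"name": "traefik-metrics", "namespace": "default"},
  "spec": {"type": "ClusterIP", "ports": [
     {"name": "traefik", "port": 9100, "targetPort": "metrics"}]}},
 {"kind": "Deployment", "metadata": {"name": "traefik", "namespace": "default"},
  "spec": {"template": {"spec": {"hostNetwork": false, "containers": [
     {"name": "traefik", "ports": [{"name": "metrics", "containerPort": 3333}]}]}}}}
]
""")

if __name__ == "__main__":
    for f in audit(SAMPLE_ITEMS):
        print(f"{f['object']} {f['port']}/{f['protocol']} ({f['port_name']}): {f['reason']}")
```

Run against the sample, the report lists the three LoadBalancer ports (80, 443 and the metrics port 3333) and nothing for the ClusterIP Service, which is exactly the distinction the last answer relies on. Against a live cluster, feed it `kubectl get svc,deploy -A -o json | jq .items`; a metrics port that shows up here is reachable from wherever the load balancer or node IP is reachable.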