Unable to route to Traefik2 dashboard through IngressRoute without insecure API

Hello all, I am struggling with upgrading to Traefik2 on a k8s cluster and would really appreciate some help.

I deployed traefik as a DaemonSet as follows (all resources are in a dedicated "traefik2" namespace since I already have traefik1 deployed in kube-system):

kind: DaemonSet
apiVersion: apps/v1
metadata:
  namespace: traefik2
  name: traefik
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.0
          args:
            - --api.dashboard=true
            - --api.insecure=false
            - --accesslog
            - --entrypoints.web.Address=:8000
            - --entrypoints.websecure.Address=:4443
            - --providers.kubernetescrd
          ports:
            - name: web
              containerPort: 8000
              hostPort: 81
            - name: websecure
              containerPort: 4443
              hostPort: 444
            - name: admin
              containerPort: 8080
              hostPort: 82
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL

I have defined a service for traefik:

apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: traefik2
spec:
  ports:
    - protocol: TCP
      name: web
      port: 8000
    - protocol: TCP
      name: admin
      port: 8080
    - protocol: TCP
      name: websecure
      port: 4443
  selector:
    app: traefik

And an IngressRoute for the dashboard:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-web-ui
  namespace: traefik2
spec:
  entryPoints:
    - web
  routes:
  - match: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
    kind: Rule
    services:
    - name: traefik
      port: 8080

With API security enabled as recommended:

  • when I try to access the dashboard through the admin port I get connection refused as expected
  • when I try to access the dashboard through the web port I get "Bad Gateway"

With API security disabled for testing:

  • when I try to access the dashboard through the admin port I get the dashboard OK
  • when I try to access the dashboard through the web port I get the dashboard OK

I also tried to apply the recommended secure dashboard deployment (https://docs.traefik.io/operations/dashboard/#secure-mode) but I am unsure how to specify the dynamic configuration with CRD. I tried to use api@internal as the service name without port in the CRD above (instead of traefik/8080), but traefik complains that it cannot find the service:

time="2019-11-28T11:10:50Z" level=error msg="Cannot create service: service not found traefik2/api@internal" namespace=traefik2 serviceName=api@internal servicePort=0 providerName=kubernetescrd ingress=traefik-web-ui

Cheers

Hi @lmaib, the support of the "internal services" for the ingress route is upcoming in Traefik v2.1.
It means that if you want the dashboard without the flag --api.insecure, then you must use Traefik v2.1.0-rc2 at least.

You can check the Helm chart for v2 (still in experimental mode, any feedback welcome) at https://github.com/containous/traefik-helm-chart (in particular, the syntax of the IngressRoute: https://github.com/containous/traefik-helm-chart/blob/master/templates/dashboard-hook-ingressroute.yaml).

However, if you want to stay on the 2.0 stable until 2.1 is released, don't be scared by the flag --api.insecure: as your goal is to expose the API and dashboard, security can happen by restricting the access on the service on 8080, or by adding authentication on the ingressroute by the dashboard.

=> Important note: if you deploy Traefik as a DaemonSet, then it means that you have one dashboard per instance of Traefik. There is no "distributed" mode: be aware of this (such an HA setting is in the Enterprise Edition).
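
An added example, not part of the original thread or the Traefik project's own manifests: the dashboard IngressRoute from the question rewritten for Traefik v2.1, pointing at the internal api@internal service and protected by a basic auth middleware, so --api.insecure can stay false. The names dashboard-auth and dashboard-users and the htpasswd entry are assumptions; the v2.1 CRDs (including TraefikService) and the matching RBAC must already be installed.

```yaml
# Secret holding htpasswd-format users for the middleware (name is an assumption).
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-users
  namespace: traefik2
stringData:
  # Placeholder: replace with the output of `htpasswd -nB admin`.
  users: |
    admin:<htpasswd-hash-placeholder>
---
# Basic auth middleware that reads its users from the Secret above.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: traefik2
spec:
  basicAuth:
    secret: dashboard-users
---
# Dashboard route: same match rule as in the question, but the backend is
# Traefik's internal API service instead of the Kubernetes Service on 8080.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-web-ui
  namespace: traefik2
spec:
  entryPoints:
    - web
  routes:
  - match: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
    kind: Rule
    middlewares:
    - name: dashboard-auth
    services:
    # kind: TraefikService makes the CRD provider resolve api@internal
    # as an internal service, so no port is given.
    - name: api@internal
      kind: TraefikService
```

Because the web entry point here is plain HTTP, the basic auth credentials cross the network unencrypted; binding the route to websecure with TLS avoids that.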

Thanks @dduportal, I tried with a basic auth middleware with v2.0 and it worked fine.
I have now moved to v2.1 and after adding the new CRD and updating RBAC I was able to get the dashboard without --api.insecure.

Note: thanks for the tip about multiple dashboard instances; in my case it should not be an issue as each instance provides the same status/information.
