I am very new to Traefik and Kubernetes. I installed Traefik through helm (repo: https://traefik.github.io/traefik-helm-chart/, helm version 3.5.2, chart traefik-9.19.1). Then I wanted to get prometheus metrics from it.
Here is an extract of my values.yaml file:
ports:
  metrics:
    expose: true
    port: 3333
    exposedPort: 3333
    protocol: TCP
additionalArguments:
  - "--metrics.prometheus=true"
  - "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
  - "--metrics.prometheus.addEntryPointsLabels=true"
  - "--metrics.prometheus.addServicesLabels=true"
  - "--entrypoints.metrics.address=:3333/tcp"
  - "--metrics.prometheus.entryPoint=metrics"
My problem is: this configuration exposes the TCP port 3333 to the Internet. For security reasons, I would prefer to avoid this.
Is there a way to expose port 3333 only to my cluster?
Try to remove the expose and exposedPort parameters.
Try this:
ports:
  metrics:
    expose: true
    port: 3333
    exposedPort: 3333
    protocol: TCP
env:
  - name: POD_IP
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: status.podIP
additionalArguments:
  - "--metrics.prometheus=true"
  - "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
  - "--metrics.prometheus.addEntryPointsLabels=true"
  - "--metrics.prometheus.addServicesLabels=true"
  - "--entrypoints.metrics.address=$(POD_IP):3333/tcp"
  - "--metrics.prometheus.entryPoint=metrics"
Traefik will expose metrics only on the POD_IP network interface.
And/or additionally, I'd propose updating the firewall settings on your workers (iptables, etc.).
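As an added example (not taken from the question or either answer), here is how the two pieces fit together for the traefik-helm-chart 9.x: in that chart `ports.<name>.expose` decides whether the port is added to the Traefik Service (and therefore to the LoadBalancer), while the container keeps listening on `port`, so leaving the metrics port unexposed keeps it pod-only and Prometheus scrapes the pod IP directly; a NetworkPolicy then limits which pods may reach it. The namespaces `traefik` and `monitoring`, the Prometheus pod label `app.kubernetes.io/name=prometheus`, and the web/websecure container ports are assumptions to adapt to your cluster.

```yaml
# values.yaml (added example, assumed layout of traefik-helm-chart 9.x)
ports:
  metrics:
    port: 3333        # container port: the metrics entrypoint still listens here
    expose: false     # not added to the Service, so not reachable via the LoadBalancer
    protocol: TCP
additionalArguments:
  - "--metrics.prometheus=true"
  - "--metrics.prometheus.addEntryPointsLabels=true"
  - "--metrics.prometheus.addServicesLabels=true"
  - "--metrics.prometheus.entryPoint=metrics"
# Prometheus scrapes <pod IP>:3333 through pod discovery (e.g. a PodMonitor),
# not through the Traefik Service.
---
# networkpolicy.yaml (added example): only Prometheus pods in the assumed
# "monitoring" namespace may open TCP/3333 on the Traefik pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: traefik-metrics-from-prometheus
  namespace: traefik                 # assumed namespace of the Traefik release
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: traefik
  policyTypes:
    - Ingress
  ingress:
    # Selecting the Traefik pods denies every other ingress, so the public
    # entrypoints must be listed too (8000/8443 are assumed container ports).
    - ports:
        - protocol: TCP
          port: 8000
        - protocol: TCP
          port: 8443
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # assumed namespace
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus        # assumed label
      ports:
        - protocol: TCP
          port: 3333
```

The policy only takes effect with a CNI that enforces NetworkPolicy, and the `kubernetes.io/metadata.name` namespace label is set automatically on Kubernetes 1.21 and later; on older clusters label the namespace yourself.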