defaults/main.yml

@@ -11,8 +11,8 @@ traefik_namespace: "traefik"
 traefik_cpu_limit: 500m
 traefik_memory_limit: 300Mi
 traefik_entrypoints:
-    - { name: "http", port: 80, proto: "TCP" }
+    - { name: "http", port: 8000, proto: "TCP", hostport: 80 }
-    - { name: "https", port: 443, proto: "TCP", tls: true }
+    - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true }
     - { name: "traefik", port: 8080, proto: "TCP" }
 
 basic_auth: false

tasks/main.yml

@@ -49,7 +49,7 @@
     k8s_info:
       context: "{{ my_context }}"
       api_version: v1
-      kind: Deployment
+      kind: DaemonSet
       name: traefik
       namespace: '{{ traefik_namespace }}'
       field_selectors:
@@ -82,18 +82,19 @@
       resource_definition: "{{ lookup('template', item) | from_yaml }}"
     with_items:
       - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}"
+      - traefik-psp.yml.j2
       - traefik-cm.yml.j2
       - traefik-sa.yml.j2
       - traefik-dp.yml.j2
-      - traefik-svc.yml.j2
+#      - traefik-svc.yml.j2
-      - traefik-dashboard-svc.yml.j2
+#      - traefik-dashboard-svc.yml.j2
       - traefik-middleware-httpsredirect.yml.j2
       - traefik-middleware-basicauth.yml.j2
       - traefik-middleware-headers.yml.j2
       - traefik-tls-options.yml.j2
-      - traefik-dashboard.yml.j2
+      - traefik-ingressroute.yml.j2
       - traefik-dashboard-insecure.yml.j2
-      - traefik-ping.yml.j2
+#      - traefik-ping.yml.j2
 
 
   - name: Define state of ipwhitelist middleware to present

templates/2.2/traefik-clusterrole.yml.j2

@@ -4,6 +4,10 @@ metadata:
   name: traefik-ingress-controller
 
 rules:
+  - apiGroups:     ['policy']
+    resources:     ['podsecuritypolicies']
+    verbs:         ['use']
+    resourceNames: ['traefik-ingress-controller']
   - apiGroups:
       - ""
     resources:

templates/2.3/traefik-clusterrole.yml.j2

@@ -1,5 +1,5 @@
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: traefik-ingress-controller
 

templates/traefik-dashboard-insecure.yml.j2

@@ -19,21 +19,22 @@ spec:
     # only support "Rule".
     kind: Rule
     # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 12
     middlewares:
 {% if ingress_whitelist is defined %}
       - name: traefik-ipwhitelist
 {% endif %}
       - name: https-only
     services:
-    - name: traefik-dashboard
+    - name: api@internal
-      port: 8080
+      kind: TraefikService
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+#    - name: traefik-dashboard
-      weight: 1
+#      port: 8080
-      # (default true) PassHostHeader controls whether to leave the request's Host
+#      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
+#      weight: 1
-      # to the destination (backend) host.
+#      # (default true) PassHostHeader controls whether to leave the request's Host
-      passHostHeader: true
+#      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      responseForwarding:
+#      # to the destination (backend) host.
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
+#      passHostHeader: true
-        flushInterval: 100ms
+#      responseForwarding:
+#        # (default 100ms) Interval between flushes of the buffered response body to the client.
+#        flushInterval: 100ms

templates/traefik-dashboard-svc.yml.j2

@@ -12,9 +12,9 @@ spec:
     port: 80
     protocol: TCP
     targetPort: 80
-  - name: traefik
+#  - name: traefik
-    port: 8080
+#    port: 8080
-    protocol: TCP
+#    protocol: TCP
   - protocol: TCP
     port: 443
     name: https

templates/traefik-dp.yml.j2

@@ -19,6 +19,10 @@ spec:
         app: traefik
     spec:
       serviceAccountName: traefik-ingress-controller
+#      securityContext:
+#        sysctls:
+#        - name: kernel.net.ipv4.ip_unprivileged_port_start
+#          value: "80"
       containers:
         - name: traefik
           image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }}
@@ -30,7 +34,9 @@ spec:
             - name: {{ traefik_entrypoint.name }}
               containerPort: {{ traefik_entrypoint.port }}
               protocol: {{ traefik_entrypoint.proto }}
-              hostPort: {{ traefik_entrypoint.port }}
+{% if traefik_entrypoint.hostport is defined %}
+              hostPort: {{ traefik_entrypoint.hostport }}
+{% endif %}
 {% endfor %}
           readinessProbe:
             httpGet:
@@ -56,6 +62,9 @@ spec:
                 - ALL
               add:
                 - NET_BIND_SERVICE
+            runAsUser: 1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: true
           resources:
             limits:
               cpu: {{ traefik_cpu_limit }}

templates/traefik-ingressroute.yml.j2

@@ -1,7 +1,7 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: traefik-dashboard
+  name: traefik
   namespace: {{ traefik_namespace }}
   labels:
     app: traefik
@@ -13,13 +13,11 @@ spec:
   # Match is the rule corresponding to an underlying router.
   # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
   # but for now we only support a traefik style matching rule.
-  - match: Host(`traefik.{{ traefik_domain }}`)
+  - match: Host(`traefik.{{ traefik_domain }}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
     # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
     # "Parameter", etc, to support simpler forms of rule matching, but for now we
     # only support "Rule".
     kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 12
 {% if basic_auth is defined or ingress_whitelist is defined %}
     middlewares:
 {% if ingress_whitelist is defined %}
@@ -30,17 +28,32 @@ spec:
 {% endif %}
 {% endif %}
     services:
-    - name: traefik-dashboard
+    - name: api@internal
-      port: 8080
+      kind: TraefikService
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+#    - name: traefik-dashboard
-      weight: 1
+#      port: 8080
-      # (default true) PassHostHeader controls whether to leave the request's Host
+#      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
+#      weight: 1
-      # to the destination (backend) host.
+#      # (default true) PassHostHeader controls whether to leave the request's Host
-      passHostHeader: true
+#      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      responseForwarding:
+#      # to the destination (backend) host.
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
+#      passHostHeader: true
-        flushInterval: 100ms
+#      responseForwarding:
+#        # (default 100ms) Interval between flushes of the buffered response body to the client.
+#        flushInterval: 100ms
+  - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
+    kind: Rule
+    services:
+    - name: ping@internal
+      kind: TraefikService
+  - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/metrics`)
+    kind: Rule
+    services:
+    - name: prometheus@internal
+      kind: TraefikService
+
+
+
   tls:
 {% if traefik_dashboard_certificate is defined %}
     secretName: {{ traefik_dashboard_certificate }}

templates/traefik-ping.yml.j2

@@ -21,17 +21,19 @@ spec:
     # (optional) Priority disambiguates rules of the same length, for route matching.
     priority: 14
     services:
-    - name: traefik-dashboard
+    - name: ping@internal
-      port: 8080
+      kind: TraefikService
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+#    - name: traefik-dashboard
-      weight: 1
+#      port: 8080
-      # (default true) PassHostHeader controls whether to leave the request's Host
+#      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      # Header as it was before it reached the proxy, or whether to let the proxy set it
+#      weight: 1
-      # to the destination (backend) host.
+#      # (default true) PassHostHeader controls whether to leave the request's Host
-      passHostHeader: true
+#      # Header as it was before it reached the proxy, or whether to let the proxy set it
-      responseForwarding:
+#      # to the destination (backend) host.
-        # (default 100ms) Interval between flushes of the buffered response body to the client.
+#      passHostHeader: true
-        flushInterval: 100ms
+#      responseForwarding:
+#        # (default 100ms) Interval between flushes of the buffered response body to the client.
+#        flushInterval: 100ms
   tls:
     secretName: wildcard-cluster
     options:

templates/traefik-psp.yml.j2

@@ -0,0 +1,49 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+  name: traefik-ingress-controller
+spec:
+  requiredDropCapabilities:
+    - ALL
+  allowedCapabilities:
+    - NET_BIND_SERVICE
+  privileged: false
+  allowPrivilegeEscalation: false
+  # Allow core volume types.
+  volumes:
+    - configMap
+    - downwardAPI
+    - secret
+    - emptyDir
+    - projected
+  #  - persistentVolumeClaim
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    # Require the container to run without root privileges.
+    rule: 'MustRunAsNonRoot'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+    hostPorts:
+  readOnlyRootFilesystem: true
+  seLinux:
+    rule: 'RunAsAny'
+  hostPorts:
+    - max: 65535
+      min: 1
+  #allowedUnsafeSysctls:
+  #  - kernel.net.ipv4.ip_unprivileged_port_start

vars/main.yml

@@ -29,7 +29,7 @@ traefik_2_2_list:
   - 2.2/traefik-clusterrole.yml.j2
   - 2.2/traefik-clusterrolebinding.yml.j2
 
-traefik_version_2_3: 2.3.1
+traefik_version_2_3: 2.3.2
 traefik_2_3_list:
   - 2.3/traefik-crd-ingressroutes.yml.j2
   - 2.3/traefik-crd-ingressroutetcps.yml.j2