There can be many ways to achieve it.
The first one I’d try is restricting the /cluster-admin HTTP path to some trusted IPs. For example, the list of loopback and private networks.
Enter the environment of traefik1:

```
runagent -m traefik1
```
Create a file, _custom_middlewares.yml, with the following contents:

```yaml
http:
  middlewares:
    MwTrustedNetworks:
      IPAllowList:
        sourceRange:
          - "127.0.0.0/8"
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"
```
Edit _api_server.yml, and add the custom middleware to the builtin cluster-admin HTTP router:
diff --git a/_api_server.yml.orig b/_api_server.yml
index 5628491..0160ece 100644
--- a/_api_server.yml.orig
+++ b/_api_server.yml
@@ -22,6 +22,7 @@ http:
entrypoints:
- https
middlewares:
+ - MwTrustedNetworks
- ApiServerMw2
- ApiServer-stripprefix
priority: '100000'
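Review bot: the added `- MwTrustedNetworks` line names a middleware that is not defined in `_api_server.yml`, so this router now depends on `_custom_middlewares.yml` being present. A comment on that line naming the defining file would make the dependency visible to whoever edits the router next. The entry is correctly placed first in the list, ahead of `ApiServerMw2` and `ApiServer-stripprefix`, so the allow-list check runs before the other middlewares; keep it there if the list is reordered later.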
More information: Traefik HTTP Middlewares IPAllowList - Traefik
The custom middleware can be referenced from other HTTP routes as wanted.
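The following is an added example, not part of the original post: a Python check of which client addresses the `sourceRange` list above admits. It models the allow-list as CIDR matching on the connection's remote address (Traefik's default when no `ipStrategy` is set); the helper names and sample client addresses are constructed for illustration.

```python
import ipaddress
import re

# The middleware definition from the post, embedded so the check runs offline.
MIDDLEWARE_YAML = '''\
http:
  middlewares:
    MwTrustedNetworks:
      IPAllowList:
        sourceRange:
          - "127.0.0.0/8"
          - "10.0.0.0/8"
          - "172.16.0.0/12"
          - "192.168.0.0/16"
'''

def source_ranges(yaml_text):
    """Collect the CIDR list items that follow the sourceRange key."""
    nets, in_list = [], False
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if stripped == "sourceRange:":
            in_list = True
        elif in_list:
            m = re.fullmatch(r'-\s*["\']?([0-9A-Fa-f:./]+)["\']?', stripped)
            if not m:
                break  # first non-item line ends the list
            # strict=True rejects typos such as 172.16.1.0/12 (host bits set)
            nets.append(ipaddress.ip_network(m.group(1), strict=True))
    return nets

def is_allowed(remote_addr, nets):
    """CIDR containment on the remote address (assumed evaluation model)."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in nets)

# Constructed sample client addresses, including edges the list does not cover.
SAMPLES = ["127.0.0.1", "10.5.5.5", "172.31.255.254", "172.32.0.1",
           "192.168.1.20", "203.0.113.7", "100.64.0.5", "::1", "fd00::10"]

def report(yaml_text=MIDDLEWARE_YAML, samples=SAMPLES):
    """Map each sample address to True (admitted) or False (rejected)."""
    nets = source_ranges(yaml_text)
    return {addr: is_allowed(addr, nets) for addr in samples}

if __name__ == "__main__":
    for addr, ok in report().items():
        print(f"{addr:<16} {'allowed' if ok else 'denied'}")
```

The list contains IPv4 ranges only, so administrators connecting over IPv6 (`::1`, `fd00::/8`) or from `100.64.0.0/10` are rejected until matching ranges are added to `sourceRange`.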