How to not expose Traefik port to the internet?
Try this:
ports:
  metrics:
    expose: true
    port: 3333
    exposedPort: 3333
    protocol: TCP
env:
  - name: POD_IP
    valueFrom:
      fieldRef:
        apiVersion: v1
        fieldPath: status.podIP
additionalArguments:
  - "--metrics.prometheus=true"
  - "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
  - "--metrics.prometheus.addEntryPointsLabels=true"
  - "--metrics.prometheus.addServicesLabels=true"
  - "--entrypoints.metrics.address=$(POD_IP):3333/tcp"
  - "--metrics.prometheus.entryPoint=metrics"
Traefik will expose metrics only on the POD_IP network interface.
And/or additionally, I'd propose updating the firewall settings on your workers (iptables, etc.).
If you prefer to set a configuration outside of Traefik: I think that you can use something like iptables to block access to this port from outside of your server, or only accept connections to this port from a specific subnetwork.
iptables -A INPUT -s 0.0.0.0/0 -i eth0 --protocol tcp --dport 3333 -j DROP
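
An added example (not part of the answers above, and not Traefik or Helm chart code): a small Python check that reads Traefik arguments like those in the first answer and reports whether the entry point serving Prometheus metrics listens on every interface. The names `audit_metrics_binding`, `WEAK` and `HARDENED` are hypothetical, and `WEAK` is a constructed sample.

```python
import re

# Hosts that make Traefik listen on every interface.
WILDCARD_HOSTS = {"", "0.0.0.0", "[::]"}
FLAG = re.compile(r"^--([^=]+)=(.*)$")
ADDR = re.compile(r"^(?P<host>.*):(?P<port>\d+)(?:/(?:tcp|udp))?$")

def parse_flags(args):
    """Return (lowercased name, value) for every --name=value argument."""
    matches = (FLAG.match(a.strip()) for a in args)
    return [(m.group(1).lower(), m.group(2)) for m in matches if m]

def audit_metrics_binding(args):
    """Return (entry point name, findings) for the Prometheus endpoint."""
    flags = parse_flags(args)
    # Traefik serves metrics on the "traefik" entry point unless one is named.
    entrypoint = "traefik"
    for name, value in flags:
        if name == "metrics.prometheus.entrypoint":
            entrypoint = value
    key = f"entrypoints.{entrypoint.lower()}.address"
    addresses = [v for n, v in flags if n == key]
    findings = []
    if not addresses:
        findings.append(f"no address flag for entry point '{entrypoint}'")
    # Flag precedence is not modelled: any wildcard value is reported.
    for addr in addresses:
        m = ADDR.match(addr)
        if not m:
            findings.append(f"unparseable address '{addr}'")
        elif m.group("host") in WILDCARD_HOSTS:
            findings.append(f"'{addr}' listens on all interfaces")
    return entrypoint, findings

# Constructed sample: the metrics entry point bound without a host part.
WEAK = [
    "--entrypoints.metrics.address=:3333/tcp",
    "--metrics.prometheus.entryPoint=metrics",
]
# Arguments from the first answer: bound to the pod IP only.
HARDENED = [
    "--entrypoints.metrics.address=$(POD_IP):3333/tcp",
    "--metrics.prometheus.entryPoint=metrics",
]

if __name__ == "__main__":
    for label, args in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_metrics_binding(args))
```

Run it against the full argument list of the rendered Traefik container rather than only `additionalArguments`, so that every address flag for the entry point is checked.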