Traefik & Kubernetes

The Kubernetes Ingress Controller.

Routing Configuration

The provider watches for incoming Ingress events, such as the example below, and derives the corresponding dynamic configuration from them, which in turn creates the resulting routers, services, handlers, etc.

Configuration Example

Configuring Kubernetes Ingress Controller

RBAC

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default

Ingress

kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: myingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /bar
            backend:
              serviceName: whoami
              servicePort: 80
          - path: /foo
            backend:
              serviceName: whoami
              servicePort: 80

Traefik

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.3
          args:
            - --log.level=DEBUG
            - --api
            - --api.insecure
            - --entrypoints.web.address=:80
            - --providers.kubernetesingress
          ports:
            - name: web
              containerPort: 80
            - name: admin
              containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080

Whoami

kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  labels:
    app: traefiklabs
    name: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefiklabs
      task: whoami
  template:
    metadata:
      labels:
        app: traefiklabs
        task: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: whoami

Annotations

On Ingress

traefik.ingress.kubernetes.io/router.entrypoints

See entry points for more information.

traefik.ingress.kubernetes.io/router.entrypoints: ep1,ep2

traefik.ingress.kubernetes.io/router.middlewares

See middlewares and middlewares overview for more information.

traefik.ingress.kubernetes.io/router.middlewares: auth@file,prefix@kubernetescrd,cb@file

traefik.ingress.kubernetes.io/router.priority

See priority for more information.

traefik.ingress.kubernetes.io/router.priority: "42"

traefik.ingress.kubernetes.io/router.pathmatcher

Overrides the default router rule type used for a path.
Only path-related matcher names can be specified: Path and PathPrefix.

Default: PathPrefix

traefik.ingress.kubernetes.io/router.pathmatcher: Path

traefik.ingress.kubernetes.io/router.tls

See tls for more information.

traefik.ingress.kubernetes.io/router.tls: "true"

traefik.ingress.kubernetes.io/router.tls.certresolver

See certResolver for more information.

traefik.ingress.kubernetes.io/router.tls.certresolver: myresolver

traefik.ingress.kubernetes.io/router.tls.domains.n.main

See domains for more information.

traefik.ingress.kubernetes.io/router.tls.domains.0.main: example.org

traefik.ingress.kubernetes.io/router.tls.domains.n.sans

See domains for more information.

traefik.ingress.kubernetes.io/router.tls.domains.0.sans: test.example.org,dev.example.org

traefik.ingress.kubernetes.io/router.tls.options

See options for more information.

traefik.ingress.kubernetes.io/router.tls.options: foobar

On Service

traefik.ingress.kubernetes.io/service.serversscheme

Overrides the default scheme.

traefik.ingress.kubernetes.io/service.serversscheme: h2c

traefik.ingress.kubernetes.io/service.passhostheader

See pass Host header for more information.

traefik.ingress.kubernetes.io/service.passhostheader: "true"

traefik.ingress.kubernetes.io/service.sticky.cookie

See sticky sessions for more information.

traefik.ingress.kubernetes.io/service.sticky.cookie: "true"

traefik.ingress.kubernetes.io/service.sticky.cookie.name

See sticky sessions for more information.

traefik.ingress.kubernetes.io/service.sticky.cookie.name: foobar

traefik.ingress.kubernetes.io/service.sticky.cookie.secure

See sticky sessions for more information.

traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true"

traefik.ingress.kubernetes.io/service.sticky.cookie.samesite

See sticky sessions for more information.

traefik.ingress.kubernetes.io/service.sticky.cookie.samesite: "none"

traefik.ingress.kubernetes.io/service.sticky.cookie.httponly

See sticky sessions for more information.

traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"

Path Types on Kubernetes 1.18+

If the Kubernetes cluster version is 1.18+, the new pathType property can be leveraged to define the rules matchers:

  • Exact: This path type forces the rule matcher to Path
  • Prefix: This path type forces the rule matcher to PathPrefix

Please see this documentation for more information.
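As an added example (not Traefik's own code), the following Python derives the router that the provider would build for one Ingress path rule, combining the pathType rules above with the router.* annotations from the On Ingress section. The rule string follows Traefik v2 matcher syntax; SAMPLE_ANNOTATIONS is constructed, and attaching TLS settings only when router.tls is "true" is this example's convention rather than documented provider behaviour.

```python
# Added example, not Traefik's own code: derive the router settings that the Kubernetes
# Ingress provider is documented to produce from one Ingress path rule and its
# router.* annotations. SAMPLE_ANNOTATIONS is constructed for this example.
PREFIX = "traefik.ingress.kubernetes.io/router."
SAMPLE_ANNOTATIONS = {
    PREFIX + "entrypoints": "web,websecure",
    PREFIX + "middlewares": "auth@file,prefix@kubernetescrd",
    PREFIX + "priority": "42",
    PREFIX + "tls": "true",
    PREFIX + "tls.certresolver": "myresolver",
    PREFIX + "tls.domains.0.main": "example.org",
    PREFIX + "tls.domains.0.sans": "test.example.org,dev.example.org",
}


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def path_matcher(path_type, annotations):
    """pathType wins (Exact -> Path, Prefix -> PathPrefix); otherwise the
    router.pathmatcher annotation applies, defaulting to PathPrefix."""
    if path_type in ("Exact", "Prefix"):
        return "Path" if path_type == "Exact" else "PathPrefix"
    matcher = annotations.get(PREFIX + "pathmatcher", "PathPrefix")
    if matcher not in ("Path", "PathPrefix"):  # only path-related matchers
        raise ValueError(f"router.pathmatcher must be Path or PathPrefix: {matcher!r}")
    return matcher


def tls_domains(annotations):
    """Collect router.tls.domains.<n>.main and .sans, ordered by index n."""
    base, domains = PREFIX + "tls.domains.", {}
    for key, value in annotations.items():
        if key.startswith(base):
            index, field = key[len(base):].split(".", 1)
            entry = domains.setdefault(int(index), {"main": "", "sans": []})
            if field in ("main", "sans"):
                entry[field] = split_list(value) if field == "sans" else value
    return [domains[i] for i in sorted(domains)]


def router_from_ingress(annotations, host, path, path_type=None):
    """Router definition for one host/path rule of an Ingress."""
    router = {
        "rule": f"Host(`{host}`) && {path_matcher(path_type, annotations)}(`{path}`)",
        "entryPoints": split_list(annotations.get(PREFIX + "entrypoints", "")),
        "middlewares": split_list(annotations.get(PREFIX + "middlewares", "")),
        "priority": int(annotations.get(PREFIX + "priority", "0")),  # 0: unset
    }
    if annotations.get(PREFIX + "tls") == "true":  # this example's convention
        router["tls"] = {"certResolver": annotations.get(PREFIX + "tls.certresolver"),
                         "domains": tls_domains(annotations)}
    return router
```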

Multiple Matches

In the case of multiple matches, Traefik will not ensure the priority of a Path matcher over a PathPrefix matcher, as stated in this documentation.

TLS

Communication Between Traefik and Pods

Traefik automatically requests endpoint information based on the service provided in the ingress spec. Although Traefik will connect directly to the endpoints (pods), it still checks the service port to see if TLS communication is required.

There are 3 ways to configure Traefik to use https to communicate with pods:

  1. If the service port defined in the ingress spec is 443 (note that you can still use targetPort to use a different port on your pod).
  2. If the service port defined in the ingress spec has a name that starts with https (such as https-api, https-web or just https).
  3. If the ingress spec includes the annotation traefik.ingress.kubernetes.io/service.serversscheme: https.

If any of those configuration options is present, the backend communication protocol is assumed to be TLS, and Traefik connects to the pods via TLS automatically.
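The three rules above, as an added example that is not part of Traefik's code: given the Ingress backend's servicePort, the Service's port entries and the annotations carrying service.serversscheme, it returns the scheme Traefik would use toward the pods. SAMPLE_SERVICE_PORTS is a constructed Service .spec.ports list.

```python
# Added example, not Traefik's own code: apply the three documented rules for
# deciding whether Traefik speaks TLS to the pods behind an Ingress backend.
# SAMPLE_SERVICE_PORTS is a constructed Service .spec.ports list.
SCHEME_ANNOTATION = "traefik.ingress.kubernetes.io/service.serversscheme"
SAMPLE_SERVICE_PORTS = [
    {"name": "http", "port": 80, "targetPort": 8080},
    {"name": "https-api", "port": 8443, "targetPort": 8443},
    {"name": "tls", "port": 443, "targetPort": 9443},
]


def backend_scheme(service_port, ports, annotations):
    """service_port is the Ingress backend servicePort (number or name);
    ports are the Service's port entries. Returns the scheme Traefik would use."""
    # Rule 3: an explicit serversscheme annotation wins (https, h2c, ...).
    if annotations.get(SCHEME_ANNOTATION):
        return annotations[SCHEME_ANNOTATION]
    for port in ports:
        if service_port not in (port.get("port"), port.get("name")):
            continue
        # Rule 1: service port 443, whatever targetPort points at on the pod.
        if port.get("port") == 443:
            return "https"
        # Rule 2: a port name starting with "https" (https-api, https-web, https).
        if str(port.get("name", "")).startswith("https"):
            return "https"
        return "http"
    raise LookupError(f"Service has no port matching {service_port!r}")


def uses_tls(service_port, ports, annotations):
    """True when Traefik would connect to the pods over TLS."""
    return backend_scheme(service_port, ports, annotations) == "https"
```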

Info

Please note that by enabling TLS communication between Traefik and your pods, you must have trusted certificates with the proper trust chain and IP subject name. If this is not an option, you may need to skip TLS certificate verification. See the insecureSkipVerify setting for more details.

Certificates Management

Using a secret

Ingress

kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: foo
  namespace: production
spec:
  rules:
    - host: example.net
      http:
        paths:
          - path: /bar
            backend:
              serviceName: service1
              servicePort: 80
  tls:
    - secretName: supersecret

Secret

apiVersion: v1
kind: Secret
metadata:
  name: supersecret
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

TLS certificates can be managed in Secrets objects.

Info

Only TLS certificates provided by users can be stored in Kubernetes Secrets. Let’s Encrypt certificates cannot be managed in Kubernetes Secrets yet.

Global Default Backend Ingresses

Ingresses can be created that look like the following:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cheese
spec:
  backend:
    serviceName: stilton
    servicePort: 80

This ingress follows the Global Default Backend property of ingresses. This will allow users to create a “default router” that will match all unmatched requests.

Info

Due to Traefik's use of priorities, you may have to set this ingress's priority lower than that of the other ingresses in your environment, to prevent this global ingress from satisfying requests that would otherwise match other ingresses.

To do this, use the traefik.ingress.kubernetes.io/router.priority annotation (as seen in Annotations on Ingress) on your ingresses accordingly.