我的书签
添加书签
移除书签Traefik & Kubernetes
The Kubernetes Ingress Controller, The Custom Resource Way.
In early versions, Traefik supported Kubernetes only through the Kubernetes Ingress provider, which is a Kubernetes Ingress controller in the strict sense of the term.
However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations, the Traefik engineering team developed a Custom Resource Definition (CRD) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
Configuration Requirements
All Steps for a Successful Deployment
- Add/update all the Traefik resources definitions
- Add/update the RBAC for the Traefik custom resources
- Use Helm Chart or use a custom Traefik Deployment
- Enable the kubernetesCRD provider
- Apply the needed kubernetesCRD provider configuration
- Add all necessary Traefik custom resources
Deprecated apiextensions.k8s.io/v1beta1 CRD
The apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in Kubernetes v1.16+ and will be removed in v1.22+.
For Kubernetes v1.16+, please use the Traefik apiextensions.k8s.io/v1 CRDs instead.
Initializing Resource Definition and RBAC
Traefik Resource Definition
# All resources definition must be declared---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: ingressroutes.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRoutelistKind: IngressRouteListplural: ingressroutessingular: ingressroutescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRoute is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteSpec is a specification for a IngressRouteSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: Route contains the set of routes.properties:kind:enum:- Ruletype: stringmatch:type: stringmiddlewares:items:description: MiddlewareRef is a ref to the Middleware resources.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arraypriority:type: integerservices:items:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). Thedifferentiation between the two is specified in theKind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configurationbased on cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Namereferences a TraefikService object (and to be precise,one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arrayrequired:- kind- matchtype: objecttype: arraytls:description: "TLS contains the TLS certificates configuration of theroutes. To enable Let's Encrypt, use an empty TLS struct, e.g. inYAML: \n \t tls: {} # inline format \n \t tls: \t secretName:# block format"properties:certResolver:type: stringdomains:items:description: Domain holds a domain name with SANs.properties:main:type: stringsans:items:type: stringtype: arraytype: objecttype: arrayoptions:description: Options is a reference to a TLSOption, that specifiesthe parameters of the TLS connection.properties:name:type: stringnamespace:type: stringrequired:- nametype: objectsecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: Store is a reference to a TLSStore, that specifiesthe parameters of the TLS store.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: ingressroutetcps.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRouteTCPlistKind: IngressRouteTCPListplural: ingressroutetcpssingular: ingressroutetcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteTCP is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: RouteTCP contains the set of routes.properties:match:type: stringmiddlewares:description: Middlewares contains references to MiddlewareTCPresources.items:description: ObjectReference is a generic reference to a Traefikresource.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arrayservices:items:description: ServiceTCP defines an upstream to proxy traffic.properties:name:type: stringnamespace:type: stringport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueproxyProtocol:description: ProxyProtocol holds the ProxyProtocol configuration.properties:version:type: integertype: objectterminationDelay:type: integerweight:type: integerrequired:- name- porttype: objecttype: arrayrequired:- matchtype: objecttype: arraytls:description: "TLSTCP contains the TLS certificates configuration ofthe routes. To enable Let's Encrypt, use an empty TLS struct, e.g.in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:# block format"properties:certResolver:type: stringdomains:items:description: Domain holds a domain name with SANs.properties:main:type: stringsans:items:type: stringtype: arraytype: objecttype: arrayoptions:description: Options is a reference to a TLSOption, that specifiesthe parameters of the TLS connection.properties:name:type: stringnamespace:type: stringrequired:- nametype: objectpassthrough:type: booleansecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: Store is a reference to a TLSStore, that specifiesthe parameters of the TLS store.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: ingressrouteudps.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRouteUDPlistKind: IngressRouteUDPListplural: ingressrouteudpssingular: ingressrouteudpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteUDP is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: RouteUDP contains the set of routes.properties:services:items:description: ServiceUDP defines an upstream to proxy traffic.properties:name:type: stringnamespace:type: stringport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueweight:type: integerrequired:- name- porttype: objecttype: arraytype: objecttype: arrayrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: middlewares.traefik.containo.usspec:group: traefik.containo.usnames:kind: MiddlewarelistKind: MiddlewareListplural: middlewaressingular: middlewarescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: Middleware is a specification for a Middleware resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: MiddlewareSpec holds the Middleware configuration.properties:addPrefix:description: AddPrefix holds the AddPrefix configuration.properties:prefix:type: stringtype: objectbasicAuth:description: BasicAuth holds the HTTP basic authentication configuration.properties:headerField:type: stringrealm:type: stringremoveHeader:type: booleansecret:type: stringtype: objectbuffering:description: Buffering holds the request/response buffering configuration.properties:maxRequestBodyBytes:format: int64type: integermaxResponseBodyBytes:format: int64type: integermemRequestBodyBytes:format: int64type: integermemResponseBodyBytes:format: int64type: integerretryExpression:type: stringtype: objectchain:description: Chain holds a chain of middlewares.properties:middlewares:items:description: MiddlewareRef is a ref to the Middleware resources.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arraytype: objectcircuitBreaker:description: CircuitBreaker holds the circuit breaker configuration.properties:expression:type: stringtype: objectcompress:description: Compress holds the compress configuration.properties:excludedContentTypes:items:type: stringtype: arraytype: objectcontentType:description: ContentType middleware - or rather its unique `autoDetect`option - specifies whether to let the `Content-Type` header, ifit has not been set by the backend, be automatically set to a valuederived from the contents of the response. As a proxy, the defaultbehavior should be to leave the header alone, regardless of whatthe backend did with it. However, the historic default was to alwaysauto-detect and set the header if it was nil, and it is going tobe kept that way in order to support users currently relying onit. This middleware exists to enable the correct behavior untilat least the default one can be changed in a future version.properties:autoDetect:type: booleantype: objectdigestAuth:description: DigestAuth holds the Digest HTTP authentication configuration.properties:headerField:type: stringrealm:type: stringremoveHeader:type: booleansecret:type: stringtype: objecterrors:description: ErrorPage holds the custom error page configuration.properties:query:type: stringservice:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Service object(for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration for theforward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objectstatus:items:type: stringtype: arraytype: objectforwardAuth:description: ForwardAuth holds the http forward authentication configuration.properties:address:type: stringauthRequestHeaders:items:type: stringtype: arrayauthResponseHeaders:items:type: stringtype: arrayauthResponseHeadersRegex:type: stringtls:description: ClientTLS holds TLS specific configurations as client.properties:caOptional:type: booleancaSecret:type: stringcertSecret:type: stringinsecureSkipVerify:type: booleantype: objecttrustForwardHeader:type: booleantype: objectheaders:description: Headers holds the custom header configuration.properties:accessControlAllowCredentials:description: AccessControlAllowCredentials is only valid if true.false is ignored.type: booleanaccessControlAllowHeaders:description: AccessControlAllowHeaders must be used in responseto a preflight request with Access-Control-Request-Headers set.items:type: stringtype: arrayaccessControlAllowMethods:description: AccessControlAllowMethods must be used in responseto a preflight request with Access-Control-Request-Method set.items:type: stringtype: arrayaccessControlAllowOriginList:description: AccessControlAllowOriginList is a list of allowableorigins. Can also be a wildcard origin "*".items:type: stringtype: arrayaccessControlAllowOriginListRegex:description: AccessControlAllowOriginListRegex is a list of allowableorigins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).items:type: stringtype: arrayaccessControlExposeHeaders:description: AccessControlExposeHeaders sets valid headers forthe response.items:type: stringtype: arrayaccessControlMaxAge:description: AccessControlMaxAge sets the time that a preflightrequest may be cached.format: int64type: integeraddVaryHeader:description: AddVaryHeader controls if the Vary header is automaticallyadded/updated when the AccessControlAllowOriginList is set.type: booleanallowedHosts:items:type: stringtype: arraybrowserXssFilter:type: booleancontentSecurityPolicy:type: stringcontentTypeNosniff:type: booleancustomBrowserXSSValue:type: stringcustomFrameOptionsValue:type: stringcustomRequestHeaders:additionalProperties:type: stringtype: objectcustomResponseHeaders:additionalProperties:type: stringtype: objectfeaturePolicy:description: 'Deprecated: use PermissionsPolicy instead.'type: stringforceSTSHeader:type: booleanframeDeny:type: booleanhostsProxyHeaders:items:type: stringtype: arrayisDevelopment:type: booleanpermissionsPolicy:type: stringpublicKey:type: stringreferrerPolicy:type: stringsslForceHost:description: 'Deprecated: use RedirectRegex instead.'type: booleansslHost:description: 'Deprecated: use RedirectRegex instead.'type: stringsslProxyHeaders:additionalProperties:type: stringtype: objectsslRedirect:description: 'Deprecated: use EntryPoint redirection or RedirectSchemeinstead.'type: booleansslTemporaryRedirect:description: 'Deprecated: use EntryPoint redirection or RedirectSchemeinstead.'type: booleanstsIncludeSubdomains:type: booleanstsPreload:type: booleanstsSeconds:format: int64type: integertype: objectinFlightReq:description: InFlightReq limits the number of requests being processedand served concurrently.properties:amount:format: int64type: integersourceCriterion:description: SourceCriterion defines what criterion is used togroup requests as originating from a common source. If noneare set, the default is to use the request's remote addressfield. All fields are mutually exclusive.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectrequestHeaderName:type: stringrequestHost:type: booleantype: objecttype: objectipWhiteList:description: IPWhiteList holds the ip white list configuration.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectsourceRange:items:type: stringtype: arraytype: objectpassTLSClientCert:description: PassTLSClientCert holds the TLS client cert headers configuration.properties:info:description: TLSClientCertificateInfo holds the client TLS certificateinfo configuration.properties:issuer:description: TLSCLientCertificateDNInfo holds the client TLScertificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739properties:commonName:type: booleancountry:type: booleandomainComponent:type: booleanlocality:type: booleanorganization:type: booleanprovince:type: booleanserialNumber:type: booleantype: objectnotAfter:type: booleannotBefore:type: booleansans:type: booleanserialNumber:type: booleansubject:description: TLSCLientCertificateDNInfo holds the client TLScertificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739properties:commonName:type: booleancountry:type: booleandomainComponent:type: booleanlocality:type: booleanorganization:type: booleanprovince:type: booleanserialNumber:type: booleantype: objecttype: objectpem:type: booleantype: objectplugin:additionalProperties:x-kubernetes-preserve-unknown-fields: truetype: objectrateLimit:description: RateLimit holds the rate limiting configuration for agiven router.properties:average:format: int64type: integerburst:format: int64type: integerperiod:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: truesourceCriterion:description: SourceCriterion defines what criterion is used togroup requests as originating from a common source. If noneare set, the default is to use the request's remote addressfield. All fields are mutually exclusive.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectrequestHeaderName:type: stringrequestHost:type: booleantype: objecttype: objectredirectRegex:description: RedirectRegex holds the redirection configuration.properties:permanent:type: booleanregex:type: stringreplacement:type: stringtype: objectredirectScheme:description: RedirectScheme holds the scheme redirection configuration.properties:permanent:type: booleanport:type: stringscheme:type: stringtype: objectreplacePath:description: ReplacePath holds the ReplacePath configuration.properties:path:type: stringtype: objectreplacePathRegex:description: ReplacePathRegex holds the ReplacePathRegex configuration.properties:regex:type: stringreplacement:type: stringtype: objectretry:description: Retry holds the retry configuration.properties:attempts:type: integerinitialInterval:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: truetype: objectstripPrefix:description: StripPrefix holds the StripPrefix configuration.properties:forceSlash:type: booleanprefixes:items:type: stringtype: arraytype: objectstripPrefixRegex:description: StripPrefixRegex holds the StripPrefixRegex configuration.properties:regex:items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: middlewaretcps.traefik.containo.usspec:group: traefik.containo.usnames:kind: MiddlewareTCPlistKind: MiddlewareTCPListplural: middlewaretcpssingular: middlewaretcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: MiddlewareTCP is a specification for a MiddlewareTCP resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.properties:ipWhiteList:description: TCPIPWhiteList holds the TCP ip white list configuration.properties:sourceRange:items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: serverstransports.traefik.containo.usspec:group: traefik.containo.usnames:kind: ServersTransportlistKind: ServersTransportListplural: serverstransportssingular: serverstransportscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: ServersTransport is a specification for a ServersTransport resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: ServersTransportSpec options to configure communication betweenTraefik and the servers.properties:certificatesSecrets:description: Certificates for mTLS.items:type: stringtype: arraydisableHTTP2:description: Disable HTTP/2 for connections with backend servers.type: booleanforwardingTimeouts:description: Timeouts for requests forwarded to the backend servers.properties:dialTimeout:anyOf:- type: integer- type: stringdescription: The amount of time to wait until a connection toa backend server can be established. If zero, no timeout exists.x-kubernetes-int-or-string: trueidleConnTimeout:anyOf:- type: integer- type: stringdescription: The maximum period for which an idle HTTP keep-aliveconnection will remain open before closing itself.x-kubernetes-int-or-string: trueresponseHeaderTimeout:anyOf:- type: integer- type: stringdescription: The amount of time to wait for a server's responseheaders after fully writing the request (including its body,if any). If zero, no timeout exists.x-kubernetes-int-or-string: truetype: objectinsecureSkipVerify:description: Disable SSL certificate verification.type: booleanmaxIdleConnsPerHost:description: If non-zero, controls the maximum idle (keep-alive) tokeep per-host. If zero, DefaultMaxIdleConnsPerHost is used.type: integerpeerCertURI:description: URI used to match against SAN URI during the peer certificateverification.type: stringrootCAsSecrets:description: Add cert file for self-signed certificate.items:type: stringtype: arrayserverName:description: ServerName used to contact the server.type: stringtype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: tlsoptions.traefik.containo.usspec:group: traefik.containo.usnames:kind: TLSOptionlistKind: TLSOptionListplural: tlsoptionssingular: tlsoptionscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TLSOption is a specification for a TLSOption resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: TLSOptionSpec configures TLS for an entry point.properties:alpnProtocols:items:type: stringtype: arraycipherSuites:items:type: stringtype: arrayclientAuth:description: ClientAuth defines the parameters of the client authenticationpart of the TLS connection, if any.properties:clientAuthType:description: ClientAuthType defines the client authenticationtype to apply.enum:- NoClientCert- RequestClientCert- VerifyClientCertIfGiven- RequireAndVerifyClientCerttype: stringsecretNames:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.items:type: stringtype: arraytype: objectcurvePreferences:items:type: stringtype: arraymaxVersion:type: stringminVersion:type: stringpreferServerCipherSuites:type: booleansniStrict:type: booleantype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: tlsstores.traefik.containo.usspec:group: traefik.containo.usnames:kind: TLSStorelistKind: TLSStoreListplural: tlsstoressingular: tlsstorescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TLSStore is a specification for a TLSStore resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: TLSStoreSpec configures a TLSStore resource.properties:defaultCertificate:description: DefaultCertificate holds a secret name for the TLSOptionresource.properties:secretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringrequired:- secretNametype: objectrequired:- defaultCertificatetype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: traefikservices.traefik.containo.usspec:group: traefik.containo.usnames:kind: TraefikServicelistKind: TraefikServiceListplural: traefikservicessingular: traefikservicescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TraefikService is the specification for a service (that an IngressRouterefers to) that is usually not a terminal service (i.e. not a pod of servers),as opposed to a Kubernetes Service. That is to say, it usually refers toother (children) services, which themselves can be TraefikServices or Services.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: ServiceSpec defines whether a TraefikService is a load-balancerof services or a mirroring service.properties:mirroring:description: Mirroring defines a mirroring service, which is composedof a main load-balancer, and a list of mirrors.properties:kind:enum:- Service- TraefikServicetype: stringmaxBodySize:format: int64type: integermirrors:items:description: MirrorService defines one of the mirrors of a Mirroringservice.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanpercent:type: integerport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objecttype: arrayname:description: Name is a reference to a Kubernetes Service object(for a load-balancer of servers), or to a TraefikService object(service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration for the forwardof the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration based oncookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objectweighted:description: WeightedRoundRobin defines a load-balancer of services.properties:services:items:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objecttype: arraysticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration based oncookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objecttype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []
RBAC for Traefik CRD
kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerrules:- apiGroups:- ""resources:- services- endpoints- secretsverbs:- get- list- watch- apiGroups:- extensions- networking.k8s.ioresources:- ingresses- ingressclassesverbs:- get- list- watch- apiGroups:- extensionsresources:- ingresses/statusverbs:- update- apiGroups:- traefik.containo.usresources:- middlewares- middlewaretcps- ingressroutes- traefikservices- ingressroutetcps- ingressrouteudps- tlsoptions- tlsstores- serverstransportsverbs:- get- list- watch---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: traefik-ingress-controllersubjects:- kind: ServiceAccountname: traefik-ingress-controllernamespace: default
Resource Configuration
When using KubernetesCRD as a provider, Traefik uses Custom Resource Definition to retrieve its routing configuration. Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
- The usage of
nameandnamespaceto refer to another Kubernetes resource. - The usage of secret for sensitive data (TLS certificates and credentials).
- The structure of the configuration.
- The requirement to declare all the definitions.
The Traefik CRDs are building blocks that you can assemble according to your needs. See the list of CRDs in the dedicated routing section.
LetsEncrypt Support with the Custom Resource Definition Provider
By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration. For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
When using a single instance of Traefik with Let’s Encrypt, you should encounter no issues. However, this could be a single point of failure. Unfortunately, it is not possible to run multiple instances of Traefik Proxy 2.0 with Let’s Encrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and subsequent responses. Previous versions of Traefik used a KV store to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.
If you need Let’s Encrypt with HA in a Kubernetes environment, we recommend using Traefik Enterprise, which includes distributed Let’s Encrypt as a supported feature.
If you want to keep using Traefik Proxy, high availability for Let’s Encrypt can be achieved by using a Certificate Controller such as Cert-Manager. When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your ingress objects. When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs. A workaround is to enable the Kubernetes Ingress provider to allow Cert-Manager to create ingress objects to complete the challenges. Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once the certificates are created, Cert-Manager keeps them renewed.
Provider Configuration
endpoint
Optional, Default=””
The Kubernetes server endpoint URL.
When deployed into Kubernetes, Traefik reads the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT or KUBECONFIG to construct the endpoint.
The access token is looked up in /var/run/secrets/kubernetes.io/serviceaccount/token and the SSL CA certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client. In this case, the endpoint is required. Specifically, it may be set to the URL used by kubectl proxy to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
File (YAML)
providers:kubernetesCRD:endpoint: "http://localhost:8080"# ...
File (TOML)
[providers.kubernetesCRD]endpoint = "http://localhost:8080"# ...
CLI
--providers.kubernetescrd.endpoint=http://localhost:8080
token
Optional, Default=””
Bearer token used for the Kubernetes client configuration.
File (YAML)
providers:kubernetesCRD:token: "mytoken"# ...
File (TOML)
[providers.kubernetesCRD]token = "mytoken"# ...
CLI
--providers.kubernetescrd.token=mytoken
certAuthFilePath
Optional, Default=””
Path to the certificate authority file. Used for the Kubernetes client configuration.
File (YAML)
providers:kubernetesCRD:certAuthFilePath: "/my/ca.crt"# ...
File (TOML)
[providers.kubernetesCRD]certAuthFilePath = "/my/ca.crt"# ...
CLI
--providers.kubernetescrd.certauthfilepath=/my/ca.crt
namespaces
Optional, Default: []
Array of namespaces to watch. If left empty, watches all namespaces if the value of namespaces.
File (YAML)
providers:kubernetesCRD:namespaces:- "default"- "production"# ...
File (TOML)
[providers.kubernetesCRD]namespaces = ["default", "production"]# ...
CLI
--providers.kubernetescrd.namespaces=default,production
labelselector
Optional, Default: “”
A label selector can be defined to filter on specific resource objects only, this applies only to Traefik Custom Resources and has no effect on Kubernetes Secrets, Endpoints and Services. If left empty, Traefik processes all resource objects in the configured namespaces.
See label-selectors for details.
Warning
Because the label selector is applied to all Traefik Custom Resources, they all must match the filter.
File (YAML)
providers:kubernetesCRD:labelselector: "app=traefik"# ...
File (TOML)
[providers.kubernetesCRD]labelselector = "app=traefik"# ...
CLI
--providers.kubernetescrd.labelselector="app=traefik"
ingressClass
Optional, Default: “”
Value of kubernetes.io/ingress.class annotation that identifies resource objects to be processed.
If the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed.
File (YAML)
providers:kubernetesCRD:ingressClass: "traefik-internal"# ...
File (TOML)
[providers.kubernetesCRD]ingressClass = "traefik-internal"# ...
CLI
--providers.kubernetescrd.ingressclass=traefik-internal
throttleDuration
Optional, Default: 0
The throttleDuration option defines how often the provider is allowed to handle events from Kubernetes. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
The value of throttleDuration should be provided in seconds or as a valid duration format, see time.ParseDuration.
File (YAML)
providers:kubernetesCRD:throttleDuration: "10s"# ...
File (TOML)
[providers.kubernetesCRD]throttleDuration = "10s"# ...
CLI
--providers.kubernetescrd.throttleDuration=10s
allowCrossNamespace
Optional, Default: false
If the parameter is set to true, IngressRoutes are able to reference resources in other namespaces than theirs.
File (YAML)
providers:kubernetesCRD:allowCrossNamespace: true# ...
File (TOML)
[providers.kubernetesCRD]allowCrossNamespace = true# ...
CLI
--providers.kubernetescrd.allowCrossNamespace=true
allowExternalNameServices
Optional, Default: false
If the parameter is set to true, IngressRoutes are able to reference ExternalName services.
File (YAML)
providers:kubernetesCRD:allowExternalNameServices: true# ...
File (TOML)
[providers.kubernetesCRD]allowExternalNameServices = true# ...
CLI
--providers.kubernetescrd.allowexternalnameservices=true
Full Example
For additional information, refer to the full example with Let’s Encrypt.
