我的书签
添加书签
移除书签Traefik & Kubernetes
The Kubernetes Gateway API, The Experimental Way. {: .subtitle }
Configuration Examples
Configuring Kubernetes Gateway provider and Deploying/Exposing Services
Gateway API
---apiVersion: gateway.networking.k8s.io/v1alpha2kind: GatewayClassmetadata:name: my-gateway-classspec:controllerName: traefik.io/gateway-controller---apiVersion: gateway.networking.k8s.io/v1alpha2kind: Gatewaymetadata:name: my-gatewayspec:gatewayClassName: my-gateway-classlisteners:- name: httpsprotocol: HTTPSport: 443tls:certificateRefs:- kind: Secretname: mysecret---apiVersion: gateway.networking.k8s.io/v1alpha2kind: HTTPRoutemetadata:name: http-appnamespace: defaultspec:parentRefs:- name: my-gatewayhostnames:- whoamirules:- matches:- path:type: Exactvalue: /foobackendRefs:- name: whoamiport: 80weight: 1
Whoami Service
---apiVersion: apps/v1kind: Deploymentmetadata:name: whoamispec:replicas: 2selector:matchLabels:app: whoamitemplate:metadata:labels:app: whoamispec:containers:- name: whoamiimage: traefik/whoami---apiVersion: v1kind: Servicemetadata:name: whoamispec:selector:app: whoamiports:- protocol: TCPport: 80
Traefik Service
---apiVersion: v1kind: ServiceAccountmetadata:name: traefik-controller---apiVersion: apps/v1kind: Deploymentmetadata:name: traefikspec:replicas: 1selector:matchLabels:app: traefik-lbtemplate:metadata:labels:app: traefik-lbspec:serviceAccountName: traefik-controllercontainers:- name: traefikimage: traefik:v2.6args:- --entrypoints.web.address=:80- --entrypoints.websecure.address=:443- --experimental.kubernetesgateway- --providers.kubernetesgatewayports:- name: webcontainerPort: 80- name: websecurecontainerPort: 443---apiVersion: v1kind: Servicemetadata:name: traefikspec:type: LoadBalancerselector:app: traefik-lbports:- protocol: TCPport: 80targetPort: webname: web- protocol: TCPport: 443targetPort: websecurename: websecure
RBAC
---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: gateway-rolerules:- apiGroups:- ""resources:- namespacesverbs:- list- watch- apiGroups:- ""resources:- services- endpoints- secretsverbs:- get- list- watch- apiGroups:- gateway.networking.k8s.ioresources:- gatewayclasses- gateways- httproutes- tcproutes- tlsroutesverbs:- get- list- watch- apiGroups:- gateway.networking.k8s.ioresources:- gatewayclasses/status- gateways/status- httproutes/status- tcproutes/status- tlsroutes/statusverbs:- update---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: gateway-controllerroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: gateway-rolesubjects:- kind: ServiceAccountname: traefik-controllernamespace: default
Routing Configuration
Custom Resource Definition (CRD)
- You can find an exhaustive list, of the custom resources and their attributes in the reference page or in the Kubernetes Sigs
Gateway APIrepository. - Validate that the prerequisites are fulfilled before using the Traefik Kubernetes Gateway Provider.
You can find an excerpt of the supported Kubernetes Gateway API resources in the table below:
| Kind | Purpose | Concept Behind |
|---|---|---|
| GatewayClass | Defines a set of Gateways that share a common configuration and behaviour | GatewayClass |
| Gateway | Describes how traffic can be translated to Services within the cluster | Gateway |
| HTTPRoute | HTTP rules for mapping requests from a Gateway to Kubernetes Services | Route |
| TCPRoute | Allows mapping TCP requests from a Gateway to Kubernetes Services | Route |
| TLSRoute | Allows mapping TLS requests from a Gateway to Kubernetes Services | Route |
Kind: GatewayClass
GatewayClass is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of Gateways that can be instantiated. More details on the GatewayClass official documentation.
The GatewayClass should be declared by the infrastructure provider, otherwise please register the GatewayClass definition in the Kubernetes cluster before creating GatewayClass objects.
Declaring GatewayClass
apiVersion: gateway.networking.k8s.io/v1alpha2kind: GatewayClassmetadata:name: my-gateway-classspec:# Controller is a domain/path string that indicates# the controller that is managing Gateways of this class.controllerName: traefik.io/gateway-controller
Kind: Gateway
A Gateway is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, some load balancing infrastructure is provisioned or configured by the GatewayClass controller. More details on the Gateway official documentation.
Register the Gateway definition in the Kubernetes cluster before creating Gateway objects.
Depending on the Listener Protocol, different modes and Route types are supported.
| Listener Protocol | TLS Mode | Route Type Supported |
|---|---|---|
| TCP | Not applicable | TCPRoute |
| TLS | Passthrough | TLSRoute, TCPRoute |
| TLS | Terminate | TLSRoute, TCPRoute |
| HTTP | Not applicable | HTTPRoute |
| HTTPS | Terminate | HTTPRoute |
Declaring Gateway
HTTP Listener
apiVersion: gateway.networking.k8s.io/v1alpha2kind: Gatewaymetadata:name: my-http-gatewaynamespace: defaultspec:gatewayClassName: my-gateway-class # [1]listeners: # [2]- name: http # [3]protocol: HTTP # [4]port: 80 # [5]allowedRoutes: # [9]kinds:- kind: HTTPRoute # [10]namespaces:from: Selector # [11]selector: # [12]matchLabels:app: foo
HTTPS Listener
apiVersion: gateway.networking.k8s.io/v1alpha2kind: Gatewaymetadata:name: my-https-gatewaynamespace: defaultspec:gatewayClassName: my-gateway-class # [1]listeners: # [2]- name: https # [3]protocol: HTTPS # [4]port: 443 # [5]tls: # [7]certificateRefs: # [8]- kind: "Secret"name: "mysecret"allowedRoutes: # [9]kinds:- kind: HTTPSRoute # [10]namespaces:from: Selector # [11]selector: # [12]matchLabels:app: foo
TCP Listener
apiVersion: gateway.networking.k8s.io/v1alpha2kind: Gatewaymetadata:name: my-tcp-gatewaynamespace: defaultspec:gatewayClassName: my-gateway-class # [1]listeners: # [2]- name: tcp # [3]protocol: TCP # [4]port: 8000 # [5]allowedRoutes: # [9]kinds:- kind: TCPRoute # [10]namespaces:from: Selector # [11]selector: # [12]matchLabels:app: footcp
TLS Listener
apiVersion: gateway.networking.k8s.io/v1alpha2kind: Gatewaymetadata:name: my-tls-gatewaynamespace: defaultspec:gatewayClassName: my-gateway-class # [1]listeners: # [2]- name: tls # [3]protocol: TLS # [4]port: 443 # [5]hostname: foo.com # [6]tls: # [7]certificateRefs: # [8]- kind: "Secret"name: "mysecret"allowedRoutes: # [9]kinds:- kind: TLSRoute # [10]namespaces:from: Selector # [11]selector: # [12]matchLabels:app: footcp
| Ref | Attribute | Description |
|---|---|---|
| [1] | gatewayClassName | GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. |
| [2] | listeners | Logical endpoints that are bound on this Gateway’s addresses. At least one Listener MUST be specified. |
| [3] | name | Name of the Listener. |
| [4] | protocol | The network protocol this listener expects to receive (only HTTP and HTTPS are implemented). |
| [5] | port | The network port. |
| [6] | hostname | Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, “”, or *, all hostnames are matched. |
| [7] | tls | TLS configuration for the Listener. This field is required if the Protocol field is “HTTPS” or “TLS” and ignored otherwise. |
| [8] | certificateRefs | The references to Kubernetes objects that contains TLS certificates and private keys (only one reference to a Kubernetes Secret is supported). |
| [9] | allowedRoutes | Defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. |
| [10] | kind | The kind of the Route. |
| [11] | from | From indicates in which namespaces the Routes will be selected for this Gateway. Possible values are All, Same and Selector (Defaults to Same). |
| [12] | selector | Selector must be specified when From is set to Selector. In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. |
Kind: HTTPRoute
HTTPRoute defines HTTP rules for mapping requests from a Gateway to Kubernetes Services.
Register the HTTPRoute definition in the Kubernetes cluster before creating HTTPRoute objects.
Declaring HTTPRoute
apiVersion: gateway.networking.k8s.io/v1alpha2kind: HTTPRoutemetadata:name: http-appnamespace: defaultspec:parentRefs: # [1]- name: my-tcp-gateway # [2]namespace: default # [3]sectionName: tcp # [4]hostnames: # [5]- whoamirules: # [6]- matches: # [7]- path: # [8]type: Exact # [9]value: /bar # [10]- headers: # [11]name: foo # [12]value: bar # [13]- backendRefs: # [14]- name: whoamitcp # [15]weight: 1 # [16]port: 8080 # [17]- name: api@internalgroup: traefik.containo.us # [18]kind: TraefikService # [19]
| Ref | Attribute | Description |
|---|---|---|
| [1] | parentRefs | References the resources (usually Gateways) that a Route wants to be attached to. |
| [2] | name | Name of the referent. |
| [3] | namespace | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. |
| [4] | sectionName | Name of a section within the target resource (the Listener name). |
| [5] | hostnames | A set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. |
| [6] | rules | A list of HTTP matchers, filters and actions. |
| [7] | matches | Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied. |
| [8] | path | An HTTP request path matcher. If this field is not specified, a default prefix match on the “/“ path is provided. |
| [9] | type | Type of match against the path Value (supported types: Exact, Prefix). |
| [10] | value | The value of the HTTP path to match against. |
| [11] | headers | Conditions to select a HTTP route by matching HTTP request headers. |
| [12] | type | Type of match for the HTTP request header match against the values (supported types: Exact). |
| [13] | value | A map of HTTP Headers to be matched. It MUST contain at least one entry. |
| [14] | backendRefs | Defines the backend(s) where matching requests should be sent. |
| [15] | name | The name of the referent service. |
| [16] | weight | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
| [17] | port | The port of the referent service. |
| [18] | group | Group is the group of the referent. Only traefik.containo.us and gateway.networking.k8s.io values are supported. |
| [19] | kind | Kind is kind of the referent. Only TraefikService and Service values are supported. |
Kind: TCPRoute
TCPRoute allows mapping TCP requests from a Gateway to Kubernetes Services.
Register the TCPRoute definition in the Kubernetes cluster before creating TCPRoute objects.
Declaring TCPRoute
apiVersion: gateway.networking.k8s.io/v1alpha2kind: TCPRoutemetadata:name: tcp-appnamespace: defaultspec:parentRefs: # [1]- name: my-tcp-gateway # [2]namespace: default # [3]sectionName: tcp # [4]rules: # [5]- backendRefs: # [6]- name: whoamitcp # [7]weight: 1 # [8]port: 8080 # [9]- name: api@internalgroup: traefik.containo.us # [10]kind: TraefikService # [11]
| Ref | Attribute | Description |
|---|---|---|
| [1] | parentRefs | References the resources (usually Gateways) that a Route wants to be attached to. |
| [2] | name | Name of the referent. |
| [3] | namespace | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. |
| [4] | sectionName | Name of a section within the target resource (the Listener name). |
| [5] | rules | Rules are a list of TCP matchers and actions. |
| [6] | backendRefs | Defines the backend(s) where matching requests should be sent. |
| [7] | name | The name of the referent service. |
| [8] | weight | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
| [9] | port | The port of the referent service. |
| [10] | group | Group is the group of the referent. Only traefik.containo.us and gateway.networking.k8s.io values are supported. |
| [11] | kind | Kind is kind of the referent. Only TraefikService and Service values are supported. |
Kind: TLSRoute
TLSRoute allows mapping TLS requests from a Gateway to Kubernetes Services.
Register the TLSRoute definition in the Kubernetes cluster before creating TLSRoute objects.
Declaring TLSRoute
apiVersion: gateway.networking.k8s.io/v1alpha2kind: TLSRoutemetadata:name: tls-appnamespace: defaultspec:parentRefs: # [1]- name: my-tls-gateway # [2]namespace: default # [3]sectionName: tcp # [4]hostnames: # [5]- whoamirules: # [6]- backendRefs: # [7]- name: whoamitcp # [8]weight: 1 # [9]port: 8080 # [10]- name: api@internalgroup: traefik.containo.us # [11]kind: TraefikService # [12]
| Ref | Attribute | Description |
|---|---|---|
| [1] | parentRefs | References the resources (usually Gateways) that a Route wants to be attached to. |
| [2] | name | Name of the referent. |
| [3] | namespace | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. |
| [4] | sectionName | Name of a section within the target resource (the Listener name). |
| [5] | hostnames | Defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. |
| [6] | rules | Rules are a list of TCP matchers and actions. |
| [7] | backendRefs | Defines the backend(s) where matching requests should be sent. |
| [8] | name | The name of the referent service. |
| [9] | weight | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
| [10] | port | The port of the referent service. |
| [11] | group | Group is the group of the referent. Only traefik.containo.us and gateway.networking.k8s.io values are supported. |
| [12] | kind | Kind is kind of the referent. Only TraefikService and Service values are supported. |
