Traefik Kubernetes Knative Provider Documentation
Since v3.6
The Traefik Hub API Gateway Kubernetes Knative provider enables native integration with Knative Serving, allowing Traefik to act as the networking layer for serverless workloads. This provider manages access to Knative services by supporting the Knative Serving specification.
The Knative provider is currently an experimental feature in Traefik Hub API Gateway. To use it, you must explicitly enable it in the experimental section of your configuration.
Overview
Traefik Hub API Gateway is the only proxy that can seamlessly operate at the edge of:
- Cloud Native workloads (containers)
- Traditional workloads (Virtual Machines)
- Serverless workloads (Knative)
By integrating Knative with Traefik, you gain a unified infrastructure for service discovery, scaling events, and traffic routing across all your workload types. This eliminates the need to maintain multiple specialized proxies for different deployment patterns.
Prerequisites
Before enabling the Knative provider, you must install Knative Serving and configure it to use Traefik as the ingress controller.
1. Install Knative CRDs
Install the Knative Custom Resource Definitions (version 1.19.0):
```bash
kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-crds.yaml
```
2. Install Knative Serving
Deploy the Knative Serving core components:
```bash
kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-core.yaml
```
3. Configure Knative to Use Traefik
Patch the Knative network configuration to use Traefik as the ingress class:
```bash
kubectl patch configmap/config-network \
  -n knative-serving \
  --type merge \
  -p '{"data":{"ingress.class":"traefik.ingress.networking.knative.dev"}}'
```
4. Configure Custom Domain
Configure a custom domain for your Knative services. This is required for exposing your services with meaningful URLs:
```bash
kubectl patch configmap/config-domain \
  -n knative-serving \
  --type merge \
  -p '{"data":{"example.com":""}}'
```
Replace example.com with your actual domain. This configures Knative to use your domain as the suffix for service URLs.
For example, a service named whoami in the default namespace will be accessible at whoami.default.example.com.
5. Apply Traefik RBAC Permissions
Ensure Traefik has the necessary RBAC permissions to watch Knative resources. The required permissions are included in the standard Traefik Hub Helm chart when the Knative provider is enabled.
If you're installing manually, ensure your ClusterRole includes permissions for:
- ingresses.networking.internal.knative.dev (get, list, watch)
- services.serving.knative.dev (get, list, watch)
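A minimal manifest granting only the two Knative permissions listed above, as an added example that is not part of the original documentation or the Helm chart. The ClusterRole name and the `traefik` ServiceAccount in the `traefik` namespace are assumptions; any other permissions your Traefik installation needs are outside its scope.

```yaml
# Added example: read-only access to the two Knative resources listed above.
# The names used here (traefik-knative-watch, ServiceAccount traefik in
# namespace traefik) are assumptions; adjust them to your installation.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-knative-watch
rules:
  # Knative Ingress objects (internal networking API group)
  - apiGroups: ["networking.internal.knative.dev"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # Knative Service objects (serving API group)
  - apiGroups: ["serving.knative.dev"]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-knative-watch
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-knative-watch
subjects:
  - kind: ServiceAccount
    name: traefik
    namespace: traefik
# Check the effective permission after applying:
#   kubectl auth can-i watch ingresses.networking.internal.knative.dev \
#     --as=system:serviceaccount:traefik:traefik --all-namespaces
```

The rules grant no write verbs, so the bound ServiceAccount can read these resources but cannot create or modify them.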
Configuration Example
As this provider is an experimental feature, it needs to be enabled in both the experimental and provider sections of the configuration.
Install Configuration:

```yaml
experimental:
  knative: true

providers:
  knative: {}
```

Helm Chart Values:

```yaml
# values.yaml
experimental:
  knative:
    enabled: true

providers:
  knative:
    enabled: true
```
The provider then watches for incoming Knative Service and Ingress events, derives the corresponding routing configuration, and creates the resulting routers, services, and handlers.
Configuration Options
| Field | Description | Default | Required |
|---|---|---|---|
| providers.providersThrottleDuration | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event. If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded. This option cannot be set per provider, but the throttling algorithm applies to each of them independently. | 2s | No |
| providers.knative.endpoint | Kubernetes API server endpoint URL. More information in the endpoint section. | "" | No |
| providers.knative.token | Bearer token used for the Kubernetes client configuration. | "" | No |
| providers.knative.certAuthFilePath | Path to the certificate authority file. Used for the Kubernetes client configuration. | "" | No |
| providers.knative.namespaces | Array of namespaces to watch. If empty, watches all namespaces. | [] | No |
| providers.knative.labelselector | Label selector to filter Knative Ingress objects. Must be a valid label selector query. | "" | No |
| providers.knative.throttleduration | Minimum amount of time to wait between two Kubernetes events before producing a new configuration. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik Hub API Gateway configuration. If set to 0, every event is caught. | 0s | No |
endpoint
The Kubernetes API server endpoint URL.
When deployed inside Kubernetes, Traefik Hub API Gateway automatically reads the environment variables
KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT or KUBECONFIG to construct the endpoint.
The access token is looked up in /var/run/secrets/kubernetes.io/serviceaccount/token
and the SSL CA certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.
Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik Hub API Gateway tries to connect to the Kubernetes API server with an external-cluster client. In this case, the endpoint is required.
Specifically, it may be set to the URL used by kubectl proxy to connect to a Kubernetes
cluster using the granted authentication and authorization of the associated kubeconfig.
Example
Install Configuration:

```yaml
providers:
  knative:
    endpoint: "http://localhost:8080"
    # ...
```

Helm Chart Values:

```yaml
# values.yaml
providers:
  knative:
    endpoint: "http://localhost:8080"
```
Routing Configuration
See the dedicated section in routing for detailed information about:
- Knative Service routing patterns
- Traffic splitting and tag-based routing
- Access patterns and URL structures
- TLS configuration
- Use cases and examples