Uplink EntryPoints
Uplink Entry Points are specialized entry points used for inter-cluster communication in multi-cluster deployments. They are configured on child clusters and serve two purposes:
- Expose advertised workloads: Parent clusters poll child clusters to discover advertised workloads
- Receive forwarded traffic: Parent clusters forward traffic to child clusters through these entry points
Overview
Uplink Entry Points are separate from regular entry points to ensure proper isolation:
- Regular entry points handle direct client traffic
- Uplink entry points handle inter-cluster traffic from parent clusters
This separation prevents routers without explicit entry points from accidentally receiving inter-cluster traffic.
Configuration Example
Configure uplink entry points on child clusters in the Hub static configuration:
- Helm Chart
- Install Configuration
ports:
multicluster:
port: 9443
uplink: true
asDefault: true
expose:
default: true
http:
tls:
enabled: true
hub:
uplinkEntryPoints:
multicluster:
address: ":9443"
asDefault: true
http:
tls: {}
Configuration Options
Uplink entry points support the same configuration options as regular entry points. The key options are:
| Field | Description | Default | Required |
|---|---|---|---|
hub.uplinkEntryPoints.<name>.address | The address to listen on, in the format [host]:port. | - | Yes |
hub.uplinkEntryPoints.<name>.asDefault | Mark this uplink entry point as default. Uplinks without explicit entryPoints use default uplink entry points. | false | No |
hub.uplinkEntryPoints.<name>.http.tls | Enable TLS on this entry point. Recommended for production. | - | No |
hub.uplinkEntryPoints.<name>.http.tls.options | Reference a TLSOption for advanced TLS settings. | - | No |
hub.uplinkEntryPoints.<name>.http.tls.certResolver | Use a certificate resolver (e.g., Let's Encrypt) for automatic certificates. | - | No |
hub.uplinkEntryPoints.<name>.proxyProtocol.trustedIPs | Trust PROXY protocol headers from these IPs. Useful when behind a load balancer. | - | No |
hub.uplinkEntryPoints.<name>.transport.respondingTimeouts.readTimeout | Maximum duration for reading the entire request. | 60s | No |
hub.uplinkEntryPoints.<name>.transport.respondingTimeouts.writeTimeout | Maximum duration for writing the response. | 0s | No |
For a complete list of options, see the EntryPoints reference.
Default Behavior
The asDefault option controls which uplink entry points are used when an Uplink resource doesn't specify explicit entry points:
- If no uplink entry point has
asDefault: true: All uplink entry points will publish the route with the uplink reference - If at least one uplink entry point has
asDefault: true: Only those marked as default will publish the route with the uplink reference
This mirrors the behavior of regular entry points.
Example: Default vs Explicit Entry Points
- Uplink Entry Points Config
- Uplink without entryPoints
- Uplink with explicit entryPoints
hub:
uplinkEntryPoints:
public:
address: ":9443"
asDefault: true # Used by uplinks without explicit entryPoints
internal:
address: ":9443"
asDefault: false # Only used when explicitly referenced
# This Uplink uses the default entry point (public:9443)
apiVersion: hub.traefik.io/v1alpha1
kind: Uplink
metadata:
name: api-service
spec:
weight: 10
# No entryPoints specified - uses defaults
# This Uplink uses only the internal entry point
apiVersion: hub.traefik.io/v1alpha1
kind: Uplink
metadata:
name: internal-service
spec:
entryPoints:
- internal # Explicitly use internal:9443
weight: 5
Validation Rules
Uplink entry points have specific validation rules:
- No name conflicts: Uplink entry point names must not conflict with regular entry point names
- HTTP only: Uplink entry points handle HTTP traffic only. UDP protocol is not supported in the entry point address.
# Invalid: conflicts with regular entryPoint named "websecure"
entryPoints:
websecure:
address: ":443"
hub:
uplinkEntryPoints:
websecure: # Error: conflicts with regular entryPoint
address: ":9443"
Security Considerations
Uplink entry points share TLS and transport configuration options with regular entry points, but they differ in what they expose and how authentication works:
| Aspect | Regular EntryPoint | Uplink EntryPoint |
|---|---|---|
| Traffic | Direct client requests | Inter-cluster traffic from parent |
| Discovery API | None | Exposes GET /uplinks for parent polling |
| Authentication | Middlewares on the router (JWT, BasicAuth, etc.) | Typically handled on the parent cluster — child routes on this port are accessible without parent-side auth |
| TLS | Standard TLS | mTLS recommended — the child verifies the parent's client certificate |
| Network access | Public-facing | Should be restricted to parent cluster IPs |
Authentication middlewares configured on the parent cluster do not protect the uplink entry point. If the uplink port is publicly reachable, an attacker can discover advertised routes via the discovery API and send requests directly to child routers, bypassing the parent entirely.
To secure uplink entry points:
- Restrict network access: Use firewall rules or private networks so only the parent cluster can reach the uplink port.
- Enable mTLS: Configure mutual TLS so the child verifies the parent's client certificate (see TLS Configuration below and Securing Inter-Cluster Communication).
- Add child-side middlewares (e.g., IP allowlisting, rate limiting) for defense-in-depth.
TLS Configuration
For production deployments, always enable TLS on uplink entry points:
- Self-Signed (Development)
- Custom Certificates
- Let's Encrypt
# Child cluster
hub:
uplinkEntryPoints:
multicluster:
address: ":9443"
http:
tls: {} # Traefik generates a self-signed certificate
When tls: {} is set without explicit certificates, Traefik generates an ephemeral self-signed certificate in memory at each startup. This certificate is not written to disk and changes on every restart,
so the parent cluster cannot pin or trust it with rootCAs. Instead, the parent must skip server certificate verification:
# Parent cluster - child configuration
hub:
providers:
multicluster:
children:
cluster-1:
address: "https://child-address:9443"
serversTransport:
insecureSkipVerify: true # Required for self-signed certs
This disables server identity verification and should only be used for development. For production, use Custom Certificates or Let's Encrypt so the parent can verify the child's identity.
# Install configuration with file provider
hub:
uplinkEntryPoints:
multicluster:
address: ":9443"
http:
tls:
options: strict-tls@file
# Routing configuration with file provider
tls:
options:
strict-tls:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
certificates:
- certFile: /certs/cluster.crt
keyFile: /certs/cluster.key
# Install configuration
certificatesResolvers:
le:
acme:
email: [email protected]
storage: /data/acme.json
httpChallenge:
entryPoint: web
hub:
uplinkEntryPoints:
multicluster:
address: ":9443"
http:
tls:
certResolver: le
domains:
- main: child1.example.com
Network Considerations
When deploying multi-cluster setups:
- Firewall Rules: Restrict access to the uplink port so that only the parent cluster can reach it.
Without mTLS, any client that can reach the uplink port can forge the internal
Hub-Uplinkheader and access child routes directly. - Load Balancers: If using load balancers in front of child clusters, configure them to forward to the uplink entry point port. Consider using internal load balancers that are not publicly accessible.
- Service Exposure: In Kubernetes, expose uplink entry points via a Service (LoadBalancer or NodePort). When using the Helm chart with
expose.default: true, the uplink port is automatically added to the existing Traefik LoadBalancer service — no separate service is needed.
The uplink entry point does not validate the Hub-Uplink header used for internal routing. If the uplink port is publicly reachable without mTLS,
a malicious client can craft requests with this header to access any route advertised through the uplink. Always use mTLS (see Security Considerations)
or strict firewall rules (allow only parent cluster IPs) to protect the uplink port in production.
Kubernetes Service Example (non-Helm)
If you are not using the Helm chart, create a Kubernetes Service to expose the uplink entry point. You can add the uplink port to your existing Traefik service:
apiVersion: v1
kind: Service
metadata:
name: traefik
namespace: traefik
spec:
type: LoadBalancer
selector:
app.kubernetes.io/name: traefik
ports:
- name: web
port: 80
targetPort: 8000
protocol: TCP
- name: websecure
port: 443
targetPort: 8443
protocol: TCP
- name: multicluster
port: 9443
targetPort: 9443
protocol: TCP
Related Content
- Multi-Cluster Provider: Configure the parent cluster to connect to children
- Uplink Resource: Advertise workloads from child clusters
- EntryPoints Reference: Full entry point configuration options
- TLS Options: Advanced TLS configuration
