Skip to main content

Traefik Service in Kubernetes

A TraefikService is a Traefik Hub API Gateway Custom Resource that can be put on top of the Kubernetes Services. It brings advanced load-balancing feature such as a Weighted Round Robin load balancing or a Mirroring between your Kubernetes Services.


Weighted Round Robin

The WRR is able to load balance the requests between multiple services based on weights. The WRR TraefikService allows you to load balance the traffic between Kubernetes Services and other instances of TraefikService (another WRR service -, or a mirroring service).

Configuration Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test-name
namespace: apps
spec:
entryPoints:
- websecure
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
# Set a WRR TraefikService
- name: wrr1
namespace: apps
kind: TraefikService
tls:
# Add a TLS certificate from a Kubernetes Secret
secretName: supersecret

Configuration Options

FieldDescriptionDefaultRequired
servicesList of any combination of TraefikService and Kubernetes service.
More information here.
No
services[m].
kind
Kind of the service targeted.
Two values allowed:
- Service: Kubernetes Service
TraefikService: Traefik Service.
More information here
""No
services[m].
name
Service name.
The character @ is not authorized.
""Yes
services[m].
namespace
Service namespace.
More information here.
""No
services[m].
port
Service port (number or port name).
Evaluated only if the kind is Service.
""No
services[m].
responseForwarding.
flushInterval
Interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.
Evaluated only if the kind is Service.
100msNo
services[m].
scheme
Scheme to use for the request to the upstream Kubernetes Service.
Evaluated only if the kind is Service.
"http"
"https" if port is 443 or contains the string https.
No
services[m].
serversTransport
Name of ServersTransport resource to use to configure the transport between Traefik and your servers.
Evaluated only if the kind is Service.
""No
services[m].
passHostHeader
Forward client Host header to server.
Evaluated only if the kind is Service.
trueNo
services[m].
healthCheck.scheme
Server URL scheme for the health check endpoint.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
""No
services[m].
healthCheck.mode
Health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
"http"No
services[m].
healthCheck.path
Server URL path for the health check endpoint.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
""No
services[m].
healthCheck.interval
Frequency of the health check calls.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
"100ms"No
services[m].
healthCheck.method
HTTP method for the health check endpoint.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
"GET"No
services[m].
healthCheck.status
Expected HTTP status code of the response to the health check request.
Only for Kubernetes service of type ExternalName.
If not set, expect a status between 200 and 399.
Evaluated only if the kind is Service.
No
services[m].
healthCheck.port
URL port for the health check endpoint.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
No
services[m].
healthCheck.timeout
Maximum duration to wait before considering the server unhealthy.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
"5s"No
services[m].
healthCheck.hostname
Value in the Host header of the health check request.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
""No
services[m].
healthCheck.
followRedirect
Follow the redirections during the healtchcheck.
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
trueNo
services[m].
healthCheck.headers
Map of header to send to the health check endpoint
Evaluated only if the kind is Service.
Only for Kubernetes service of type ExternalName.
No
services[m].
sticky.
cookie.name
Name of the cookie used for the stickiness.
Evaluated only if the kind is Service.
Abbreviation of a sha1
(ex: _1d52e).
No
services[m].
sticky.
cookie.httpOnly
Allow the cookie can be accessed by client-side APIs, such as JavaScript.
Evaluated only if the kind is Service.
falseNo
services[m].
sticky.
cookie.secure
Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).
Evaluated only if the kind is Service.
falseNo
services[m].
sticky.
cookie.sameSite
SameSite policy.
Allowed values:
-none
-lax
strict
Evaluated only if the kind is Service.
""No
services[m].
sticky.
cookie.maxAge
Number of seconds until the cookie expires.
Negative number, the cookie expires immediately.
0, the cookie never expires.
Evaluated only if the kind is Service.
0No
services[m].
strategy
Load balancing strategy between the servers.
RoundRobin is the only supported value yet.
Evaluated only if the kind is Service.
"RoundRobin"No
services[m].
weight
Service weight.
To use only to refer to WRR TraefikService
""No
services[m].
nativeLB
Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik Hub API Gateway.
Evaluated only if the kind is Service.
falseNo
services[m].
nodePortLB
Use the nodePort IP address when the service type is NodePort.
It allows services to be reachable when Traefik Hub APi Gateway runs externally from the Kubernetes cluster but within the same network of the nodes.
Evaluated only if the kind is Service.
falseNo
sticky.
cookie.name
Name of the cookie used for the stickiness at the WRR service level.
When sticky sessions are enabled, a Set-Cookie header is set on the initial response to let the client know which server handles the first response.
On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.
If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).
More information about WRR stickiness here
Abbreviation of a sha1
(ex: _1d52e).
No
sticky.
cookie.httpOnly
Allow the cookie used for the stickiness at the WRR service level to be accessed by client-side APIs, such as JavaScript.
More information about WRR stickiness here
falseNo
sticky.
cookie.secure
Allow the cookie used for the stickiness at the WRR service level to be only transmitted over an encrypted connection (i.e. HTTPS).
More information about WRR stickiness here
falseNo
sticky.
cookie.sameSite
SameSite policy for the cookie used for the stickiness at the WRR service level.
Allowed values:
-none
-lax
strict
More information about WRR stickiness here
""No
sticky.
cookie.maxAge
Number of seconds until the cookie used for the stickiness at the WRR service level expires.
Negative number, the cookie expires immediately.
0, the cookie never expires.
0No

Stickiness on multiple levels

When chaining or mixing load-balancers (e.g. a load-balancer of servers is one of the "children" of a load-balancer of services), for stickiness to work all the way, the option needs to be specified at all required levels. Which means the client needs to send a cookie with as many key/value pairs as there are sticky levels.

Sticky sessions, for stickiness to work all the way, must be specified at each load-balancing level.

For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
namespace: apps
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: wrr1
namespace: apps
kind: TraefikService

In the example above, to keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:

# Assuming `10.42.0.6` is the IP address of one of the replicas (a pod then) of the `whoami1` service.
curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo

Mirroring

The mirroring is able to mirror requests sent to a service to other services.

A mirroring service allows you to send the trafiic to many services together:

  • The main service receives 100% of the traffic,
  • The mirror services receive a percentage of the traffic.

For example, to upgrade the version of your application. You can set the service that targets current version as the main service, and the service of the new version a mirror service. Thus you can start testing the behavior of the new version keeping the current version reachable.

The mirroring TraefikService allows you to reference Kubernetes Services and other instances of TraefikService (another WRR service -, or a mirroring service).

Please note that by default the whole request is buffered in memory while it is being mirrored. See the maxBodySize option in the example below for how to modify this behavior.

Configuration Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test-name
namespace: apps
spec:
entryPoints:
- websecure
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
# Set a Mirror TraefikService
- name: mirror1
namespace: apps
kind: TraefikService
tls:
# Add a TLS certificate from a Kubernetes Secret
secretName: supersecret

Configuration Options

"Main and mirrored services"

The main service properties are set as the option root level.

The mirrored services properties are set in the mirrors list.

FieldDescriptionDefaultRequired
kindKind of the main service.
Two values allowed:
- Service: Kubernetes Service
- TraefikService: Traefik Service.
More information here
""No
nameMain service name.
The character @ is not authorized.
""Yes
namespaceMain service namespace.
More information here.
""No
portMain service port (number or port name).
Evaluated only if the kind of the main service is Service.
""No
responseForwarding.
flushInterval
Interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.
Evaluated only if the kind of the main service is Service.
100msNo
schemeScheme to use for the request to the upstream Kubernetes Service.
Evaluated only if the kind of the main service is Service.
"http"
"https" if port is 443 or contains the string https.
No
serversTransportName of ServersTransport resource to use to configure the transport between Traefik and the main service's servers.
Evaluated only if the kind of the main service is Service.
""No
passHostHeaderForward client Host header to main service's server.
Evaluated only if the kind of the main service is Service.
trueNo
healthCheck.schemeServer URL scheme for the health check endpoint.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
""No
healthCheck.modeHealth check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
"http"No
healthCheck.pathServer URL path for the health check endpoint.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
""No
healthCheck.intervalFrequency of the health check calls.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
"100ms"No
healthCheck.methodHTTP method for the health check endpoint.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
"GET"No
healthCheck.statusExpected HTTP status code of the response to the health check request.
Only for Kubernetes service of type ExternalName.
If not set, expect a status between 200 and 399.
Evaluated only if the kind of the main service is Service.
No
healthCheck.portURL port for the health check endpoint.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
No
healthCheck.timeoutMaximum duration to wait before considering the server unhealthy.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
"5s"No
healthCheck.hostnameValue in the Host header of the health check request.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
""No
healthCheck.
followRedirect
Follow the redirections during the healtchcheck.
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
trueNo
healthCheck.headersMap of header to send to the health check endpoint
Evaluated only if the kind of the main service is Service.
Only for Kubernetes service of type ExternalName.
No
sticky.
cookie.name
Name of the cookie used for the stickiness on the main service.
Evaluated only if the kind of the main service is Service.
Abbreviation of a sha1
(ex: _1d52e).
No
sticky.
cookie.httpOnly
Allow the cookie can be accessed by client-side APIs, such as JavaScript.
Evaluated only if the kind of the main service is Service.
falseNo
sticky.
cookie.secure
Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).
Evaluated only if the kind of the main service is Service.
falseNo
sticky.
cookie.sameSite
SameSite policy.
Allowed values:
-none
-lax
strict
Evaluated only if the kind of the main service is Service.
""No
sticky.
cookie.maxAge
Number of seconds until the cookie expires.
Negative number, the cookie expires immediately.
0, the cookie never expires.
Evaluated only if the kind of the main service is Service.
0No
strategyLoad balancing strategy between the main service's servers.
RoundRobin is the only supported value yet.
Evaluated only if the kind of the main service is Service.
"RoundRobin"No
weightService weight.
To use only to refer to WRR TraefikService
""No
nativeLBAllow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik Hub API Gateway.
Evaluated only if the kind of the main service is Service.
falseNo
nodePortLBUse the nodePort IP address when the service type is NodePort.
It allows services to be reachable when Traefik Hub APi Gateway runs externally from the Kubernetes cluster but within the same network of the nodes.
Evaluated only if the kind of the main service is Service.
falseNo
maxBodySizeMaximum size allowed for the body of the request.
If the body is larger, the request is not mirrored.
-1 means unlimited size.
-1No
mirrorsList of mirrored services to target.
It can be any combination of TraefikService and Kubernetes service.
More information here.
No
mirrors[m].
kind
Kind of the mirrored service targeted.
Two values allowed:
- Service: Kubernetes Service
- TraefikService: Traefik Service.
More information here
""No
mirrors[m].
name
Mirrored service name.
The character @ is not authorized.
""Yes
mirrors[m].
namespace
Mirrored service namespace.
More information here.
""No
mirrors[m].
port
Mirrored service port (number or port name).
Evaluated only if the kind of the mirrored service is Service.
""No
mirrors[m].
percent
Part of the traffic to mirror in percent (from 0 to 100)0No
mirrors[m].
responseForwarding.
flushInterval
Interval, in milliseconds, in between flushes to the client while copying the response body.
A negative value means to flush immediately after each write to the client.
This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.
Evaluated only if the kind of the mirrored service is Service.
100msNo
mirrors[m].
scheme
Scheme to use for the request to the mirrored service.
Evaluated only if the kind of the mirrored service is Service.
"http"
"https" if port is 443 or contains the string https.
No
mirrors[m].
serversTransport
Name of ServersTransport resource to use to configure the transport between Traefik and the mirrored service servers.
Evaluated only if the kind of the mirrored service is Service.
""No
mirrors[m].
passHostHeader
Forward client Host header to the mirrored service servers.
Evaluated only if the kind of the mirrored service is Service.
trueNo
mirrors[m].
healthCheck.scheme
Server URL scheme for the health check endpoint.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
""No
mirrors[m].
healthCheck.mode
Health check mode.
If defined to grpc, will use the gRPC health check protocol to probe the server.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
"http"No
mirrors[m].
healthCheck.path
Server URL path for the health check endpoint.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
""No
mirrors[m].
healthCheck.interval
Frequency of the health check calls.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
"100ms"No
mirrors[m].
healthCheck.method
HTTP method for the health check endpoint.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
"GET"No
mirrors[m].
healthCheck.status
Expected HTTP status code of the response to the health check request.
Only for Kubernetes service of type ExternalName.
If not set, expect a status between 200 and 399.
Evaluated only if the kind of the mirrored service is Service.
No
mirrors[m].
healthCheck.port
URL port for the health check endpoint.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
No
mirrors[m].
healthCheck.timeout
Maximum duration to wait before considering the server unhealthy.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
"5s"No
mirrors[m].
healthCheck.hostname
Value in the Host header of the health check request.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
""No
mirrors[m].
healthCheck.
followRedirect
Follow the redirections during the healtchcheck.
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
trueNo
mirrors[m].
healthCheck.headers
Map of header to send to the health check endpoint
Evaluated only if the kind of the mirrored service is Service.
Only for Kubernetes service of type ExternalName.
No
mirrors[m].
sticky.
cookie.name
Name of the cookie used for the stickiness.
When sticky sessions are enabled, a Set-Cookie header is set on the initial response to let the client know which server handles the first response.
On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.
If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).
Evaluated only if the kind of the mirrored service is Service.
""No
mirrors[m].
sticky.
cookie.httpOnly
Allow the cookie can be accessed by client-side APIs, such as JavaScript.
Evaluated only if the kind of the mirrored service is Service.
falseNo
mirrors[m].
sticky.
cookie.secure
Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).
Evaluated only if the kind of the mirrored service is Service.
falseNo
mirrors[m].
sticky.
cookie.sameSite
SameSite policy.
Allowed values:
-none
-lax
strict
Evaluated only if the kind of the mirrored service is Service.
""No
mirrors[m].
sticky.
cookie.maxAge
Number of seconds until the cookie expires.
Negative number, the cookie expires immediately.
0, the cookie never expires.
Evaluated only if the kind of the mirrored service is Service.
0No
mirrors[m].
strategy
Load balancing strategy between the servers.
RoundRobin is the only supported value yet.
Evaluated only if the kind of the mirrored service is Service.
"RoundRobin"No
mirrors[m].
weight
Service weight.
To use only to refer to WRR TraefikService
""No
mirrors[m].
nativeLB
Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik Hub API Gateway.
Evaluated only if the kind of the mirrored service is Service.
falseNo
mirrors[m].
nodePortLB
Use the nodePort IP address when the service type is NodePort.
It allows services to be reachable when Traefik Hub APi Gateway runs externally from the Kubernetes cluster but within the same network of the nodes.
Evaluated only if the kind of the mirrored service is Service.
falseNo
mirrorBodyDefines whether the request body should be mirrored.trueNo

Services

The service to target can be either a Kubernetes service or a TraefikService

Kubernetes Service vs TraefikService

A Kubernetes service allows exposing a pod.

A TraefikService allows using any (valid) combinations of:

routes.services.kind

As the field name can reference different types of objects, use the field kind to avoid any ambiguity. The field kind allows the following values:

ExternalName Service

ExternalName Services are used to reference services that exist off platform, on other clusters, or locally.

Healthcheck

As the healthchech cannot be done using the usual Kubernetes livenessprobe and readinessprobe, the IngressRoute brings an option to check the ExternalName Service health.

Port Definition

Traefik Hub connect to a backend with a domain and a port. However, Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on IngressRoute service
  • on both sides, you'll be warned if the ports don't match, and the IngressRoute service port is used

Thus, in case of two sides port definition, Traefik expects a match between ports.

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: apps
spec:
entryPoints:
- foo
routes:
- match: Host(`example.net`)
kind: Rule
services:
- name: external-svc
port: 80