Skip to content

Data sharing

This document provides an overview about data sharing between the Traefik Hub’s SaaS control plane and a Kubernetes cluster hosting the Traefik Hub agent.


The Traefik Hub's SaaS (Software as a Service) control plane is hosted by Traefik Labs in the cloud, and the Traefik Hub agent acting as the data plane is hosted in a Kubernetes cluster. They communicate with each other to manage and control Traefik Hub's API Gateway and API Portal instances running in the cluster.

The Traefik Hub agent collects data related to API management (Traefik Hub CRDs), Ingress management (for example Traefik Proxy CRDs) and general Kubernetes components (Namespaces, Nodes, Services, etc.).

Depending on the configuration, the data shared between the control plane and the Kubernetes cluster could be less than all the possible items listed in this document.

Besides the data collected by the Traefik Hub agent, the Traefik Platform stores data related to the platform authorization, identity providers and such.

Shared data

Custom resource definitions (CRDs)

Traefik Hub CRDs are sent to the Traefik Hub Platform for synchronization purposes and validation:

Besides the CRDs, the Traefik Hub agent also sent its own configuration. As of now, it only consists of one field: DistributedRateLimitAvailable.

Custom resource definitions (CRDs)

If Traefik Proxy is used as Ingress Controller (default setting if the Traefik Hub agent is installed in Ingress Controller mode), the Traefik Hub agent has access to the following Traefik Proxy CRDs.

Name Permission Description
Middlewares Read/Write Tweaks the HTTP requests before they are sent to your service.
IngressRoute Read/Write HTTP Routing.
IngressClass Read/Write The annotation that identifies Ingress objects to be processed..
MiddlewareTCP Read Tweaks the TCP requests before they are sent to your service.
TraefikService Read Abstraction for HTTP loadbalancing/mirroring.
IngressRouteTCP Read TCP routing.
IngressRouteUDP Read UDP routing
TLSOptions Read Allows to configure some parameters of the TLS connection.
TLSStores Read Allows to configure the default TLS store.
ServersTransport Read Allows to configure the transport between Traefik and the backends.


The Traefik Hub agent has access to the following Kubernetes components:

Name Permission Description
Ingresses Read/Write This is used for service discovery. Also used to set ACP to Ingresses.
Secrets Read/Write This is used to store secrets like certificates.
Pods Read Used to get the list of agent Pods and fetch metrics from them.
Pod logs Read Collect log of the Pods (will be removed soon).
Namespaces Read This is used to get the Namespace system for the leader election.
Leases Read/Write Used to handle the leader election for the agent.
Endpoint slices Read This is used to list on which nodes the services exposed by APIs are.
Events Write This is used to write several events on resources managed by Traefik Hub, for example, when the OpenAPI spec is not found.
Services Read Used in service discovery and for routing.
Nodes Read This is used for license purposes.
Endpoints Read This is used for routing.


The following metrics are transmitted to the Traefik Hub platform.

These metrics are displayed in the control plane:

  • Request per seconds
  • Request error per seconds
  • Request error percent
  • Request client error per seconds
  • Request client error percent
  • Average response time
  • Requests number
  • Requests error number
  • Requests client error number
  • Response time sum
  • Response time count


These metrics below are used for internal purposes and will be soon integrated into the control plane:

  • API Request number
  • API Request bytes number
  • API Response Bytes number
  • Nodes count
  • API Gateways count
  • API count


Error logs generated by the Traefik Hub agent are transmitted to the Traefik Hub platform and stored for 24 hours to assist in resolving support requests quickly.


The Traefik Hub Platform stores data related to certificates obtained with Let's Encrypt on generated domains and custom domains. The certificates are encrypted in the database and renewed regularly.

Traefik Hub Dashboard

Overview about all data which is collected by the Traefik Hub UI.

Identity provider

The Traefik Hub Platform stores data related to IdPs.
This data is needed for authentication and permission management.


The following user data is stored:

  • First Name
  • Last Name
  • Company
  • Email
  • Group IDs
  • External ID
Internal IdP

All general user data plus:

  • Password hash

For each group, the Traefik Hub Platform only stores the name of the group.

  • URL
  • Realm
  • Username for realm access
  • Password for realm access (encrypted)
  • Org URL
  • Issuer URL
  • Token (encrypted)