
Traefik & Knative

The Traefik Knative provider integrates with Knative Serving to provide advanced traffic management and routing capabilities for serverless applications.

Knative is a Kubernetes-based platform that enables serverless workloads with features like scale-to-zero, automatic scaling, and revision management.

The provider watches Knative Ingress resources and automatically configures Traefik routing rules, enabling seamless integration between Traefik's networking capabilities and Knative's serverless platform.

Requirements

Traefik follows the Kubernetes support policy, and supports at least the latest three minor versions of Kubernetes. General functionality cannot be guaranteed for older versions.

  1. Install/update the Knative CRDs.

    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-crds.yaml

  2. Install the Knative Serving core components.

    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-core.yaml

  3. Update the config-network configuration to use the Traefik ingress class.

    kubectl patch configmap/config-network \
      -n knative-serving \
      --type merge \
      -p '{"data":{"ingress.class":"traefik.ingress.networking.knative.dev"}}'

  4. Add a custom domain to your Knative configuration (Optional).

    kubectl patch configmap config-domain \
      -n knative-serving \
      --type='merge' \
      -p='{"data":{"example.com":""}}'

  5. Install/update the Traefik RBAC.

    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml

Configuration Example

As this provider is an experimental feature, it needs to be enabled in the experimental and in the provider sections of the configuration. You can enable the Knative provider as detailed below:

YAML:

    experimental:
      knative: true

    providers:
      knative: {}

TOML:

    [experimental]
      knative = true

    [providers.knative]

CLI:

    --experimental.knative=true
    --providers.knative=true

The Knative provider uses the Knative API to retrieve its routing configuration. The provider then watches for incoming Knative events and derives the corresponding dynamic configuration from them.

Configuration Options

| Field | Description | Default | Required |
|---|---|---|---|
| providers.providersThrottleDuration | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event. If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded. This option cannot be set per provider, but the throttling algorithm applies to each of them independently. | 2s | No |
| providers.knative.endpoint | Server endpoint URL. See the endpoint section below. | | |
| providers.knative.token | Bearer token used for the Kubernetes client configuration. | | |
| providers.knative.certauthfilepath | Path to the certificate authority file. Used for the Kubernetes client configuration. | | |
| providers.knative.namespaces | Array of namespaces to watch. If left empty, watch all namespaces. | | |
| providers.knative.labelselector | Allow filtering Knative Ingress objects using label selectors. | | |
| providers.knative.throttleduration | Minimum amount of time to wait between two Kubernetes events before producing a new configuration. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration. If empty, every event is caught. | 0 | |
| providers.knative.privateentrypoints | Entrypoint names used to expose the Ingress privately. If empty, local Ingresses are skipped. | | |
| providers.knative.privateservice | Kubernetes service used to expose the networking controller privately. | | |
| providers.knative.privateservice.name | Name of the private Kubernetes service. | | |
| providers.knative.privateservice.namespace | Namespace of the private Kubernetes service. | | |
| providers.knative.publicentrypoints | Entrypoint names used to expose the Ingress publicly. If empty, an Ingress is exposed on all entrypoints. | | |
| providers.knative.publicservice | Kubernetes service used to expose the networking controller publicly. | | |
| providers.knative.publicservice.name | Name of the public Kubernetes service. | | |
| providers.knative.publicservice.namespace | Namespace of the public Kubernetes service. | | |

endpoint

The Kubernetes server endpoint URL.

When deployed into Kubernetes, Traefik reads the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT or KUBECONFIG to construct the endpoint.

The access token is looked up in /var/run/secrets/kubernetes.io/serviceaccount/token and the SSL CA certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Both are mounted automatically when deployed inside Kubernetes.

The endpoint may be specified to override the environment variable values inside a cluster.

When the environment variables are not found, Traefik tries to connect to the Knative API server with an external-cluster client. In this case, the endpoint is required. Specifically, it may be set to the URL used by kubectl proxy to connect to a Knative cluster using the granted authentication and authorization of the associated kubeconfig.

YAML:

    providers:
      knative:
        endpoint: "http://localhost:8080"
        # ...

TOML:

    [providers.knative]
      endpoint = "http://localhost:8080"
      # ...

CLI:

    --providers.knative.endpoint=http://localhost:8080
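
The following is an added example, not part of the Traefik documentation or code base: a standard-library Python check that reads `--providers.knative.*` flags and applies the defaults from the Configuration Options table and the endpoint rules above to report settings that widen exposure. The sample command lines, host names, entrypoint names and the `parse_flags`/`audit` helpers are assumptions made for illustration.

```python
from urllib.parse import urlparse

PREFIX = "--providers.knative."
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_flags(argv):
    """Collect --providers.knative.<key>=<value> flags (keys lowercased)."""
    opts = {}
    for arg in argv:
        if arg.lower().startswith(PREFIX) and "=" in arg:
            key, value = arg[len(PREFIX):].split("=", 1)
            opts[key.lower()] = value
    return opts

def audit(argv, env):
    """Return (field, finding) pairs for the Knative provider flags in argv."""
    opts, out = parse_flags(argv), []
    # Per the page: in-cluster env vars or KUBECONFIG build the endpoint; otherwise it is required.
    discovered = ("KUBERNETES_SERVICE_HOST" in env and "KUBERNETES_SERVICE_PORT" in env) or "KUBECONFIG" in env
    endpoint = opts.get("endpoint", "")
    if not endpoint and not discovered:
        out.append(("endpoint", "required for an external-cluster client, but not set"))
    if endpoint:
        url = urlparse(endpoint)
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            out.append(("endpoint", "plain HTTP to a non-loopback host sends the bearer token in cleartext"))
    if "token" in opts:
        out.append(("token", "set as a flag, so it is readable from the process arguments"))
    if not opts.get("namespaces"):
        out.append(("namespaces", "empty: all namespaces are watched"))
    if not opts.get("publicentrypoints"):
        out.append(("publicentrypoints", "empty: Ingresses are exposed on all entrypoints"))
    if not opts.get("privateentrypoints"):
        out.append(("privateentrypoints", "empty: local Ingresses are skipped"))
    return out

# Constructed sample command lines (addresses, names and token are placeholders).
LOOSE = ["--providers.knative=true", "--providers.knative.endpoint=http://10.0.0.1:8080",
         "--providers.knative.token=PLACEHOLDER"]
SCOPED = ["--providers.knative=true", "--providers.knative.endpoint=https://k8s.example.internal:6443",
          "--providers.knative.namespaces=apps", "--providers.knative.publicentrypoints=websecure",
          "--providers.knative.privateentrypoints=internal"]

if __name__ == "__main__":
    for name, argv in (("LOOSE", LOOSE), ("SCOPED", SCOPED)):
        print(name, audit(argv, env={}) or "no findings")
```

The `privateentrypoints` finding is informational: it tells you cluster-local Ingresses will not be routed, not that something is over-exposed.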

Routing Configuration

See the dedicated section in routing.

