Traefik & Knative
The Traefik Knative provider integrates with Knative Serving to provide advanced traffic management and routing capabilities for serverless applications.
Knative is a Kubernetes-based platform that enables serverless workloads with features like scale-to-zero, automatic scaling, and revision management.
The provider watches Knative Ingress resources and automatically configures Traefik routing rules, enabling seamless integration between Traefik's networking capabilities and Knative's serverless platform.
Requirements
Traefik follows the Kubernetes support policy, and supports at least the latest three minor versions of Kubernetes. General functionality cannot be guaranteed for older versions.
- Install/update the Knative CRDs.

  ```bash
  kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-crds.yaml
  ```

- Install the Knative Serving core components.

  ```bash
  kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-core.yaml
  ```

- Update the config-network configuration to use the Traefik ingress class.

  ```bash
  kubectl patch configmap/config-network \
    -n knative-serving \
    --type merge \
    -p '{"data":{"ingress.class":"traefik.ingress.networking.knative.dev"}}'
  ```

- Add a custom domain to your Knative configuration (Optional).

  ```bash
  kubectl patch configmap config-domain \
    -n knative-serving \
    --type='merge' \
    -p='{"data":{"example.com":""}}'
  ```

- Install/update the Traefik RBAC.

  ```bash
  kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
  ```
Configuration Example
As this provider is an experimental feature, it needs to be enabled in the experimental and in the provider sections of the configuration. You can enable the Knative provider as detailed below:
```yaml
experimental:
  knative: true

providers:
  knative: {}
```

```toml
[experimental]
  knative = true

[providers.knative]
```

```bash
--experimental.knative=true
--providers.knative=true
```
The Knative provider uses the Knative API to retrieve its routing configuration. The provider then watches for incoming Knative events and derives the corresponding dynamic configuration from them.
Configuration Options
| Field | Description | Default | Required |
|---|---|---|---|
| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event. If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded. This option cannot be set per provider, but the throttling algorithm applies to each of them independently. | 2s | No |
| `providers.knative.endpoint` | Server endpoint URL. More information in the endpoint section below. | | |
| `providers.knative.token` | Bearer token used for the Kubernetes client configuration. | | |
| `providers.knative.certauthfilepath` | Path to the certificate authority file. Used for the Kubernetes client configuration. | | |
| `providers.knative.namespaces` | Array of namespaces to watch. If left empty, watch all namespaces. | | |
| `providers.knative.labelselector` | Allow filtering Knative Ingress objects using label selectors. | | |
| `providers.knative.throttleduration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration. If empty, every event is caught. | 0 | |
| `providers.knative.privateentrypoints` | Entrypoint names used to expose the Ingress privately. If empty, local Ingresses are skipped. | | |
| `providers.knative.privateservice` | Kubernetes service used to expose the networking controller privately. | | |
| `providers.knative.privateservice.name` | Name of the private Kubernetes service. | | |
| `providers.knative.privateservice.namespace` | Namespace of the private Kubernetes service. | | |
| `providers.knative.publicentrypoints` | Entrypoint names used to expose the Ingress publicly. If empty, an Ingress is exposed on all entrypoints. | | |
| `providers.knative.publicservice` | Kubernetes service used to expose the networking controller publicly. | | |
| `providers.knative.publicservice.name` | Name of the public Kubernetes service. | | |
| `providers.knative.publicservice.namespace` | Namespace of the public Kubernetes service. | | |
endpoint
The Kubernetes server endpoint URL.
When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik tries to connect to the Knative API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Knative cluster using the granted authentication and authorization of the associated kubeconfig.
```yaml
providers:
  knative:
    endpoint: "http://localhost:8080"
    # ...
```

```toml
[providers.knative]
  endpoint = "http://localhost:8080"
  # ...
```

```bash
--providers.knative.endpoint=http://localhost:8080
```
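
The resolution order described in this section can be checked on a host or in a pod before Traefik starts. The script below is an added example, not code from Traefik or its documentation; the function names and the `SA_DIR` override are assumptions, and it goes slightly beyond the text by also classifying the transport of an explicit endpoint.

```sh
#!/bin/sh
# Added example (not Traefik code): preflight check that mirrors the endpoint
# resolution order described above.
# SA_DIR is an assumed override for testing; its default is the path from the page.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# knative_client_mode ENDPOINT -> prints in-cluster | kubeconfig | external
knative_client_mode() {
    if [ -n "${KUBERNETES_SERVICE_HOST:-}" ] && [ -n "${KUBERNETES_SERVICE_PORT:-}" ]; then
        # In-cluster: token and CA must be mounted; the endpoint is an optional override.
        for f in token ca.crt; do
            [ -r "$SA_DIR/$f" ] || { echo "missing $SA_DIR/$f" >&2; return 2; }
        done
        echo "in-cluster"
    elif [ -n "${KUBECONFIG:-}" ]; then
        [ -r "$KUBECONFIG" ] || { echo "unreadable KUBECONFIG" >&2; return 2; }
        echo "kubeconfig"
    elif [ -n "$1" ]; then
        echo "external"
    else
        echo "endpoint is required outside a cluster" >&2
        return 3
    fi
}

# endpoint_transport URL -> prints tls | plaintext-loopback | plaintext-remote | unknown
endpoint_transport() {
    case "$1" in
        https://*) echo "tls" ;;
        http://localhost|http://localhost[/:]*|http://127.0.0.1|http://127.0.0.1[/:]*)
            echo "plaintext-loopback" ;;  # kubectl proxy style: stays on the host
        http://*) echo "plaintext-remote" ;;
        *) echo "unknown" ;;
    esac
}

# preflight ENDPOINT -> prints a summary; fails if the client cannot be built
# or if API traffic (and any bearer token) would cross the network unencrypted.
preflight() {
    mode=$(knative_client_mode "$1") || return 1
    transport="default"
    [ -z "$1" ] || transport=$(endpoint_transport "$1")
    echo "mode=$mode transport=$transport"
    [ "$transport" != "plaintext-remote" ]
}

preflight "${1:-}" || echo "preflight failed" >&2
```

Pass the value intended for `providers.knative.endpoint` as the first argument, or no argument to check the in-cluster defaults.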
Routing Configuration
See the dedicated section in routing.