TraefikService

A TraefikService is a custom resource that sits on top of the Kubernetes Services. It enables advanced load-balancing features such as a Weighted Round Robin load balancing or a Mirroring between your Kubernetes Services.

Services configure how to reach the actual endpoints that will eventually handle incoming requests. In Traefik, the target service can be either a standard Kubernetes service—which exposes a pod—or a TraefikService. The latter allows you to combine advanced load-balancing options like:

Weighted Round Robin load balancing.
Mirroring.

Weighted Round Robin¶

The WRR is able to load balance the requests between multiple services based on weights. The WRR TraefikService allows you to load balance the traffic between Kubernetes Services and other instances of TraefikService (another WRR service -, or a mirroring service).

Configuration Example¶

IngressRoute

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test-name
  namespace: apps

spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    # Set a WRR TraefikService
    - name: wrr1
      namespace: apps
      kind: TraefikService
  tls:
    # Add a TLS certificate from a Kubernetes Secret
    secretName: supersecret

TraefikService WRR Level#1

apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: apps

spec:
  weighted:
    services:
        # Kubernetes Service
      - name: svc1
        namespace: apps
        port: 80
        weight: 1
        # Second level WRR service
      - name: wrr2
        namespace: apps
        kind: TraefikService
        weight: 1
        # Mirroring service
        # The service is described in the Mirroring example
      - name: mirror1
        namespace: apps
        kind: TraefikService
        weight: 1

TraefikService WRR Level#2

apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
  name: wrr2
  namespace: apps

spec:
  weighted:
    services:
      # Kubernetes Service
      - name: svc2
        namespace: apps
        port: 80
        weight: 1
      # Kubernetes Service
      - name: svc3
        namespace: apps
        port: 80
        weight: 1

Kubernetes Services

apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: apps

spec:
  ports:
  - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: apps

spec:
  ports:
  - name: http
    port: 80
  selector:
    app: traefiklabs
    task: app2
---
apiVersion: v1
kind: Service
metadata:
  name: svc3
  namespace: apps

spec:
  ports:
  - name: http
    port: 80
  selector:
    app: traefiklabs
    task: app3

Secret

apiVersion: v1
kind: Secret
metadata:
  name: supersecret
  namespace: apps

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Configuration Options¶

Field	Description	Default	Required
`services`	List of any combination of TraefikService and Kubernetes service. .		No
`services[m].` `kind`	Kind of the service targeted. Two values allowed: - Service: Kubernetes Service - TraefikService: Traefik Service.	""	No
`services[m].` `name`	Service name. The character `@` is not authorized.	""	Yes
`services[m].` `namespace`	Service namespace.	""	No
`services[m].` `port`	Service port (number or port name). Evaluated only if the kind is Service.	""	No
`services[m].` `responseForwarding.` `flushInterval`	Interval, in milliseconds, in between flushes to the client while copying the response body. A negative value means to flush immediately after each write to the client. This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately. Evaluated only if the kind is Service.	100ms	No
`services[m].` `scheme`	Scheme to use for the request to the upstream Kubernetes Service. Evaluated only if the kind is Service.	"http" "https" if `port` is 443 or contains the string https.	No
`services[m].` `serversTransport`	Name of ServersTransport resource to use to configure the transport between Traefik and your servers. Evaluated only if the kind is Service.	""	No
`services[m].` `passHostHeader`	Forward client Host header to server. Evaluated only if the kind is Service.	true	No
`services[m].` `healthCheck.scheme`	Server URL scheme for the health check endpoint. Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.	""	No
`services[m].` `healthCheck.mode`	Health check mode. If defined to grpc, will use the gRPC health check protocol to probe the server. Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.	"http"	No
`services[m].` `healthCheck.path`	Server URL path for the health check endpoint. Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.	""	No
`services[m].` `healthCheck.interval`	Frequency of the health check calls. Evaluated only if the kind is Service. Only for Kubernetes service of type [ExternalName]`ExternalName`.	"100ms"	No
`services[m].` `healthCheck.method`	HTTP method for the health check endpoint. Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.	"GET"	No
`services[m].` `healthCheck.status`	Expected HTTP status code of the response to the health check request. Only for Kubernetes service of type ExternalName. If not set, expect a status between 200 and 399. Evaluated only if the kind is Service.		No
`services[m].` `healthCheck.port`	URL port for the health check endpoint. Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.		No
`services[m].` `healthCheck.timeout`	Maximum duration to wait before considering the server unhealthy. Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.	"5s"	No
`services[m].` `healthCheck.hostname`	Value in the Host header of the health check request. Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.	""	No
`services[m].` `healthCheck.` `followRedirect`	Follow the redirections during the healtchcheck. Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.	true	No
`services[m].` `healthCheck.headers`	Map of header to send to the health check endpoint Evaluated only if the kind is Service. Only for Kubernetes service of type `ExternalName`.		No
`services[m].` `sticky.` `cookie.name`	Name of the cookie used for the stickiness. Evaluated only if the kind is Service.	Abbreviation of a sha1 (ex: `_1d52e`).	No
`services[m].` `sticky.` `cookie.httpOnly`	Allow the cookie can be accessed by client-side APIs, such as JavaScript. Evaluated only if the kind is Service.	false	No
`services[m].` `sticky.` `cookie.secure`	Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS). Evaluated only if the kind is Service.	false	No
`services[m].` `sticky.` `cookie.sameSite`	SameSite policy. Allowed values: -`none` -`lax` `strict` Evaluated only if the kind is Service.	""	No
`services[m].` `sticky.` `cookie.maxAge`	Number of seconds until the cookie expires. Negative number, the cookie expires immediately. 0, the cookie never expires. Evaluated only if the kind is Service.	0	No
`services[m].` `strategy`	Load balancing strategy between the servers. RoundRobin is the only supported value yet. Evaluated only if the kind is Service.	"RoundRobin"	No
`services[m].` `weight`	Service weight. To use only to refer to WRR TraefikService	""	No
`services[m].` `nativeLB`	Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik. Evaluated only if the kind is Service.	false	No
`services[m].` `nodePortLB`	Use the nodePort IP address when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. Evaluated only if the kind is Service.	false	No
`sticky.` `cookie.name`	Name of the cookie used for the stickiness at the WRR service level. When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response. On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set. If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server). More information about WRR stickiness here	Abbreviation of a sha1 (ex: `_1d52e`).	No
`sticky.` `cookie.httpOnly`	Allow the cookie used for the stickiness at the WRR service level to be accessed by client-side APIs, such as JavaScript. More information about WRR stickiness here	false	No
`sticky.` `cookie.secure`	Allow the cookie used for the stickiness at the WRR service level to be only transmitted over an encrypted connection (i.e. HTTPS). More information about WRR stickiness here	false	No
`sticky.` `cookie.sameSite`	SameSite policy for the cookie used for the stickiness at the WRR service level. Allowed values: -`none` -`lax` `strict` More information about WRR stickiness here	""	No
`sticky.` `cookie.maxAge`	Number of seconds until the cookie used for the stickiness at the WRR service level expires. Negative number, the cookie expires immediately. 0, the cookie never expires.	0	No

Stickiness on multiple levels¶

When chaining or mixing load-balancers (e.g. a load-balancer of servers is one of the "children" of a load-balancer of services), for stickiness to work all the way, the option needs to be specified at all required levels. Which means the client needs to send a cookie with as many key/value pairs as there are sticky levels.

Sticky sessions, for stickiness to work all the way, must be specified at each load-balancing level.

For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.

IngressRoute

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: apps

spec:
  entryPoints:
  - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: wrr1
      namespace: apps
      kind: TraefikService

TraefikService WRR with 2 level of stickiness

apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: apps

spec:
  weighted:
    services:
    - name: whoami1
      kind: Service
      port: 80
      weight: 1
      # Stickiness level2 (on the Kubernetes service)
      sticky:
        cookie:
        name: lvl2
    - name: whoami2
      kind: Service
      weight: 1
      port: 80
      # Stickiness level2 (on the Kubernetes service)
      sticky:
        cookie:
        name: lvl2
  # Stickiness level2 (on the WRR service)
  sticky:
    cookie:
    name: lvl1

In the example above, to keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:

# Assuming `10.42.0.6` is the IP address of one of the replicas (a pod then) of the `whoami1` service.
curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo

Mirroring¶

The mirroring is able to mirror requests sent to a service to other services.

A mirroring service allows you to send the trafiic to many services together:

The main service receives 100% of the traffic,
The mirror services receive a percentage of the traffic.

For example, to upgrade the version of your application. You can set the service that targets current version as the main service, and the service of the new version a mirror service. Thus you can start testing the behavior of the new version keeping the current version reachable.

The mirroring TraefikService allows you to reference Kubernetes Services and other instances of TraefikService (another WRR service -, or a mirroring service).

Please note that by default the whole request is buffered in memory while it is being mirrored. See the maxBodySize option in the example below for how to modify this behavior.

Configuration Example¶

IngressRoute

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: mirror1
      namespace: default
      kind: TraefikService

Mirroring from a Kubernetes Service

# Mirroring from a k8s Service
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: svc1                      # svc1 receives 100% of the traffic
    port: 80
    mirrors:
      - name: svc2                  # svc2 receives a copy of 20% of this traffic
        port: 80
        percent: 20
      - name: svc3                  # svc3 receives a copy of 15% of this traffic
        kind: TraefikService
        percent: 15

Mirroring from a TraefikService (WRR)

# Mirroring from a Traefik Service
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: wrr1                      # wrr1 receives 100% of the traffic
    kind: TraefikService
    mirrors:
      - name: svc2                  # svc2 receives a copy of 20% of this traffic
        port: 80
        percent: 20
      - name: svc3                  # svc3 receives a copy of 10% of this traffic
        kind: TraefikService
        percent: 10

Kubernetes Services

apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app2

Configuration Options¶

Main and mirrored services

The main service properties are set as the option root level.

The mirrored services properties are set in the mirrors list.

Field	Description	Default	Required
`kind`	Kind of the main service. Two values allowed: - Service: Kubernetes Service - TraefikService: Traefik Service. More information here	""	No
`name`	Main service name. The character `@` is not authorized.	""	Yes
`namespace`	Main service namespace. More information here.	""	No
`port`	Main service port (number or port name). Evaluated only if the kind of the main service is Service.	""	No
`responseForwarding.` `flushInterval`	Interval, in milliseconds, in between flushes to the client while copying the response body. A negative value means to flush immediately after each write to the client. This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately. Evaluated only if the kind of the main service is Service.	100ms	No
`scheme`	Scheme to use for the request to the upstream Kubernetes Service. Evaluated only if the kind of the main service is Service.	"http" "https" if `port` is 443 or contains the string https.	No
`serversTransport`	Name of ServersTransport resource to use to configure the transport between Traefik and the main service's servers. Evaluated only if the kind of the main service is Service.	""	No
`passHostHeader`	Forward client Host header to main service's server. Evaluated only if the kind of the main service is Service.	true	No
`healthCheck.scheme`	Server URL scheme for the health check endpoint. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.	""	No
`healthCheck.mode`	Health check mode. If defined to grpc, will use the gRPC health check protocol to probe the server. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.	"http"	No
`healthCheck.path`	Server URL path for the health check endpoint. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.	""	No
`healthCheck.interval`	Frequency of the health check calls. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.	"100ms"	No
`healthCheck.method`	HTTP method for the health check endpoint. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.	"GET"	No
`healthCheck.status`	Expected HTTP status code of the response to the health check request. Only for Kubernetes service of type ExternalName. If not set, expect a status between 200 and 399. Evaluated only if the kind of the main service is Service.		No
`healthCheck.port`	URL port for the health check endpoint. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.		No
`healthCheck.timeout`	Maximum duration to wait before considering the server unhealthy. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.	"5s"	No
`healthCheck.hostname`	Value in the Host header of the health check request. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.	""	No
`healthCheck.` `followRedirect`	Follow the redirections during the healtchcheck. Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.	true	No
`healthCheck.headers`	Map of header to send to the health check endpoint Evaluated only if the kind of the main service is Service. Only for Kubernetes service of type ExternalName.		No
`sticky.` `cookie.name`	Name of the cookie used for the stickiness on the main service. Evaluated only if the kind of the main service is Service.	Abbreviation of a sha1 (ex: `_1d52e`).	No
`sticky.` `cookie.httpOnly`	Allow the cookie can be accessed by client-side APIs, such as JavaScript. Evaluated only if the kind of the main service is Service.	false	No
`sticky.` `cookie.secure`	Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS). Evaluated only if the kind of the main service is Service.	false	No
`sticky.` `cookie.sameSite`	SameSite policy. Allowed values: -`none` -`lax` `strict` Evaluated only if the kind of the main service is Service.	""	No
`sticky.` `cookie.maxAge`	Number of seconds until the cookie expires. Negative number, the cookie expires immediately. 0, the cookie never expires. Evaluated only if the kind of the main service is Service.	0	No
`strategy`	Load balancing strategy between the main service's servers. RoundRobin is the only supported value yet. Evaluated only if the kind of the main service is Service.	"RoundRobin"	No
`weight`	Service weight. To use only to refer to WRR TraefikService	""	No
`nativeLB`	Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik. Evaluated only if the kind of the main service is Service.	false	No
`nodePortLB`	Use the nodePort IP address when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. Evaluated only if the kind of the main service is Service.	false	No
`maxBodySize`	Maximum size allowed for the body of the request. If the body is larger, the request is not mirrored. -1 means unlimited size.	-1	No
`mirrors`	List of mirrored services to target. It can be any combination of TraefikService and Kubernetes service. More information here.		No
`mirrors[m].` `kind`	Kind of the mirrored service targeted. Two values allowed: - Service: Kubernetes Service - TraefikService: Traefik Service. More information here	""	No
`mirrors[m].` `name`	Mirrored service name. The character `@` is not authorized.	""	Yes
`mirrors[m].` `namespace`	Mirrored service namespace. More information here.	""	No
`mirrors[m].` `port`	Mirrored service port (number or port name). Evaluated only if the kind of the mirrored service is Service.	""	No
`mirrors[m].` `percent`	Part of the traffic to mirror in percent (from 0 to 100)	0	No
`mirrors[m].` `responseForwarding.` `flushInterval`	Interval, in milliseconds, in between flushes to the client while copying the response body. A negative value means to flush immediately after each write to the client. This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately. Evaluated only if the kind of the mirrored service is Service.	100ms	No
`mirrors[m].` `scheme`	Scheme to use for the request to the mirrored service. Evaluated only if the kind of the mirrored service is Service.	"http" "https" if `port` is 443 or contains the string https.	No
`mirrors[m].` `serversTransport`	Name of ServersTransport resource to use to configure the transport between Traefik and the mirrored service servers. Evaluated only if the kind of the mirrored service is Service.	""	No
`mirrors[m].` `passHostHeader`	Forward client Host header to the mirrored service servers. Evaluated only if the kind of the mirrored service is Service.	true	No
`mirrors[m].` `healthCheck.scheme`	Server URL scheme for the health check endpoint. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.	""	No
`mirrors[m].` `healthCheck.mode`	Health check mode. If defined to grpc, will use the gRPC health check protocol to probe the server. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.	"http"	No
`mirrors[m].` `healthCheck.path`	Server URL path for the health check endpoint. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.	""	No
`mirrors[m].` `healthCheck.interval`	Frequency of the health check calls. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.	"100ms"	No
`mirrors[m].` `healthCheck.method`	HTTP method for the health check endpoint. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.	"GET"	No
`mirrors[m].` `healthCheck.status`	Expected HTTP status code of the response to the health check request. Only for Kubernetes service of type ExternalName. If not set, expect a status between 200 and 399. Evaluated only if the kind of the mirrored service is Service.		No
`mirrors[m].` `healthCheck.port`	URL port for the health check endpoint. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.		No
`mirrors[m].` `healthCheck.timeout`	Maximum duration to wait before considering the server unhealthy. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.	"5s"	No
`mirrors[m].` `healthCheck.hostname`	Value in the Host header of the health check request. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.	""	No
`mirrors[m].` `healthCheck.` `followRedirect`	Follow the redirections during the healtchcheck. Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.	true	No
`mirrors[m].` `healthCheck.headers`	Map of header to send to the health check endpoint Evaluated only if the kind of the mirrored service is Service. Only for Kubernetes service of type ExternalName.		No
`mirrors[m].` `sticky.` `cookie.name`	Name of the cookie used for the stickiness. When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response. On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set. If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server). Evaluated only if the kind of the mirrored service is Service.	""	No
`mirrors[m].` `sticky.` `cookie.httpOnly`	Allow the cookie can be accessed by client-side APIs, such as JavaScript. Evaluated only if the kind of the mirrored service is Service.	false	No
`mirrors[m].` `sticky.` `cookie.secure`	Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS). Evaluated only if the kind of the mirrored service is Service.	false	No
`mirrors[m].` `sticky.` `cookie.sameSite`	SameSite policy. Allowed values: -`none` -`lax` `strict` Evaluated only if the kind of the mirrored service is Service.	""	No
`mirrors[m].` `sticky.` `cookie.maxAge`	Number of seconds until the cookie expires. Negative number, the cookie expires immediately. 0, the cookie never expires. Evaluated only if the kind of the mirrored service is Service.	0	No
`mirrors[m].` `strategy`	Load balancing strategy between the servers. RoundRobin is the only supported value yet. Evaluated only if the kind of the mirrored service is Service.	"RoundRobin"	No
`mirrors[m].` `weight`	Service weight. To use only to refer to WRR TraefikService	""	No
`mirrors[m].` `nativeLB`	Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik. Evaluated only if the kind of the mirrored service is Service.	false	No
`mirrors[m].` `nodePortLB`	Use the nodePort IP address when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. Evaluated only if the kind of the mirrored service is Service.	false	No
`mirrorBody`	Defines whether the request body should be mirrored.	true	No