Traefik & Kubernetes¶
The Kubernetes Gateway API, The Experimental Way. {: .subtitle }
Configuration Examples¶
Configuring Kubernetes Gateway provider and Deploying/Exposing Services
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
name: my-gateway-class
spec:
controllerName: traefik.io/gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: my-gateway
spec:
gatewayClassName: my-gateway-class
listeners:
- name: https
protocol: HTTPS
port: 443
tls:
certificateRefs:
- kind: Secret
name: mysecret
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: http-app
namespace: default
spec:
parentRefs:
- name: my-gateway
hostnames:
- whoami
rules:
- matches:
- path:
type: Exact
value: /foo
backendRefs:
- name: whoami
port: 80
weight: 1
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
spec:
replicas: 2
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
selector:
app: whoami
ports:
- protocol: TCP
port: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik-lb
template:
metadata:
labels:
app: traefik-lb
spec:
serviceAccountName: traefik-controller
containers:
- name: traefik
image: traefik:v2.11
args:
- --entryPoints.web.address=:80
- --entryPoints.websecure.address=:443
- --experimental.kubernetesgateway
- --providers.kubernetesgateway
ports:
- name: web
containerPort: 80
- name: websecure
containerPort: 443
---
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
type: LoadBalancer
selector:
app: traefik-lb
ports:
- protocol: TCP
port: 80
targetPort: web
name: web
- protocol: TCP
port: 443
targetPort: websecure
name: websecure
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gateway-role
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
- httproutes
- tcproutes
- tlsroutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
- gateways/status
- httproutes/status
- tcproutes/status
- tlsroutes/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gateway-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gateway-role
subjects:
- kind: ServiceAccount
name: traefik-controller
namespace: default
Routing Configuration¶
Custom Resource Definition (CRD)¶
- You can find an exhaustive list, of the custom resources and their attributes in
the reference page or in the Kubernetes
Sigs
Gateway API
repository. - Validate that the prerequisites are fulfilled before using the Traefik Kubernetes Gateway Provider.
You can find an excerpt of the supported Kubernetes Gateway API resources in the table below:
Kind | Purpose | Concept Behind |
---|---|---|
GatewayClass | Defines a set of Gateways that share a common configuration and behaviour | GatewayClass |
Gateway | Describes how traffic can be translated to Services within the cluster | Gateway |
HTTPRoute | HTTP rules for mapping requests from a Gateway to Kubernetes Services | Route |
TCPRoute | Allows mapping TCP requests from a Gateway to Kubernetes Services | Route |
TLSRoute | Allows mapping TLS requests from a Gateway to Kubernetes Services | Route |
Kind: GatewayClass
¶
GatewayClass
is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of
Gateways that can be instantiated. More details on the
GatewayClass official documentation.
The GatewayClass
should be declared by the infrastructure provider, otherwise please register the GatewayClass
definition in the Kubernetes cluster before
creating GatewayClass
objects.
Declaring GatewayClass
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
name: my-gateway-class
spec:
# Controller is a domain/path string that indicates
# the controller that is managing Gateways of this class.
controllerName: traefik.io/gateway-controller
Kind: Gateway
¶
A Gateway
is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, some load
balancing infrastructure is provisioned or configured by the GatewayClass controller. More details on the
Gateway official documentation.
Register the Gateway
definition in the
Kubernetes cluster before creating Gateway
objects.
Depending on the Listener Protocol, different modes and Route types are supported.
Listener Protocol | TLS Mode | Route Type Supported |
---|---|---|
TCP | Not applicable | TCPRoute |
TLS | Passthrough | TLSRoute, TCPRoute |
TLS | Terminate | TLSRoute, TCPRoute |
HTTP | Not applicable | HTTPRoute |
HTTPS | Terminate | HTTPRoute |
Declaring Gateway
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: my-http-gateway
namespace: default
spec:
gatewayClassName: my-gateway-class # [1]
listeners: # [2]
- name: http # [3]
protocol: HTTP # [4]
port: 80 # [5]
allowedRoutes: # [9]
kinds:
- kind: HTTPRoute # [10]
namespaces:
from: Selector # [11]
selector: # [12]
matchLabels:
app: foo
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: my-https-gateway
namespace: default
spec:
gatewayClassName: my-gateway-class # [1]
listeners: # [2]
- name: https # [3]
protocol: HTTPS # [4]
port: 443 # [5]
tls: # [7]
certificateRefs: # [8]
- kind: "Secret"
name: "mysecret"
allowedRoutes: # [9]
kinds:
- kind: HTTPSRoute # [10]
namespaces:
from: Selector # [11]
selector: # [12]
matchLabels:
app: foo
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: my-tcp-gateway
namespace: default
spec:
gatewayClassName: my-gateway-class # [1]
listeners: # [2]
- name: tcp # [3]
protocol: TCP # [4]
port: 8000 # [5]
allowedRoutes: # [9]
kinds:
- kind: TCPRoute # [10]
namespaces:
from: Selector # [11]
selector: # [12]
matchLabels:
app: footcp
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: my-tls-gateway
namespace: default
spec:
gatewayClassName: my-gateway-class # [1]
listeners: # [2]
- name: tls # [3]
protocol: TLS # [4]
port: 443 # [5]
hostname: foo.com # [6]
tls: # [7]
certificateRefs: # [8]
- kind: "Secret"
name: "mysecret"
allowedRoutes: # [9]
kinds:
- kind: TLSRoute # [10]
namespaces:
from: Selector # [11]
selector: # [12]
matchLabels:
app: footcp
Ref | Attribute | Description |
---|---|---|
[1] | gatewayClassName |
GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. |
[2] | listeners |
Logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. |
[3] | name |
Name of the Listener. |
[4] | protocol |
The network protocol this listener expects to receive (only HTTP and HTTPS are implemented). |
[5] | port |
The network port. |
[6] | hostname |
Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, “”, or *, all hostnames are matched. |
[7] | tls |
TLS configuration for the Listener. This field is required if the Protocol field is "HTTPS" or "TLS" and ignored otherwise. |
[8] | certificateRefs |
The references to Kubernetes objects that contains TLS certificates and private keys (only one reference to a Kubernetes Secret is supported). |
[9] | allowedRoutes |
Defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. |
[10] | kind |
The kind of the Route. |
[11] | from |
From indicates in which namespaces the Routes will be selected for this Gateway. Possible values are All , Same and Selector (Defaults to Same ). |
[12] | selector |
Selector must be specified when From is set to Selector . In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. |
Kind: HTTPRoute
¶
HTTPRoute
defines HTTP rules for mapping requests from a Gateway
to Kubernetes Services.
Register the HTTPRoute
definition in the
Kubernetes cluster before creating HTTPRoute
objects.
Declaring HTTPRoute
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: http-app
namespace: default
spec:
parentRefs: # [1]
- name: my-tcp-gateway # [2]
namespace: default # [3]
sectionName: tcp # [4]
hostnames: # [5]
- whoami
rules: # [6]
- matches: # [7]
- path: # [8]
type: Exact # [9]
value: /bar # [10]
- headers: # [11]
name: foo # [12]
value: bar # [13]
backendRefs: # [14]
- name: whoamitcp # [15]
weight: 1 # [16]
port: 8080 # [17]
- name: api@internal
group: traefik.io # [18]
kind: TraefikService # [19]
Ref | Attribute | Description |
---|---|---|
[1] | parentRefs |
References the resources (usually Gateways) that a Route wants to be attached to. |
[2] | name |
Name of the referent. |
[3] | namespace |
Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. |
[4] | sectionName |
Name of a section within the target resource (the Listener name). |
[5] | hostnames |
A set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. |
[6] | rules |
A list of HTTP matchers, filters and actions. |
[7] | matches |
Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied. |
[8] | path |
An HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. |
[9] | type |
Type of match against the path Value (supported types: Exact , PathPrefix ). |
[10] | value |
The value of the HTTP path to match against. |
[11] | headers |
Conditions to select a HTTP route by matching HTTP request headers. |
[12] | type |
Type of match for the HTTP request header match against the values (supported types: Exact ). |
[13] | value |
A map of HTTP Headers to be matched. It MUST contain at least one entry. |
[14] | backendRefs |
Defines the backend(s) where matching requests should be sent. |
[15] | name |
The name of the referent service. |
[16] | weight |
The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
[17] | port |
The port of the referent service. |
[18] | group |
Group is the group of the referent. Only traefik.io , traefik.containo.us and gateway.networking.k8s.io values are supported. |
[19] | kind |
Kind is kind of the referent. Only TraefikService and Service values are supported. |
Kind: TCPRoute
¶
TCPRoute
allows mapping TCP requests from a Gateway
to Kubernetes Services.
Register the TCPRoute
definition in the
Kubernetes cluster before creating TCPRoute
objects.
Declaring TCPRoute
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: tcp-app
namespace: default
spec:
parentRefs: # [1]
- name: my-tcp-gateway # [2]
namespace: default # [3]
sectionName: tcp # [4]
rules: # [5]
- backendRefs: # [6]
- name: whoamitcp # [7]
weight: 1 # [8]
port: 8080 # [9]
- name: api@internal
group: traefik.containo.us # [10]
kind: TraefikService # [11]
Ref | Attribute | Description |
---|---|---|
[1] | parentRefs |
References the resources (usually Gateways) that a Route wants to be attached to. |
[2] | name |
Name of the referent. |
[3] | namespace |
Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. |
[4] | sectionName |
Name of a section within the target resource (the Listener name). |
[5] | rules |
Rules are a list of TCP matchers and actions. |
[6] | backendRefs |
Defines the backend(s) where matching requests should be sent. |
[7] | name |
The name of the referent service. |
[8] | weight |
The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
[9] | port |
The port of the referent service. |
[10] | group |
Group is the group of the referent. Only traefik.io , traefik.containo.us and gateway.networking.k8s.io values are supported. |
[11] | kind |
Kind is kind of the referent. Only TraefikService and Service values are supported. |
Kind: TLSRoute
¶
TLSRoute
allows mapping TLS requests from a Gateway
to Kubernetes Services.
Register the TLSRoute
definition in the
Kubernetes cluster before creating TLSRoute
objects.
Declaring TLSRoute
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: tls-app
namespace: default
spec:
parentRefs: # [1]
- name: my-tls-gateway # [2]
namespace: default # [3]
sectionName: tcp # [4]
hostnames: # [5]
- whoami
rules: # [6]
- backendRefs: # [7]
- name: whoamitcp # [8]
weight: 1 # [9]
port: 8080 # [10]
- name: api@internal
group: traefik.containo.us # [11]
kind: TraefikService # [12]
Ref | Attribute | Description |
---|---|---|
[1] | parentRefs |
References the resources (usually Gateways) that a Route wants to be attached to. |
[2] | name |
Name of the referent. |
[3] | namespace |
Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. |
[4] | sectionName |
Name of a section within the target resource (the Listener name). |
[5] | hostnames |
Defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. |
[6] | rules |
Rules are a list of TCP matchers and actions. |
[7] | backendRefs |
Defines the backend(s) where matching requests should be sent. |
[8] | name |
The name of the referent service. |
[9] | weight |
The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
[10] | port |
The port of the referent service. |
[11] | group |
Group is the group of the referent. Only traefik.io , traefik.containo.us and gateway.networking.k8s.io values are supported. |
[12] | kind |
Kind is kind of the referent. Only TraefikService and Service values are supported. |
Using Traefik OSS in Production?
If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.
Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via this short video.