Traefik & Ingresses with NGINX Annotations

This provider is a Kubernetes Ingress controller that manages access to cluster services by supporting the Ingress specification. It also supports many of the ingress-nginx annotations on Ingresses, enabling teams to migrate from NGINX Ingress Controller to Traefik with minimal configuration changes.

NGINX Ingress Controller Retirement

The Kubernetes NGINX Ingress Controller project has announced its retirement in March 2026 and will no longer receive updates or security patches. Traefik provides a migration path by supporting NGINX annotations, allowing you to transition your workloads without rewriting all your Ingress configurations.

For more information about the NGINX Ingress Controller retirement, see the official Kubernetes blog announcement.

Ingress Discovery

This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.

Best Practices:

• Use IngressClass to specify which Ingresses should be handled by this provider
• Configure watchNamespace to limit discovery to specific namespaces
• Use watchNamespaceSelector to target Ingresses based on namespace labels

Configuration Example

You can enable the Kubernetes Ingress NGINX provider as detailed below:

File (YAML)

providers:
  kubernetesIngressNGINX:
    endpoint: "https://kubernetes.default.svc"
    token: "mytoken"
    certAuthFilePath: "/path/to/ca.crt"
    throttleDuration: "2s"

    # Namespace discovery
    watchNamespace: "default"
    # OR use namespace selector (mutually exclusive with watchNamespace)
    # watchNamespaceSelector: "environment=production"

    # IngressClass configuration
    ingressClass: "nginx"
    controllerClass: "k8s.io/ingress-nginx"
    watchIngressWithoutClass: false
    ingressClassByName: false

    # Status updates
    publishService: "kube-system/traefik"
    publishStatusAddress: "203.0.113.42"

    # Default backend
    defaultBackendService: "default/default-backend"

    # Security
    disableSvcExternalName: false

File (TOML)

[providers.kubernetesIngressNGINX]
  endpoint = "https://kubernetes.default.svc"
  token = "mytoken"
  certAuthFilePath = "/path/to/ca.crt"
  throttleDuration = "2s"

  # Namespace discovery
  watchNamespace = "default"
  # OR use namespace selector (mutually exclusive with watchNamespace)
  # watchNamespaceSelector = "environment=production"

  # IngressClass configuration
  ingressClass = "nginx"
  controllerClass = "k8s.io/ingress-nginx"
  watchIngressWithoutClass = false
  ingressClassByName = false

  # Status updates
  publishService = "kube-system/traefik"
  publishStatusAddress = "203.0.113.42"

  # Default backend
  defaultBackendService = "default/default-backend"

  # Security
  disableSvcExternalName = false

CLI

--providers.kubernetesingressnginx=true
--providers.kubernetesingressnginx.endpoint=https://kubernetes.default.svc
--providers.kubernetesingressnginx.token=mytoken
--providers.kubernetesingressnginx.certauthfilepath=/path/to/ca.crt
--providers.kubernetesingressnginx.throttleduration=2s
--providers.kubernetesingressnginx.watchnamespace=default
--providers.kubernetesingressnginx.ingressclass=nginx
--providers.kubernetesingressnginx.controllerclass=k8s.io/ingress-nginx
--providers.kubernetesingressnginx.watchingresswithoutclass=false
--providers.kubernetesingressnginx.ingressclassbyname=false
--providers.kubernetesingressnginx.publishservice=kube-system/traefik
--providers.kubernetesingressnginx.publishstatusaddress=203.0.113.42
--providers.kubernetesingressnginx.defaultbackendservice=default/default-backend
--providers.kubernetesingressnginx.disablesvcexternalname=false

Helm Chart Values

providers:
  kubernetesIngressNginx:
    # -- Enable Kubernetes Ingress NGINX provider
    enabled: true

    # -- Kubernetes server endpoint (required for external cluster client)
    endpoint: "https://kubernetes.default.svc"

    # -- Kubernetes bearer token (not needed for in-cluster client)
    token: "mytoken"

    # -- Kubernetes certificate authority file path (not needed for in-cluster client)
    certAuthFilePath: "/path/to/ca.crt"

    # -- Ingress refresh throttle duration
    throttleDuration: "2s"

    # Namespace discovery
    # -- Namespace the controller watches for updates to Kubernetes objects
    # When using rbac.namespaced, it will watch helm release namespace and namespaces listed in this array
    namespaces:
      - default
    # OR use namespace selector (mutually exclusive with namespaces)
    # namespaceSelector: "environment=production"

    # IngressClass configuration
    # -- Name of the ingress class this controller satisfies
    ingressClass: "nginx"
    # -- Ingress Class Controller value this controller satisfies
    controllerClass: "k8s.io/ingress-nginx"
    # -- Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified
    watchIngressWithoutClass: false
    # -- Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class
    ingressClassByName: false

    # Status updates
    # -- Service fronting the Ingress controller
    publishService:
      enabled: true
      pathOverride: "kube-system/traefik"
    # -- Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects
    publishStatusAddress: "203.0.113.42"

    # Default backend
    # -- Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'
    defaultBackendService: "default/default-backend"

    # Security
    # -- Disable support for Services of type ExternalName
    disableSvcExternalName: false

This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration, creating the corresponding routers, services, middlewares, and other components needed to route traffic to your cluster services.

Configuration Options

Field	Description	Default	Required
providers.providers ThrottleDuration	Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event. If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded. This option cannot be set per provider, but the throttling algorithm applies to each of them independently.	2s	No
providers. kubernetesIngressNGINX. endpoint	Server endpoint URL. More information here.	""	No
providers. kubernetesIngressNGINX. token	Bearer token used for the Kubernetes client configuration.	""	No
providers. kubernetesIngressNGINX. certAuthFilePath	Path to the certificate authority file. Used for the Kubernetes client configuration.	""	No
providers. kubernetesIngressNGINX. throttleDuration	Minimum amount of time to wait between two Kubernetes events before producing a new configuration. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration. If empty, every event is caught.	0s	No
providers. kubernetesIngressNGINX. watchNamespace	Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.	""	No
providers. kubernetesIngressNGINX. watchNamespaceSelector	Selector selects namespaces the controller watches for updates to Kubernetes objects.	""	No
providers. kubernetesIngressNGINX. ingressClass	Name of the ingress class this controller satisfies.	""	No
providers. kubernetesIngressNGINX. controllerClass	Ingress Class Controller value this controller satisfies.	""	No
providers. kubernetesIngressNGINX. watchIngressWithoutClass	Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.	false	No
providers. kubernetesIngressNGINX. ingressClassByName	Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class.	false	No
providers. kubernetesIngressNGINX. publishService	Service fronting the Ingress controller. Takes the form namespace/name.	""	No
providers. kubernetesIngressNGINX. publishStatusAddress	Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.	""	No
providers. kubernetesIngressNGINX. defaultBackendService	Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.	""	No
providers. kubernetesIngressNGINX. disableSvcExternalName	Disable support for Services of type ExternalName.	false	No

endpoint

The Kubernetes server endpoint URL.

When deployed into Kubernetes, Traefik reads the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT or KUBECONFIG to construct the endpoint.

The access token is looked up in /var/run/secrets/kubernetes.io/serviceaccount/token and the SSL CA certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Both are mounted automatically when deployed inside Kubernetes.

The endpoint may be specified to override the environment variable values inside a cluster.

When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.

In this case, the endpoint is required. Specifically, it may be set to the URL used by kubectl proxy to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.

File (YAML)

providers:
  kubernetesIngressNGINX:
    endpoint: "http://localhost:8080"
    # ...

File (TOML)

[providers.kubernetesIngressNGINX]
  endpoint = "http://localhost:8080"
  # ...

CLI

--providers.kubernetesingressnginx.endpoint=http://localhost:8080

Routing Configuration

See the dedicated section in routing.

---

Using Traefik OSS in Production?

If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.

• Watch our API Gateway Demo Video
• Request 24/7/365 OSS Support

Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via this short video.