Traefik & Kubernetes

The Kubernetes Gateway API, The Experimental Way.

Configuration Examples

Configuring Kubernetes Gateway provider and Deploying/Exposing Services

Gateway API

    ---
    kind: GatewayClass
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-gateway-class
    spec:
      controller: traefik.io/gateway-controller
    ---
    kind: Gateway
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-gateway
    spec:
      gatewayClassName: my-gateway-class
      listeners:
        - protocol: HTTPS
          port: 443
          tls:
            certificateRef:
              group: "core"
              kind: "Secret"
              name: "mysecret"
          routes:
            kind: HTTPRoute
            selector:
              matchLabels:
                app: foo
    ---
    kind: HTTPRoute
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: http-app-1
      namespace: default
      labels:
        app: foo
    spec:
      hostnames:
        - "whoami"
      rules:
        - matches:
            - path:
                type: Exact
                value: /foo
          forwardTo:
            - serviceName: whoami
              port: 80
              weight: 1

Whoami Service

    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: whoami
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: whoami
      template:
        metadata:
          labels:
            app: whoami
        spec:
          containers:
            - name: whoami
              image: traefik/whoami
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: whoami
    spec:
      ports:
        - protocol: TCP
          port: 80
      selector:
        app: whoami

Traefik Service

    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-controller
    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: traefik
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: traefik-lb
      template:
        metadata:
          labels:
            app: traefik-lb
        spec:
          serviceAccountName: traefik-controller
          containers:
            - name: traefik
              # With IfNotPresent, :latest runs whatever copy the node has cached;
              # pin a version tag or digest for reproducible deployments.
              image: traefik/traefik:latest
              imagePullPolicy: IfNotPresent
              args:
                - --entrypoints.web.address=:80
                - --entrypoints.websecure.address=:443
                # Enable the experimental Gateway API support and its provider.
                - --experimental.kubernetesgateway
                - --providers.kubernetesgateway
              ports:
                - name: web
                  containerPort: 80
                - name: websecure
                  containerPort: 443
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: traefik
    spec:
      selector:
        app: traefik-lb
      ports:
        - protocol: TCP
          port: 80
          targetPort: web
          name: web
        - protocol: TCP
          port: 443
          targetPort: websecure
          name: websecure
      type: LoadBalancer

RBAC

    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: gateway-role
    rules:
      # Read access to Services, Endpoints and Secrets in every namespace
      # (this is a ClusterRole bound with a ClusterRoleBinding).
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      # Read access to the Gateway API resources.
      - apiGroups:
          - networking.x-k8s.io
        resources:
          - gatewayclasses
          - gateways
          - httproutes
          - tcproutes
          - tlsroutes
        verbs:
          - get
          - list
          - watch
      # Write access limited to the status subresources.
      - apiGroups:
          - networking.x-k8s.io
        resources:
          - gatewayclasses/status
          - gateways/status
          - httproutes/status
          - tcproutes/status
          - tlsroutes/status
        verbs:
          - update
    ---
    kind: ClusterRoleBinding
    # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 matches the ClusterRole above.
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: gateway-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: gateway-role
    subjects:
      - kind: ServiceAccount
        name: traefik-controller
        namespace: default

Routing Configuration

Custom Resource Definition (CRD)

  • You can find an exhaustive list of the custom resources and their attributes in the reference page or in the Kubernetes Sigs Gateway API repository.
  • Validate that the prerequisites are fulfilled before using the Traefik Kubernetes Gateway Provider.

You can find an excerpt of the supported Kubernetes Gateway API resources in the table below:

| Kind | Purpose | Concept Behind |
|------|---------|----------------|
| GatewayClass | Defines a set of Gateways that share a common configuration and behaviour | GatewayClass |
| Gateway | Describes how traffic can be translated to Services within the cluster | Gateway |
| HTTPRoute | HTTP rules for mapping requests from a Gateway to Kubernetes Services | Route |
| TCPRoute | Allows mapping TCP requests from a Gateway to Kubernetes Services | Route |
| TLSRoute | Allows mapping TLS requests from a Gateway to Kubernetes Services | Route |

Kind: GatewayClass

GatewayClass is a cluster-scoped resource defined by the infrastructure provider. This resource represents a class of Gateways that can be instantiated. More details are available in the official GatewayClass documentation.

The GatewayClass should be declared by the infrastructure provider; otherwise, register the GatewayClass definition in the Kubernetes cluster before creating GatewayClass objects.

Declaring GatewayClass

    kind: GatewayClass
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-gateway-class
    spec:
      # Controller is a domain/path string that indicates
      # the controller that is managing Gateways of this class.
      controller: traefik.io/gateway-controller

Kind: Gateway

A Gateway is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, some load balancing infrastructure is provisioned or configured by the GatewayClass controller. More details are available in the official Gateway documentation.

Register the Gateway definition in the Kubernetes cluster before creating Gateway objects.

Depending on the Listener Protocol, different modes and Route types are supported.

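| Listener Protocol | TLS Mode | Route Type Supported |
|-------------------|----------|----------------------|
| TCP | Not applicable | TCPRoute |
| TLS | Passthrough | TLSRoute |
| TLS | Terminate | TCPRoute |
| HTTP | Not applicable | HTTPRoute |
| HTTPS | Terminate | HTTPRoute |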

Declaring Gateway

HTTP Listener

    kind: Gateway
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-http-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class  # [1]
      listeners:                          # [2]
        - protocol: HTTP                  # [3]
          port: 80                        # [4]
          routes:                         # [8]
            kind: HTTPRoute               # [9]
            selector:                     # [10]
              matchLabels:                # [11]
                app: foo

HTTPS Listener

    kind: Gateway
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-https-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class  # [1]
      listeners:                          # [2]
        - protocol: HTTPS                 # [3]
          port: 443                       # [4]
          tls:                            # [6]
            certificateRef:               # [7]
              group: "core"
              kind: "Secret"
              name: "mysecret"
          routes:                         # [8]
            kind: HTTPRoute               # [9]
            selector:                     # [10]
              matchLabels:                # [11]
                app: foo

TCP Listener

    kind: Gateway
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-tcp-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class  # [1]
      listeners:                          # [2]
        - protocol: TCP                   # [3]
          port: 8000                      # [4]
          routes:                         # [8]
            kind: TCPRoute                # [9]
            selector:                     # [10]
              matchLabels:                # [11]
                app: footcp

TLS Listener

    kind: Gateway
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-tls-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class  # [1]
      listeners:                          # [2]
        - protocol: TLS                   # [3]
          port: 443                       # [4]
          hostname: foo.com               # [5]
          tls:                            # [6]
            certificateRef:               # [7]
              group: "core"
              kind: "Secret"
              name: "mysecret"
          routes:                         # [8]
            kind: TLSRoute                # [9]
            selector:                     # [10]
              matchLabels:                # [11]
                app: footcp

| Ref | Attribute | Description |
|-----|-----------|-------------|
| [1] | gatewayClassName | GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. |
| [2] | listeners | Logical endpoints that are bound on this Gateway’s addresses. At least one Listener MUST be specified. |
| [3] | protocol | The network protocol this listener expects to receive (only HTTP and HTTPS are implemented). |
| [4] | port | The network port. |
| [5] | hostname | Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, “”, or *, all hostnames are matched. |
| [6] | tls | TLS configuration for the Listener. This field is required if the Protocol field is “HTTPS” or “TLS” and ignored otherwise. |
| [7] | certificateRef | The reference to Kubernetes object that contains a TLS certificate and private key. |
| [8] | routes | A schema for associating routes with the Listener using selectors. |
| [9] | kind | The kind of the referent. |
| [10] | selector | Routes in namespaces selected by the selector may be used by this Gateway routes to associate with the Gateway. |
| [11] | matchLabels | A set of route labels used for selecting routes to associate with the Gateway. |
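
A pre-deployment check for the listener rules in this section (the Listener Protocol / TLS Mode / Route Type table, the `tls` requirement in [6], and label selection in [8] to [11]). This is an added example, not Traefik's code; the function names are hypothetical, and the `mode` key under `tls` with its `Terminate` default is assumed from the Gateway API v1alpha1 spec rather than taken from this page's manifests.

```python
# Added example, not Traefik's code. The listener and route dicts are constructed.

# (listener protocol, TLS mode) -> supported route kind, from the table above.
SUPPORTED = {
    ("TCP", None): "TCPRoute",
    ("TLS", "Passthrough"): "TLSRoute",
    ("TLS", "Terminate"): "TCPRoute",
    ("HTTP", None): "HTTPRoute",
    ("HTTPS", "Terminate"): "HTTPRoute",
}

def lint_listener(listener):
    """Return a list of problems found in one Gateway listener."""
    proto, tls = listener.get("protocol"), listener.get("tls")
    needs_tls = proto in ("HTTPS", "TLS")  # [6]: tls is ignored otherwise
    if needs_tls and not tls:
        return [f"{proto} listener on port {listener.get('port')} has no tls block"]
    # Assumption: tls.mode defaults to Terminate when omitted.
    mode = tls.get("mode", "Terminate") if needs_tls else None
    problems = []
    if mode == "Terminate" and not tls.get("certificateRef"):
        problems.append(f"{proto} listener terminates TLS without a certificateRef")
    expected = SUPPORTED.get((proto, mode))
    kind = listener.get("routes", {}).get("kind")
    if expected is None:
        problems.append(f"unsupported protocol/mode {proto}/{mode}")
    elif kind != expected:
        problems.append(f"{proto}/{mode} listener expects {expected}, got {kind}")
    return problems

def selected_routes(listener, routes):
    """Names of routes whose kind and labels satisfy the listener's selector."""
    want = listener["routes"]
    labels = want.get("selector", {}).get("matchLabels", {})
    return [r["metadata"]["name"] for r in routes
            if r["kind"] == want["kind"]
            and all(r["metadata"].get("labels", {}).get(k) == v for k, v in labels.items())]

CERT = {"group": "core", "kind": "Secret", "name": "mysecret"}
HTTPS_OK = {"protocol": "HTTPS", "port": 443, "tls": {"certificateRef": CERT},
            "routes": {"kind": "HTTPRoute", "selector": {"matchLabels": {"app": "foo"}}}}
HTTPS_NO_TLS = {"protocol": "HTTPS", "port": 443, "routes": {"kind": "HTTPRoute"}}
PASSTHROUGH_TCP = {"protocol": "TLS", "port": 443, "tls": {"mode": "Passthrough"},
                   "routes": {"kind": "TCPRoute"}}
ROUTES = [  # constructed route objects, metadata only
    {"kind": "HTTPRoute", "metadata": {"name": "http-app-1", "labels": {"app": "foo"}}},
    {"kind": "HTTPRoute", "metadata": {"name": "http-app-2", "labels": {"app": "bar"}}},
    {"kind": "TCPRoute", "metadata": {"name": "tcp-app-1", "labels": {"app": "foo"}}},
]
```

`selected_routes` also shows which routes a listener will pick up by label alone, which is worth reviewing because any route carrying the selected labels is attached to the Gateway.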

Kind: HTTPRoute

HTTPRoute defines HTTP rules for mapping requests from a Gateway to Kubernetes Services.

Register the HTTPRoute definition in the Kubernetes cluster before creating HTTPRoute objects.

Declaring HTTPRoute

    kind: HTTPRoute
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: http-app-1
      namespace: default
      labels:                                # [1]
        app: foo
    spec:
      hostnames:                             # [2]
        - "whoami"
      rules:                                 # [3]
        - matches:                           # [4]
            - path:                          # [5]
                type: Exact                  # [6]
                value: /bar                  # [7]
            - headers:                       # [8]
                type: Exact                  # [9]
                values:                      # [10]
                  foo: bar
          forwardTo:                         # [11]
            - serviceName: whoami            # [12]
              weight: 1                      # [13]
              port: 80                       # [14]
            - backendRef:                    # [15]
                group: traefik.containo.us   # [16]
                kind: TraefikService         # [17]
                name: api@internal           # [18]
              port: 80
              weight: 1

| Ref | Attribute | Description |
|-----|-----------|-------------|
| [1] | labels | Labels to match with the Gateway labelselector. |
| [2] | hostnames | A set of hostnames that should match against the HTTP Host header to select an HTTPRoute to process the request. |
| [3] | rules | A list of HTTP matchers, filters and actions. |
| [4] | matches | Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied. |
| [5] | path | An HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. |
| [6] | type | Type of match against the path Value (supported types: Exact, Prefix). |
| [7] | value | The value of the HTTP path to match against. |
| [8] | headers | Conditions to select an HTTP route by matching HTTP request headers. |
| [9] | type | Type of match for the HTTP request header match against the values (supported types: Exact). |
| [10] | values | A map of HTTP Headers to be matched. It MUST contain at least one entry. |
| [11] | forwardTo | The upstream target(s) where the request should be sent. |
| [12] | serviceName | The name of the referent service. |
| [13] | weight | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
| [14] | port | The port of the referent service. |
| [15] | backendRef | The BackendRef is a reference to a backend (API object within a known namespace) to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. Only TraefikService is supported. |
| [16] | group | Group is the group of the referent. Only traefik.containo.us value is supported. |
| [17] | kind | Kind is kind of the referent. Only TraefikService value is supported. |
| [18] | name | Name is the name of the referent. |
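
How the match semantics in [4], [5] and [13] play out for the HTTPRoute above, as an added example (a model written for this page, not Traefik's code). The function names are hypothetical; exact Host comparison, plain string prefix matching, and ANDing the conditions inside one match entry are assumptions. Because the second match entry has no `path`, it applies to every path on the host when the `foo: bar` header is present, and half of the matched traffic goes to `api@internal`.

```python
# Added example, not Traefik's code: a model of the matching rules described above.
# RULE and HOSTNAMES are the HTTPRoute from this page, written as parsed YAML.
RULE = {
    "matches": [
        {"path": {"type": "Exact", "value": "/bar"}},
        {"headers": {"type": "Exact", "values": {"foo": "bar"}}},
    ],
    "forwardTo": [
        {"serviceName": "whoami", "weight": 1, "port": 80},
        {"backendRef": {"group": "traefik.containo.us", "kind": "TraefikService",
                        "name": "api@internal"}, "port": 80, "weight": 1},
    ],
}
HOSTNAMES = ["whoami"]

def match_one(match, path, headers):
    """Conditions inside a single match entry must all hold (AND)."""
    # [5]: a missing path means a default Prefix match on "/".
    p = match.get("path", {"type": "Prefix", "value": "/"})
    if p["type"] == "Exact":
        path_ok = path == p["value"]
    else:  # Prefix; assumption: plain string prefix
        path_ok = path.startswith(p["value"])
    wanted = match.get("headers", {}).get("values", {})
    # HTTP header names are case-insensitive, so compare them lowercased.
    got = {k.lower(): v for k, v in headers.items()}
    headers_ok = all(got.get(k.lower()) == v for k, v in wanted.items())
    return path_ok and headers_ok

def rule_matches(rule, hostnames, host, path, headers):
    """[4]: entries in `matches` are independent; any satisfied one selects the rule."""
    # Assumption: hostnames are compared exactly against the Host header.
    if hostnames and host not in hostnames:
        return False
    return any(match_one(m, path, headers) for m in rule["matches"])

def traffic_share(rule):
    """[13]: share per target = weight / sum of all weights."""
    total = sum(t["weight"] for t in rule["forwardTo"])
    return {t.get("serviceName") or t["backendRef"]["name"]: t["weight"] / total
            for t in rule["forwardTo"]}

if __name__ == "__main__":
    # Constructed requests: (host, path, headers)
    for req in [("whoami", "/bar", {}), ("whoami", "/admin", {"Foo": "bar"}),
                ("whoami", "/admin", {})]:
        print(req, "->", rule_matches(RULE, HOSTNAMES, *req))
    print(traffic_share(RULE))
```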

Kind: TCPRoute

TCPRoute allows mapping TCP requests from a Gateway to Kubernetes Services.

Register the TCPRoute definition in the Kubernetes cluster before creating TCPRoute objects.

Declaring TCPRoute

    kind: TCPRoute
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: tcp-app-1
      namespace: default
      labels:                                # [1]
        app: tcp-app-1
    spec:
      rules:                                 # [2]
        - forwardTo:                         # [3]
            - serviceName: whoamitcp         # [4]
              weight: 1                      # [5]
              port: 8080                     # [6]
            - backendRef:                    # [7]
                group: traefik.containo.us   # [8]
                kind: TraefikService         # [9]
                name: api@internal           # [10]

| Ref | Attribute | Description |
|-----|-----------|-------------|
| [1] | labels | Labels to match with the Gateway labelselector. |
| [2] | rules | Rules are a list of TCP matchers and actions. |
| [3] | forwardTo | The upstream target(s) where the request should be sent. |
| [4] | serviceName | The name of the referent service. |
| [5] | weight | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
| [6] | port | The port of the referent service. |
| [7] | backendRef | The BackendRef is a reference to a backend (API object within a known namespace) to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. Only TraefikService is supported. |
| [8] | group | Group is the group of the referent. Only traefik.containo.us value is supported. |
| [9] | kind | Kind is kind of the referent. Only TraefikService value is supported. |
| [10] | name | Name is the name of the referent. |

Kind: TLSRoute

TLSRoute allows mapping TLS requests from a Gateway to Kubernetes Services.

Register the TLSRoute definition in the Kubernetes cluster before creating TLSRoute objects.

Declaring TLSRoute

    kind: TLSRoute
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: tls-app-1
      namespace: default
      labels:                                # [1]
        app: tls-app-1
    spec:
      rules:                                 # [2]
        - forwardTo:                         # [3]
            - serviceName: whoamitcp         # [4]
              weight: 1                      # [5]
              port: 8080                     # [6]
            - backendRef:                    # [7]
                group: traefik.containo.us   # [8]
                kind: TraefikService         # [9]
                name: api@internal           # [10]

| Ref | Attribute | Description |
|-----|-----------|-------------|
| [1] | labels | Labels to match with the Gateway labelselector. |
| [2] | rules | Rules are a list of TCP matchers and actions. |
| [3] | forwardTo | The upstream target(s) where the request should be sent. |
| [4] | serviceName | The name of the referent service. |
| [5] | weight | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). |
| [6] | port | The port of the referent service. |
| [7] | backendRef | The BackendRef is a reference to a backend (API object within a known namespace) to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. Only TraefikService is supported. |
| [8] | group | Group is the group of the referent. Only traefik.containo.us value is supported. |
| [9] | kind | Kind is kind of the referent. Only TraefikService value is supported. |
| [10] | name | Name is the name of the referent. |