Migration: Steps needed between the versions

v3.0 to v3.1

Kubernetes Provider RBACs

Starting with v3.1, the Kubernetes Providers now use the EndpointSlices API (Kubernetes >=v1.21) to discover service endpoint addresses. It also brings NodePort load-balancing which requires Nodes resources lookup.

Therefore, in the corresponding RBACs (see KubernetesIngress, KubernetesCRD, and KubernetesGateway provider RBACs):

  • the endpoints right has to be removed and the following endpointslices right has to be added:
  1.   ... 
  2.   - apiGroups:
  3.       - discovery.k8s.io
  4.     resources:
  5.       - endpointslices
  6.     verbs:
  7.       - list
  8.       - watch
  9.   ...
  • the nodes right has to be added:
  1.   ...
  2.   - apiGroups:
  3.       - ""
  4.     resources:
  5.       - nodes
  6.     verbs:
  7.       - get
  8.       - list
  9.       - watch
  10.   ...

Gateway API: KubernetesGateway Provider

In v3.1, the KubernetesGateway Provider is no longer an experimental feature. It can be enabled without the associated experimental.kubernetesgateway option, which is now deprecated.

An example of the experimental kubernetesgateway option

File (YAML)

  1. experimental:
  2.   kubernetesgateway: true

File (TOML)

  1. [experimental]
  2.     kubernetesgateway=true

CLI

  1. --experimental.kubernetesgateway=true
Remediation

The kubernetesgateway option should be removed from the experimental section of the static configuration. To configure kubernetesgateway, please check out the KubernetesGateway Provider documentation.

v3.1.0 to v3.1.1

IngressClass Lookup

The Kubernetes Ingress provider option disableIngressClassLookup has been deprecated in v3.1.1, and will be removed in the next major version. Please use the disableClusterScopeResources option instead to avoid cluster scope resources discovery (IngressClass, Nodes).

v3.1 to v3.2

Kubernetes CRD Provider

Starting with v3.2, the CRDs has been updated on TraefikService (PR #11032), on RateLimit & InFlightReq middlewares (PR #9747) and on Compress middleware (PR #10943).

This update adds only new optional fields. CRDs can be updated with this command:

  1. kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

Kubernetes Gateway Provider Standard Channel

Starting with v3.2, the Kubernetes Gateway Provider now supports GRPCRoute.

Therefore, in the corresponding RBACs (see KubernetesGateway provider RBACs), the grcroutes and grpcroutes/status rights have to be added.

  1.   ...
  2.   - apiGroups:
  3.       - gateway.networking.k8s.io
  4.     resources:
  5.       - grpcroutes
  6.     verbs:
  7.       - get
  8.       - list
  9.       - watch
  10.   - apiGroups:
  11.       - gateway.networking.k8s.io
  12.     resources:
  13.       - grpcroutes/status
  14.     verbs:
  15.       - update
  16.   ...

Kubernetes Gateway Provider Experimental Channel

Breaking changes

Because of a breaking change introduced in Kubernetes Gateway v1.2.0-rc1, Traefik v3.2 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.

Starting with v3.2, the Kubernetes Gateway Provider now supports BackendTLSPolicy.

Therefore, in the corresponding RBACs (see KubernetesGateway provider RBACs), the configmaps, backendtlspolicies and backendtlspolicies/status rights have to be added.

  1.   ...
  2.   - apiGroups:
  3.       - ""
  4.     resources:
  5.       - configmaps
  6.     verbs:
  7.       - get
  8.       - list
  9.       - watch
  10.   - apiGroups:
  11.       - gateway.networking.k8s.io
  12.     resources:
  13.       - backendtlspolicies
  14.     verbs:
  15.       - get
  16.       - list
  17.       - watch
  18.   - apiGroups:
  19.       - gateway.networking.k8s.io
  20.     resources:
  21.       - backendtlspolicies/status
  22.     verbs:
  23.       - update
  24.   ...