Quick Start

A Use Case of Traefik Proxy and Kubernetes

This guide is an introduction to using Traefik Proxy in a Kubernetes environment.
The objective is to learn how to run an application behind a Traefik reverse proxy in Kubernetes.
It presents and explains the basic blocks required to start with Traefik such as Ingress Controller, Ingresses, Deployments, static, and dynamic configuration.

Permissions and Accesses

Traefik uses the Kubernetes API to discover running services.

To use the Kubernetes API, Traefik needs some permissions. This permission mechanism is based on roles defined by the cluster administrator.
The role is then bound to an account used by an application, in this case, Traefik Proxy.

The first step is to create the role. The ClusterRole resource enumerates the resources and actions available for the role. In a file called 00-role.yml, put the following ClusterRole:

00-role.yml

  1. kind: ClusterRole
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. metadata:
  4. name: traefik-role
  5. rules:
  6. - apiGroups:
  7. - ""
  8. resources:
  9. - services
  10. - secrets
  11. - nodes
  12. verbs:
  13. - get
  14. - list
  15. - watch
  16. - apiGroups:
  17. - discovery.k8s.io
  18. resources:
  19. - endpointslices
  20. verbs:
  21. - list
  22. - watch
  23. - apiGroups:
  24. - extensions
  25. - networking.k8s.io
  26. resources:
  27. - ingresses
  28. - ingressclasses
  29. verbs:
  30. - get
  31. - list
  32. - watch
  33. - apiGroups:
  34. - extensions
  35. - networking.k8s.io
  36. resources:
  37. - ingresses/status
  38. verbs:
  39. - update
  40. - apiGroups:
  41. - traefik.io
  42. resources:
  43. - middlewares
  44. - middlewaretcps
  45. - ingressroutes
  46. - traefikservices
  47. - ingressroutetcps
  48. - ingressrouteudps
  49. - tlsoptions
  50. - tlsstores
  51. - serverstransports
  52. - serverstransporttcps
  53. verbs:
  54. - get
  55. - list
  56. - watch

You can find the reference for this file there.

The next step is to create a dedicated service account for Traefik. In a file called 00-account.yml, put the following ServiceAccount resource:

00-account.yml

  1. apiVersion: v1
  2. kind: ServiceAccount
  3. metadata:
  4. name: traefik-account

And then, bind the role on the account to apply the permissions and rules on the latter. In a file called 01-role-binding.yml, put the following ClusterRoleBinding resource:

01-role-binding.yml

  1. kind: ClusterRoleBinding
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. metadata:
  4. name: traefik-role-binding
  5. roleRef:
  6. apiGroup: rbac.authorization.k8s.io
  7. kind: ClusterRole
  8. name: traefik-role
  9. subjects:
  10. - kind: ServiceAccount
  11. name: traefik-account
  12. namespace: default # This tutorial uses the "default" K8s namespace.

roleRef is the Kubernetes reference to the role created in 00-role.yml.

subjects is the list of accounts reference.

In this guide, it only contains the account created in 00-account.yml

Deployment and Exposition

This section can be managed with the help of the Traefik Helm chart.

The ingress controller is a software that runs in the same way as any other application on a cluster.
To start Traefik on the Kubernetes cluster, a Deployment resource must exist to describe how to configure and scale containers horizontally to support larger workloads.

Start by creating a file called 02-traefik.yml and paste the following Deployment resource:

02-traefik.yml

  1. kind: Deployment
  2. apiVersion: apps/v1
  3. metadata:
  4. name: traefik-deployment
  5. labels:
  6. app: traefik
  7. spec:
  8. replicas: 1
  9. selector:
  10. matchLabels:
  11. app: traefik
  12. template:
  13. metadata:
  14. labels:
  15. app: traefik
  16. spec:
  17. serviceAccountName: traefik-account
  18. containers:
  19. - name: traefik
  20. image: traefik:v3.3
  21. args:
  22. - --api.insecure
  23. - --providers.kubernetesingress
  24. ports:
  25. - name: web
  26. containerPort: 80
  27. - name: dashboard
  28. containerPort: 8080

The deployment contains an important attribute for customizing Traefik: args.
These arguments are the static configuration for Traefik.
From here, it is possible to enable the dashboard, configure entry points, select dynamic configuration providers, and more.

In this deployment, the static configuration enables the Traefik dashboard, and uses Kubernetes native Ingress resources as router definitions to route incoming requests.

When there is no entry point in the static configuration

Traefik creates a default one called web using the port 80 routing HTTP requests.

When enabling the api.insecure mode, Traefik exposes the dashboard on the port 8080.

A deployment manages scaling and then can create lots of containers, called Pods. Each Pod is configured following the spec field in the deployment.
Given that, a Deployment can run multiple Traefik Proxy Pods, a piece is required to forward the traffic to any of the instance: namely a Service.
Create a file called 02-traefik-services.yml and insert the two Service resources:

02-traefik-services.yml

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. name: traefik-dashboard-service
  5. spec:
  6. type: LoadBalancer
  7. ports:
  8. - port: 8080
  9. targetPort: dashboard
  10. selector:
  11. app: traefik
  12. ---
  13. apiVersion: v1
  14. kind: Service
  15. metadata:
  16. name: traefik-web-service
  17. spec:
  18. type: LoadBalancer
  19. ports:
  20. - targetPort: web
  21. port: 80
  22. selector:
  23. app: traefik

It is possible to expose a service in different ways.

Depending on your working environment and use case, the spec.type might change.
It is strongly recommended to understand the available service types before proceeding to the next step.

It is now time to apply those files on your cluster to start Traefik.

  1. kubectl apply -f 00-role.yml \
  2. -f 00-account.yml \
  3. -f 01-role-binding.yml \
  4. -f 02-traefik.yml \
  5. -f 02-traefik-services.yml

Proxying applications

The only part still missing is the business application behind the reverse proxy.
For this guide, we use the example application traefik/whoami, but the principles are applicable to any other application.

The whoami application is an HTTP server running on port 80 which answers host-related information to the incoming requests.
As usual, start by creating a file called 03-whoami.yml and paste the following Deployment resource:

03-whoami.yml

  1. kind: Deployment
  2. apiVersion: apps/v1
  3. metadata:
  4. name: whoami
  5. labels:
  6. app: whoami
  7. spec:
  8. replicas: 1
  9. selector:
  10. matchLabels:
  11. app: whoami
  12. template:
  13. metadata:
  14. labels:
  15. app: whoami
  16. spec:
  17. containers:
  18. - name: whoami
  19. image: traefik/whoami
  20. ports:
  21. - name: web
  22. containerPort: 80

And continue by creating the following Service resource in a file called 03-whoami-services.yml:

03-whoami-services.yml

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. name: whoami
  5. spec:
  6. ports:
  7. - name: web
  8. port: 80
  9. targetPort: web
  10. selector:
  11. app: whoami

Thanks to the Kubernetes API, Traefik is notified when an Ingress resource is created, updated, or deleted.
This makes the process dynamic.
The ingresses are, in a way, the dynamic configuration for Traefik.

Tip

Find more information on ingress controller, and Ingress in the official Kubernetes documentation.

Create a file called 04-whoami-ingress.yml and insert the Ingress resource:

04-whoami-ingress.yml

  1. apiVersion: networking.k8s.io/v1
  2. kind: Ingress
  3. metadata:
  4. name: whoami-ingress
  5. spec:
  6. rules:
  7. - http:
  8. paths:
  9. - path: /
  10. pathType: Prefix
  11. backend:
  12. service:
  13. name: whoami
  14. port:
  15. name: web

This Ingress configures Traefik to redirect any incoming requests starting with / to the whoami:80 service.

At this point, all the configurations are ready. It is time to apply those new files:

  1. kubectl apply -f 03-whoami.yml \
  2. -f 03-whoami-services.yml \
  3. -f 04-whoami-ingress.yml

Now you should be able to access the whoami application and the Traefik dashboard. Load the dashboard on a web browser: http://localhost:8080.

And now access the whoami application:

  1. curl -v http://localhost/

Going further


Using Traefik OSS in Production?

If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.

Adding API Gateway capabilities to Traefik OSS is fast and seamless. There’s no rip and replace and all configurations remain intact. See it in action via this short video.