2019-03-19 16:44:06 +01:00
# Traefik & Kubernetes
The Kubernetes Ingress Controller, The Custom Resource Way.
{: .subtitle }
2019-03-27 15:16:04 +01:00
<!--
TODO (Link "Kubernetes Ingress controller" to ./kubernetes-ingress.md)
-->
2019-03-19 16:44:06 +01:00
The Traefik Kubernetes provider used to be a Kubernetes Ingress controller in the strict sense of the term; that is to say,
it would manage access to a cluster services by supporting the [Ingress ](https://kubernetes.io/docs/concepts/services-networking/ingress/ ) specification.
However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
we ended up writing a [Custom Resource Definition ](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/ ) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
2019-04-17 11:48:05 +02:00
## Provider Configuration
### `endpoint`
_Optional, Default=empty_
2019-07-02 17:36:04 +02:00
```toml tab="File (TOML)"
[providers.kubernetesCRD]
endpoint = "http://localhost:8080"
# ...
```
```yaml tab="File (YAML)"
providers:
kubernetesCRD:
endpoint = "http://localhost:8080"
# ...
```
```bash tab="CLI"
--providers.kubernetescrd.endpoint="http://localhost:8080"
```
2019-04-17 11:48:05 +02:00
The Kubernetes server endpoint as URL.
When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` .
Both are provided mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
### `token`
_Optional, Default=empty_
2019-07-02 17:36:04 +02:00
```toml tab="File (TOML)"
2019-07-01 11:30:05 +02:00
[providers.kubernetesCRD]
2019-04-17 11:48:05 +02:00
token = "mytoken"
# ...
```
2019-07-02 17:36:04 +02:00
```yaml tab="File (YAML)"
providers:
kubernetesCRD:
token = "mytoken"
# ...
```
```bash tab="CLI"
2019-04-17 11:48:05 +02:00
--providers.kubernetescrd.token="mytoken"
```
2019-07-02 17:36:04 +02:00
Bearer token used for the Kubernetes client configuration.
2019-04-17 11:48:05 +02:00
### `certAuthFilePath`
_Optional, Default=empty_
2019-07-02 17:36:04 +02:00
```toml tab="File (TOML)"
2019-07-01 11:30:05 +02:00
[providers.kubernetesCRD]
2019-04-17 11:48:05 +02:00
certAuthFilePath = "/my/ca.crt"
# ...
```
2019-07-02 17:36:04 +02:00
```yaml tab="File (YAML)"
providers:
kubernetesCRD:
certAuthFilePath: "/my/ca.crt"
# ...
```
```bash tab="CLI"
2019-04-17 11:48:05 +02:00
--providers.kubernetescrd.certauthfilepath="/my/ca.crt"
```
2019-07-02 17:36:04 +02:00
Path to the certificate authority file.
Used for the Kubernetes client configuration.
2019-04-17 11:48:05 +02:00
### `namespaces`
_Optional, Default: all namespaces (empty array)_
2019-07-02 17:36:04 +02:00
```toml tab="File (TOML)"
2019-07-01 11:30:05 +02:00
[providers.kubernetesCRD]
2019-04-17 11:48:05 +02:00
namespaces = ["default", "production"]
# ...
```
2019-07-02 17:36:04 +02:00
```yaml tab="File (YAML)"
providers:
kubernetesCRD:
namespaces:
- "default"
- "production"
# ...
```
```bash tab="CLI"
2019-04-17 11:48:05 +02:00
--providers.kubernetescrd.namespaces="default,production"
```
2019-07-02 17:36:04 +02:00
Array of namespaces to watch.
2019-04-17 11:48:05 +02:00
### `labelselector`
_Optional,Default: empty (process all Ingresses)_
2019-07-02 17:36:04 +02:00
```toml tab="File (TOML)"
2019-07-01 11:30:05 +02:00
[providers.kubernetesCRD]
2019-04-17 11:48:05 +02:00
labelselector = "A and not B"
# ...
```
2019-07-02 17:36:04 +02:00
```yaml tab="File (YAML)"
providers:
kubernetesCRD:
labelselector: "A and not B"
# ...
```
```bash tab="CLI"
2019-04-17 11:48:05 +02:00
--providers.kubernetescrd.labelselector="A and not B"
```
2019-07-02 17:36:04 +02:00
By default, Traefik processes all Ingress objects in the configured namespaces.
A label selector can be defined to filter on specific Ingress objects only.
2019-04-17 11:48:05 +02:00
2019-07-02 17:36:04 +02:00
See [label-selectors ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors ) for details.
2019-04-17 11:48:05 +02:00
2019-07-02 17:36:04 +02:00
### `ingressClass`
2019-04-17 11:48:05 +02:00
2019-07-02 17:36:04 +02:00
_Optional, Default: empty_
2019-04-17 11:48:05 +02:00
2019-07-02 17:36:04 +02:00
```toml tab="File (TOML)"
2019-07-01 11:30:05 +02:00
[providers.kubernetesCRD]
2019-04-17 11:48:05 +02:00
ingressClass = "traefik-internal"
# ...
```
2019-07-02 17:36:04 +02:00
```yaml tab="File (YAML)"
providers:
kubernetesCRD:
ingressClass: "traefik-internal"
# ...
```
```bash tab="CLI"
2019-04-17 11:48:05 +02:00
--providers.kubernetescrd.ingressclass="traefik-internal"
```
2019-07-02 17:36:04 +02:00
Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
2019-04-17 11:48:05 +02:00
## Resource Configuration
If you're in a hurry, maybe you'd rather go through the [dynamic ](../reference/dynamic-configuration/kubernetes-crd.md ) configuration reference.
### Traefik IngressRoute definition
2019-03-19 16:44:06 +01:00
```yaml
--8< -- " content / providers / crd_ingress_route . yml "
```
2019-06-11 15:12:04 +02:00
That `IngressRoute` kind can then be used to define an `IngressRoute` object, such as in:
2019-03-19 16:44:06 +01:00
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
2019-05-27 16:24:04 +08:00
name: ingressroutefoo
2019-03-19 16:44:06 +01:00
spec:
2019-04-15 11:14:05 +02:00
entryPoints:
2019-03-19 16:44:06 +01:00
- web
routes:
# Match is the rule corresponding to an underlying router.
# Later on, match could be the simple form of a path prefix, e.g. just "/bar",
# but for now we only support a traefik style matching rule.
- match: Host(`foo.com` ) && PathPrefix(`/bar` )
# kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
# "Parameter", etc, to support simpler forms of rule matching, but for now we
# only support "Rule".
kind: Rule
# Priority disambiguates rules of the same length, for route matching.
priority: 12
services:
- name: whoami
port: 80
2019-06-11 15:12:04 +02:00
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroutetcpfoo.crd
spec:
entryPoints:
- footcp
routes:
# Match is the rule corresponding to an underlying router.
- match: HostSNI(`*` )
services:
- name: whoamitcp
port: 8080
2019-03-19 16:44:06 +01:00
```
2019-04-17 11:48:05 +02:00
### Middleware
2019-03-19 16:44:06 +01:00
Additionally, to allow for the use of middlewares in an `IngressRoute` , we defined the CRD below for the `Middleware` kind.
```yaml
--8< -- " content / providers / crd_middlewares . yml "
```
Once the `Middleware` kind has been registered with the Kubernetes cluster, it can then be used in `IngressRoute` definitions, such as:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: stripprefix
2019-06-26 14:14:05 +02:00
namespace: foo
2019-03-19 16:44:06 +01:00
spec:
2019-04-15 11:14:05 +02:00
stripPrefix:
2019-03-19 16:44:06 +01:00
prefixes:
- /stripit
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
2019-05-27 16:24:04 +08:00
name: ingressroutebar
2019-03-19 16:44:06 +01:00
spec:
2019-04-15 11:14:05 +02:00
entryPoints:
2019-03-19 16:44:06 +01:00
- web
routes:
- match: Host(`bar.com` ) && PathPrefix(`/stripit` )
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: stripprefix
2019-06-26 14:14:05 +02:00
namespace: foo
2019-03-19 16:44:06 +01:00
```
2019-06-26 14:14:05 +02:00
!!! important "Cross-provider namespace"
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource
(in the reference to the middleware) with the [provider namespace ](../middlewares/overview.md#provider-namespace ),
when the definition of the middleware is from another provider.
In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored.
2019-04-29 19:36:07 +02:00
More information about available middlewares in the dedicated [middlewares section ](../middlewares/overview.md ).
2019-06-26 14:14:05 +02:00
### TLS Option
2019-06-21 17:18:05 +02:00
2019-06-26 14:14:05 +02:00
Additionally, to allow for the use of TLS options in an IngressRoute, we defined the CRD below for the TLSOption kind.
2019-06-21 17:18:05 +02:00
More information about TLS Options is available in the dedicated [TLS Configuration Options ](../../https/tls/#tls-options ).
```yaml
--8< -- " content / providers / crd_tls_option . yml "
```
Once the TLSOption kind has been registered with the Kubernetes cluster or defined in the File Provider, it can then be used in IngressRoute definitions, such as:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: mytlsoption
namespace: default
spec:
2019-07-12 17:50:04 +02:00
minVersion: VersionTLS12
2019-06-21 17:18:05 +02:00
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- web
routes:
- match: Host(`bar.com` ) && PathPrefix(`/stripit` )
kind: Rule
services:
- name: whoami
port: 80
tls:
options:
name: mytlsoption
namespace: default
```
2019-06-26 14:14:05 +02:00
!!! important "References and namespaces"
2019-06-21 17:18:05 +02:00
If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
2019-06-26 14:14:05 +02:00
Additionally, when the definition of the TLS option is from another provider,
the cross-provider syntax (`middlewarename@provider` ) should be used to refer to the TLS option,
just as in the [middleware case ](../middlewares/overview.md#provider-namespace ).
Specifying a namespace attribute in this case would not make any sense, and will be ignored.
2019-04-17 11:48:05 +02:00
### TLS
2019-03-19 16:44:06 +01:00
To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute` :
```yaml
apiVersion: v1
kind: Secret
metadata:
name: supersecret
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
2019-05-27 16:24:04 +08:00
name: ingressroutetls
2019-03-19 16:44:06 +01:00
spec:
entryPoints:
- web
routes:
- match: Host(`foo.com` ) && PathPrefix(`/bar` )
kind: Rule
services:
- name: whoami
port: 443
tls:
secretName: supersecret
```
2019-03-27 15:16:04 +01:00
## Further
Also see the [full example ](../user-guides/crd-acme/index.md ) with Let's Encrypt.