2022-04-15 13:44:08 +00:00
---
title: "Kubernetes Ingress Routing Configuration"
description: "Understand the routing configuration for the Kubernetes Ingress Controller and Traefik Proxy. Read the technical documentation."
---
2020-01-14 14:48:06 +00:00
# Traefik & Kubernetes
The Kubernetes Ingress Controller.
{: .subtitle }
## Routing Configuration
The provider then watches for incoming ingresses events, such as the example below,
and derives the corresponding dynamic configuration from it,
which in turn will create the resulting routers, services, handlers, etc.
2020-03-09 12:48:06 +00:00
## Configuration Example
2020-01-14 14:48:06 +00:00
2020-03-09 12:48:06 +00:00
??? example "Configuring Kubernetes Ingress Controller"
2021-06-18 22:08:08 +00:00
2020-03-09 12:48:06 +00:00
```yaml tab="RBAC"
---
2021-10-21 07:44:12 +00:00
apiVersion: rbac.authorization.k8s.io/v1
2020-03-09 12:48:06 +00:00
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
2020-09-15 16:34:04 +00:00
- networking.k8s.io
2020-03-09 12:48:06 +00:00
resources:
- ingresses
2020-09-15 16:34:04 +00:00
- ingressclasses
2020-03-09 12:48:06 +00:00
verbs:
- get
- list
- watch
- apiGroups:
- extensions
2022-09-02 10:18:08 +00:00
- networking.k8s.io
2020-03-09 12:48:06 +00:00
resources:
- ingresses/status
verbs:
- update
2021-06-18 22:08:08 +00:00
2020-03-09 12:48:06 +00:00
---
2021-10-21 07:44:12 +00:00
apiVersion: rbac.authorization.k8s.io/v1
2020-03-09 12:48:06 +00:00
kind: ClusterRoleBinding
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
```
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
```yaml tab="Ingress"
2021-10-21 07:44:12 +00:00
apiVersion: networking.k8s.io/v1
2020-01-14 14:48:06 +00:00
kind: Ingress
metadata:
2020-03-09 12:48:06 +00:00
name: myingress
2020-01-14 14:48:06 +00:00
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
spec:
rules:
2020-03-13 21:50:05 +00:00
- host: example.com
2020-03-09 12:48:06 +00:00
http:
paths:
- path: /bar
2021-10-21 07:44:12 +00:00
pathType: Exact
2020-03-09 12:48:06 +00:00
backend:
2021-10-21 07:44:12 +00:00
service:
name: whoami
port:
number: 80
2020-03-09 12:48:06 +00:00
- path: /foo
2021-10-21 07:44:12 +00:00
pathType: Exact
2020-03-09 12:48:06 +00:00
backend:
2021-10-21 07:44:12 +00:00
service:
name: whoami
port:
number: 80
2020-01-14 14:48:06 +00:00
```
2021-10-21 07:44:12 +00:00
2020-03-09 12:48:06 +00:00
```yaml tab="Traefik"
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
2021-06-18 22:08:08 +00:00
2020-03-09 12:48:06 +00:00
---
apiVersion: apps/v1
2021-10-21 07:44:12 +00:00
kind: Deployment
2020-03-09 12:48:06 +00:00
metadata:
name: traefik
labels:
app: traefik
2021-06-18 22:08:08 +00:00
2020-03-09 12:48:06 +00:00
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
2022-12-05 15:58:04 +00:00
image: traefik:v3.0
2020-03-09 12:48:06 +00:00
args:
2024-04-22 15:24:04 +00:00
- --entryPoints.web.address=:80
2020-03-09 12:48:06 +00:00
- --providers.kubernetesingress
ports:
- name: web
containerPort: 80
2021-06-18 22:08:08 +00:00
2020-03-09 12:48:06 +00:00
---
apiVersion: v1
2020-01-14 14:48:06 +00:00
kind: Service
2020-03-09 12:48:06 +00:00
metadata:
name: traefik
spec:
type: LoadBalancer
selector:
app: traefik
ports:
- protocol: TCP
port: 80
name: web
targetPort: 80
```
2021-06-18 22:08:08 +00:00
2020-03-09 12:48:06 +00:00
```yaml tab="Whoami"
apiVersion: apps/v1
2021-10-21 07:44:12 +00:00
kind: Deployment
2020-03-09 12:48:06 +00:00
metadata:
name: whoami
labels:
2020-09-16 13:46:04 +00:00
app: traefiklabs
2020-03-09 12:48:06 +00:00
name: whoami
2021-06-18 22:08:08 +00:00
2020-03-09 12:48:06 +00:00
spec:
replicas: 2
selector:
matchLabels:
2020-09-16 13:46:04 +00:00
app: traefiklabs
2020-03-09 12:48:06 +00:00
task: whoami
template:
metadata:
labels:
2020-09-16 13:46:04 +00:00
app: traefiklabs
2020-03-09 12:48:06 +00:00
task: whoami
spec:
containers:
2020-09-16 13:46:04 +00:00
- name: whoami
image: traefik/whoami
2020-03-09 12:48:06 +00:00
ports:
- containerPort: 80
2021-06-18 22:08:08 +00:00
2020-03-09 12:48:06 +00:00
---
2020-01-14 14:48:06 +00:00
apiVersion: v1
2020-03-09 12:48:06 +00:00
kind: Service
2020-01-14 14:48:06 +00:00
metadata:
2020-03-09 12:48:06 +00:00
name: whoami
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
spec:
ports:
2020-03-09 12:48:06 +00:00
- name: http
port: 80
selector:
2020-09-16 13:46:04 +00:00
app: traefiklabs
2020-03-09 12:48:06 +00:00
task: whoami
2020-01-14 14:48:06 +00:00
```
2020-03-09 12:48:06 +00:00
## Annotations
2021-10-26 08:30:13 +00:00
!!! warning "Referencing resources in annotations"
In an annotation, when referencing a resource defined by another provider,
the [provider namespace syntax ](../../providers/overview.md#provider-namespace ) must be used.
2020-01-14 14:48:06 +00:00
#### On Ingress
??? info "`traefik.ingress.kubernetes.io/router.entrypoints`"
See [entry points ](../routers/index.md#entrypoints ) for more information.
```yaml
traefik.ingress.kubernetes.io/router.entrypoints: ep1,ep2
```
??? info "`traefik.ingress.kubernetes.io/router.middlewares`"
See [middlewares ](../routers/index.md#middlewares ) and [middlewares overview ](../../middlewares/overview.md ) for more information.
```yaml
2021-10-26 08:30:13 +00:00
traefik.ingress.kubernetes.io/router.middlewares: auth@file,default-prefix@kubernetescrd
2020-01-14 14:48:06 +00:00
```
??? info "`traefik.ingress.kubernetes.io/router.priority`"
See [priority ](../routers/index.md#priority ) for more information.
```yaml
traefik.ingress.kubernetes.io/router.priority: "42"
```
??? info "`traefik.ingress.kubernetes.io/router.pathmatcher`"
2021-10-21 07:44:12 +00:00
Overrides the default router rule type used for a path.
2020-01-14 14:48:06 +00:00
Only path-related matcher name can be specified: `Path` , `PathPrefix` .
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
Default `PathPrefix`
```yaml
traefik.ingress.kubernetes.io/router.pathmatcher: Path
```
??? info "`traefik.ingress.kubernetes.io/router.tls`"
See [tls ](../routers/index.md#tls ) for more information.
```yaml
traefik.ingress.kubernetes.io/router.tls: "true"
```
??? info "`traefik.ingress.kubernetes.io/router.tls.certresolver`"
See [certResolver ](../routers/index.md#certresolver ) for more information.
```yaml
traefik.ingress.kubernetes.io/router.tls.certresolver: myresolver
```
??? info "`traefik.ingress.kubernetes.io/router.tls.domains.n.main`"
See [domains ](../routers/index.md#domains ) for more information.
```yaml
2020-03-13 21:50:05 +00:00
traefik.ingress.kubernetes.io/router.tls.domains.0.main: example.org
2020-01-14 14:48:06 +00:00
```
??? info "`traefik.ingress.kubernetes.io/router.tls.domains.n.sans`"
See [domains ](../routers/index.md#domains ) for more information.
```yaml
2020-03-13 21:50:05 +00:00
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: test.example.org,dev.example.org
2020-01-14 14:48:06 +00:00
```
??? info "`traefik.ingress.kubernetes.io/router.tls.options`"
See [options ](../routers/index.md#options ) for more information.
```yaml
2021-10-26 08:30:13 +00:00
traefik.ingress.kubernetes.io/router.tls.options: foobar@file
2020-01-14 14:48:06 +00:00
```
#### On Service
2023-03-20 15:46:05 +00:00
??? info "`traefik.ingress.kubernetes.io/service.nativelb`"
Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
The Kubernetes Service itself does load-balance to the pods.
Please note that, by default, Traefik reuses the established connections to the backends for performance purposes. This can prevent the requests load balancing between the replicas from behaving as one would expect when the option is set.
By default, NativeLB is false.
```yaml
traefik.ingress.kubernetes.io/service.nativelb: "true"
```
2020-01-14 14:48:06 +00:00
??? info "`traefik.ingress.kubernetes.io/service.serversscheme`"
Overrides the default scheme.
```yaml
traefik.ingress.kubernetes.io/service.serversscheme: h2c
```
2021-04-20 15:19:29 +00:00
??? info "`traefik.ingress.kubernetes.io/service.serverstransport`"
See [ServersTransport ](../services/index.md#serverstransport ) for more information.
```yaml
2021-05-28 15:37:11 +00:00
traefik.ingress.kubernetes.io/service.serverstransport: foobar@file
2021-04-20 15:19:29 +00:00
```
2020-01-14 14:48:06 +00:00
??? info "`traefik.ingress.kubernetes.io/service.passhostheader`"
See [pass Host header ](../services/index.md#pass-host-header ) for more information.
```yaml
traefik.ingress.kubernetes.io/service.passhostheader: "true"
```
2020-07-01 10:58:05 +00:00
??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie`"
2020-01-14 14:48:06 +00:00
See [sticky sessions ](../services/index.md#sticky-sessions ) for more information.
```yaml
2020-07-01 10:58:05 +00:00
traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
2020-01-14 14:48:06 +00:00
```
2020-03-24 13:02:58 +00:00
??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.name`"
2020-01-14 14:48:06 +00:00
See [sticky sessions ](../services/index.md#sticky-sessions ) for more information.
```yaml
2020-03-24 13:02:58 +00:00
traefik.ingress.kubernetes.io/service.sticky.cookie.name: foobar
2020-01-14 14:48:06 +00:00
```
2020-03-24 13:02:58 +00:00
??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.secure`"
2020-01-14 14:48:06 +00:00
See [sticky sessions ](../services/index.md#sticky-sessions ) for more information.
```yaml
2020-03-24 13:02:58 +00:00
traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true"
2020-01-14 14:48:06 +00:00
```
2020-03-24 13:02:58 +00:00
??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.samesite`"
2020-01-14 14:48:06 +00:00
See [sticky sessions ](../services/index.md#sticky-sessions ) for more information.
```yaml
2020-03-24 13:02:58 +00:00
traefik.ingress.kubernetes.io/service.sticky.cookie.samesite: "none"
```
??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.httponly`"
See [sticky sessions ](../services/index.md#sticky-sessions ) for more information.
```yaml
traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"
2020-01-14 14:48:06 +00:00
```
2024-01-18 08:30:06 +00:00
??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.maxage`"
See [sticky sessions ](../services/index.md#sticky-sessions ) for more information.
```yaml
traefik.ingress.kubernetes.io/service.sticky.cookie.maxage: 42
```
2020-07-28 15:50:04 +00:00
## Path Types on Kubernetes 1.18+
2021-06-18 22:08:08 +00:00
2020-07-28 15:50:04 +00:00
If the Kubernetes cluster version is 1.18+,
the new `pathType` property can be leveraged to define the rules matchers:
2020-01-14 14:48:06 +00:00
2020-07-28 15:50:04 +00:00
- `Exact` : This path type forces the rule matcher to `Path`
- `Prefix` : This path type forces the rule matcher to `PathPrefix`
Please see [this documentation ](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types ) for more information.
!!! warning "Multiple Matches"
In the case of multiple matches, Traefik will not ensure the priority of a Path matcher over a PathPrefix matcher,
as stated in [this documentation ](https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches ).
## TLS
2020-10-20 12:16:04 +00:00
### Enabling TLS via HTTP Options on Entrypoint
2020-01-14 14:48:06 +00:00
2020-10-20 12:16:04 +00:00
TLS can be enabled through the [HTTP options ](../entrypoints.md#tls ) of an Entrypoint:
2020-01-14 14:48:06 +00:00
2020-10-20 12:16:04 +00:00
```bash tab="CLI"
# Static configuration
2024-04-22 15:24:04 +00:00
--entryPoints.websecure.address=:443
--entryPoints.websecure.http.tls
2020-10-20 12:16:04 +00:00
```
2020-01-14 14:48:06 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="File (YAML)"
# Static configuration
entryPoints:
websecure:
address: ':443'
http:
tls: {}
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
# Static configuration
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
```
2020-10-20 12:16:04 +00:00
This way, any Ingress attached to this Entrypoint will have TLS termination by default.
??? example "Configuring Kubernetes Ingress Controller with TLS on Entrypoint"
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="RBAC"
---
2021-10-21 07:44:12 +00:00
apiVersion: rbac.authorization.k8s.io/v1
2020-10-20 12:16:04 +00:00
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
2022-09-02 10:18:08 +00:00
- networking.k8s.io
2020-10-20 12:16:04 +00:00
resources:
- ingresses/status
verbs:
- update
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
---
2021-10-21 07:44:12 +00:00
apiVersion: rbac.authorization.k8s.io/v1
2020-10-20 12:16:04 +00:00
kind: ClusterRoleBinding
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
```
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="Ingress"
2021-10-21 07:44:12 +00:00
apiVersion: networking.k8s.io/v1
2020-10-20 12:16:04 +00:00
kind: Ingress
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
2021-10-21 07:44:12 +00:00
pathType: Exact
2020-10-20 12:16:04 +00:00
backend:
2021-10-21 07:44:12 +00:00
service:
name: whoami
port:
number: 80
2020-10-20 12:16:04 +00:00
- path: /foo
2021-10-21 07:44:12 +00:00
pathType: Exact
2020-10-20 12:16:04 +00:00
backend:
2021-10-21 07:44:12 +00:00
service:
name: whoami
port:
number: 80
2020-10-20 12:16:04 +00:00
```
2021-10-21 07:44:12 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="Traefik"
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
---
apiVersion: apps/v1
2021-10-21 07:44:12 +00:00
kind: Deployment
2020-10-20 12:16:04 +00:00
metadata:
name: traefik
labels:
app: traefik
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
2022-12-05 15:58:04 +00:00
image: traefik:v3.0
2020-10-20 12:16:04 +00:00
args:
2024-04-22 15:24:04 +00:00
- --entryPoints.websecure.address=:443
- --entryPoints.websecure.http.tls
2020-10-20 12:16:04 +00:00
- --providers.kubernetesingress
ports:
- name: websecure
containerPort: 443
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
---
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
type: LoadBalancer
selector:
app: traefik
ports:
- protocol: TCP
port: 443
name: websecure
targetPort: 443
```
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="Whoami"
apiVersion: apps/v1
2021-10-21 07:44:12 +00:00
kind: Deployment
2020-10-20 12:16:04 +00:00
metadata:
name: whoami
labels:
app: traefiklabs
name: whoami
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoami
template:
metadata:
labels:
app: traefiklabs
task: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 80
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
---
apiVersion: v1
kind: Service
metadata:
name: whoami
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: whoami
```
### Enabling TLS via Annotations
To enable TLS on the underlying router created from an Ingress, one should configure it through annotations:
2020-10-27 11:46:04 +00:00
2020-10-20 12:16:04 +00:00
```yaml
traefik.ingress.kubernetes.io/router.tls: "true"
```
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
For more options, please refer to the available [annotations ](#on-ingress ).
??? example "Configuring Kubernetes Ingress Controller with TLS"
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="RBAC"
---
2021-10-21 07:44:12 +00:00
apiVersion: rbac.authorization.k8s.io/v1
2020-10-20 12:16:04 +00:00
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
2022-09-02 10:18:08 +00:00
- networking.k8s.io
2020-10-20 12:16:04 +00:00
resources:
- ingresses/status
verbs:
- update
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
---
2021-10-21 07:44:12 +00:00
apiVersion: rbac.authorization.k8s.io/v1
2020-10-20 12:16:04 +00:00
kind: ClusterRoleBinding
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
```
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="Ingress"
2021-10-21 07:44:12 +00:00
apiVersion: networking.k8s.io/v1
2020-10-20 12:16:04 +00:00
kind: Ingress
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: true
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
2021-10-21 07:44:12 +00:00
pathType: Exact
2020-10-20 12:16:04 +00:00
backend:
2021-10-21 07:44:12 +00:00
service:
name: whoami
port:
number: 80
2020-10-20 12:16:04 +00:00
- path: /foo
2021-10-21 07:44:12 +00:00
pathType: Exact
2020-10-20 12:16:04 +00:00
backend:
2021-10-21 07:44:12 +00:00
service:
name: whoami
port:
number: 80
2020-10-20 12:16:04 +00:00
```
2021-10-21 07:44:12 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="Traefik"
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
---
apiVersion: apps/v1
2021-10-21 07:44:12 +00:00
kind: Deployment
2020-10-20 12:16:04 +00:00
metadata:
name: traefik
labels:
app: traefik
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
2022-12-05 15:58:04 +00:00
image: traefik:v3.0
2020-10-20 12:16:04 +00:00
args:
2024-04-22 15:24:04 +00:00
- --entryPoints.websecure.address=:443
2020-10-20 12:16:04 +00:00
- --providers.kubernetesingress
ports:
- name: websecure
containerPort: 443
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
---
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
type: LoadBalancer
selector:
app: traefik
ports:
- protocol: TCP
port: 443
name: websecure
targetPort: 443
```
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
```yaml tab="Whoami"
apiVersion: apps/v1
2021-10-21 07:44:12 +00:00
kind: Deployment
2020-10-20 12:16:04 +00:00
metadata:
name: whoami
labels:
app: traefiklabs
name: whoami
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoami
template:
metadata:
labels:
app: traefiklabs
task: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 80
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
---
apiVersion: v1
kind: Service
metadata:
name: whoami
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: whoami
```
2020-01-14 14:48:06 +00:00
2020-07-28 15:50:04 +00:00
### Certificates Management
2020-01-14 14:48:06 +00:00
??? example "Using a secret"
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
```yaml tab="Ingress"
2021-10-21 07:44:12 +00:00
apiVersion: networking.k8s.io/v1
2020-01-14 14:48:06 +00:00
kind: Ingress
metadata:
name: foo
namespace: production
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
spec:
rules:
2020-03-13 21:50:05 +00:00
- host: example.net
2020-01-14 14:48:06 +00:00
http:
paths:
- path: /bar
2021-10-21 07:44:12 +00:00
pathType: Exact
2020-01-14 14:48:06 +00:00
backend:
2021-10-21 07:44:12 +00:00
service:
name: service1
port:
number: 80
2020-10-20 12:16:04 +00:00
# Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS.
# Doesn't enable TLS for that ingress (hence for the underlying router).
# Please see the TLS annotations on ingress made for that purpose.
2020-01-14 14:48:06 +00:00
tls:
- secretName: supersecret
```
2021-03-15 10:16:04 +00:00
2020-01-14 14:48:06 +00:00
```yaml tab="Secret"
apiVersion: v1
kind: Secret
metadata:
name: supersecret
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```
TLS certificates can be managed in Secrets objects.
!!! info
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
Only TLS certificates provided by users can be stored in Kubernetes Secrets.
[Let's Encrypt ](../../https/acme.md ) certificates cannot be managed in Kubernetes Secrets yet.
2020-10-20 12:16:04 +00:00
### Communication Between Traefik and Pods
2023-03-20 15:46:05 +00:00
!!! info "Routing directly to [Kubernetes services ](https://kubernetes.io/docs/concepts/services-networking/service/ "Link to Kubernetes service docs" )"
2023-01-09 15:07:09 +00:00
2023-03-20 15:46:05 +00:00
To route directly to the Kubernetes service,
one can use the `traefik.ingress.kubernetes.io/service.nativelb` annotation on the Kubernetes service.
It controls, when creating the load-balancer,
whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
2023-01-09 15:07:09 +00:00
2023-03-20 15:46:05 +00:00
One alternative is to use an `ExternalName` service to forward requests to the Kubernetes service through DNS.
2024-06-24 09:22:03 +00:00
To do so, one must [allow external name services ](../providers/kubernetes-ingress/#allowexternalnameservices "Link to docs about allowing external name services" ).
2023-01-09 15:07:09 +00:00
2020-10-20 12:16:04 +00:00
Traefik automatically requests endpoint information based on the service provided in the ingress spec.
Although Traefik will connect directly to the endpoints (pods),
it still checks the service port to see if TLS communication is required.
2023-01-09 15:07:09 +00:00
There are 3 ways to configure Traefik to use HTTPS to communicate with pods:
2020-10-20 12:16:04 +00:00
1. If the service port defined in the ingress spec is `443` (note that you can still use `targetPort` to use a different port on your pod).
2023-01-09 15:07:09 +00:00
1. If the service port defined in the ingress spec has a name that starts with `https` (such as `https-api` , `https-web` or just `https` ).
2021-04-06 15:18:03 +00:00
1. If the service spec includes the annotation `traefik.ingress.kubernetes.io/service.serversscheme: https` .
2020-10-20 12:16:04 +00:00
If either of those configuration options exist, then the backend communication protocol is assumed to be TLS,
and will connect via TLS automatically.
!!! info
2021-06-18 22:08:08 +00:00
2020-10-20 12:16:04 +00:00
Please note that by enabling TLS communication between traefik and your pods,
you will have to have trusted certificates that have the proper trust chain and IP subject name.
If this is not an option, you may need to skip TLS certificate verification.
See the [insecureSkipVerify ](../../routing/overview.md#insecureskipverify ) setting for more details.
2020-01-14 14:48:06 +00:00
## Global Default Backend Ingresses
Ingresses can be created that look like the following:
2021-03-15 10:16:04 +00:00
```yaml tab="Ingress"
2021-10-21 07:44:12 +00:00
apiVersion: networking.k8s.io/v1
2020-01-14 14:48:06 +00:00
kind: Ingress
metadata:
name: cheese
spec:
2021-03-15 10:16:04 +00:00
defaultBackend:
2021-10-21 07:44:12 +00:00
service:
name: stilton
port:
number: 80
2021-03-15 10:16:04 +00:00
```
2020-01-14 14:48:06 +00:00
This ingress follows the Global Default Backend property of ingresses.
This will allow users to create a "default router" that will match all unmatched requests.
!!! info
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
Due to Traefik's use of priorities, you may have to set this ingress priority lower than other ingresses in your environment,
to avoid this global ingress from satisfying requests that could match other ingresses.
2021-06-18 22:08:08 +00:00
2020-01-14 14:48:06 +00:00
To do this, use the `traefik.ingress.kubernetes.io/router.priority` annotation (as seen in [Annotations on Ingress ](#on-ingress )) on your ingresses accordingly.
2022-09-09 15:17:53 +00:00
2023-09-13 16:38:05 +00:00
{!traefik-for-business-applications.md!}