traefik/docs/backends/kubernetes.md
Julien Maitrehenry 24862402e5 Refactor doc pages
2017-08-28 23:02:04 +02:00

3.9 KiB

Kubernetes Ingress backend

Træfik can be configured to use Kubernetes Ingress as a backend configuration:

################################################################
# Kubernetes Ingress configuration backend
################################################################
# Enable Kubernetes Ingress configuration backend
#
# Optional
#
[kubernetes]

# Kubernetes server endpoint
#
# When deployed as a replication controller in Kubernetes, Traefik will use
# the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT
# to construct the endpoint.
# Secure token will be found in /var/run/secrets/kubernetes.io/serviceaccount/token
# and SSL CA cert in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
#
# The endpoint may be given to override the environment variable values.
#
# When the environment variables are not found, Traefik will try to connect to
# the Kubernetes API server with an external-cluster client. In this case, the
# endpoint is required. Specifically, it may be set to the URL used by
# `kubectl proxy` to connect to a Kubernetes cluster from localhost.
#
# Optional for in-cluster configuration, required otherwise
# Default: empty
#
# endpoint = "http://localhost:8080"

# Bearer token used for the Kubernetes client configuration.
#
# Optional
# Default: empty
#
# token = "my token"

# Path to the certificate authority file used for the Kubernetes client
# configuration.
#
# Optional
# Default: empty
#
# certAuthFilePath = "/my/ca.crt"

# Array of namespaces to watch.
#
# Optional
# Default: all namespaces (empty array).
#
# namespaces = ["default", "production"]

# Ingress label selector to identify Ingress objects that should be processed.
# See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors for details.
#
# Optional
# Default: empty (process all Ingresses)
#
# labelselector = "A and not B"

Annotations can be used on containers to override default behaviour for the whole Ingress resource:

  • traefik.frontend.rule.type: PathPrefixStrip: override the default frontend rule type (Default: PathPrefix).
  • traefik.frontend.priority: 3: override the default frontend rule priority (Default: len(Path)).

Annotations can be used on the Kubernetes service to override default behaviour:

  • traefik.backend.loadbalancer.method=drr: override the default wrr load balancer algorithm
  • traefik.backend.loadbalancer.sticky=true: enable backend sticky sessions

You can find here an example ingress and replication controller.

Additionally, an annotation can be used on Kubernetes services to set the circuit breaker expression for a backend.

  • traefik.backend.circuitbreaker: <expression>: set the circuit breaker expression for the backend (Default: nil).

As known from nginx when used as Kubernetes Ingress Controller, a List of IP-Ranges which are allowed to access can be configured by using an ingress annotation:

  • ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"

An unset or empty list allows all Source-IPs to access. If one of the Net-Specifications are invalid, the whole list is invalid and allows all Source-IPs to access.

Authentication

Is possible to add additional authentication annotations in the Ingress rule. The source of the authentication is a secret that contains usernames and passwords inside the the key auth.

  • ingress.kubernetes.io/auth-type: basic
  • ingress.kubernetes.io/auth-secret: contains the usernames and passwords with access to the paths defined in the Ingress Rule.

The secret must be created in the same namespace as the Ingress rule.

Limitations:

  • Basic authentication only.
  • Realm not configurable; only traefik default.
  • Secret must contain only single file.