Traefik & Kubernetes

    Configuring Kubernetes Gateway provider and Deploying/Exposing Services

    Gateway API

    Whoami Service

    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: whoami
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: whoami
      template:
        metadata:
          labels:
            app: whoami
        spec:
          containers:
            - name: whoami
              image: traefik/whoami
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: whoami
    spec:
      ports:
        - protocol: TCP
          port: 80
      selector:
        app: whoami

    Traefik Service

    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-controller
    ---
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: traefik
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: traefik-lb
      template:
        metadata:
          labels:
            app: traefik-lb
        spec:
          serviceAccountName: traefik-controller
          containers:
            - name: traefik
              # "latest" is a mutable tag; pin a version or digest for reproducible rollouts
              image: traefik/traefik:latest
              imagePullPolicy: IfNotPresent
              args:
                - --entrypoints.web.address=:80
                - --entrypoints.websecure.address=:443
                - --experimental.kubernetesgateway
                - --providers.kubernetesgateway
              ports:
                - name: web
                  containerPort: 80
                - name: websecure
                  containerPort: 443
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: traefik
    spec:
      selector:
        app: traefik-lb
      ports:
        - protocol: TCP
          port: 80
          targetPort: web
          name: web
        - protocol: TCP
          port: 443
          targetPort: websecure
          name: websecure
      type: LoadBalancer

    RBAC

    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: gateway-role
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets   # cluster-wide read; used for the Secrets named in certificateRef
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - networking.x-k8s.io
        resources:
          - gatewayclasses
          - gateways
          - httproutes
          - tcproutes
          - tlsroutes   # read access needed to watch the TLSRoute objects described below
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - networking.x-k8s.io
        resources:
          - gatewayclasses/status
          - gateways/status
          - httproutes/status
          - tcproutes/status
          - tlsroutes/status
        verbs:
          - update
    ---
    kind: ClusterRoleBinding
    # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: gateway-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: gateway-role
    subjects:
      - kind: ServiceAccount
        name: traefik-controller
        namespace: default

    Routing Configuration

    • You can find an exhaustive list of the custom resources and their attributes in or in the Kubernetes Sigs Gateway API repository.
    • Validate that are fulfilled before using the Traefik Kubernetes Gateway Provider.

    You can find an excerpt of the supported Kubernetes Gateway API resources in the table below:

    Kind: GatewayClass

    GatewayClass is a cluster-scoped resource defined by the infrastructure provider. This resource represents a class of Gateways that can be instantiated. More details on the GatewayClass .

    The GatewayClass should be declared by the infrastructure provider, otherwise please register the GatewayClass definition in the Kubernetes cluster before creating GatewayClass objects.

    Kind: Gateway

    A Gateway is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, some load balancing infrastructure is provisioned or configured by the GatewayClass controller. More details on the Gateway .

    Register the Gateway definition in the Kubernetes cluster before creating Gateway objects.

    Depending on the Listener Protocol, different modes and Route types are supported.

    Listener Protocol | TLS Mode | Route Type Supported
    TCP | Not applicable |
    TLS | Passthrough | TLSRoute
    TLS | Terminate |
    HTTP | Not applicable | HTTPRoute
    HTTPS | Terminate |

    Declaring Gateway

    HTTP Listener

    kind: Gateway
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-http-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class # [1]
      listeners: # [2]
        - protocol: HTTP # [3]
          port: 80 # [4]
          routes: # [8]
            kind: HTTPRoute # [9]
            selector: # [10]
              matchLabels: # [11]
                app: foo

    HTTPS Listener

    kind: Gateway
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-https-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class # [1]
      listeners: # [2]
        - protocol: HTTPS # [3]
          port: 443 # [4] matches the websecure entrypoint declared above
          tls: # [6]
            certificateRef: # [7]
              group: "core"
              kind: "Secret"
              name: "mysecret"
          routes: # [8]
            kind: HTTPRoute # [9]
            selector: # [10]
              matchLabels: # [11]
                app: foo

    TCP Listener

    kind: Gateway
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: my-tcp-gateway
      namespace: default
    spec:
      gatewayClassName: my-gateway-class # [1]
      listeners: # [2]
        - protocol: TCP # [3]
          port: 8000 # [4]
          routes: # [8]
            kind: TCPRoute # [9]
            selector: # [10]
              matchLabels: # [11]
                app: footcp

    TLS Listener

    Kind: HTTPRoute

    Register the HTTPRoute in the Kubernetes cluster before creating HTTPRoute objects.

    Declaring HTTPRoute

    kind: HTTPRoute
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: http-app-1
      namespace: default
      labels: # [1]
        app: foo
    spec:
      hostnames: # [2]
        - "whoami"
      rules: # [3]
        - matches: # [4]
            - path: # [5]
                type: Exact # [6]
                value: /bar # [7]
            - headers: # [8]
                type: Exact # [9]
                values: # [10]
                  foo: bar
          forwardTo: # [11]
            - serviceName: whoami # [12]
              weight: 1 # [13]
              port: 80 # [14]
            - backendRef: # [15]
                group: traefik.containo.us # [16]
                kind: TraefikService # [17]
                name: api@internal # [18]
              port: 80
              weight: 1

    Ref | Attribute | Description
    [1] | labels | Labels to match with the Gateway labelselector.
    [2] | hostnames | A set of hostnames that should match against the HTTP Host header to select a HTTPRoute to process the request.
    [3] | rules | A list of HTTP matchers, filters and actions.
    [4] | matches | Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied.
    [5] | path | An HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided.
    [6] | type | Type of match against the path Value (supported types: Exact, Prefix).
    [7] | value | The value of the HTTP path to match against.
    [8] | headers | Conditions to select a HTTP route by matching HTTP request headers.
    [9] | type | Type of match for the HTTP request header match against the values (supported types: Exact).
    [10] | values | A map of HTTP Headers to be matched. It MUST contain at least one entry.
    [11] | forwardTo | The upstream target(s) where the request should be sent.
    [12] | serviceName | The name of the referent service.
    [13] | weight | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).
    [14] | port | The port of the referent service.
    [15] | backendRef | The BackendRef is a reference to a backend (API object within a known namespace) to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. Only TraefikService is supported.
    [16] | group | Group is the group of the referent. Only traefik.containo.us value is supported.
    [17] | kind | Kind is the kind of the referent. Only TraefikService value is supported.
    [18] | name | Name is the name of the referent.
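
How a Gateway listener picks up routes by kind and matchLabels, how forwardTo weights become traffic shares, and a check for routes that publish an @internal TraefikService such as api@internal, as an added Python example (not Traefik's code). The manifests are constructed dicts modelled on the YAML above; http-app-2 and the helper names are hypothetical, and namespace selection is not modelled.

```python
# Constructed manifests modelled on the page's Gateway and route YAML (not real cluster data).
GATEWAY = {"metadata": {"name": "my-http-gateway"}, "spec": {"listeners": [{
    "protocol": "HTTP", "port": 80,
    "routes": {"kind": "HTTPRoute", "selector": {"matchLabels": {"app": "foo"}}},
}]}}
ROUTES = [
    {"kind": "HTTPRoute", "metadata": {"name": "http-app-1", "labels": {"app": "foo"}},
     "spec": {"rules": [{"forwardTo": [
         {"serviceName": "whoami", "port": 80, "weight": 1},
         {"backendRef": {"group": "traefik.containo.us", "kind": "TraefikService",
                         "name": "api@internal"}, "port": 80, "weight": 1}]}]}},
    # http-app-2 is a hypothetical route whose label does not match the Gateway selector.
    {"kind": "HTTPRoute", "metadata": {"name": "http-app-2", "labels": {"app": "other"}},
     "spec": {"rules": [{"forwardTo": [{"serviceName": "whoami", "port": 80, "weight": 3}]}]}},
    {"kind": "TCPRoute", "metadata": {"name": "tcp-app-1", "labels": {"app": "foo"}},
     "spec": {"rules": [{"forwardTo": [{"serviceName": "whoamitcp", "port": 8080, "weight": 1}]}]}},
]

def bound_routes(gateway, routes):
    """Map each listener port to the routes it selects: same kind, every matchLabel present."""
    result = {}
    for listener in gateway["spec"]["listeners"]:
        want = listener["routes"]
        labels = want.get("selector", {}).get("matchLabels", {})
        result[listener["port"]] = [
            r["metadata"]["name"] for r in routes
            if r["kind"] == want["kind"]
            and all(r["metadata"].get("labels", {}).get(k) == v for k, v in labels.items())]
    return result

def target_name(target):
    """serviceName takes precedence over backendRef when both are set ([15])."""
    return target.get("serviceName") or target["backendRef"]["name"]

def traffic_shares(rule):
    """Share per target = weight / sum of all weights in the rule's forwardTo list ([13])."""
    total = sum(t["weight"] for t in rule["forwardTo"])
    return {target_name(t): t["weight"] / total for t in rule["forwardTo"]}

def internal_targets(route):
    """Effective backendRef targets whose name ends in @internal (Traefik's built-in services)."""
    return [t["backendRef"]["name"]
            for rule in route["spec"]["rules"] for t in rule["forwardTo"]
            if "serviceName" not in t
            and t.get("backendRef", {}).get("name", "").endswith("@internal")]

if __name__ == "__main__":
    print(bound_routes(GATEWAY, ROUTES))
    for route in ROUTES:
        print(route["metadata"]["name"], internal_targets(route))
```

Here http-app-1 binds to the port 80 listener and sends half of its traffic to api@internal, which is the kind of exposure worth reviewing before a route is admitted.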

    Kind: TCPRoute

    TCPRoute allows mapping TCP requests from a Gateway to Kubernetes Services.

    Register the TCPRoute definition in the Kubernetes cluster before creating TCPRoute objects.

    Declaring TCPRoute

    kind: TCPRoute
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: tcp-app-1
      namespace: default
      labels: # [1]
        app: tcp-app-1
    spec:
      rules: # [2]
        - forwardTo: # [3]
            - serviceName: whoamitcp # [4]
              weight: 1 # [5]
              port: 8080 # [6]
            - backendRef: # [7]
                group: traefik.containo.us # [8]
                kind: TraefikService # [9]
                name: api@internal # [10]

    Kind: TLSRoute

    TLSRoute allows mapping TLS requests from a Gateway to Kubernetes Services

    Register the TLSRoute definition in the Kubernetes cluster before creating TLSRoute objects.

    Declaring TLSRoute

    kind: TLSRoute
    apiVersion: networking.x-k8s.io/v1alpha1
    metadata:
      name: tls-app-1
      namespace: default
      labels: # [1]
        app: tls-app-1
    spec:
      rules: # [2]
        - forwardTo: # [3]
            - serviceName: whoamitcp # [4]
              weight: 1 # [5]
              port: 8080 # [6]
            - backendRef: # [7]
                group: traefik.containo.us # [8]
                kind: TraefikService # [9]
                name: api@internal # [10] same referent as in the TCPRoute example

    Ref | Attribute | Description
    [1] | labels | Labels to match with the Gateway labelselector.
    [2] | rules | Rules are a list of TCP matchers and actions.
    [3] | forwardTo | The upstream target(s) where the request should be sent.
    [4] | serviceName | The name of the referent service.
    [5] | weight | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).
    [6] | port | The port of the referent service.
    [7] | backendRef | The BackendRef is a reference to a backend (API object within a known namespace) to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. Only TraefikService is supported.
    [8] | group | Group is the group of the referent. Only traefik.containo.us value is supported.
    [9] | kind | Kind is the kind of the referent. Only TraefikService value is supported.
    [10] | name | Name is the name of the referent.