Traefik & Kubernetes

Configuring Kubernetes Gateway provider and Deploying/Exposing Services

Gateway API

Whoami Service

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  selector:
    app: whoami
  ports:
    - protocol: TCP
      port: 80

Traefik Service

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-lb
  template:
    metadata:
      labels:
        app: traefik-lb
    spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
          image: traefik:v2.9
          args:
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --experimental.kubernetesgateway
            - --providers.kubernetesgateway
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik-lb
  ports:
      port: 80
      targetPort: web
      name: web
    - protocol: TCP
      port: 443
      targetPort: websecure
      name: websecure

RBAC

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-role
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gatewayclasses
      - httproutes
      - tcproutes
      - tlsroutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gatewayclasses/status
      - gateways/status
      - httproutes/status
      - tcproutes/status
      - tlsroutes/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gateway-role
subjects:
  - kind: ServiceAccount
    name: traefik-controller
    namespace: default

Routing Configuration

You can find an exhaustive list, of the custom resources and their attributes in or in the Kubernetes Sigs Gateway API repository.
Validate that are fulfilled before using the Traefik Kubernetes Gateway Provider.

You can find an excerpt of the supported Kubernetes Gateway API resources in the table below:

Kind: `GatewayClass`

GatewayClass is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of Gateways that can be instantiated. More details on the GatewayClass .

The GatewayClass should be declared by the infrastructure provider, otherwise please register the GatewayClass definition in the Kubernetes cluster before creating GatewayClass objects.

A Gateway is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, some load balancing infrastructure is provisioned or configured by the GatewayClass controller. More details on the Gateway official documentation.

Depending on the Listener Protocol, different modes and Route types are supported.

Listener Protocol	TLS Mode	Route Type Supported
TCP	Not applicable	TCPRoute
TLS	Passthrough	, TCPRoute
TLS	Terminate	, TCPRoute
HTTP	Not applicable
HTTPS	Terminate	HTTPRoute

Declaring Gateway

HTTP Listener

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: my-http-gateway
  namespace: default
spec:
  gatewayClassName: my-gateway-class        # [1]
  listeners:                                # [2]
    - name: http                            # [3]
      protocol: HTTP                        # [4]
      port: 80                              # [5]
      allowedRoutes:                        # [9]
        kinds:
          - kind: HTTPRoute                 # [10]
        namespaces:
          from: Selector                    # [11]
          selector:                         # [12]
            matchLabels:
              app: foo

HTTPS Listener

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: my-https-gateway
  namespace: default
spec:
  gatewayClassName: my-gateway-class        # [1]
  listeners:                                # [2]
      protocol: HTTPS                       # [4]
      port: 443                             # [5]
      tls:                                  # [7]
        certificateRefs:                    # [8]
          - kind: "Secret"
            name: "mysecret"
      allowedRoutes:                        # [9]
        kinds:
          - kind: HTTPSRoute                # [10]
        namespaces:
          from: Selector                    # [11]
          selector:                         # [12]
            matchLabels:
              app: foo

TCP Listener

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: my-tcp-gateway
  namespace: default
spec:
  gatewayClassName: my-gateway-class        # [1]
  listeners:                                # [2]
    - name: tcp                             # [3]
      protocol: TCP                         # [4]
      port: 8000                            # [5]
      allowedRoutes:                        # [9]
        kinds:
          - kind: TCPRoute                  # [10]
        namespaces:
          from: Selector                    # [11]
          selector:                         # [12]
            matchLabels:
              app: footcp

TLS Listener

Kind: `HTTPRoute`

Declaring HTTPRoute

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: http-app
spec:
  parentRefs:                               # [1]
    - name: my-tcp-gateway                  # [2]
      namespace: default                    # [3]
      sectionName: tcp                      # [4]
  hostnames:                                # [5]
    - whoami
  rules:                                    # [6]
    - matches:                              # [7]
        - path:                             # [8]
            type: Exact                     # [9]
            value: /bar                     # [10]
        - headers:                          # [11]
            name: foo                       # [12]
            value: bar                      # [13]
    - backendRefs:                          # [14]
        - name: whoamitcp                   # [15]
          weight: 1                         # [16]
          port: 8080                        # [17]
        - name: [email protected]
          group: traefik.containo.us        # [18]
          kind: TraefikService              # [19]

Ref	Attribute	Description
[1]	`parentRefs`	References the resources (usually Gateways) that a Route wants to be attached to.
[2]	`name`	Name of the referent.
[3]	`namespace`	Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route.
[4]	`sectionName`	Name of a section within the target resource (the Listener name).
[5]	`hostnames`	A set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request.
[6]	`rules`	A list of HTTP matchers, filters and actions.
[7]	`matches`	Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied.
[8]	`path`	An HTTP request path matcher. If this field is not specified, a default prefix match on the “/“ path is provided.
[9]	`type`	Type of match against the path Value (supported types: `Exact`, `Prefix`).
[10]	`value`	The value of the HTTP path to match against.
[11]	`headers`	Conditions to select a HTTP route by matching HTTP request headers.
[12]	`type`	Type of match for the HTTP request header match against the `values` (supported types: `Exact`).
[13]	`value`	A map of HTTP Headers to be matched. It MUST contain at least one entry.
[14]	`backendRefs`	Defines the backend(s) where matching requests should be sent.
[15]	`name`	The name of the referent service.
[16]	`weight`	The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).
[17]	`port`	The port of the referent service.
[18]	`group`	Group is the group of the referent. Only `traefik.containo.us` and `gateway.networking.k8s.io` values are supported.
[19]	`kind`	Kind is kind of the referent. Only `TraefikService` and `Service` values are supported.

TCPRoute allows mapping TCP requests from a Gateway to Kubernetes Services.

Declaring TCPRoute

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: tcp-app
  namespace: default
spec:
  parentRefs:                               # [1]
    - name: my-tcp-gateway                  # [2]
      namespace: default                    # [3]
      sectionName: tcp                      # [4]
  rules:                                    # [5]
    - backendRefs:                          # [6]
        - name: whoamitcp                   # [7]
          weight: 1                         # [8]
          port: 8080                        # [9]
        - name: [email protected]
          group: traefik.containo.us        # [10]
          kind: TraefikService              # [11]

Kind: `TLSRoute`

TLSRoute allows mapping TLS requests from a Gateway to Kubernetes Services.

Declaring TLSRoute

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: tls-app
  namespace: default
spec:
  parentRefs:                               # [1]
    - name: my-tls-gateway                  # [2]
      namespace: default                    # [3]
      sectionName: tcp                      # [4]
  hostnames:                                # [5]
    - whoami
  rules:                                    # [6]
    - backendRefs:                          # [7]
        - name: whoamitcp                   # [8]
          weight: 1                         # [9]
          port: 8080                        # [10]
        - name: [email protected]
          kind: TraefikService              # [12]

Ref	Attribute	Description
[1]	`parentRefs`	References the resources (usually Gateways) that a Route wants to be attached to.
[2]	`name`	Name of the referent.
[3]	`namespace`	Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route.
[4]	`sectionName`	Name of a section within the target resource (the Listener name).
[5]	`hostnames`	Defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake.
[6]	`rules`	Rules are a list of TCP matchers and actions.
[7]	`backendRefs`	Defines the backend(s) where matching requests should be sent.
[8]	`name`	The name of the referent service.
[9]	`weight`	The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).
[10]	`port`	The port of the referent service.
[11]	`group`	Group is the group of the referent. Only `traefik.containo.us` and `gateway.networking.k8s.io` values are supported.
[12]	`kind`	Kind is kind of the referent. Only `TraefikService` and `Service` values are supported.

Kubernetes Gateway API

Traefik & Kubernetes

Routing Configuration

Kind: GatewayClass

Kind: HTTPRoute

Kind: TLSRoute

Kind: `GatewayClass`

Kind: `HTTPRoute`

Kind: `TLSRoute`