Group items tagged

a single, global ClusterRoleBinding.

RoleBindings per namespace enable to restrict granted permissions to the very namespaces only that Traefik is watching over, thereby following the least-privileges principle.

The scalability can be much better when using a Deployment

you will have a Single-Pod-per-Node model when using a DaemonSet,

start with the Daemonset

The Deployment has easier up and down scaling possibilities.

The DaemonSet automatically scales to all nodes that meets a specific selector and guarantees to fill nodes one at a time.

provide the TLS certificate via a Kubernetes secret in the same namespace as the ingress.

create secret generic

Name-based Routing

Path-based Routing

Traefik will merge multiple Ingress definitions for the same host/path pair into one definition.

specify priority for ingress routes

traefik.frontend.priority

When specifying an ExternalName, Traefik will forward requests to the given host accordingly and use HTTPS when the Service port matches 443.

By default Traefik will pass the incoming Host header to the upstream resource.

traefik.frontend.passHostHeader: "false"

type: ExternalName

By default, Traefik processes every Ingress objects it observes.

It is also possible to set the ingressClass option in Traefik to a particular value. Traefik will only process matching Ingress objects.

It is possible to split Ingress traffic in a fine-grained manner between multiple deployments using service weights.

annotations: traefik.ingress.kubernetes.io/service-weights: | my-app: 99% my-app-canary: 1%

Over time, the ratio may slowly shift towards the canary deployment until it is deemed to replace the previous main application, in steps such as 5%/95%, 10%/90%, 50%/50%, and finally 100%/0%.

Docker under the hood creates IPTable rules so containers can't reach other containers unless you'd want to

Træfik can listen to Docker events and reconfigure its own internal configuration when containers are created (or shut down).

Enable the Docker provider and listen for container events on the Docker unix socket we've mounted earlier.

Enable automatic request and configuration of SSL certificates using Let's Encrypt. These certificates will be stored in the acme.json file, which you can back-up yourself and store off-premises.

there isn't a single container that has any published ports to the host -- everything is routed through Docker networks.

Thanks to Docker labels, we can tell Træfik how to create its internal routing configuration.

container labels and service labels

With the traefik.enable label, we tell Træfik to include this container in its internal configuration.

Service labels allow managing many routes for the same container.

When both container labels and service labels are defined, container labels are just used as default values for missing service labels but no frontend/backend are going to be defined only with these labels.

Always specify the correct port where the container expects HTTP traffic using traefik.port label.

With the traefik.frontend.auth.basic label, it's possible for Træfik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.

double the $ symbols in order to escape the $ symbols as it tries to reference a variable.

stay consistent with names inside routers and middlewares.

providers.file

the service name is always in the form of [service name]@[provider

write different routing rules for a service and how to generate SSL certificates

traefik.http.services.home.loadbalancer.server.port=8123 indicates that the service port I want to expose is 8123.

Modifiers and matchers

Matcher rules determine if a particular request should be forwarded to a backend

if any rule matches

if all rules match

Use a *Prefix* matcher if your backend listens on a particular base path but also serves requests on sub-paths. For instance, PathPrefix: /products would match /products but also /products/shoes and /products/shirts. Since the path is forwarded as-is, your backend is expected to listen on /products

Use Path if your backend listens on the exact path only. For instance, Path: /products would match /products but not /products/shoes.

A backend is responsible to load-balance the traffic coming from one or more frontends to a set of http servers

wrr: Weighted Round Robin

drr: Dynamic Round Robin: increases weights on servers that perform better than others.

A circuit breaker can also be applied to a backend, preventing high loads on failing servers.

To proactively prevent backends from being overwhelmed with high load, a maximum connection limit can also be applied to each backend.

Sticky sessions are supported with both load balancers.

When sticky sessions are enabled, a cookie is set on the initial request.

The check is defined by a path appended to the backend URL and an interval (given in a format understood by time.ParseDuration) specifying how often the health check should be executed (the default being 30 seconds). Each backend must respond to the health check within 5 seconds.

The static configuration is the global configuration which is setting up connections to configuration backends and entrypoints.

We only need to enable watch option to make Træfik watch configuration backend changes and generate its configuration automatically.

a comma-separated key/value pair where both key and value must be literals.

namespacing of your backends happens on the basis of hosts in addition to paths

Modifiers will be applied in a pre-determined order regardless of their order in the rule configuration section.

customize priority

Custom headers can be configured through the frontends, to add headers to either requests or responses that match the frontend's rules.

Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above.

Servers are simply defined using a url. You can also apply a custom weight to each server (this will be used by load-balancing).

Maximum connections can be configured by specifying an integer value for maxconn.amount and maxconn.extractorfunc which is a strategy used to determine how to categorize requests in order to evaluate the maximum connections.