--- title: "Traefik Kubernetes Gateway" description: "The Kubernetes Gateway API can be used as a provider for routing and load balancing in Traefik Proxy. View examples in the technical documentation." --- # Traefik & Kubernetes The Kubernetes Gateway API, The Experimental Way. {: .subtitle } ## Configuration Examples ??? example "Configuring Kubernetes Gateway provider and Deploying/Exposing Services" ```yaml tab="Gateway API" --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml" ``` ```yaml tab="Whoami Service" --8<-- "content/reference/dynamic-configuration/kubernetes-whoami-svc.yml" ``` ```yaml tab="Traefik Service" --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml" ``` ```yaml tab="RBAC" --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml" ``` ## Routing Configuration ### Custom Resource Definition (CRD) * You can find an exhaustive list, of the custom resources and their attributes in [the reference page](../../reference/dynamic-configuration/kubernetes-gateway.md) or in the Kubernetes Sigs `Gateway API` [repository](https://github.com/kubernetes-sigs/gateway-api). * Validate that [the prerequisites](../../providers/kubernetes-gateway.md#requirements) are fulfilled before using the Traefik Kubernetes Gateway Provider. You can find an excerpt of the supported Kubernetes Gateway API resources in the table below: | Kind | Purpose | Concept Behind | |------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------------------------| | [GatewayClass](#kind-gatewayclass) | Defines a set of Gateways that share a common configuration and behaviour | [GatewayClass](https://gateway-api.sigs.k8s.io/api-types/gatewayclass) | | [Gateway](#kind-gateway) | Describes how traffic can be translated to Services within the cluster | [Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway) | | [HTTPRoute](#kind-httproute) | HTTP rules for mapping requests from a Gateway to Kubernetes Services | [Route](https://gateway-api.sigs.k8s.io/api-types/httproute) | | [TCPRoute](#kind-tcproute) | Allows mapping TCP requests from a Gateway to Kubernetes Services | [Route](https://gateway-api.sigs.k8s.io/guides/tcp/) | | [TLSRoute](#kind-tlsroute) | Allows mapping TLS requests from a Gateway to Kubernetes Services | [Route](https://gateway-api.sigs.k8s.io/guides/tls/) | ### Kind: `GatewayClass` `GatewayClass` is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of Gateways that can be instantiated. More details on the GatewayClass [official documentation](https://gateway-api.sigs.k8s.io/api-types/gatewayclass/). The `GatewayClass` should be declared by the infrastructure provider, otherwise please register the `GatewayClass` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the Kubernetes cluster before creating `GatewayClass` objects. !!! info "Declaring GatewayClass" ```yaml apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: my-gateway-class spec: # Controller is a domain/path string that indicates # the controller that is managing Gateways of this class. controllerName: traefik.io/gateway-controller ``` ### Kind: `Gateway` A `Gateway` is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, some load balancing infrastructure is provisioned or configured by the GatewayClass controller. More details on the Gateway [official documentation](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/gateway/). Register the `Gateway` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the Kubernetes cluster before creating `Gateway` objects. Depending on the Listener Protocol, different modes and Route types are supported. | Listener Protocol | TLS Mode | Route Type Supported | |-------------------|----------------|--------------------------------------------------------| | TCP | Not applicable | [TCPRoute](#kind-tcproute) | | TLS | Passthrough | [TLSRoute](#kind-tlsroute), [TCPRoute](#kind-tcproute) | | TLS | Terminate | [TLSRoute](#kind-tlsroute), [TCPRoute](#kind-tcproute) | | HTTP | Not applicable | [HTTPRoute](#kind-httproute) | | HTTPS | Terminate | [HTTPRoute](#kind-httproute) | !!! info "Declaring Gateway" ```yaml tab="HTTP Listener" apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: my-http-gateway namespace: default spec: gatewayClassName: my-gateway-class # [1] listeners: # [2] - name: http # [3] protocol: HTTP # [4] port: 80 # [5] allowedRoutes: # [9] kinds: - kind: HTTPRoute # [10] namespaces: from: Selector # [11] selector: # [12] matchLabels: app: foo ``` ```yaml tab="HTTPS Listener" apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: my-https-gateway namespace: default spec: gatewayClassName: my-gateway-class # [1] listeners: # [2] - name: https # [3] protocol: HTTPS # [4] port: 443 # [5] tls: # [7] certificateRefs: # [8] - kind: "Secret" name: "mysecret" allowedRoutes: # [9] kinds: - kind: HTTPSRoute # [10] namespaces: from: Selector # [11] selector: # [12] matchLabels: app: foo ``` ```yaml tab="TCP Listener" apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: my-tcp-gateway namespace: default spec: gatewayClassName: my-gateway-class # [1] listeners: # [2] - name: tcp # [3] protocol: TCP # [4] port: 8000 # [5] allowedRoutes: # [9] kinds: - kind: TCPRoute # [10] namespaces: from: Selector # [11] selector: # [12] matchLabels: app: footcp ``` ```yaml tab="TLS Listener" apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: my-tls-gateway namespace: default spec: gatewayClassName: my-gateway-class # [1] listeners: # [2] - name: tls # [3] protocol: TLS # [4] port: 443 # [5] hostname: foo.com # [6] tls: # [7] certificateRefs: # [8] - kind: "Secret" name: "mysecret" allowedRoutes: # [9] kinds: - kind: TLSRoute # [10] namespaces: from: Selector # [11] selector: # [12] matchLabels: app: footcp ``` | Ref | Attribute | Description | |------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------| | [1] | `gatewayClassName` | GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. | | [2] | `listeners` | Logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. | | [3] | `name` | Name of the Listener. | | [4] | `protocol` | The network protocol this listener expects to receive (only HTTP and HTTPS are implemented). | | [5] | `port` | The network port. | | [6] | `hostname` | Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, “”, or *, all hostnames are matched. | | [7] | `tls` | TLS configuration for the Listener. This field is required if the Protocol field is "HTTPS" or "TLS" and ignored otherwise. | | [8] | `certificateRefs` | The references to Kubernetes objects that contains TLS certificates and private keys (only one reference to a Kubernetes Secret is supported). | | [9] | `allowedRoutes` | Defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. | | [10] | `kind` | The kind of the Route. | | [11] | `from` | From indicates in which namespaces the Routes will be selected for this Gateway. Possible values are `All`, `Same` and `Selector` (Defaults to `Same`). | | [12] | `selector` | Selector must be specified when From is set to `Selector`. In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. | ### Kind: `HTTPRoute` `HTTPRoute` defines HTTP rules for mapping requests from a `Gateway` to Kubernetes Services. Register the `HTTPRoute` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the Kubernetes cluster before creating `HTTPRoute` objects. !!! info "Declaring HTTPRoute" ```yaml apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: http-app namespace: default spec: parentRefs: # [1] - name: my-tcp-gateway # [2] namespace: default # [3] sectionName: tcp # [4] hostnames: # [5] - whoami rules: # [6] - matches: # [7] - path: # [8] type: Exact # [9] value: /bar # [10] - headers: # [11] name: foo # [12] value: bar # [13] - backendRefs: # [14] - name: whoamitcp # [15] weight: 1 # [16] port: 8080 # [17] - name: api@internal group: traefik.io # [18] kind: TraefikService # [19] - filters: # [20] - type: ExtensionRef # [21] extensionRef: # [22] group: traefik.io # [23] kind: Middleware # [24] name: my-middleware # [25] - type: RequestRedirect # [26] requestRedirect: # [27] scheme: https # [28] statusCode: 301 # [29] ``` | Ref | Attribute | Description | |------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | [1] | `parentRefs` | References the resources (usually Gateways) that a Route wants to be attached to. | | [2] | `name` | Name of the referent. | | [3] | `namespace` | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. | | [4] | `sectionName` | Name of a section within the target resource (the Listener name). | | [5] | `hostnames` | A set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. | | [6] | `rules` | A list of HTTP matchers, filters and actions. | | [7] | `matches` | Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. | | [8] | `path` | An HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. | | [9] | `type` | Type of match against the path Value (supported types: `Exact`, `Prefix`). | | [10] | `value` | The value of the HTTP path to match against. | | [11] | `headers` | Conditions to select a HTTP route by matching HTTP request headers. | | [12] | `name` | Name of the HTTP header to be matched. | | [13] | `value` | Value of HTTP Header to be matched. | | [14] | `backendRefs` | Defines the backend(s) where matching requests should be sent. | | [15] | `name` | The name of the referent service. | | [16] | `weight` | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). | | [17] | `port` | The port of the referent service. | | [18] | `group` | Group is the group of the referent. Only `traefik.io` and `gateway.networking.k8s.io` values are supported. | | [19] | `kind` | Kind is kind of the referent. Only `TraefikService` and `Service` values are supported. | | [20] | `filters` | Defines the filters (middlewares) applied to the route. | | [21] | `type` | Defines the type of filter; ExtensionRef is used for configuring custom HTTP filters. | | [22] | `extensionRef` | Configuration of the custom HTTP filter. | | [23] | `group` | Group of the kubernetes object to reference. | | [24] | `kind` | Kind of the kubernetes object to reference. | | [25] | `name` | Name of the kubernetes object to reference. | | [26] | `type` | Defines the type of filter; RequestRedirect redirects a request to another location. | | [27] | `requestRedirect` | Configuration of redirect filter. | | [28] | `scheme` | Scheme is the scheme to be used in the value of the Location header in the response. | | [29] | `statusCode` | StatusCode is the HTTP status code to be used in response. | ### Kind: `TCPRoute` `TCPRoute` allows mapping TCP requests from a `Gateway` to Kubernetes Services. Register the `TCPRoute` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the Kubernetes cluster before creating `TCPRoute` objects. !!! info "Declaring TCPRoute" ```yaml apiVersion: gateway.networking.k8s.io/v1 kind: TCPRoute metadata: name: tcp-app namespace: default spec: parentRefs: # [1] - name: my-tcp-gateway # [2] namespace: default # [3] sectionName: tcp # [4] rules: # [5] - backendRefs: # [6] - name: whoamitcp # [7] weight: 1 # [8] port: 8080 # [9] - name: api@internal group: traefik.io # [10] kind: TraefikService # [11] ``` | Ref | Attribute | Description | |------|---------------|-----------------------------------------------------------------------------------------------------------------| | [1] | `parentRefs` | References the resources (usually Gateways) that a Route wants to be attached to. | | [2] | `name` | Name of the referent. | | [3] | `namespace` | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. | | [4] | `sectionName` | Name of a section within the target resource (the Listener name). | | [5] | `rules` | Rules are a list of TCP matchers and actions. | | [6] | `backendRefs` | Defines the backend(s) where matching requests should be sent. | | [7] | `name` | The name of the referent service. | | [8] | `weight` | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). | | [9] | `port` | The port of the referent service. | | [10] | `group` | Group is the group of the referent. Only `traefik.io` and `gateway.networking.k8s.io` values are supported. | | [11] | `kind` | Kind is kind of the referent. Only `TraefikService` and `Service` values are supported. | ### Kind: `TLSRoute` `TLSRoute` allows mapping TLS requests from a `Gateway` to Kubernetes Services. Register the `TLSRoute` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the Kubernetes cluster before creating `TLSRoute` objects. !!! info "Declaring TLSRoute" ```yaml apiVersion: gateway.networking.k8s.io/v1 kind: TLSRoute metadata: name: tls-app namespace: default spec: parentRefs: # [1] - name: my-tls-gateway # [2] namespace: default # [3] sectionName: tcp # [4] hostnames: # [5] - whoami rules: # [6] - backendRefs: # [7] - name: whoamitcp # [8] weight: 1 # [9] port: 8080 # [10] - name: api@internal group: traefik.io # [11] kind: TraefikService # [12] ``` | Ref | Attribute | Description | |------|---------------|---------------------------------------------------------------------------------------------------------------------| | [1] | `parentRefs` | References the resources (usually Gateways) that a Route wants to be attached to. | | [2] | `name` | Name of the referent. | | [3] | `namespace` | Namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. | | [4] | `sectionName` | Name of a section within the target resource (the Listener name). | | [5] | `hostnames` | Defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. | | [6] | `rules` | Rules are a list of TCP matchers and actions. | | [7] | `backendRefs` | Defines the backend(s) where matching requests should be sent. | | [8] | `name` | The name of the referent service. | | [9] | `weight` | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs). | | [10] | `port` | The port of the referent service. | | [11] | `group` | Group is the group of the referent. Only `traefik.io` and `gateway.networking.k8s.io` values are supported. | | [12] | `kind` | Kind is kind of the referent. Only `TraefikService` and `Service` values are supported. | {!traefik-for-business-applications.md!}