Steps and Configuration for Deploying Traefik on Kubernetes


This article will cover the deployment of Traefik in a Kubernetes environment. Here, we will explain the steps to deploy Traefik and its corresponding configuration.

Creating Relevant Configuration Files

This example uses the official Traefik documentation examples for account.yaml, role.yaml, and role-binding.yaml.

Copy Successful
# account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-account
Copy Successful
# role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: traefik-role
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
Copy Successful
# role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-role
subjects:
- kind: ServiceAccount
name: traefik-account
namespace: default
Copy Successful
# storage.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: traefik
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain
Copy Successful
# volume.yaml
# <path> is the path where the data is stored.
# Example: path: "/mnt/disks/data/traefik"
apiVersion: v1
kind: PersistentVolume
metadata:
name: traefik
labels:
app: traefik
spec:
storageClassName: traefik
capacity:
storage: 100Gi
accessModes:
- ReadWriteMany
hostPath:
path: <path>
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik
labels:
app: traefik
spec:
storageClassName: traefik
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Gi
Copy Successful
# Creating folder.
# <path> is the path where the data is stored.
mkdir -p <path>

This example will open Traefik's dashboard and use Let's Encrypt to apply SSL certificates.
For other configuration parameters, please refer to the Traefik official documentation.

Copy Successful
# service.yaml
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
ports:
- name: dashboard
targetPort: dashboard
port: 8080
selector:
app: traefik
Copy Successful
# ingress.yaml
# <domain> is the domain name.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: myresolver
spec:
rules:
- host: <domain>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: traefik
port:
name: dashboard
Copy Successful
# deployment.yaml
# <email> is the email used for Let's Encrypt certificate application.
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-deployment
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
nodeSelector:
worker: cluster
serviceAccountName: traefik-account
containers:
- name: traefik
image: traefik:v3.0
args:
- --api=true
- --api.insecure=true
- --api.dashboard=true
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls
- --entrypoints.name.http3
- --certificatesresolvers.myresolver.acme.email=<email>
- --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
- --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
- --serverstransport.insecureskipverify=true
- --log.level=INFO
- --log.filepath=/log/traefik.log
- --accesslog=true
- --accessLog.filepath=/log/access.log
- --providers.kubernetesingress
ports:
- name: web
containerPort: 80
hostPort: 80
- name: websecure
containerPort: 443
hostPort: 443
- name: dashboard
containerPort: 8080
volumeMounts:
- mountPath: /acme
name: traefik
subPath: acme
- mountPath: /log
name: traefik
subPath: log
volumes:
- name: traefik
persistentVolumeClaim:
claimName: traefik
Copy Successful
kubectl apply -f account.yaml
Copy Successful
kubectl apply -f role.yaml
Copy Successful
kubectl apply -f role-binding.yaml
Copy Successful
kubectl apply -f storage.yaml
Copy Successful
kubectl apply -f volume.yaml
Copy Successful
kubectl apply -f service.yaml
Copy Successful
kubectl apply -f ingress.yaml
Copy Successful
kubectl apply -f deployment.yaml