In the world of Kubernetes, managing traffic and securing APIs are critical tasks for any DevOps professional. This guide is the first in a three-part series designed to streamline your journey into modern application architecture:
Part 1: Deploying Traefik as an Ingress Controller
Part 2: Configuring KrakenD as an API Gateway.
Part 3: Building services that leverage Traefik and KrakenD for seamless traffic management and API integration.
In this first part, we will focus on deploying Traefik, a powerful Ingress Controller that simplifies external traffic management within Kubernetes environments. Whether you’re experimenting with Kubernetes or managing production workloads, this guide will equip you with the knowledge to integrate Traefik effectively.
Why Traefik and KrakenD?
Traefik
Traefik is a modern, cloud-native reverse proxy and load balancer. Its dynamic configuration and seamless integration with Kubernetes make it ideal for handling HTTP and HTTPS traffic in microservices environments. Additionally, extensive features like middleware, TLS management, and monitoring reduce operational overhead. This makes Traefik a go-to solution for both small-scale and enterprise deployments.
KrakenD
KrakenD is an open-source API Gateway designed for high performance and flexibility. It handles complex operations such as request routing, aggregation, and transformation, allowing developers to expose APIs in a structured and efficient manner. With KrakenD, you can aggregate multiple microservices into a single endpoint, reducing latency and simplifying client interactions.
This series will ultimately demonstrate how to combine these tools to create robust, scalable architectures for modern applications.
All files mentioned in this guide are available in the GitHub repository: traefik-krakend-k8s-setup under the folder 1. traefik
.
Prerequisites
To follow along, ensure you have the following:
- A Kubernetes Cluster: This can be a local setup using Minikube or Kind, or a managed cluster like AWS EKS, Google GKE, or Azure AKS.
-
kubectl
CLI: Installed and configured to interact with your cluster. -
Helm
CLI: Installed for managing Kubernetes packages.
Architecture Overview
This guide will cover:
- Deploying Traefik to manage external traffic.
Step 1: Setting Up Traefik
Installing Traefik CRDs
To enable advanced features, start by installing Traefik’s Custom Resource Definitions (CRDs):
helm repo add traefik https://traefik.github.io/charts
helm repo update
kubectl apply --server-side -k https://github.com/traefik/traefik-helm-chart/traefik/crds/
Creating Namespaces
Namespaces help organize Kubernetes resources. Create namespaces for Traefik, your applications, and KrakenD:
00-init-namespace.yaml:
apiVersion: v1
kind: Namespace
metadata:
name: traefik
---
apiVersion: v1
kind: Namespace
metadata:
name: my-application
---
apiVersion: v1
kind: Namespace
metadata:
name: krakend
Apply the namespaces:
kubectl apply -f 00-init-namespace.yaml
Configuring TLS
TLS is crucial for securing data, authenticating servers, and establishing trust with users. Certificates are necessary to enable encryption and verify server identity. Here, we use a self-signed certificate for internal or testing purposes.
Enable HTTPS by generating a self-signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout wildcard.mydns.local.key -out wildcard.mydns.local.crt -subj "/CN=*.mydns.local" -addext "subjectAltName=DNS:*.mydns.local,DNS:mydns.local"
Store the certificate in Kubernetes:
kubectl create secret tls traefik-tls-secret --key ./wildcard.mydns.local.key --cert ./wildcard.mydns.local.crt -n traefik
Define a default TLS store:
In Traefik, certificates are grouped together in certificates stores.
Note that, any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store.
00-just-tls.yaml:
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: traefik
spec:
defaultCertificate:
secretName: traefik-tls-secret
Apply the TLS store configuration:
kubectl apply -f 00-just-tls.yaml
Granting Permissions
ClusterRole defines the set of permissions needed for Traefik to manage Kubernetes resources.
ServiceAccount provides an identity for Traefik within the cluster.
ClusterRoleBinding then associates this ClusterRole with the ServiceAccount, allowing Traefik to perform actions like reading endpoints or updating ingresses across all namespaces.
Create a ClusterRole for Traefik to interact with Kubernetes resources:
00-traefik-clusterrole.yaml:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-role
rules:
- apiGroups:
- ""
resources:
- services
- secrets
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.io
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
verbs:
- get
- list
- watch
Note: This role grants all the permissions Traefik typically needs. If you’re not using certain features (for example, custom Traefik CRDs or managing Ingress status), feel free to remove those permissions. Just ensure you don’t remove anything you rely on, or Traefik may lose necessary functionality.
Apply the ClusterRole:
kubectl apply -f 00-traefik-clusterrole.yaml
Create a ServiceAccount and bind it to the ClusterRole:
01-traefik-serviceaccount.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-account
namespace: traefik
02-traefik-clusterrole-binding.yaml:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-role
subjects:
- kind: ServiceAccount
name: traefik-account
namespace: traefik
Apply these configurations:
kubectl apply -f 01-traefik-serviceaccount.yaml
kubectl apply -f 02-traefik-clusterrole-binding.yaml
Deploying Traefik
To deploy Traefik in Kubernetes, create a Deployment that specifies Traefik’s container image, resource requirements, and other necessary configurations. This Deployment will manage the Traefik pods, ensuring they run with the desired settings and scale as needed.
Create a Deployment for Traefik:
04-traefik-deployment.yaml:
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-deployment
namespace: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-account
containers:
- name: traefik
image: traefik:v3.2
args:
- --accesslog
- --providers.kubernetescrd
- --providers.kubernetesingress
- --log.level=DEBUG
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
- --entrypoints.websecure.http.tls=true
ports:
- name: websecure
containerPort: 443
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
resources:
requests:
cpu: 200m
memory: 100Mi
limits:
cpu: 200m
memory: 100Mi
Note: The
securityContext
settings follow best practices for container security. Review your organization’s policies and ensure these align with specific requirements.
Apply the Deployment:
kubectl apply -f 04-traefik-deployment.yaml
Exposing Traefik
Create a LoadBalancer service to expose Traefik externally. This service will provide an external IP, making Traefik accessible for incoming traffic from outside the Kubernetes cluster.
05-traefik-web-service.yaml:
apiVersion: v1
kind: Service
metadata:
name: traefik-web-service
namespace: traefik
spec:
type: LoadBalancer
ports:
- name: websecure
port: 443
targetPort: 443
selector:
app: traefik
Apply the service configuration:
kubectl apply -f 05-traefik-web-service.yaml
With this, your Traefik deployment is ready to manage external traffic efficiently.
What’s Next?
In Part 2, we will deploy KrakenD and configure it as a high-performance API Gateway to manage backend services. This will set the stage for building robust applications in Part 3, where Traefik and KrakenD will work together seamlessly to handle traffic and API integration.
Share Your Experience
If you found this guide helpful, share your experience or ask questions in the comments. We’d love to hear about your Kubernetes journey and how tools like Traefik and KrakenD fit into your workflow. Stay tuned for more DevOps insights and tutorials!