mirror of
https://github.com/containous/traefik.git
synced 2025-11-26 16:24:02 +03:00
18 KiB
18 KiB
title, description
| title | description |
|---|---|
| Traefik Kubernetes Ingress NGINX Documentation | Understand the requirements, routing configuration, and how to set up the Kubernetes Ingress NGINX provider. Read the technical documentation. |
Traefik & Ingresses with NGINX Annotations
This provider is a Kubernetes Ingress controller that manages access to cluster services by supporting the Ingress specification. It also supports many of the ingress-nginx annotations on Ingresses, enabling teams to migrate from NGINX Ingress Controller to Traefik with minimal configuration changes.
!!! warning "NGINX Ingress Controller Retirement"
The Kubernetes NGINX Ingress Controller project has announced its retirement in **March 2026** and will no longer receive updates or security patches.
Traefik provides a migration path by supporting NGINX annotations, allowing you to transition your workloads without rewriting all your Ingress configurations.
For more information about the NGINX Ingress Controller retirement, see the [official Kubernetes blog announcement](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement).
Ingress Discovery
This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.
Best Practices:
- Use IngressClass to specify which Ingresses should be handled by this provider
- Configure
watchNamespaceto limit discovery to specific namespaces - Use
watchNamespaceSelectorto target Ingresses based on namespace labels
Configuration Example
You can enable the Kubernetes Ingress NGINX provider as detailed below:
providers:
kubernetesIngressNGINX:
endpoint: "https://kubernetes.default.svc"
token: "mytoken"
certAuthFilePath: "/path/to/ca.crt"
throttleDuration: "2s"
# Namespace discovery
watchNamespace: "default"
# OR use namespace selector (mutually exclusive with watchNamespace)
# watchNamespaceSelector: "environment=production"
# IngressClass configuration
ingressClass: "nginx"
controllerClass: "k8s.io/ingress-nginx"
watchIngressWithoutClass: false
ingressClassByName: false
# Status updates
publishService: "kube-system/traefik"
publishStatusAddress: "203.0.113.42"
# Default backend
defaultBackendService: "default/default-backend"
# Security
disableSvcExternalName: false
[providers.kubernetesIngressNGINX]
endpoint = "https://kubernetes.default.svc"
token = "mytoken"
certAuthFilePath = "/path/to/ca.crt"
throttleDuration = "2s"
# Namespace discovery
watchNamespace = "default"
# OR use namespace selector (mutually exclusive with watchNamespace)
# watchNamespaceSelector = "environment=production"
# IngressClass configuration
ingressClass = "nginx"
controllerClass = "k8s.io/ingress-nginx"
watchIngressWithoutClass = false
ingressClassByName = false
# Status updates
publishService = "kube-system/traefik"
publishStatusAddress = "203.0.113.42"
# Default backend
defaultBackendService = "default/default-backend"
# Security
disableSvcExternalName = false
--providers.kubernetesingressnginx=true
--providers.kubernetesingressnginx.endpoint=https://kubernetes.default.svc
--providers.kubernetesingressnginx.token=mytoken
--providers.kubernetesingressnginx.certauthfilepath=/path/to/ca.crt
--providers.kubernetesingressnginx.throttleduration=2s
--providers.kubernetesingressnginx.watchnamespace=default
--providers.kubernetesingressnginx.ingressclass=nginx
--providers.kubernetesingressnginx.controllerclass=k8s.io/ingress-nginx
--providers.kubernetesingressnginx.watchingresswithoutclass=false
--providers.kubernetesingressnginx.ingressclassbyname=false
--providers.kubernetesingressnginx.publishservice=kube-system/traefik
--providers.kubernetesingressnginx.publishstatusaddress=203.0.113.42
--providers.kubernetesingressnginx.defaultbackendservice=default/default-backend
--providers.kubernetesingressnginx.disablesvcexternalname=false
providers:
kubernetesIngressNginx:
# -- Enable Kubernetes Ingress NGINX provider
enabled: true
# -- Kubernetes server endpoint (required for external cluster client)
endpoint: "https://kubernetes.default.svc"
# -- Kubernetes bearer token (not needed for in-cluster client)
token: "mytoken"
# -- Kubernetes certificate authority file path (not needed for in-cluster client)
certAuthFilePath: "/path/to/ca.crt"
# -- Ingress refresh throttle duration
throttleDuration: "2s"
# Namespace discovery
# -- Namespace the controller watches for updates to Kubernetes objects
# When using rbac.namespaced, it will watch helm release namespace and namespaces listed in this array
namespaces:
- default
# OR use namespace selector (mutually exclusive with namespaces)
# namespaceSelector: "environment=production"
# IngressClass configuration
# -- Name of the ingress class this controller satisfies
ingressClass: "nginx"
# -- Ingress Class Controller value this controller satisfies
controllerClass: "k8s.io/ingress-nginx"
# -- Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified
watchIngressWithoutClass: false
# -- Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class
ingressClassByName: false
# Status updates
# -- Service fronting the Ingress controller
publishService:
enabled: true
pathOverride: "kube-system/traefik"
# -- Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects
publishStatusAddress: "203.0.113.42"
# Default backend
# -- Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'
defaultBackendService: "default/default-backend"
# Security
# -- Disable support for Services of type ExternalName
disableSvcExternalName: false
This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration, creating the corresponding routers, services, middlewares, and other components needed to route traffic to your cluster services.
Configuration Options
| Field | Description | Default | Required |
|---|---|---|---|
providers.providersThrottleDuration |
Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event. If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded. This option cannot be set per provider, but the throttling algorithm applies to each of them independently. |
2s | No |
providers.kubernetesIngressNGINX.endpoint |
Server endpoint URL. More information here. |
"" | No |
providers.kubernetesIngressNGINX.token |
Bearer token used for the Kubernetes client configuration. | "" | No |
providers.kubernetesIngressNGINX.certAuthFilePath |
Path to the certificate authority file. Used for the Kubernetes client configuration. |
"" | No |
providers.kubernetesIngressNGINX.throttleDuration |
Minimum amount of time to wait between two Kubernetes events before producing a new configuration. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration. If empty, every event is caught. |
0s | No |
providers.kubernetesIngressNGINX.watchNamespace |
Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | "" | No |
providers.kubernetesIngressNGINX.watchNamespaceSelector |
Selector selects namespaces the controller watches for updates to Kubernetes objects. | "" | No |
providers.kubernetesIngressNGINX.ingressClass |
Name of the ingress class this controller satisfies. | "" | No |
providers.kubernetesIngressNGINX.controllerClass |
Ingress Class Controller value this controller satisfies. | "" | No |
providers.kubernetesIngressNGINX.watchIngressWithoutClass |
Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false | No |
providers.kubernetesIngressNGINX.ingressClassByName |
Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false | No |
providers.kubernetesIngressNGINX.publishService |
Service fronting the Ingress controller. Takes the form namespace/name. |
"" | No |
providers.kubernetesIngressNGINX.publishStatusAddress |
Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | "" | No |
providers.kubernetesIngressNGINX.defaultBackendService |
Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | "" | No |
providers.kubernetesIngressNGINX.disableSvcExternalName |
Disable support for Services of type ExternalName. | false | No |
endpoint
The Kubernetes server endpoint URL.
When deployed into Kubernetes, Traefik reads the environment variables KUBERNETES_SERVICE_HOST
and KUBERNETES_SERVICE_PORT or KUBECONFIG to construct the endpoint.
The access token is looked up in /var/run/secrets/kubernetes.io/serviceaccount/token
and the SSL CA certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.
Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by kubectl proxy to connect to a Kubernetes
cluster using the granted authentication and authorization of the associated kubeconfig.
providers:
kubernetesIngressNGINX:
endpoint: "http://localhost:8080"
# ...
[providers.kubernetesIngressNGINX]
endpoint = "http://localhost:8080"
# ...
--providers.kubernetesingressnginx.endpoint=http://localhost:8080
Routing Configuration
See the dedicated section in routing.
{!traefik-for-business-applications.md!}