How to use Traefik as a Reverse Proxy in Kubernetes? 

Traefik kubernetes
Reading Time: 4 minutes

Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (DockerSwarm modeKubernetesMarathonConsulEtcdRancherAmazon ECS, …) and configures itself automatically and dynamically. Pointing Traefik at your orchestrator should be the only configuration step you need.


Imagine that you have deployed a bunch of microservices with the help of an orchestrator (like Swarm or Kubernetes) or a service registry (like etcd or consul). Now you want users to access these microservices, and you need a reverse proxy.

Traditional reverse-proxies require that you configure each route that will connect paths and subdomains to each microservice. In an environment where you add, remove, kill, upgrade, or scale your services many times a day, the task of keeping the routes up to date becomes tedious.

This is when Traefik can help you! Run Traefik and let it do the work for you! 

Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world — without further intervention on your part.

Why you might need a reverse proxy?

A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers. They provide a layer of security and reliability over our web servers increasing the performance of the requests served by our web servers. Most reverse proxies also have the ability to load balance the requests distributing the incoming traffic according to the defined load balancing algorithm/strategy.


  • Routing inbound traffic to the right container in multi-container environments.
  • Terminate SSL (using Let’s encrypt).
  • Allow for load balancing in multiple backend servers environments
  • Basic authentication.
  • IP whitelist/blacklist.

Configuration Overview

Configuration in Traefik are of two different things:

  • The fully dynamic routing configuration (referred to as the dynamic configuration)
  • The startup configuration (referred to as the static configuration)

Elements in the static configuration set up connections to providers and define the entrypoints Traefik will listen to. There are three different ways to define static configuration options in Traefik: configuration file, command-line arguments, and environment variables. So once you change the configuration you need to restart the traefik.

The dynamic configuration contains everything that defines how the requests are handled by your system. This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss. Traefik gets its dynamic configuration from providers: an orchestrator, a service registry, or a plain old configuration file.

Traefik In the context of Kubernetes Ingress -Service Discovery

Traefik is placed in the Kubernetes ecosystem because the traefik is a part of the ingress controller. Ingress managed Load Balancer is placed on the top which is not a part of the Kubernetes cluster. It might be an ELB if you run on AWS or it might be metal lb if you run on-premises.

Service type load balancer which is a Kubernetes object gives you an external id to connect to your Kubernetes cluster which connects to the ingress controller. To deploy our application in a port we need to create a service to connect the ingress controller and the pod so in that case, it will create endpoints in Kubernetes.

Thus, the network traffic is automatically routed to endpoints according to created routing rules.

Installation of Traefik in Kubernetes cluster using helm charts

Add helm repository:

helm repo add traefik


"traefik" has been added to your repositories

Once you have added the helm repository, perform a generic repository update for your helm repositories to fetch the latest upstream updates for the newly-added traefik chart repository.

helm repo update:

helm repo update

Install the Traefik chart, ensuring you are scoped to the desired namespace.

helm install stable/traefik --name traefik --set dashboard.enabled=true,serviceType=NodePort,dashboard.domain=dashboard.traefik,rbac.enabled=true  --namespace kube-system

Once Traefik is installed, validate that the resources were deployed correctly, e.g. the Traefik service was created, the Traefik pod is running, etc.

kubectl get pods  -n kube-system | grep traefik

If you want to customize the helm charts by enabling the SSL as well as the dashboard, you need to download the helm chart locally.

Edit the values.yaml file for enabling the ssl as below:

  enabled: true
  enabled: true
  staging: false
  # Save ACME certs to a persistent volume. WARNING: If you do not do this, you will re-request
  # certs every time a pod (re-)starts and you WILL be rate limited!
    enabled: true
    accessMode: ReadWriteOnce
    size: 1Gi
  enabled: true
  enabled: false

Features of Traefik

  • Continuously updates its configuration (No restarts!)
  • Supports multiple load balancing algorithms
  • Provides HTTPS to your microservices by leveraging Let’s Encrypt (wildcard certificates support)
  • Circuit breakers, retry
  • See the magic through its clean web UI
  • Websocket, HTTP/2, GRPC ready
  • Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
  • Keeps access logs (JSON, CLF)
  • Exposes a Rest API

Written by 

I am an DevOps engineer having experience working with the DevOps tool and technologies like Kubernetes, Docker, Ansible, AWS cloud, prometheus, grafana etc. Flexible towards new technologies and always willing to update skills and knowledge to increase productivity.