BestHub
Sign in
Cloud Native 13 min read

Deploy Traefik as a DaemonSet on Kubernetes with RBAC, Ingress UI and HTTPS

This guide walks through installing Traefik on a Kubernetes cluster, covering its advantages over Nginx, required RBAC permissions, DaemonSet deployment, exposing the web UI via Ingress, configuring host entries, generating self‑signed TLS certificates, and enabling automatic circuit‑breaker policies.

Full-Stack DevOps & Kubernetes
Full-Stack DevOps & Kubernetes
Full-Stack DevOps & Kubernetes
Deploy Traefik as a DaemonSet on Kubernetes with RBAC, Ingress UI and HTTPS

Traefik Overview

Traefik is a lightweight HTTP reverse‑proxy and load balancer written in Go. It watches the Kubernetes API (or other service registries) and updates its routing configuration automatically without needing a restart. It supports multiple load‑balancing algorithms, Let’s Encrypt (including wildcard certificates), circuit breaking, retries, high‑availability cluster mode, a built‑in UI, and metrics integrations such as Prometheus, Datadog, StatsD and InfluxDB.

Key Features

Dynamic configuration without service restart

Multiple load‑balancing algorithms

Let’s Encrypt (wildcard) for automatic HTTPS

Circuit breaking and retry mechanisms

Cluster‑mode high availability

Built‑in dashboard UI

Support for WebSocket, HTTP/2 and gRPC

Metrics exporters for Prometheus, Datadog, StatsD, InfluxDB, etc.

JSON and CLF access logs

REST API

Distributed as a single binary or Docker image

RBAC Configuration (Kubernetes 1.6+)

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

Apply the RBAC rules:

kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml

Deploy Traefik as a DaemonSet

# traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      restartPolicy: Always
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
          hostPort: 8080
        securityContext:
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - protocol: TCP
    port: 80
    name: web
  - protocol: TCP
    port: 8080
    name: admin

Apply the manifest and verify the pods:

kubectl apply -f traefik-ds.yaml
kubectl -n kube-system get pod -o wide

Because hostNetwork: true is set, ports 80 (HTTP) and 8080 (admin UI) are opened on every node.

Expose Traefik UI via Ingress

# traefik-web-ui.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui.com
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80

Apply and check the ingress:

kubectl apply -f traefik-web-ui.yaml
kubectl get ingress -o wide --all-namespaces

Add a host entry on the client machine (example IP 172.23.216.49): 172.23.216.49 traefik-ui.com The dashboard is reachable at http://traefik-ui.com/dashboard/.

Sample Nginx Application

# nginx-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
# nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 4
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.15.5
        ports:
        - containerPort: 80
---
# nginx-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.nginx.com
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80

Deploy the resources and add a host entry (example IP 172.23.216.49): 172.23.216.49 k8s.nginx.com Access the application via http://k8s.nginx.com.

HTTPS Certificate Configuration

Generate a self‑signed certificate and store it as a TLS secret in the kube-system namespace:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=traefik-ui.com"
kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt

Update the UI Ingress to use the TLS secret:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
  - secretName: traefik-ui-tls-cert
  rules:
  - host: traefik-ui.com
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80

Automatic Circuit Breaking

Traefik can stop routing to a backend when error ratios, latency, or HTTP status codes exceed defined thresholds. Example policies:

NetworkErrorRatio() > 0.6 – break when error rate exceeds 60 %

LatencyAtQuantileMS(60.0) > 60 – break when 60 ms latency is exceeded

ResponseCodeRatio(500,600,0,600) > 0.5 – break when 5xx responses exceed 50 %

Apply a circuit‑breaker annotation to a Service:

apiVersion: v1
kind: Service
metadata:
  name: wensleydale
  annotations:
    traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.6"
    traefik.backend.circuitbreaker: "LatencyAtQuantileMS(60.0) > 2000"
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

KubernetesCircuitBreakerIngressHTTPSDaemonSetRBACTraefik
Full-Stack DevOps & Kubernetes
Written by

Full-Stack DevOps & Kubernetes

Focused on sharing DevOps, Kubernetes, Linux, Docker, Istio, microservices, Spring Cloud, Python, Go, databases, Nginx, Tomcat, cloud computing, and related technologies.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment