Traefik 1.7: Kubernetes Ingress Reloaded with TCP and CRD Support
K8s Guru
2 min read
Table of Contents
Introduction
September 12, 2018 welcomed Traefik 1.7, the release that transformed Traefik from “simple ingress” into a multi-protocol edge router. TCP support, CRDs, and enhanced ACME automation make it a compelling choice for production Kubernetes clusters.
Release Highlights
Native TCP Routing
- Route TLS and non-TLS TCP traffic alongside HTTP workloads.
- Enables database proxies, MQTT brokers, and custom protocols behind Traefik.
- SNI-based routing pairs neatly with wildcard certificates.
Kubernetes CRDs & Ingress Enhancements
- Introduces
IngressRouteandMiddlewareCRDs for richer routing logic than the standard Ingress API. - Header rewrites, canary weighting, and blue/green switches now declarative.
- Supports
TraefikServiceCRD for advanced load-balancing strategies (mirroring, weighted WRR).
Let’s Encrypt Wildcard + ACME v2
- Automates wildcard certificate issuance via DNS-01 challenges.
- Handles SAN rotation and renewal with zero downtime.
- DNS provider plugins (Route53, Cloudflare) updated for ACME v2 compatibility.
Implementation Tips
- Adopt CRDs Gradually: run Traefik with both
IngressRouteand traditional Ingress enabled; migrate namespaces one by one. - Automate Certificates: configure
certificatesResolverswith DNS credentials stored in Kubernetes secrets. - Observe Traffic: scrape
/metricsfor Prometheus to collect per-router latency and TLS handshake metrics. - Secure the Dashboard: lock behind
Middlewarebasic auth or disable the exposed UI entirely.
Example IngressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: web
spec:
entryPoints:
- websecure
routes:
- match: Host(`app.example.com`) && PathPrefix(`/`)
kind: Rule
services:
- name: app
port: 80
middlewares:
- name: secure-headers
tls:
certResolver: letsencrypt
Ecosystem Fit
- Complements Istio 1.0 by serving as an external ingress gateway.
- Works with Cert-Manager 0.7 or native Traefik ACME for certificate automation.
- Plays nicely with FluxCD 1.6 GitOps pipelines managing CRDs.
Summary
| Aspect | Details |
|---|---|
| Release Date | September 12, 2018 |
| Key Gains | TCP routing, CRD-driven ingress, wildcard ACME |
| Why it Matters | Elevates Traefik to a full-featured edge router for Kubernetes and beyond |
Traefik 1.7 proves ingress controllers can blend simplicity with power. By embracing CRDs and multi-protocol routing, it gives platform teams flexible, declarative control of their cluster edges.