0 0 Share PDF

Traefik Enterprise Edition Solution Brief for Docker Enterprise and Kubernetes

Traefik Enterprise Edition on Docker Enterprise Edition with Kubernetes

Traefik Enterprise Edition (TraefikEE) is a production-grade, distributed, and highly-available routing solution built on top of Traefik.

Containous aims at simplifying the life of today’s DevOps and Site Reliability Engineers (SREs) with an easy-to-install, robust and secure edge router. Our cloud-native solution enables users to address all the routing (simple to very complex), load balancing, tracing and observability, and governance needs they may have with a small footprint. Containous is a cloud-agnostic and legacy friendly routing solution. TraefikEE is an enterprise-grade ingress controller built upon the acclaimed open source edge router 'Traefik'. It benefits from one of the most vibrant and supportive communities and caters to all the 'wiring' needs of your microservices projects, whether you are starting from scratch (greenfield) or transitioning away from a different infrastructure.

Traefik Architecture

To learn more about TraefikEE concepts, see Concepts of the documentation.


The 'Traefik Enterprise Edition Solution Brief for Docker Enterprise and Kubernetes' solution guide has been tested in the following environment:

External Ingress Access


TraefikEE takes advantage of the NodePorts Kubernetes object.

To reach TraefikEE from an external network, you must configure either:

  • DNS record(s) to at least one Docker EE worker node
  • An external load-balancer distributing requests to your Docker EE worker nodes
  • If you prefer to test the example without a DNS, you can simple use the IP address of one of the nodes in your cluster in place of public.cluster.dns.org in the example configurations.


We strongly recommend you to expose the IANA HTTP (80) and HTTPS (443) ports on the Docker EE worker nodes.

However, the default installation of UCP is already using the port 443 of the worker nodes, as explained in the Docker's UCP documentation

Based on your future needs, you have to choose one of the following scenarios:

  • If you plan to use Let's Encrypt with TraefikEE:
  • If you don't need Let's Encrypt, or cannot change UCP ports:
    • Consider using 2 available ports on the Docker EE worker nodes: Let's say 9080 and 9443
    • Configure your external Load-Balancer to do the port forwarding 80 <-> 9080 and 443 <-> 9443
    • Port 443 is mandatory if you plan to use Let's Encrypt with TLS challenge

Default Storage Class

As specified in the Kubernetes requirements for TraefikEE, check that your DockerEE Kubernetes installation has a default storage class:

kubectl get storageclass

You should get an output similar to this one, where one of the elements is defined as (default):

NAME                 PROVISIONER    AGE
standard (default)   xxxxxxxxxx     1d

If you do not have any default storage class defined, please check the following Docker Entperise guides for storage most appropriate for your environment:

You might also want to check the official Kubernetes documentation:

Once you have a default storage class defined, you can go to the next step.


Installation is a Kubernetes Customised One Line Installation, specifying the HTTP/HTTPS ports (chosen earlier in the "Ports" section) in the YAML values file:

  http: 9080
  https: 9443

Then execute the following installation command:

traefikeectl install \
  --kubernetes \
  --dashboard \
  --licensekey="${TRAEFIKEE_LICENSE_KEY}" \
  --kubernetes.helmvaluespath=./custom-values.yaml \

note "traefikeectl install options" You can learn more about the command-line options used on the traefikeectl install Reference Guide


When the installation is complete:

  • Check your cluster nodes and logs using traefikeectl:

    traefikeectl list-nodes --clustername=traefikee-kube
    traefikeectl logs --clustername=traefikee-kube
  • Deploy a customized routing configuration to create the entrypoints. Please note that TraefikEE uses the 80 and 443 port internally, hence these values for the entrypoints:

    traefikeectl deploy --clustername=traefikee-kube \
        --kubernetes \
        --entryPoints='Name:http Address::80' \
        --entryPoints='Name:https Address::443 TLS' \

Deploy Application

You can start deploying applications in Kubernetes with Ingress Rules:

  • Start by creating the following YAML file describing the Kubernetes Objects for an application, with public.cluster.dns.org being the public DNS to reach the cluster (you can also use the IP address of a node instead of public.cluster.dns.org):
kind: Deployment
apiVersion: extensions/v1beta1
  name: whoami
  namespace: traefikee
    app: traefikee
  replicas: 2
        app: whoami
      - name: whoami
        image: containous/whoami
        imagePullPolicy: Always

apiVersion: v1
kind: Service
  name: whoami
  namespace: traefikee
    app: whoami
  type: ClusterIP
  - port: 80
    name: whoami
    app: whoami

apiVersion: extensions/v1beta1
kind: Ingress
  name: whoami
  namespace: traefikee
    app: whoami
    kubernetes.io/ingress.class: 'traefik'
  - host: public.cluster.dns.org
      - path: /whoami
          serviceName: whoami
          servicePort: 80
  • Deploy your application with the following command:

    kubectl apply -f ./whoami-kube.yaml
  • Check the application deployment status, expecting the 3 objects to be in staus Ready:

    kubectl get deployment,svc,ingress \
        --namespace=traefikee \
  • Verify that the requests are routed by TraefikEE to the "whoami" application:

    curl http://public.cluster.dns.org:9080/whoami
  • Cleanup the "whoami" application if everything is alright:

    kubectl delete -f ./whoami-kube.yaml