Configuring Traefik for Cross-Namespace Ingress

When installing Traefik either with Kubernetes or K3s, detection of Ingress object types in other namespaces than what Traefik is running in will not be possible. Since Traefik typically runs under the kube-system namespace, this will be a problem as I don’t want any of my production deployments to be running in a namespace intended to hold essential elements to the Kubernetes cluster.

In my scenario, I inherited Traefik by installing K3s on my homelab and plan to deploy Traefik to a production cluster for my pipeline project in the future.

The Simple Fix

All that Traefik requires is the providers.kubernetesCRD.allowCrossNamepsace setting to be forced to true. This had been set to false by default in a previous version.

Inherited or not, Traefik can be deployed by using Helm charts (which is the case under K3s). Under Helm, a configuration override can be placed by using the HelmChartConfig object. Once deploying this object, the installed deployment will restart with configuration merged between the default and that defined within the new HelmChartConfig object.

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    providers:
      kubernetesCRD:
        allowCrossNamespace: true

Or if it’s needed in a HCL / Terraform context ..

resource "kubernetes_manifest" "traefik" {
  manifest = {
    "apiVersion" = "helm.cattle.io/v1"
    "kind"       = "HelmChartConfig"
    "metadata" = {
      "name"      = "traefik"
      "namespace" = "kube-system"
    }
    "spec" = {
      "valuesContent" = file("${path.module}/traefik-config.yml")
    }
  }
}

# traefik-config.yml
providers:
  kubernetesCRD:
    allowCrossNamespace: true