The previous lesson explained why Ingress has limitations—annotation chaos, vendor lock-in, no role separation. Gateway API solves these problems, but it introduces new abstractions: GatewayClass, Gateway, HTTPRoute, BackendTrafficPolicy. That's a lot to absorb before routing your first request.
What if you just want external traffic reaching your Task API in 5 minutes?
Traefik offers exactly that. It's a simpler ingress controller with its own CRDs (IngressRoute, Middleware) that are more intuitive than Ingress annotations. You'll understand traffic routing fundamentals faster with Traefik, which prepares you for Gateway API's more powerful—but more complex—model.
This lesson gets your Task API accessible from outside the cluster with rate limiting protection. Then you'll understand exactly what Gateway API improves upon.
Traefik publishes a Helm chart that handles all the complexity—Deployment, Service, ServiceAccount, RBAC, CRDs. You just run two commands.
Add the Traefik Helm repository:
Output:
Update repository information:
Output:
Install Traefik in its own namespace:
Output:
Verify the installation:
Output:
Check the Service created by Traefik:
Output:
On Docker Desktop, localhost appears as the external IP. On a cloud provider, you'd see a real public IP. Either way, Traefik now accepts traffic on ports 80 (HTTP) and 443 (HTTPS).
Before creating routes, understand how Traefik processes requests:
EntryPoints: Ports where Traefik accepts connections. The Helm chart creates web (port 80) and websecure (port 443) by default.
Routers: Rules that match incoming requests. When a request matches a Router's rule (e.g., Host('api.example.com') && PathPrefix('/tasks')), Traefik sends it to the associated Service.
Middlewares: Transformations applied before reaching the backend. Rate limiting, authentication, header manipulation, path stripping—all are Middlewares.
Services: Backend targets. In Kubernetes, these point to Kubernetes Services that forward to Pods.
This is similar to Gateway API's model (Gateway, HTTPRoute, BackendTrafficPolicy) but with different terminology and simpler CRDs.
Traefik's IngressRoute CRD replaces Kubernetes' Ingress resource with a cleaner syntax. No annotations required.
First, ensure your Task API is running. If you've been following along, you have it deployed:
Output:
Now create task-api-ingressroute.yaml that routes /api/v1/tasks to the Task API:
Output:
(This is the manifest—we'll apply it next)
Apply the IngressRoute:
Output:
Test the route:
Output:
Your Task API is now accessible from outside the cluster through Traefik. The request flow:
Compare this to the Ingress resource from Lesson 1. No annotations needed. The routing logic is in structured YAML fields, not string annotations.
Traefik's match rules use a simple expression language:
Examples:
Route only POST requests to /tasks:
Route based on API version header:
This expressive matching is something standard Ingress cannot do without controller-specific annotations.
Your AI agent's Task API could be expensive to run. Without rate limiting, a single user could exhaust your compute budget. Traefik Middlewares handle this.
Create ratelimit-middleware.yaml:
Output:
(This is the manifest—we'll apply it next)
Apply the Middleware:
Output:
Now attach the Middleware to your IngressRoute. Create task-api-ingressroute-ratelimited.yaml:
Apply the updated IngressRoute:
Output:
Test the rate limit by sending many requests quickly:
Output:
After approximately 20 requests (the burst limit), Traefik returns 429 Too Many Requests. The rate limiter is protecting your backend.
Sometimes your backend expects a different path than what external clients use. Middlewares can transform paths.
Remove a path prefix before forwarding. Create strip-prefix-middleware.yaml:
Output:
(Manifest only)
If a client requests /api/v1/tasks, Traefik forwards /tasks to the backend. Useful when your internal services don't expect version prefixes.
Add a path prefix before forwarding. Create add-prefix-middleware.yaml:
Output:
(Manifest only)
A request to /tasks becomes /internal/tasks when reaching the backend.
Add or modify HTTP headers. Create headers-middleware.yaml:
Output:
(Manifest only)
Apply multiple Middlewares in sequence:
Middlewares execute in order. Rate limiting happens before path stripping, which happens before header modification.
Traefik includes a web dashboard for monitoring routes, services, and middlewares. Enable it by upgrading the Helm release:
Output:
Access the dashboard via port-forward:
Output:
Open http://localhost:9000/dashboard/ in your browser. You'll see:
The dashboard updates in real-time. Create a new IngressRoute, and it appears within seconds. This visibility is valuable for debugging routing issues.
Both Traefik and Gateway API solve the same problem—routing external traffic to internal services. The choice depends on your situation.
For this book's learning path: We teach Traefik first because it's faster to understand. Once you've internalized traffic routing concepts with Traefik, Gateway API's abstractions will make more sense. Lessons 3-11 will then teach Gateway API as your production solution.
If you haven't already:
Verify you can see EntryPoints, Routers, Services, and Middlewares sections.
Create an IngressRoute that:
Test with curl http://localhost/api/v1/tasks.
Verify you see 429 responses after the burst limit.
Check the Traefik dashboard to see both Middlewares attached to your route.
You built a traffic-engineer skill in Lesson 0. Test and improve it based on what you learned.
Your skill should now include Traefik as an option:
When should your skill recommend Traefik?
When should your skill recommend Gateway API?
Consider adding these to your skill:
Your skill should generate the appropriate CRDs based on whether Traefik or Gateway API is chosen.