Key Takeaways
- ✓ Traefik has 3.4 billion downloads and 58,000+ GitHub stars.
- ✓ Ingress NGINX will be retired in March 2026 despite its historical status.
- ✓ Complete installation in under 5 minutes with Helm for both solutions.
Configuring a Kubernetes Ingress Controller step by step is essential for any infrastructure engineer pursuing LFS458 Kubernetes Administration training. The Ingress Controller exposes your services to external traffic with HTTP/HTTPS routing, TLS termination, and load balancing. Traefik has accumulated 3.4 billion downloads, 58,000+ GitHub stars, and 900+ contributors, while Ingress NGINX remains the historical standard despite its retirement announced for March 2026.
TL;DR: Nginx for simplicity and maturity, Traefik for advanced features and dynamic configuration. Both install in under 5 minutes with Helm.
These skills are at the heart of the LFS458 Kubernetes Administration training.
What is an Ingress Controller and Why is This Training Important?
An Ingress Controller is a reverse proxy that implements the Kubernetes Ingress resource. It reads Ingress rules and automatically configures routing to your services.
Components of Ingress Architecture
| Component | Role | Example |
|---|---|---|
| Ingress Resource | Declarative routing rules | YAML manifest |
| Ingress Controller | Routing implementation | Nginx, Traefik, HAProxy |
| Service | Routing target | ClusterIP, NodePort |
| TLS Secret | HTTPS certificates | cert-manager |
Remember: The Ingress Resource defines the "what" (routes), the Ingress Controller implements the "how" (proxy).
System administrators pursuing LFS458 Kubernetes Administration training master these concepts for the CKA exam. According to the Linux Foundation, the CKA exam lasts 2 hours with a passing score of 66%.
For more tutorials, see our Kubernetes Tutorials and Practical Guides hub.
How to Install Ingress NGINX Controller?
Prerequisites
Verify your cluster:
```bash
kubectl cluster-info
kubectl get nodes
```
Installation with Helm
```bash
# Add official repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Install in a dedicated namespace
kubectl create namespace ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --set controller.replicaCount=2 \
  --set controller.metrics.enabled=true \
  --set controller.service.type=LoadBalancer
```
Verify Installation
```bash
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
```
Expected output:
```
NAME                                        READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-5c8d66c76d-xxxxx   1/1     Running   0          2m
ingress-nginx-controller-5c8d66c76d-yyyyy   1/1     Running   0          2m
```
Remember: Run at least two replicas in production for high availability. With a single replica, the controller is a single point of failure for all incoming traffic.
For essential kubectl commands, see our kubectl cheat sheet.
How to Configure a Basic Ingress with NGINX?
Deploy a Test Application
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - name: nginx
          image: nginx:1.27-alpine
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: default
spec:
  selector:
    app: demo
  ports:
    - port: 80
      targetPort: 80
```
Create the Ingress Resource
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
    - host: demo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-service
                port:
                  number: 80
```
Apply and test:
```bash
kubectl apply -f demo-ingress.yaml
kubectl get ingress demo-ingress

# Local test
curl -H "Host: demo.example.com" http://<EXTERNAL-IP>/
```
For common errors, see our guide Resolve the 10 Most Common Kubernetes Deployment Errors.
How to Install Traefik Ingress Controller?
Traefik offers a modern alternative with dynamic configuration and an integrated dashboard.
Installation with Helm
```bash
# Add Traefik repository
helm repo add traefik https://traefik.github.io/charts
helm repo update

# Create namespace
kubectl create namespace traefik

# Install Traefik
helm install traefik traefik/traefik \
  --namespace traefik \
  --set deployment.replicas=2 \
  --set ingressRoute.dashboard.enabled=true \
  --set metrics.prometheus.enabled=true
```
Verify Installation
```bash
kubectl get pods -n traefik
kubectl get svc -n traefik
```
Enable Traefik Dashboard
```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.example.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: letsencrypt
```
Remember: The Traefik dashboard must be secured in production. Never expose it without authentication.
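
The dashboard IngressRoute above attaches no authentication. As an added example (not from the original page), here is the same route behind an IP allowlist and basic auth. It assumes Traefik v3; the middleware names, the `dashboard-auth` Secret and the CIDR are assumptions.

```yaml
# Added example: names, the CIDR and the Secret are assumptions, not from the original page.
# Create the credentials out of band so that no password hash is committed to Git:
#   htpasswd -nB admin > users
#   kubectl create secret generic dashboard-auth --from-file=users -n traefik
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: dashboard-basic-auth
  namespace: traefik
spec:
  basicAuth:
    secret: dashboard-auth      # Secret with a "users" key in htpasswd format
    removeHeader: true          # do not forward the Authorization header downstream
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: dashboard-allowlist
  namespace: traefik
spec:
  ipAllowList:                  # Traefik v3 name; older v2 releases call this ipWhiteList
    sourceRange:
      - 10.0.0.0/8              # constructed admin network range
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.example.com`)
      kind: Rule
      middlewares:              # evaluated in order: network filter first, then credentials
        - name: dashboard-allowlist
        - name: dashboard-basic-auth
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: letsencrypt
```

The allowlist is only meaningful if Traefik sees the real client address, so confirm that the LoadBalancer in front of it preserves source IPs before relying on it.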
How to Configure TLS?
Create a TLS Secret
```bash
# Generate a self-signed certificate for testing
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=demo.example.com"

# Create the Kubernetes secret
kubectl create secret tls demo-tls \
  --key tls.key \
  --cert tls.crt \
  -n default
```
Configure Ingress with TLS
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress-tls
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - demo.example.com
      secretName: demo-tls
  rules:
    - host: demo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-service
                port:
                  number: 80
```
cert-manager Integration
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress-auto-tls
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - demo.example.com
      secretName: demo-tls-auto
  rules:
    - host: demo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-service
                port:
                  number: 80
```
How to Compare Nginx and Traefik?
| Criterion | Ingress NGINX | Traefik |
|---|---|---|
| Configuration | Annotations + ConfigMap | Native CRDs |
| Discovery | Manual | Automatic |
| Dashboard | External (Grafana) | Integrated |
| Middlewares | Annotations | Chainable CRDs |
| Let's Encrypt | Via cert-manager | Native |
| Performance | Excellent | Very good |
| Community | Very large | Large and active |
When to Choose NGINX?
- Team familiar with NGINX
- Primarily static configuration
- Need for maximum performance
When to Choose Traefik?
- Frequent dynamic configuration
- Need for advanced middlewares
- Preference for CRDs
How to Configure Advanced Routing?
Path-Based Routing with NGINX
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-path-ingress
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /v1/users
            pathType: Prefix
            backend:
              service:
                name: users-service
                port:
                  number: 80
          - path: /v1/orders
            pathType: Prefix
            backend:
              service:
                name: orders-service
                port:
                  number: 80
          - path: /v2/.*
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-v2-service
                port:
                  number: 80
```
Traefik Middlewares
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    average: 100
    burst: 50
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: compress
spec:
  compress: {}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: api-route
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`api.example.com`)
      kind: Rule
      middlewares:
        - name: rate-limit
        - name: compress
      services:
        - name: api-service
          port: 80
```
Remember: Traefik middlewares chain declaratively. NGINX annotations are less readable but equally powerful.
How to Monitor Your Ingress Controller?
NGINX Metrics
```yaml
# values.yaml for Helm
controller:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
      namespace: monitoring
```
Traefik Metrics
```yaml
metrics:
  prometheus:
    enabled: true
    entryPoint: metrics
    service:
      enabled: true
```
Grafana Dashboard
- Import the NGINX Ingress Controller dashboard: ID 9614
- Import the Traefik dashboard: ID 17346
How to Migrate from NGINX to Traefik?
With the Ingress NGINX retirement planned for March 2026, plan your migration.
Migration Steps
- Install Traefik in parallel with NGINX
- Convert Ingresses to IngressRoute progressively
- Test each migrated route
- Switch DNS service by service
- Uninstall NGINX after complete validation
```bash
# Check existing Ingresses
kubectl get ingress --all-namespaces

# Export for conversion
kubectl get ingress demo-ingress -o yaml > demo-ingress-nginx.yaml
```
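
An IngressRoute has no annotation equivalent to `nginx.ingress.kubernetes.io/ssl-redirect`, so the redirect has to be expressed explicitly during conversion or the host stays reachable over plain HTTP. As an added example (not from the original page), here is the `demo-ingress-tls` Ingress converted to IngressRoute with the redirect kept. The resource names and the chart-default `web`/`websecure` entryPoints are assumptions.

```yaml
# Added example: Traefik equivalent of the page's demo-ingress-tls Ingress.
# Resource names are assumptions; "web"/"websecure" are the Helm chart's
# default entryPoint names and are assumed unchanged.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# HTTP route: takes over the job of the ssl-redirect: "true" annotation
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: demo-route-http
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`demo.example.com`) && PathPrefix(`/`)
      kind: Rule
      middlewares:
        - name: redirect-to-https
      services:
        - name: demo-service
          port: 80
---
# HTTPS route: replaces the tls: and rules: sections of the Ingress
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: demo-route-https
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`demo.example.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: demo-service
          port: 80
  tls:
    secretName: demo-tls        # same Secret the NGINX Ingress referenced
```

When testing the migrated route, request `http://demo.example.com/` and confirm a redirect to HTTPS rather than a 200 response.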
Take Action: Master Ingress Controllers
Ingress Controller configuration is part of the skills tested in CKA. With 82% of container users running Kubernetes in production, this expertise is essential.
Train with SFEIR:
- The LFS458 Kubernetes Administration training covers Ingress Controllers in detail over 4 days
- The Kubernetes Fundamentals training introduces basic concepts in 1 day
- The LFD459 training for developers covers application exposure. To go deeper, see our Kubernetes Deployment and Production training.
Contact our advisors to plan your training and prepare for CKA certification.