kubernetesGateway labelSelector not working when set via values.yaml #1576

@Menschomat

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What version of the Traefik's Helm Chart are you using?

37.4.0

What version of Traefik are you using?

3.6.2

What did you expect to happen ?

I expect the log to look like this:
(And traefik to behave accordingly, by only picking up the corresponding routes)

2025-11-25T21:32:08Z INF Label selector is: "traefik=dmz" providerName=kubernetesgateway
2025-11-25T21:32:08Z INF label selector is: "traefik=dmz" providerName=kubernetescrd

What did you notice instead ?

I observe the log was like this:

2025-11-25T21:32:08Z INF Label selector is: "" providerName=kubernetesgateway
2025-11-25T21:32:08Z INF label selector is: "traefik=dmz" providerName=kubernetescrd

What are your values ?

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: traefik-dmz
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://helm.traefik.io/traefik
    chart: traefik
    targetRevision: 37.4.0
    helm:
      values: |
        # --- 1. GLOBAL ISOLATION ---
        # Tags all resources with the DMZ label for controller-level filtering
        commonLabels:
          traefik: dmz

        logs:
          access:
            enabled: true
        deployment:
          kind: DaemonSet
          additionalVolumes:
            - name: plugins
              emptyDir: {}
        service:
          enabled: true
          type: LoadBalancer
          spec:
            loadBalancerIP: 10.11.12.100
            externalTrafficPolicy: Local

        # --- 2. GATEWAY RESOURCE CONFIG ---
        gateway:
          gatewayClassName: traefik-dmz
          listeners:
            web:
              port: 80
              protocol: HTTP
              namespacePolicy:
                from: All
            websecure:
              port: 443
              protocol: HTTPS
              certificateRefs:
                - name: dmz-cert
                  namespace: traefik-dmz
              namespacePolicy:
                from: All

        ingressRoute:
          dashboard:
            enabled: false

        ports:
          web:
            port: 80
            expose:
              default: true
            protocol: TCP
          websecure:
            port: 443
            expose:
              default: true
            protocol: TCP
            tls:
              enabled: true

        additionalArguments:
          - "--entrypoints.web.address=:80"
          - "--entrypoints.websecure.address=:443"
          - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
          - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
          - "--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
          - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
          - "--providers.kubernetesIngress.ingressEndpoint.ip=10.11.12.100"
          - "--providers.kubernetesGateway.statusAddress.ip=10.11.12.100"
          # ModSecurity Plugins
          - "--experimental.plugins.traefik-modsecurity-plugin.modulename=github.com/acouvreur/traefik-modsecurity-plugin"
          - "--experimental.plugins.traefik-modsecurity-plugin.version=v1.3.0"

        additionalVolumeMounts:
          - name: plugins
            mountPath: /plugins-storage

        rbac:
          enabled: true

        # --- 3. PROVIDER CONFIGURATION (ISOLATION) ---
        providers:
          kubernetesCRD:
            enabled: true
            # CRITICAL: Only watch resources labeled 'traefik=dmz'
            labelSelector: "traefik=dmz"
            allowCrossNamespace: true
          kubernetesIngress:
            enabled: true
            ingressClass: traefik-dmz
            ingressClassStrict: true

          kubernetesGateway:
            enabled: true
            # CRITICAL: Only watch resources labeled 'traefik=dmz'
            labelSelector: "traefik=dmz"

        gatewayClass:
          enabled: true
          name: "traefik-dmz"

        web:
          middlewares:
            - security-headers@kubernetescrd
        websecure:
          middlewares:
            - security-headers@kubernetescrd

        extraObjects:
          - apiVersion: traefik.io/v1alpha1
            kind: Middleware
            metadata:
              name: security-headers
              namespace: traefik-dmz
              labels:
                traefik: dmz
            spec:
              headers:
                stsSeconds: 63072000
                stsIncludeSubdomains: true
                stsPreload: true
                forceSTSHeader: true
                sslRedirect: true
                frameDeny: false
                contentTypeNosniff: true
                browserXssFilter: true
          - apiVersion: traefik.io/v1alpha1
            kind: Middleware
            metadata:
              name: allow-local
              namespace: traefik-dmz
              labels:
                traefik: dmz
            spec:
              # FIX: Using ipWhiteList (Traefik CRD term)
              ipWhiteList:
                sourceRange:
                  - 192.168.0.0/16
                  - 10.0.0.0/8
                  - 100.100.0.0/24
                  - 100.100.100.0/24
                  - 100.115.92.0/23
          - apiVersion: traefik.io/v1alpha1
            kind: Middleware
            metadata:
              name: waf-dmz
              namespace: traefik-dmz
              labels:
                traefik: dmz
            spec:
              plugin:
                traefik-modsecurity-plugin:
                  modSecurityUrl: "http://owasp-waf.traefik-dmz.svc.cluster.local:80"
                  maxBodySize: 10485760

  destination:
    server: https://kubernetes.default.svc
    namespace: traefik-dmz
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
```

Additional Information

Workaround:

Setting Argument:
`- "--providers.kubernetesgateway.labelSelector=traefik=dmz"`
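A post-deploy check for the symptom reported above, as an added example that is not from the issue author or the Traefik project: it parses the provider startup lines in the format quoted in this issue and reports every provider whose effective label selector differs from the intended one (an empty selector means no label filtering is applied for that provider). The function names and the `EXPECTED` mapping are hypothetical; the sample log lines are the ones from the issue.

```python
import re

# Matches the provider startup lines quoted in the issue; the message casing
# differs between providers ("Label selector" vs "label selector").
_LINE = re.compile(
    r'label selector is: "(?P<selector>[^"]*)"\s+providerName=(?P<provider>\S+)',
    re.IGNORECASE,
)

def parse_selectors(log_text):
    """Return {provider: selector}, keeping the last line seen per provider."""
    seen = {}
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if m:
            seen[m.group("provider").lower()] = m.group("selector")
    return seen

def audit_selectors(log_text, expected):
    """Compare effective selectors with the intended ones.

    expected maps provider name -> selector string. Returns a list of
    (provider, expected, actual) tuples, one per mismatch; actual is None
    when the provider never logged a selector line.
    """
    seen = parse_selectors(log_text)
    findings = []
    for provider, want in sorted(expected.items()):
        got = seen.get(provider.lower())
        if got != want:
            findings.append((provider, want, got))
    return findings

# Log lines copied from the "What did you notice instead ?" section.
OBSERVED = '''\
2025-11-25T21:32:08Z INF Label selector is: "" providerName=kubernetesgateway
2025-11-25T21:32:08Z INF label selector is: "traefik=dmz" providerName=kubernetescrd
'''
# Intended isolation for this deployment (assumption taken from the values above).
EXPECTED = {"kubernetesgateway": "traefik=dmz", "kubernetescrd": "traefik=dmz"}

if __name__ == "__main__":
    for provider, want, got in audit_selectors(OBSERVED, EXPECTED):
        print(f"{provider}: expected {want!r}, effective {got!r}")
```

Feeding it the pod's startup log after each chart upgrade catches a selector that was set in values.yaml but never reached the running process.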
