Help Needed: Unexpected Cross-Namespace TLS Secret Behavior in Traefik 2.1.4 on Kubernetes 1.20.1

Hello Traefik Community,

I am encountering an unexpected issue with Traefik 2.1.4 deployed in my Kubernetes 1.20.1 cluster using CRD mode. I have a situation with TLS Secrets that I am struggling to understand and resolve.


  • Kubernetes Version: 1.20.1
  • Traefik Version: 2.1.4
  • Deployment Mode: CRD

Issue Description:
I have deployed Traefik as my ingress gateway. In the monitoring namespace, I mistakenly applied an outdated TLS Secret (winbaoxian-com-geotrust-tls) which was expired. In my prod namespace, I have a TLS Secret with the same name but it is up-to-date and not expired. This Secret is used for the https configuration of an IngressRoute.

Despite the prod namespace having the correct and updated TLS Secret, Traefik was reflecting an expired state, which was resolved only after updating the TLS Secret in the monitoring namespace. This behavior is unexpected as I assumed Traefik should not access TLS configurations across different namespaces.

Traefik Configuration Snippet:
checkNewVersion = false
sendAnonymousUsage = false
insecureSkipVerify = true
level = "INFO"
dashboard = true
entryPoint = "traefik"
labelSelector = ""
namespaces =
labelSelector = ""
buckets = [0.1,0.3,1.2,5.0]
entryPoint = "traefik"
address = ":80"
insecure = true
address = ":443"
insecure = true
address = ":8080"
address = ":9876"
format = "json"
filePath = "/var/log/access.log"
minDuration = "1ms"
retryAttempts = true
defaultMode = "keep"
"RequestHost" = "keep"
"ClientHost" = "keep"
"RequestMethod" = "keep"
"RequestPath" = "keep"
"RequestProtocol" = "keep"
"OriginStatus" = "keep"
"Duration" = "keep"
"OriginDuration" = "keep"
"StartUTC" = "drop"
"StartLocal" = "drop"
"FrontendName" = "drop"
"BackendName" = "drop"
"BackendURL" = "drop"
"BackendAddr" = "drop"
"ClientAddr" = "drop"
"ClientPort" = "drop"
"ClientUsername" = "drop"
"RequestAddr" = "drop"
"RequestPort" = "drop"
"RequestLine" = "drop"
"RequestContentSize" = "drop"
"OriginContentSize" = "drop"
"OriginStatusLine" = "drop"
"DownstreamStatus" = "drop"
"DownstreamStatusLine" = "drop"
"DownstreamContentSize" = "drop"
"RequestCount" = "drop"
"GzipRatio" = "drop"
"Overhead" = "drop"
"RetryAttempts" = "drop"
"RouterName" = "drop"
"ServiceAddr" = "keep"
"ServiceName" = "keep"
"ServiceURL" = "drop"
"entryPointName" = "drop"
"origin_Content-Type" = "drop"
"User-Agent" = "keep"
"Authorization" = "drop"
"Content-Type" = "drop"

I am unsure why Traefik is exhibiting this behavior and how to resolve this issue. It appears to be accessing or conflicting with TLS Secrets across namespaces, which should not be the case.

Any guidance, insights, or suggestions from the community would be greatly appreciated. I am particularly interested in understanding whether this is a configuration issue, a version-specific bug, or something else.

Thank you in advance for your assistance.

Traefik v2.1.4 was released Feb 6, 2020 (link) and is not supported anymore.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.