Hi,
I am running traefik v3.7.5 deployed with the official helm chart 41.0.0 in Kubernetes v1.35.5. I have the Kubernetes Gateway API CRDs installed in version v1.5.1.
My issue is that the Gateway API limits the list of ancestors in a BackendTLSPolicy to 16. I only have 2 gateways, so this really shouldn't be a problem, but the BackendTLSPolicy lists every listener from the gateway as a separate ancestor, which makes them exceed 16. The service the policy refers to keeps working, but my traefik logs are spammed with:
{
  "level": "warn",
  "providerName": "kubernetesgateway",
  "http_route": "keycloak-console",
  "namespace": "keycloak",
  "error": "failed to update BackendTLSPolicy keycloak/keycloak status: failed to update BackendTLSPolicy keycloak/keycloak status: PolicyAncestor statuses count exceeds 16",
  "time": "2026-07-02T11:44:48Z",
  "message": "Unable to update BackendTLSPolicy status"
}
I have separate listeners so that cert-manager can issue certificates for each listener. All my HTTPRoute and GRPCRoute objects define a section name in their parentRefs.
Any advice on this? Did I misconfigure something? Why is traefik printing every listener into the ancestors instead of just the relevant one used by the HTTPRoute that references this service?
The startup arguments passed to my traefik container (result of the rendered helm chart):
- args:
    - --entryPoints.metrics.address=:9100/tcp
    - --entryPoints.traefik.address=:8080/tcp
    - --entryPoints.web.address=:8000/tcp
    - --entryPoints.websecure.address=:8443/tcp
    - --api.dashboard=true
    - --ping=true
    - --metrics.prometheus=true
    - --metrics.prometheus.entrypoint=metrics
    - --providers.kubernetescrd
    - --providers.kubernetescrd.allowEmptyServices=true
    - --providers.kubernetesingress
    - --providers.kubernetesingress.allowEmptyServices=true
    - --providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik
    - --providers.kubernetesingress.ingressClass=internal
    - --providers.kubernetesgateway
    - --providers.kubernetesgateway.statusaddress.service.name=traefik
    - --providers.kubernetesgateway.statusaddress.service.namespace=traefik
    - --providers.kubernetesgateway.labelSelector=heigit.org/gateway-controller=internal
    - --entryPoints.websecure.http.tls=true
    - --entryPoints.websecure.allowACMEByPass=true
    - --log.format=json
    - --log.level=INFO
    - --accesslog=true
    - --accesslog.format=json
    - --accesslog.fields.defaultmode=keep
    - --accesslog.fields.names.ClientAddr=drop
    - --accesslog.fields.headers.defaultmode=drop
    - --accesslog.fields.headers.names.User-Agent=keep
A BackendTLSPolicy that has this issue:
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
  name: keycloak
  namespace: keycloak
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: keycloak-http
  validation:
    caCertificateRefs:
      - group: ""
        kind: Secret
        name: keycloak-internal-cert
    hostname: keycloak-http.keycloak.svc
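One way to confirm from the policy's own status that the ancestor entries are written per listener (each carrying a sectionName) rather than per Gateway, and how far over the limit they are. This is an added diagnostic script, not from the post, Traefik or the Gateway API project; the sample policy object is constructed, and the Gateway and listener names in it are placeholders.

```python
import json
from collections import Counter

# Limit quoted in the Traefik warning above ("PolicyAncestor statuses count exceeds 16").
MAX_ANCESTORS = 16


def ancestor_summary(policy: dict) -> dict:
    """Summarise status.ancestors of a BackendTLSPolicy (as returned by `kubectl get ... -o json`).

    Groups entries by Gateway and counts how many carry a sectionName, i.e. are
    written per listener rather than per Gateway.
    """
    ancestors = policy.get("status", {}).get("ancestors", [])
    per_gateway = Counter()
    with_section_name = 0
    for entry in ancestors:
        ref = entry.get("ancestorRef", {})
        # ancestorRef.namespace defaults to the policy's own namespace when omitted
        ns = ref.get("namespace", policy["metadata"]["namespace"])
        per_gateway[f"{ns}/{ref['name']}"] += 1
        if ref.get("sectionName"):
            with_section_name += 1
    return {
        "total": len(ancestors),
        "exceeds_limit": len(ancestors) > MAX_ANCESTORS,
        "per_gateway": dict(per_gateway),
        "with_section_name": with_section_name,
        # how many entries there would be with one ancestor per Gateway
        "if_collapsed_per_gateway": len(per_gateway),
    }


# Constructed sample (not real cluster output): 2 Gateways with 9 listeners each,
# one ancestor entry per listener, so 18 entries and the 16 limit is exceeded.
# Gateway and listener names are placeholders.
SAMPLE_POLICY = {
    "apiVersion": "gateway.networking.k8s.io/v1",
    "kind": "BackendTLSPolicy",
    "metadata": {"name": "keycloak", "namespace": "keycloak"},
    "status": {"ancestors": [
        {"ancestorRef": {"group": "gateway.networking.k8s.io", "kind": "Gateway",
                         "namespace": "traefik", "name": gw, "sectionName": f"https-{i}"},
         "conditions": [{"type": "Accepted", "status": "True"}]}
        for gw in ("internal-a", "internal-b") for i in range(9)
    ]},
}

if __name__ == "__main__":
    print(json.dumps(ancestor_summary(SAMPLE_POLICY), indent=2))
```

To run it against the real object, replace SAMPLE_POLICY with `json.load(...)` of the output of `kubectl get backendtlspolicy -n keycloak keycloak -o json`.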