Traefik Labs

Three questions every team building with AI agents should be able to answer right now: 1. If a poisoned file entered your agent's context window, which controls would survive? 2. Can your agent disable its own governance? 3. How many independent enforcement layers exist between a compromised agent and your most sensitive systems? If the answer to #1 is "not sure," the answer to #2 is "technically yes," and the answer to #3 is "one," you have an architecture problem, not a configuration problem. The LiteLLM supply chain attack yesterday compromised a library. The next class of attacks will compromise the files agents read, the code agents write, and the memory agents accumulate. Controls that run inside the runtime get compromised with the runtime. Infrastructure-layer enforcement, independent of the agent framework, is the only layer that survives. We wrote about why and what that architecture actually looks like here: https://lnkd.in/gpepeZdj #AIGovernance #AgentSecurity #MCP #APIGateway #CloudNative

📢 Traefik Labs : du proxy à l’API Management et au MCP Gateway ! 🚀 Emile Vauge, fondateur et CTO de Traefik Labs (3 milliards de téléchargements, 60 000 ⭐ sur GitHub), retrace l’évolution spectaculaire de Traefik. Du reverse proxy open source devenu incontournable à une plateforme complète d’API Management, d’AI Gateway et de MCP Server, il décrypte les grandes transitions de l’écosystème cloud native 💡 🎙️ Interview réalisée par Jean-Francois Le Nilias sur le plateau TV Informatiquenews aux Cloud Native Days France 2026 à Paris. 🎥 A découvrir en vidéo sur notre chaîne YouTube 👉 https://lnkd.in/eTYJc7mV

If your AI agent's runtime gets compromised, do your governance controls survive or do they go down with it? The LiteLLM supply chain attack from March 24 is a sharp reminder that the runtime itself is the attack surface. When access control, content safety, and tool authorization all run inside the same process that can be poisoned (through a malicious dependency, an indirect prompt injection embedded in a document, or insecure agent-generated code) those controls are just assumptions. Enforcement that operates at the infrastructure layer, independent of the agent framework, below the application, governing API calls and LLM interactions as they cross the network, survives a compromised runtime. Application-embedded guardrails don't. Get the story here: https://bit.ly/4c65HYo

🐘 Let's talk about the elephant in the room at KubeCon Amsterdam. IngressNginx has reached the end of life — and if you're wondering what's next, come find us at the Traefik Labs booth! Traefik is the only true drop-in replacement, and our team is here to walk you through the migration, answer your questions, and show you what's possible. See you there! 👇 #KubeCon #Amsterdam #TraefikLabs #CloudNative #IngressNginx

🚨 Kubecon EU kicks off today in Amsterdam and I'm thrilled to share some exciting news from Traefik Labs. IBM Nutanix OVHcloud SUSE TIBCO and many others independently evaluated every alternative to ingress NGINX (⚡ retires in 7 days). Each company arrived at the same conclusion. Traefik Proxy is now the de facto standard for Kubernetes Networking, providing over 90% coverage of the most-used Ingress NGINX annotations. This isn't a coordinated campaign. It's a market signal. The Kubernetes Steering Committee officially retires ingress NGINX this month — ending all maintenance, bug fixes, and security patches for one of the most widely deployed components in the ecosystem. Millions of clusters in financial services, healthcare, government, and telecom now need a path forward. The reason these platform vendors chose Traefik comes down to three things: 🔌 DROP-IN MIGRATION. Traefik's Ingress NGINX Provider automatically translates existing NGINX annotations at runtime. Over 90% coverage. No Ingress annotation changes required. ⏩ FORWARD COMPATIBILITY. Full Kubernetes Gateway API support. Migrate on your timeline. Adopt the future standard when you're ready. 🌐 OPEN SOURCE, NO STRINGS. MIT license. Not a proprietary fork. Not a temporary patch. With Enterprise support backed by a real company. For teams running these platforms, that combination is decisive. And for organizations already on Traefik, this is just the beginning. Traefik Hub extends the same foundation to API Gateway, AI Gateway, and MCP Gateway — single Helm chart upgrade, zero re-architecture, with full portability from edge to cloud to sovereign. 🚪 The front door of your infrastructure matters. More organizations just made their choice. 📄 Full press release: https://lnkd.in/g_5ypt_b 🔗 Migration guide: ingressnginxmigration.org Stop by our booth #981 and meet with the creators of Traefik! Huge thanks to our partners, customers, and the CNCF community! Dan Ciruli Deepak Goel Aniket Daptari Anurag Narula Saveen Pakala Peter Smails Emina C. Troy Topnik Jacques Murez Antonin Anchisi Anthony Monier Maxime Lehmann Jason Henley Mark Bloomfield Devu Heda Cale Rath Luca Marchi Chris Rosen #KubeCon #Kubernetes #CloudNative #TraefikLabs #OpenSource #PlatformEngineering

$ git $h*t done @ Booth #981. Your shirt is waiting.

Haven't replaced Ingress NGINX? Going to KubeCon Amsterdam? Drop by booth 981 to see why Traefik should be top of your list.

$ git yours at #Kubecon Booth 981

An autonomous AI agent from CodeWall recently breached McKinsey's internal LLM platform in under two hours ... with no credentials, no insider access, and no human in the loop. The headlines focused on the data: 46.5 million chat messages, 728,000 files, 57,000 user accounts. But they missed the most important detail: 👉 95 system prompts were writable. No deployment needed. No code change. With a single UPDATE statement wrapped in a single HTTP call, an attacker could silently rewrite how a platform used by 40,000 consultants frames competitive landscapes, evaluates acquisition targets, or assesses risk. Poisoned output could flow directly into client deliverables, with no one the wiser. While the breach was just SQL injection in JSON field names, the real threat this uncovered was an architecture with no independent enforcement layers between the internet and production. There was no WAF at the gateway, no authentication on 22 endpoints, no content safety checks on the AI pipeline. Dig into the story and see what could have prevented this at every step here 👇 https://bit.ly/40IoT8e