[英]Preserve source IP on Kubernetes bare-metal with ingress-nginx, Iptables and MetalLb
I have a setup of a Kubernetes cluster with one master and one worker node.我设置了一个 Kubernetes 集群,其中包含一个主节点和一个工作节点。
Traffic is being routed into the cluster by doing NAT from the host to the ingress-nginx service of type LoadBalancer, setup with MetalLb:通过从主机到 LoadBalancer 类型的 ingress-nginx 服务执行 NAT,流量被路由到集群中,使用 MetalLb 设置:
#!/bin/bash
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination "$1":80
iptables -A FORWARD -p tcp -d "$1" --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$1
is the external IP of the ingress-nginx. $1
是 ingress-nginx 的外部 IP。
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
- name: https
port: 443
targetPort: 443
protocol: TCP
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
At this point, if I am looking into the logs of ingress-nginx pod I am able to see the real source IP address.此时,如果我查看 ingress-nginx pod 的日志,我可以看到真正的源 IP 地址。
The problem is when I check the logs of the downstream apps, which gets traffic from the ingress, the source IP is the IP of the ingress pod.问题是当我检查从入口获取流量的下游应用的日志时,源 IP 是入口 pod 的 IP。
kind: Ingress
metadata:
namespace: laurkyt
name: laurkyt-ingress
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/session-cookie-hash: sha1
nginx.ingress.kubernetes.io/session-cookie-name: REALTIMESERVERID
nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/send-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-body-size: 50m
ingress.kubernetes.io/proxy-body-size: 50m
spec:
tls:
- hosts:
- example.com
- '*.example.com'
secretName: wildcard-example-com
rules:
- host: example.com
http:
paths:
- backend:
serviceName: laurkyt
servicePort: 443
apiVersion: v1
kind: Service
metadata:
namespace: laurkyt
name: laurkyt
labels:
app: laurkyt
spec:
externalTrafficPolicy: Local
ports:
- port: 80
targetPort: 80
name: "http"
- port: 443
targetPort: 443
name: "https"
selector:
app: laurkyt
tier: laurkyt
Does anyone knows what I am missing in order to preserve the source IP at backend pods too?有谁知道我还缺少什么以便在后端 pod 中保留源 IP?
As ingress is above-layer-4 proxy.由于入口是高于第 4 层代理。 There is no way you can preserve SRC IP in layer 3 IP protocol.您无法在第 3 层 IP 协议中保留 SRC IP。 The best is and I think Nginx Ingress already been set by default that they put the "X-Forwarded-For" header in any HTTP forward.最好的是,我认为 Nginx Ingress 已经默认设置为将“X-Forwarded-For”标头放在任何 HTTP 转发中。
Your app supposes to log the X-Forwarded-For header.您的应用程序应该记录 X-Forwarded-For 标头。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.