0

I'm trying to set up Network Policy for Kubernetes, and the more general question that I have can be found here.

For the purpose of this particular question, this is the line I'm getting in nginx logs:

10.244.0.0 - - [18/Mar/2020:19:47:16 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.69.1-DEV" "192.168.80.88"

Note the `$remote_addr` that nginx sees: it's 10.244.0.0. But this is not a real IP address!

I read this question and it appears that sometimes addresses like that can be valid, but this is not standard.

For the purpose of this question, the CNI plugin that manages 10.244.0.0/16 is Calico.

For what it's worth, if I try to white-list 10.244.0.0/32 in the NetworkPolicy object, requests such as the one above stop coming through, which once again confirms to me that this is not the real IP. But if I white-list 10.244.0.0/16, they come through no problem.

What makes nginx think that the request is coming from this x.y.0.0 address? How do I emulate it, say with curl?

Andrew Savinykh
  • Maybe it sees that, because that is what is coming in. Probably would be more useful to look at tcpdump output to see if you can trace things down. – Zoredache Mar 18 '20 at 20:18
  • @Zoredache can you explain it more? I understand this is a TCP connection, do you mean that this is the source address in the TCP packet? If it is then the response packets should be sent back to `10.244.0.0` too, but there is nothing there? – Andrew Savinykh Mar 18 '20 at 20:23
  • tcpdump is not a bad idea, but it would take me a while to figure out how to run it in an nginx container inside Kubernetes... – Andrew Savinykh Mar 18 '20 at 20:23
  • Start a netshoot container in the same network namespace (https://github.com/nicolaka/netshoot). That you mention Kubernetes makes me wonder if that is some address related to some kind of service mesh/proxy or something. – Zoredache Mar 18 '20 at 21:05

1 Answer

2

10.244.0.0 is a completely valid IP address - in any subnet with the prefix 10.240.0.0/13 or shorter, or in the 10.244.0.0/31 point-to-point subnet.

Zac67
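
The rule stated in the answer above, checked for every prefix length with Python's standard `ipaddress` module. This is an added example, not part of the original answer; the function names are hypothetical, and the log line is the one quoted in the question.

```python
import ipaddress

# Access-log line quoted in the question; the first field is $remote_addr.
LOG_LINE = ('10.244.0.0 - - [18/Mar/2020:19:47:16 +0000] "GET / HTTP/1.1" '
            '200 612 "-" "curl/7.69.1-DEV" "192.168.80.88"')


def remote_addr(line):
    """Parse the first whitespace-delimited field as an IP address."""
    return ipaddress.ip_address(line.split(None, 1)[0])


def role_in_subnet(addr, prefixlen):
    """Classify addr within the subnet of this prefix length that contains it."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    if prefixlen == net.max_prefixlen:
        return net, "single address"
    if prefixlen == net.max_prefixlen - 1:
        return net, "point-to-point host"  # RFC 3021: both addresses usable
    if addr == net.network_address:
        return net, "network address"
    if addr == net.broadcast_address:
        return net, "broadcast address"
    return net, "host"


def host_prefixes(addr):
    """Prefix lengths for which addr is an ordinary usable host address."""
    usable = ("host", "point-to-point host")
    return [p for p in range(addr.max_prefixlen)
            if role_in_subnet(addr, p)[1] in usable]


if __name__ == "__main__":
    addr = remote_addr(LOG_LINE)
    for p in (8, 13, 14, 16, 24, 31):
        net, role = role_in_subnet(addr, p)
        print(f"/{p:<2} {str(net):<16} {role}")
    print("usable as a host with prefix lengths:", host_prefixes(addr))
```

For 10.244.0.0 the address is an ordinary host in every subnet from /0 through /13 and in the /31, and it is the network address from /14 through /30, including the 10.244.0.0/16 pod range mentioned in the question.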