
I would like to capture the external I.P. address of clients visiting my application. I am using Kubernetes on AWS/kops. The ingress setup is Voyager-configured HAProxy. I am using the LoadBalancer service.

I configured HAProxy through Voyager to add the X-Forwarded-For header by using the `ingress.appscode.com/default-option: '{"forwardfor": "true"}'` annotation.

The issue is that when I test, the header is coming through with an internal I.P. address of one of my Kubernetes nodes, rather than my external I.P. as desired.

I'm not sure what LoadBalancer Voyager is using under the covers; there's no associated pod, just one for the ingress controller.

`kubectl describe svc voyager-my-app` outputs:

```
Name:                     <name>
Namespace:                <namespace>
Labels:                   origin=voyager
                          origin-api-group=voyager.appscode.com
                          origin-name=<origin-name>
Annotations:              ingress.appscode.com/last-applied-annotation-keys:
                          ingress.appscode.com/origin-api-schema: voyager.appscode.com/v1beta1
                          ingress.appscode.com/origin-name: <origin-name>
Selector:                 origin-api-group=voyager.appscode.com,origin-name=<origin-name>,origin=voyager
Type:                     LoadBalancer
IP:                       100.68.184.233
LoadBalancer Ingress:     <aws_url>
Port:                     tcp-443  443/TCP
TargetPort:               443/TCP
NodePort:                 tcp-443  32639/TCP
Endpoints:                100.96.3.204:443
Port:                     tcp-80  80/TCP
TargetPort:               80/TCP
NodePort:                 tcp-80  30263/TCP
Endpoints:                100.96.3.204:80
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
```
  • Looking at the HAProxy log, the src I.P. address on there is an internal one, so no wonder the header value is the same. How do I get the traffic coming into the ingress controller to have the source IP? Does it mean that I have to switch to the PROXY protocol? Currently using HTTP. – James Render Feb 04 '20 at 13:18

1 Answer

Typically with Kubernetes ingresses, there are a couple of relevant settings:

  • xff_num_trusted_hops, which specifies the number of hops that are "trusted", i.e., internal. This way you can distinguish between internal and external IP addresses.
  • You'll want to make sure you set ExternalTrafficPolicy: local in your load balancer (you didn't specify what your LB is).

Note that I'm mostly familiar with Ambassador (built on Envoy Proxy), which does this by default.

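The two points in the answer (count the proxy hops you trust, and stop the cluster from SNATing the connection before the proxy sees it) can be checked in the application itself. The following is an added example, not code from the question, the answer, Voyager or Envoy: it resolves the client address from X-Forwarded-For by reading the chain from the right with a fixed number of trusted hops (the same idea as xff_num_trusted_hops, though not Envoy's exact semantics), contrasts that with the common mistake of taking the leftmost entry, and flags the exact symptom the asker reports, a resolved address that falls inside the cluster's own ranges. The HAProxy pod address 100.96.3.204 comes from the question's Endpoints line; the node address 172.20.41.7, the list of internal ranges and all sample headers are constructed assumptions.

```python
"""Resolve the client IP from X-Forwarded-For with a trusted-hop count and
flag the case where the resolved address is internal to the cluster."""
import ipaddress
from typing import Optional, Tuple

# Ranges that can never be an external client of this cluster (assumption).
# 100.64.0.0/10 is included because the kops cluster in the question uses it
# for pod and service IPs (100.96.3.204, 100.68.184.233).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_internal(ip_str: str) -> bool:
    """True if ip_str lies in one of INTERNAL_NETWORKS (raises on garbage)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETWORKS)


def resolve_client_ip(xff: Optional[str], peer_ip: str, trusted_hops: int) -> str:
    """Return the client address implied by the X-Forwarded-For chain.

    The chain is read from the right: the TCP peer is trusted hop 1 (when
    trusted_hops >= 1), then the addresses appended by each further proxy we
    operate. The entry just left of the trusted hops is the client; anything
    further left was written by an untrusted party and is ignored.
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    chain = hops + [peer_ip]
    idx = len(chain) - 1 - trusted_hops
    if idx < 0:
        # Fewer entries than proxies we expect: the request did not traverse
        # the full chain, so believe no header value and use the peer.
        return peer_ip
    try:
        return str(ipaddress.ip_address(chain[idx]))
    except ValueError:
        # Malformed text where one of our proxies should have written an address.
        return peer_ip


def naive_first_hop(xff: Optional[str], peer_ip: str) -> str:
    """The common mistake: trust the leftmost X-Forwarded-For entry."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    return hops[0] if hops else peer_ip


def diagnose(xff: Optional[str], peer_ip: str, trusted_hops: int) -> Tuple[str, str]:
    """Resolve the client IP and explain the result when it is not external."""
    ip = resolve_client_ip(xff, peer_ip, trusted_hops)
    if is_internal(ip):
        return ip, ("internal address: the connection was SNATed before the proxy "
                    "saw it (externalTrafficPolicy: Cluster) or trusted_hops is too large")
    return ip, "ok"


# Constructed samples. The peer is the Voyager/HAProxy pod from the question's
# Endpoints line; 172.20.41.7 stands in for a kops node; the 198.51.100.0/24
# and 203.0.113.0/24 addresses are documentation ranges used as clients.
HAPROXY_POD = "100.96.3.204"
SAMPLES = {
    # What the asker sees: HAProxy recorded the node that SNATed the connection.
    "cluster_policy": ("172.20.41.7", HAPROXY_POD),
    # After externalTrafficPolicy: Local, HAProxy sees the real client.
    "local_policy": ("203.0.113.45", HAPROXY_POD),
    # The client supplied its own X-Forwarded-For entry; HAProxy appended
    # the address it actually saw, which is the only one worth trusting.
    "client_supplied_xff": ("198.51.100.9, 203.0.113.45", HAPROXY_POD),
}

if __name__ == "__main__":
    for name, (xff, peer) in SAMPLES.items():
        ip, verdict = diagnose(xff, peer, trusted_hops=1)
        print(f"{name:20} trusted-hops -> {ip:15} {verdict}")
        print(f"{'':20} leftmost     -> {naive_first_hop(xff, peer)}")
```

The `cluster_policy` sample reproduces the question: with the Service's External Traffic Policy left at Cluster, kube-proxy SNATs the forwarded connection, so the address HAProxy appends is a node's, and no header parsing can recover the client from it. Setting the policy to Local (as the answer suggests) makes kube-proxy deliver the connection to the HAProxy pod unmodified, which is the `local_policy` sample; the `client_supplied_xff` sample shows why the leftmost entry must never be used once the header is trusted at all.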
  • I'm not sure what the implementation of the LoadBalancer k8s service is under the covers. [The documentation](https://appscode.com/products/voyager/8.0.1/concepts/ingress-types/loadbalancer/) implies that it's nginx, but I don't have any kind of pod like that; I've a LoadBalancer service and then Voyager (HAProxy) ingress controller pods. – James Render Feb 04 '20 at 15:28
  • The Load Balancer service is actually _external_ to your Kubernetes cluster. It's dependent on your particular cloud provider. The post [here](https://blog.getambassador.io/kubernetes-ingress-nodeport-load-balancers-and-ingress-controllers-6e29f1c44f2d) might be helpful to give you an overview of Kubernetes ingress. – Richard Li Feb 05 '20 at 16:55
  • Thanks @richard-li, we're using AWS. Looking in our k8s setup repo, I can find the ingress definition but nothing relating to the load balancer. I've had a poke around the Voyager documentation looking for information on the LoadBalancer. – James Render Feb 06 '20 at 08:46