I'm trying to set up a pod on public AWS NLB that will be visible only for a certain range of IPs. For this I figured I could use the security group policy from EKS.

If I come from IP 123.45.67.81 I would expect to see this in Traefik logs as my clientHost and then see the same in my end application. What happens instead is that I see Traefik's IP that is our internal network 10.X.Y.Z. I managed to set up the NLB to pass the client IP to traefik by adding:

    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*",

and

    spec: {
        externalTrafficPolicy: Local
    }

but I still can't see the IP on the final pod. I added the following to traefik's config:

    - "--entryPoints.web.forwardedHeaders.trustedIPs=10.X.0.0/16"
    - "--entryPoints.web.forwardedHeaders.insecure"
    - "--entryPoints.web.proxyProtocol.trustedIPs=10.X.0.0/16"
    - "--entryPoints.web.proxyProtocol.insecure"
    - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.X.0.0/16"
    - "--entryPoints.websecure.forwardedHeaders.insecure"
    - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.X.0.0/16"
    - "--entryPoints.websecure.proxyProtocol.insecure"

but it doesn't seem to make any difference. I understand that to get this working I need to make proxy protocol work but I'm not sure why it doesn't!

Kasia Gogolek
  • Could you update the question with HTTP request headers that your application receives? Specifically those starting with 'X-'. – anemyte Dec 18 '20 at 11:46
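To see what the question's `proxyProtocol.trustedIPs` setting actually decides, here is an added Go example (not Traefik's own code, and a simplification of its behaviour): it parses the PROXY protocol v1 line that the NLB sends once the annotation is really in effect, and honours it only when the TCP peer falls inside a trusted CIDR, so that a peer outside that range cannot spoof its origin address. The addresses and the `10.1.0.0/16` range are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ParsePROXYv1 parses a PROXY protocol v1 header line such as
// "PROXY TCP4 123.45.67.81 10.1.2.3 56324 443\r\n" and returns the
// original client IP, or an error if the line is not a valid v1 header.
func ParsePROXYv1(line string) (net.IP, error) {
	f := strings.Fields(strings.TrimRight(line, "\r\n"))
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, fmt.Errorf("not a PROXY v1 header: %q", line)
	}
	ip := net.ParseIP(f[2])
	if ip == nil {
		return nil, fmt.Errorf("bad source address %q", f[2])
	}
	return ip, nil
}

// ClientIP approximates the trustedIPs rule: the PROXY header is used only
// when the TCP peer (the load balancer or node address) lies inside one of
// the trusted CIDRs; otherwise the peer address itself is the client.
// A trusted peer that sends no usable header also falls back to the peer.
func ClientIP(peer string, trusted []string, header string) (string, error) {
	peerIP := net.ParseIP(peer)
	if peerIP == nil {
		return "", fmt.Errorf("bad peer %q", peer)
	}
	for _, cidr := range trusted {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return "", err
		}
		if n.Contains(peerIP) {
			if src, err := ParsePROXYv1(header); err == nil {
				return src.String(), nil
			}
			break
		}
	}
	return peerIP.String(), nil
}

func main() {
	// Constructed sample: NLB at 10.1.2.3 relays a connection from 123.45.67.81.
	hdr := "PROXY TCP4 123.45.67.81 10.1.2.3 56324 443\r\n"
	ip, _ := ClientIP("10.1.2.3", []string{"10.1.0.0/16"}, hdr)
	fmt.Println(ip) // prints 123.45.67.81
}
```

If the NLB never sends the PROXY line (the annotation not applied, as the answer below suggests checking), the same function returns the internal 10.x peer address, which is exactly the symptom described.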

1 Answer

You may wish to update your question with traefik and eks versions as there are many ways this can go sideways that have to do with versions.

Since you say nlb, I'll assume that to get this far you've set .spec.metadata.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-type=nlb, which would mean you're using the in-tree provider.

Have you verified that the loadbalancer indeed receives the configuration for service.beta.kubernetes.io/aws-load-balancer-proxy-protocol? Go to the ec2 > load balancers area of the console and verify the field is set as you expect. I'd wager it's not.

In my eks 1.19.x cluster, this behavior doesn't work as advertised. This seems to be an active issue, amongst the active re-organization of the load balancer provider which makes it super hard to track. As far as I can tell, a fix is slated to land in k8s 1.20, no idea whether/when a backport will be available.

Until then, I can at least confirm that the annotation seems to work properly using the newly minted aws-load-balancer-controller project, but they only support nlb-ip, which comes with its own problems (like 5+ minute registration/deregistration times in my case! quote: It can take a few minutes for the registration process to complete and health checks to start.)

mars64