2

I'm using GKE version 1.21.12-gke.1700 and I'm trying to configure externalTrafficPolicy to "local" on my nginx external load balancer (not ingress). After the change, nothing happens, and I still see the source as the internal IP for the kubernetes IP range instead of the client's IP.

This is my service's YAML:

apiVersion: v1
kind: Service
metadata:
  name: nginx-ext
  namespace: my-namespace
spec:
  externalTrafficPolicy: Local
  healthCheckNodePort: xxxxx
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  loadBalancerSourceRanges:
  - x.x.x.x/32
  ports:
  - name: dashboard
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  sessionAffinity: None
  type: LoadBalancer

And the nginx logs:

*2 access forbidden by rule, client: 10.X.X.X

My goal is to make a restriction endpoint based (to deny all and allow only specific clients)

Idan
  • 143
  • 8

1 Answers1

0

You can use curl to query the ip from the load balance, this is an example curl 202.0.113.120 . Please notice that the service.spec.externalTrafficPolicy set to Local in GKE will force to remove the nodes without service endpoints from the list of nodes eligible for load balanced traffic; so if you are applying the Local value to your external traffic policy, you will have at least one Service Endpoint. So based on this, it is important to deploy the service.spec.healthCheckNodePort . This port needs to be allowed in the ingress firewall rule, you can get the health check node port from your yaml file with this command:

kubectl get svc loadbalancer -o yaml | grep -i healthCheckNodePort

You can follow this guide if you need more information about how the service load balancer type works in GKE and finally you can limit the traffic from outside at your external load balancer deploying loadBalancerSourceRanges. In the following link, you can find more information related on how to protect your applications from outside traffic.

Leo
  • 695
  • 3
  • 11