Preserving remote client IP with Ingress

Question

My goal is to make my web application (deployed on a Kubernetes 1.4 cluster) see the IP of the client that originally made the HTTP request. As I'm planning to run the application on a bare-metal cluster, GCE and the service.alpha.kubernetes.io/external-traffic: OnlyLocal service annotation introduced in 1.4 are not applicable to me.

Looking for alternatives, I've found this question which is proposing to set up an Ingress to achieve my goal. So, I've set up the Ingress and the NginX Ingress Controller. The deployment went smoothly and I was able to connect to my web app via the Ingress Address and port 80. However, in the logs I still see cluster-internal IPs (from the 172.16.0.0/16 range), and that means that the external client IPs are not being properly passed via the Ingress. Could you please tell me what I need to configure in addition to the above to make it work?

My Ingress configuration:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myWebApp
spec:
  backend:
    serviceName: myWebApp
    servicePort: 8080

Recommended answer

As a layer 4 proxy, Nginx cannot retain the original source IP address in the actual IP packets. You can work around this using the Proxy protocol (the link points to the HAProxy documentation, but Nginx also supports it).

For this to work however, the upstream server (meaning the myWebApp service in your case) also needs to support this protocol. In case your upstream application also uses Nginx, you can enable proxy protocol support in your server configuration as documented in the official documentation.

According to the Nginx Ingress Controller's documentation, this feature can be enabled in the Ingress Controller using a Kubernetes ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
data:
  use-proxy-protocol: "true"

Specify the name of the ConfigMap in your Ingress controller manifest, by adding the --nginx-configmap=<insert-configmap-name> flag to the command-line arguments.
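
What "supporting the PROXY protocol" means for an upstream that is not Nginx, as an added example that is not part of the original answer: a parser for the version 1 (text) header that only believes the announced source address when the TCP peer is a trusted proxy. The function name, the sample addresses and the use of the question's 172.16.0.0/16 range as the trusted range are assumptions; the binary version 2 header is not handled.

```python
import ipaddress

# Assumption: proxies connect from the cluster range seen in the question's logs.
TRUSTED_PROXIES = ipaddress.ip_network("172.16.0.0/16")
MAX_V1_HEADER = 107  # longest possible v1 header line, CRLF included


def real_client_ip(peer_ip, data):
    """Strip a PROXY v1 header from the first bytes of a connection.

    Returns (client_ip, payload). The header's source address is used only
    if peer_ip is inside TRUSTED_PROXIES; any other peer could have written
    whatever address it liked, so its own socket address is kept instead.
    Raises ValueError when the header is missing or malformed.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]

    if fields[1] == "UNKNOWN":
        # The proxy could not determine the original endpoints.
        return peer_ip, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")

    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match protocol field")
    for port in fields[4:6]:
        if not (port.isdigit() and int(port) <= 65535):
            raise ValueError("bad port in PROXY v1 header")

    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return peer_ip, payload  # header parsed and stripped, but not trusted
    return str(src), payload


# Constructed sample: first bytes of a connection relayed by a proxy.
SAMPLE = b"PROXY TCP4 203.0.113.7 172.16.4.20 51234 8080\r\nGET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    print(real_client_ip("172.16.4.9", SAMPLE))      # peer is a trusted proxy
    print(real_client_ip("198.51.100.50", SAMPLE))   # peer is not trusted
```

A listener that parses this header should be reachable only from the proxy, because the header is plain text that any client able to connect directly can write itself.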
