Learn how to preserve the `source IP` in your Kubernetes applications using ingress-nginx, iptables, and MetalLb on a bare-metal cluster.
---
This video is based on the question https://stackoverflow.com/q/63836681/ asked by the user 'Mihaimyh' ( https://stackoverflow.com/u/10955627/ ) and on the answer https://stackoverflow.com/a/63837996/ provided by the user 'Chayne P. S.' ( https://stackoverflow.com/u/3849555/ ) on the 'Stack Overflow' website. Thanks to these great users and the Stack Exchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Preserve source IP on Kubernetes bare-metal with ingress-nginx, Iptables and MetalLb
Also, content (except music) is licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.
If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Preserving Source IP on Kubernetes Bare-Metal with Ingress-Nginx, Iptables, and MetalLb
In today's cloud-native ecosystem, managing incoming traffic and preserving meaningful data is crucial for monitoring and security purposes. One common challenge that Kubernetes users face is how to keep the original source IP when routing traffic through ingress controllers like ingress-nginx. If you're running a bare-metal setup with Kubernetes, iptables, and MetalLb, you'll want to understand how to effectively preserve that source IP throughout the entire traffic flow to your backend applications. Let's dive into the issue and explore a structured approach to solving it.
Understanding the Problem
You have a Kubernetes cluster where traffic enters through an ingress-nginx service configured as a LoadBalancer. You’ve set up iptables to route traffic from your host to this ingress-nginx service. However, despite being able to see the source IP in the logs of the ingress-nginx pod, you encounter a problem when checking the logs of your backend applications. Instead of seeing the original source IPs, you're seeing the IP address of the ingress pod. This makes it difficult to track and identify client requests properly.
Current Setup Overview
Kubernetes Cluster: Consists of one master and one worker node.
Traffic Routing: Uses NAT from host to ingress-nginx service via MetalLb.
Iptables Configuration: Custom rules to handle forward and NAT traffic.
The iptables rules themselves are shown in the video; in that script, `$1` represents the external IP of your ingress-nginx service.
The Solution: Utilizing X-Forwarded-For Header
The solution rests on understanding at which layer the traffic is handled. Because the ingress controller acts as a Layer 4 proxy, the connection your backend sees originates from the proxy itself, so the client's address cannot be carried in the traditional Layer 3 IP header. HTTP traffic, however, has a widely accepted convention for passing that information along inside the request: the X-Forwarded-For header.
Steps to Preserve Source IP
Enable X-Forwarded-For Header in Nginx Ingress: The good news is that Nginx Ingress Controller typically adds the X-Forwarded-For header by default when forwarding HTTP requests. Make sure your Nginx configuration does not override this behavior.
Update Your Application Code: To log the original source IP, your application needs to capture and log the X-Forwarded-For header. Depending on the programming language and framework you are using, this usually involves extracting the header from the request object and logging it.
Check Your Application Logs: After implementing the above changes, check your application logs again. You should now see the original client IPs listed in the logs instead of the ingress pod IP.
Example of Logging X-Forwarded-For
The video shows pseudocode for logging the X-Forwarded-For header in popular web frameworks.
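As an added example (not the video's snippet and not ingress-nginx's own code), here is how a backend can derive the client address from X-Forwarded-For in Python. Since the header is appended hop by hop and the leftmost value is whatever the client sent, only entries added by proxies you control are reliable; the pod and LoadBalancer ranges below are assumptions for the example.

```python
import ipaddress
from typing import Mapping

# Assumed ranges for this example: the ingress-nginx pod network and the
# MetalLB/iptables host hop. Replace with your own cluster's ranges.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.244.0.0/16"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def _is_trusted(ip: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if ip parses and belongs to one of our proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def client_ip(headers: Mapping[str, str], remote_addr: str,
              trusted=TRUSTED_PROXIES) -> str:
    """Return the original client IP behind a chain of known proxies.

    X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the
    peer it received the request from. We walk the list from the right,
    skipping our own proxies, and return the first address that is not one
    of ours. Anything to the left of that was supplied by an untrusted party.
    """
    if not _is_trusted(remote_addr, trusted):
        # Request did not arrive via our ingress: the header is not ours to trust.
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr  # malformed entry: fall back to the peer
    # Every hop was one of our proxies (internal caller) or the header was absent.
    return hops[0] if hops else remote_addr


def access_log_line(method: str, path: str,
                    headers: Mapping[str, str], remote_addr: str) -> str:
    """Format the log line the backend would write, keyed on the client IP."""
    return f'{client_ip(headers, remote_addr)} "{method} {path}"'
```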
This simple change can make it much easier to identify the source of requests and enhance your application's security and performance logging capabilities.
Conclusion
Working with Kubernetes on a bare-metal setup has its challenges, but preserving the source IP with ingress-nginx, iptables, and MetalLb is achievable. By leveraging the X-Forwarded-For header and ensuring your backend applications log this information, you can gain valuable insights into client interactions, leading to better monitoring, debugging, and overall system health.
By following the steps outlined above, you can effectively maintain visibility into the true source of your traffic,