I've set up a K3S Kubernetes Environment in my private Home-Lab on Raspberry Pis in order to teach myself some Kubernetes (Noob-Alert), using NGINX as Ingress Controller and I'm kind of stuck at passing the real IP of requests to the target Pods, in my case a Nextcloud instance. The Version of K3S is `v1.22.5+k3s1`.
The K3S was set up using Docker as container runtime and with the `--no-deploy traefik` option.
After that I deployed the NGINX Ingress Controller using
```
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/baremetal/deploy.yaml
```
Then, after deploying the Nextcloud pods, I deployed the Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - my.own-dns.org
    secretName: very-secret-ssl-secret
  ingressClassName: nginx
  rules:
  - host: my.own-dns.org
    http:
      paths:
      - path: /somepath
        pathType: Prefix
        backend:
          service:
            name: someservice-service
            port:
              number: 8081
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nextcloud-service
            port:
              number: 80
```
In the deployment of the IngressController, I added the following entries in the ConfigMap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  allow-snippet-annotations: 'true'
  compute-full-forwarded-for: 'true'
  use-forwarded-headers: 'true'
  enable-real-ip: 'true'
  proxy-add-original-uri-header: 'true'
  forwarded-for-header: 'X-Forwarded-For'
```
and changed the ServiceType from the http service to `LoadBalancer`, so my Service of the IngressController looks like this:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  ipFamilyPolicy: SingleStack
  ipFamilies:
  - IPv4
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
    appProtocol: http
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
    appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
```
So far so good, accessing the Nextcloud Instance from the Internet is working great, including redirection to https, etc. But the Nextcloud Audit Log is only getting an internal Cluster IP as Source IP (surprisingly no IP from any Service I am running inside the Cluster), not the real one from the outer world.
So what am I missing? I tried setting `use-proxy-protocol` to true, but this results in an `ERR_CONNECTION_RESET`.
Have you tried setting the spec.externalTrafficPolicy to local? Have a look at the Kubernetes documentation about the implications.
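
A way to check whether the controller itself already sees a rewritten source address, before and after a change such as the one suggested above. This is an added example, not code from the question or the reply. It assumes the K3s default pod and service CIDRs (10.42.0.0/16 and 10.43.0.0/16) and the controller's default access-log format, and the log lines are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Assumption: K3s default pod and service CIDRs (adjust if the cluster was
# installed with custom --cluster-cidr / --service-cidr values).
CLUSTER_NETS = [ipaddress.ip_network(n) for n in ("10.42.0.0/16", "10.43.0.0/16")]
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The controller's default access-log format starts with the client address.
LINE_RE = re.compile(r'^(?P<addr>\S+) - \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

def classify(addr):
    """Return 'cluster', 'private', 'public' or 'invalid' for a logged address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in CLUSTER_NETS):
        return "cluster"   # source NAT happened before the controller saw it
    if any(ip in net for net in RFC1918_NETS):
        return "private"   # LAN client or an upstream router/proxy
    return "public"

def summarize(lines):
    """Count address classes; lines that do not parse count as 'invalid'."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        counts[classify(m.group("addr")) if m else "invalid"] += 1
    return counts

def source_ip_preserved(lines):
    """True only if at least one line parsed and none shows a cluster address."""
    counts = summarize(lines)
    parsed = sum(counts.values()) - counts["invalid"]
    return parsed > 0 and counts["cluster"] == 0

# Constructed sample lines (documentation address ranges, not real traffic).
TAIL = '"-" "curl/7.74.0" 34 0.012 [default-nextcloud-service-80] [] 10.42.1.7:80 150 0.012 200 0123abcd'
SAMPLE_BEFORE = [
    f'10.42.0.1 - - [12/Jan/2022:10:15:02 +0000] "GET /status.php HTTP/2.0" 200 150 {TAIL}',
    f'10.42.0.1 - - [12/Jan/2022:10:15:09 +0000] "GET /login HTTP/2.0" 200 150 {TAIL}',
]
SAMPLE_AFTER = [
    f'203.0.113.7 - - [12/Jan/2022:11:02:41 +0000] "GET /status.php HTTP/2.0" 200 150 {TAIL}',
    f'192.168.1.20 - - [12/Jan/2022:11:02:55 +0000] "GET /login HTTP/2.0" 200 150 {TAIL}',
]

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, dict(summarize(sample)), "preserved:", source_ip_preserved(sample))
```

Real input would come from `kubectl logs` on the controller pod in the `ingress-nginx` namespace. A `cluster` result there means the address was already lost before NGINX, so header settings in the ConfigMap cannot recover it.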