nginx ingress - tcp services source ip not preserved #11268
Comments
This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/remove-kind bug |
I see the packets arrive in the ingress controller with the correct ip. So ip is lost after the ingress controller. |
oh ok. If I am not wrong, then using host-ip address means all bets are off and not much to be said from the project side. You can route like that or NodePort etc etc, but it's not a guarantee of preserving headers or other client info that the controller can rely on. That is a termination on that host so only you can tell how any headers and other info is preserved across that hop. We only test loadbalancers that offer those features to preserve info across hops etc. Hope it works out for you by some expert comments |
But seems the nginx controller is somehow natting the traffic, because it arrives at nginx with the correct ip 192.168.0.6 and then arrives at the pod with the ip of the nginx controller. |
Routing is what controller does. Preserving client info across hop is not
what controller decides. Do tcpdump in controller if possible to check what
info is preserved. But AFAIK, this is not what is tested in CI
|
For what it is worth, please do tcpdump in syslog pod and check the headers received. It may tell if headers are preserved or not. If preserved then maybe X-real-ip or some such header may have the info, I am not sure because I never tested like this. |
Isn't x-real-ip an http header? I don't think we will find anything like that on a syslog tcp packet. I also right now found on the nginx documentation (https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/#IpBackend) that the only way to preserve client ip for tcp/udp traffic to a destination that doesn't support proxy protocol like syslog is using nginx with proxy_bind transparent. Does the nginx ingress controller for kubernetes support that? |
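Added example, not part of the thread or of ingress-nginx: the comment above distinguishes TCP backends that understand PROXY protocol from ones that do not. This sketch shows what a backend that does understand it has to do with a PROXY protocol v1 line to recover the client address, and why it should accept that line only from the proxy. The function names, the trusted-proxy set, the ports and the syslog line are assumptions; the addresses are the ones quoted in the issue.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line the spec allows, CRLF included

# Constructed sample: first bytes read from the controller's connection when the
# original client is 192.168.0.6 (ports and the syslog line are made up).
SAMPLE = (b"PROXY TCP4 192.168.0.6 192.168.0.115 51234 514\r\n"
          b"<134>Apr 16 23:07:00 vm01 app: hello\n")


def split_proxy_v1(data: bytes):
    """Return (client_ip, client_port, payload); raise ValueError if malformed.

    client_ip and client_port are None for a "PROXY UNKNOWN" header.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")  # non-ASCII raises ValueError
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])  # raises ValueError on junk
    dst = ipaddress.ip_address(fields[3])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match protocol field")
    ports = [int(p) for p in fields[4:6]]
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return str(src), ports[0], payload


def effective_source(peer_ip: str, data: bytes, trusted_proxies: set):
    """Return (address_to_log, payload) for the first bytes of a connection.

    The header is honoured only when the TCP peer is a known proxy; otherwise a
    client could forge its own source address by sending a PROXY line.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip, data  # direct connection: treat everything as payload
    ip, _port, payload = split_proxy_v1(data)
    return (ip or peer_ip), payload
```

With the controller address 10.32.80.24 in the trusted set, the sample yields 192.168.0.6 as the address to log; the same bytes from any other peer are logged under that peer's own address.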
https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/ This requires efforts in k8s networking side and nginx.conf updated with proxy_bind transparent. Setting |
L7 Load balancer needs to have X-Forwarded https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers |
Thank you all for the information. |
Hey @mvrk69, how did you solve this issue? |
Well, depends, if you have several nodes, then for now I think there is no solution. Though in my case as I only have one node I used NodePort to expose the rsyslog port on the node and that's it. |
What happened:
Hi,
I have a pod with rsyslog running as a central logging system, and I need that the logs that arrive at my rsyslog pod from external network arrive with the original source ip address, but I have not been able to make it work with nginx ingress.
I've set the ingress-nginx-controller service externalTrafficPolicy="Local" as explained all over the internet and in the docs.
Example
I have a VM with ip 192.168.0.6 which is sending logs to my rsyslog pod service (syslog.apps.k8s.azar.pt - 192.168.0.115) but the logs arrive with ip 10.32.80.24 which is the ip of the ingress-nginx-controller instead of 192.168.0.6.
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Kubernetes version (use kubectl version):
Environment:
uname -a
kubectl describe cm kubeadm-config -n kube-system
kubectl get nodes -o wide
kubectl describe cm tcp-services -n ingress-nginx
helm ls -A | grep -i ingress
helm -n <ingresscontrollernamespace> get values <helmreleasename>
kubectl describe ingressclasses
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>