kubernetes nginx ingress log not displaying external ips

5/14/2018

I got the ingress nginx working in gcloud. However, when I see the log with the command kubectl log:

$ kubectl logs nginx-ingress-controller-59f55c679c-zcr24
myhost.com/clients"
10.28.0.1 - [10.28.0.1] - - [14/May/2018:09:00:59 +0000] "GET /api/users/2/10 HTTP/1.1" 304 0 "http://myhost.com/clients" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" 796 0.083 [default-back-main-80] 10.28.0.93:1337 0 0.083 304
2018/05/14 09:01:00 [notice] 10982#10982: *6937489 "/api/(.*)" matches "/api/users/1/10", client: 10.28.0.1, server: myhost.com, request: "GET /api/users/1/10 HTTP/1.1", host: "myhost.com", referrer: "http://myhost.com/clients"
2018/05/14 09:01:00 [notice] 10982#10982: *6937489 rewritten data: "/users/1/10", args: "", client: 10.28.0.1, server: myhost.com, request: "GET /api/users/1/10 HTTP/1.1", host: "myhost.com", referrer: "http://myhost.com/clients"
10.28.0.1 - [10.28.0.1] - - [14/May/2018:09:01:00 +0000] "GET /api/users/1/10 HTTP/1.1" 304 0 "http://myhost.com/clients" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" 796 0.014 [default-back-main-80] 10.28.0.93:1337 0 0.014 304

This is only one part of the logs; however, all the IPs are coming from 10.28.0.1. I would like to see the external IP, or my users' IPs.

Furthermore, the root of the IP 10.28.*.* seems a bit weird to me. If I display the IPs of my containers, you can see that they seem different.

$ kubectl get service | awk '{print $3}'
CLUSTER-IP
10.31.243.114
10.31.245.58
10.31.241.148
10.31.240.1

I understand that the requests in my other containers come from a private IP; however, in the ingress container I should receive the external IPs of my users. How can I see these IPs?

-- silgon
google-kubernetes-engine
kubernetes
kubernetes-ingress
nginx

1 Answer

5/15/2018

It looks like the source IP (in your case, the external IP) must be preserved while using the GKE service. Here, the default is set to use cluster IP, which means that traffic will go through SNAT and get transferred from node to node. During this time, the 'Source IP' (external IP) gets replaced with the node's IP (a detailed explanation is provided in this help center article).

As per the article, setting 'service.spec.externalTrafficPolicy' to the value 'Local' will bypass the SNAT, and you might be able to route traffic directly to the correct node/pod, thus preserving the source IP.

The command for setting this externalTrafficPolicy for a service might look like this:

$ kubectl patch svc [service_name] -p '{"spec":{"externalTrafficPolicy":"Local"}}'

In your case, service_name=nginx-ingress-controller-59f55c679c-zcr24

-- Digil
Source: StackOverflow
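
A check one could run over the controller's access log before and after changing externalTrafficPolicy, to confirm whether real client addresses are reaching the log. This is an added example, not code from the question or the answer; it assumes the log layout shown in the question, and the function names and the 203.0.113.7 line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges no internet client connects from: RFC 1918, CGNAT, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Access-log layout as it appears in the question:
#   <addr> - [<addr>] - <user> [<time>] "<request>" <status> ...
ACCESS_RE = re.compile(
    r'^(?P<addr>\S+) - \[[^\]]*\] - \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

def is_internal(addr):
    ip = ipaddress.ip_address(addr)   # raises ValueError if not an IP literal
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def audit_client_addresses(lines):
    """Tally internal vs. external client addresses seen in access-log lines."""
    internal, external, skipped = Counter(), Counter(), 0
    for line in lines:
        m = ACCESS_RE.match(line)
        if m is None:              # nginx error-log lines ([notice] ...), fragments
            skipped += 1
            continue
        try:
            bucket = internal if is_internal(m["addr"]) else external
        except ValueError:         # address field is not an IP literal
            skipped += 1
            continue
        bucket[m["addr"]] += 1
    return {
        "internal": dict(internal),
        "external": dict(external),
        "skipped": skipped,
        # Traffic exists but none of it shows an external client: source IP was rewritten.
        "source_ip_lost": bool(internal) and not external,
    }

# First two lines are abridged from the question's log; the last is constructed.
SAMPLE = [
    '10.28.0.1 - [10.28.0.1] - - [14/May/2018:09:00:59 +0000] "GET /api/users/2/10 HTTP/1.1" 304 0 "http://myhost.com/clients" "Mozilla/5.0" 796 0.083 [default-back-main-80] 10.28.0.93:1337 0 0.083 304',
    '2018/05/14 09:01:00 [notice] 10982#10982: *6937489 rewritten data: "/users/1/10", args: "", client: 10.28.0.1',
    '203.0.113.7 - [203.0.113.7] - - [14/May/2018:09:05:00 +0000] "GET /api/users/1/10 HTTP/1.1" 200 512 "-" "curl/7.58.0" 80 0.010 [default-back-main-80] 10.28.0.93:1337 512 0.010 200',
]

if __name__ == "__main__":
    print("before:", audit_client_addresses(SAMPLE[:2]))
    print("after: ", audit_client_addresses(SAMPLE[2:]))
```

A result with "source_ip_lost" set means every logged request appeared to come from inside the cluster, so rate limiting, allow-lists and incident timelines built on that log cannot distinguish one client from another.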