Getting kube-proxy IP instead of Real client IP

4/15/2020

In Kubernetes, whenever I try to send a request to Kubernetes pods, it shows me the kube-proxy IP instead of the real IP.

Command root@192.168.9.11:/home# curl -v http://192.168.9.10:8006/ping

It shows the kube-proxy IP, not the real client IP from which I am sending the request.

Below is my Python script:

'''
Simple socket server using threads
'''
import socket
import sys

HOST = ''   # Symbolic name, meaning all available interfaces
PORT = 8006 # Arbitrary non-privileged port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print('Socket created')

# Bind socket to local host and port
try:
    s.bind((HOST, PORT))
except socket.error as msg:
    print('Bind failed. Error Code : ' + str(msg.errno) + ' Message ' + str(msg.strerror))
    sys.exit()
print('Socket bind complete')

# Start listening on socket
s.listen(10)
print('Socket now listening')

# Now keep talking with the client
while 1:
    # Wait to accept a connection - blocking call
    conn, addr = s.accept()
    # addr is the TCP peer address as seen from inside the pod
    print('Connected with ' + addr[0] + ':' + str(addr[1]))
s.close()

Service file

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/external-traffic: OnlyLocal
  labels:
    app: test
  name: test
spec:
  externalIPs:
  - 192.168.9.10
  ports:
  - name: "8006"
    port: 8006
    protocol: TCP
    targetPort: 8006
  type: NodePort
  externalTrafficPolicy: Local
  selector:
    name: test

The Deployment is a simple Ubuntu container.

Output when I hit port 8006 from a different machine: curl -i http://192.168.9.10:8006/ping

The received request shows the k8s IP instead of the real source IP (192.168.9.11).

bash-4.4# python /tmp/1.py 
Socket created
Socket bind complete
Socket now listening

Connected with 10.244.1.1:32884
-- user3568034
kube-proxy
kubernetes

1 Answer

4/15/2020

I am not sure how you are receiving traffic on your pod, since you have not mentioned the topology. Are you using some ingress controller to receive traffic in the pod? In case you are using Nginx as the ingress controller, you might want to enable https://docs.catalystcloud.nz/kubernetes/nginx-ingress.html i.e. use-forwarded-headers: True.

EDIT: I have tried to reproduce this in Kubernetes with httpbin and busybox-curl. This setup is done on EKS:

[ root@curl-66bdcf564-p2lkj:/ ]$ curl 10.100.20.222:8000/ip
{
  "origin": "172.28.30.41"
}
[ root@curl-66bdcf564-p2lkj:/ ]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 2A:86:3D:F4:82:9A
          inet addr:172.28.30.41  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12000 (11.7 KiB)  TX bytes:2440 (2.3 KiB)

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

Curl POD

+ kubectl get deployment -o=yaml curl
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2020-04-16T12:49:31Z"
  generation: 1
  labels:
    run: curl
  name: curl
  namespace: dnsmapper
  resourceVersion: "20750418"
  selfLink: /apis/extensions/v1beta1/namespaces/dnsmapper/deployments/curl
  uid: b755fe72-7fe0-11ea-9bfc-0a03b74daf36
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      run: curl
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        run: curl
    spec:
      containers:
      - image: radial/busyboxplus:curl
        imagePullPolicy: IfNotPresent
        name: curl
        resources: {}
        stdin: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        tty: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2020-04-16T12:49:36Z"
    lastUpdateTime: "2020-04-16T12:49:36Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2020-04-16T12:49:31Z"
    lastUpdateTime: "2020-04-16T12:49:36Z"
    message: ReplicaSet "curl-66bdcf564" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

Can you share a little more detail about your cluster to try and reproduce this?

-- Shubham Singh
Source: StackOverflow
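
When a proxy in front of the pod forwards headers (the use-forwarded-headers setting mentioned in the answer), the application still sees the proxy as the TCP peer and has to decide how much of X-Forwarded-For to believe. The following is an added example, not code from the question or the answer. The function name real_client_ip and the trusted range 10.244.0.0/16 (guessed from the 10.244.1.1 peer in the question's output) are assumptions.

```python
import ipaddress

# Assumption: addresses of proxies we operate and trust to append
# X-Forwarded-For. Replace with the cluster's real proxy/pod ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.244.0.0/16")]


def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def real_client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client IP an application should log or rate-limit on.

    peer       -- address from socket.accept() (what the question's script prints)
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer_ip = ipaddress.ip_address(peer)
    # A peer that is not one of our proxies can put anything in the header,
    # so the header is ignored and the TCP peer address is used.
    if not xff_header or not _is_trusted(peer_ip, trusted):
        return str(peer_ip)

    candidate = peer_ip
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: believe nothing further to the left
        candidate = hop_ip
        if not _is_trusted(hop_ip, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed inputs: peer and client addresses taken from the question,
    # 203.0.113.7 is a documentation-range address standing in for a forged entry.
    print(real_client_ip("10.244.1.1", "192.168.9.11"))
    print(real_client_ip("10.244.1.1", "203.0.113.7, 192.168.9.11"))
    print(real_client_ip("192.168.9.11", "203.0.113.7"))
```

Entries to the left of the first untrusted hop are client-supplied and are never returned, which is why the forged 203.0.113.7 entry does not win in the second and third calls.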