How to get client ip from Google Network Load Balancer with kubernetes service

6/2/2020

I created a kubernetes service in GKE with type:LoadBalancer.

apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: http
  selector:
    app: nginx

It's a nginx service and try to get origin client IP. like

        location / {
            echo $remote_addr;
            echo $http_x_forwarded_for;   
        }

But the result will get:

10.140.0.97

$remote_addr is like inside kubernetes IP.

$http_x_forwarded_for is empty.

I don't know why this is not like document said.

What I read

https://cloud.google.com/load-balancing/docs/network

Network Load Balancing is a pass-through load balancer, which means that your firewall rules must allow traffic from the client source IP addresses.

https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview#ext-lb

If your Service needs to be reachable from outside the cluster and outside your VPC network, you can configure your Service as a LoadBalancer, by setting the Service's type field to LoadBalancer when defining the Service. GKE then provisions a Network Load Balancer in front of the Service. The Network Load Balancer is aware of all nodes in your cluster and configures your VPC network's firewall rules to allow connections to the Service from outside the VPC network, using the Service's external IP address. You can assign a static external IP address to the Service. Visit Configuring Domain Names with Static IP Addresses for more information.

-- RammusXu
google-cloud-platform
google-kubernetes-engine
kubernetes
load-balancing

2 Answers

6/2/2020

Just add externalTrafficPolicy: Local

spec:
  externalTrafficPolicy: Local
  type: LoadBalancer

Packets sent to Services with Type=LoadBalancer are source NAT’d by default, because all schedulable Kubernetes nodes in the Ready state are eligible for load-balanced traffic. So if packets arrive at a node without an endpoint, the system proxies it to a node with an endpoint, replacing the source IP on the packet with the IP of the node (as described in the previous section).

Reference

-- RammusXu
Source: StackOverflow

6/2/2020

Because Network Load Balancer handles all incoming traffics and redirect to your GKE cluster. Inside k8s cluster, everything is running under virtual IP network, so you get 10.140.0.97.

The 1st document says you need to setup firewall to accept traffics from client source IP, otherwise by GCP default you are not gonna get any incoming traffic. But 2nd document indicates that GKE will automatically setup for you. All you need to do is find out your external IP and give it a try. You should be able to see your nginx welcome page.

P.S. The default external IP is dynamic, if you want a static IP you can get one via console or gcloud CLI.

-- Ken Chen
Source: StackOverflow