Hi I'm trying to get client real-ip to restrict some access at pod on kubernetes environment

8/21/2020

Hi I'm trying to get client real-ip to restrict some access at pod. But unfortunately I'm always getting 10.244.1.1 at every pod. I have tried with https://kubernetes.io/docs/tutorials/services/source-ip/ but unfortunately no luck. Please help.

I'm using kubernetes 1.8.2 version on CentOS 7 bare metal servers for kubernetes cluster. I do not have any choice but to use bare metal. As an ingress controller I'm using kong. My kong ingress controller is always getting 10.244.1.1. In kong there is a feature called IP restriction. I'm trying to use it.

Others suggested using another kong hop as a load balancer, which is not a good solution for my situation.

-- Assaduzzaman Assad
kong
kong-ingress
kubernetes
kubernetes-ingress

2 Answers

8/22/2020

Check out the properties for determining the "real IP" (https://docs.konghq.com/2.1.x/configuration/#trusted_ips):

  • trusted_ips
  • real_ip_header
  • real_ip_recursive

This might also be of interest: https://github.com/Kong/kong/pull/5861

-- Tieske
Source: StackOverflow

9/2/2020

You need to specify the traffic policy on the kong-proxy service:

spec:
  # ...
  selector:
    app: ingress-kong
  type: LoadBalancer
  externalTrafficPolicy: Local

And you may need to add one or both of the following environment variables to the kong container:

- name: KONG_TRUSTED_IPS
  value: 0.0.0.0/0,::/0
- name: KONG_REAL_IP_RECURSIVE
  value: "on"

I got this working with a k3s instance.

There is detailed information about the issues with the source-ip in "bare metal considerations for k8s" on the k8s documentation and "preserving client ip addresses" in kong docs. They contain too many details to briefly summarize.

-- d.sndrs
Source: StackOverflow
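
An added example (not part of either answer, and not Kong's code): a simplified Python model of the nginx real-IP resolution that trusted_ips and real_ip_recursive configure, comparing which address IP restriction would evaluate when 0.0.0.0/0 is trusted and when only the proxy in front of Kong is trusted. All addresses, including the load balancer at 192.0.2.10, are constructed, and X-Forwarded-For is assumed as the real_ip_header.

```python
import ipaddress

TRUST_ALL = ["0.0.0.0/0", "::/0"]   # the KONG_TRUSTED_IPS value from the answer
TRUST_LB = ["192.0.2.10/32"]        # constructed: only the load balancer in front of Kong


def resolve_client_ip(peer, xff, trusted_cidrs, recursive):
    """Return the address treated as the client (simplified realip model)."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(addr):
        return any(addr.version == n.version and addr in n for n in nets)

    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk the header right to left, but only while the current address is a
    # trusted proxy; an untrusted address is taken as the client and ends the walk.
    while hops and trusted(addr):
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last good address
        if not recursive:
            break  # non-recursive mode uses only the last header entry
    return str(addr)


def compare():
    """Resolve the same constructed requests under both trust settings."""
    cases = {
        # Peer address preserved by externalTrafficPolicy: Local; header set by the client.
        "direct": ("203.0.113.7", "10.0.0.5"),
        # Request relayed by the load balancer, which appends the real client last.
        "via_lb": ("192.0.2.10", "10.0.0.5, 203.0.113.7"),
    }
    return {
        name: {
            "trust_all": resolve_client_ip(peer, xff, TRUST_ALL, True),
            "trust_lb": resolve_client_ip(peer, xff, TRUST_LB, True),
        }
        for name, (peer, xff) in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With every source trusted, the leftmost header entry, which the client controls, is what gets resolved; with only the proxy trusted, both requests resolve to 203.0.113.7.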