From 936b6c8ad5ee55e592c9767696e3d38ec03f958b Mon Sep 17 00:00:00 2001
From: Houssem Dellai
Date: Thu, 5 Dec 2024 15:48:46 +0100
Subject: [PATCH] added preserving client IP address - 570
---
 .../1-deploy-svc.yaml | 32 ++++++++++++++
 .../{app.yaml => 2-ingress-svc.yaml} | 28 ------------
 570_ingress_preserve_source_ip/Readme.md | 44 ++++++++++++++-----
 570_ingress_preserve_source_ip/commands.ps1 | 43 ++++++++++++++----
 4 files changed, 101 insertions(+), 46 deletions(-)
 create mode 100644 570_ingress_preserve_source_ip/1-deploy-svc.yaml
 rename 570_ingress_preserve_source_ip/{app.yaml => 2-ingress-svc.yaml} (59%)
diff --git a/570_ingress_preserve_source_ip/1-deploy-svc.yaml b/570_ingress_preserve_source_ip/1-deploy-svc.yaml
new file mode 100644
index 0000000..f342da4
--- /dev/null
+++ b/570_ingress_preserve_source_ip/1-deploy-svc.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: webapp
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: webapp
+ template:
+ metadata:
+ labels:
+ app: webapp
+ spec:
+ containers:
+ - name: webapp
+ image: jelledruyts/inspectorgadget
+ ports:
+ - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: webapp
+spec:
+ type: LoadBalancer # ClusterIP
+ externalTrafficPolicy: Cluster # Local
+ ports:
+ - port: 80
+ targetPort: 80
+ selector:
+ app: webapp
\ No newline at end of file
diff --git a/570_ingress_preserve_source_ip/app.yaml b/570_ingress_preserve_source_ip/2-ingress-svc.yaml
similarity index 59%
rename from 570_ingress_preserve_source_ip/app.yaml
rename to 570_ingress_preserve_source_ip/2-ingress-svc.yaml
index 4136843..d5b8b57 100644
--- a/570_ingress_preserve_source_ip/app.yaml
+++ b/570_ingress_preserve_source_ip/2-ingress-svc.yaml
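Review bot: The Service created here is named `webapp` with no namespace, and the ClusterIP Service in `2-ingress-svc.yaml` keeps the same name while this commit removes its `namespace: webapp`, so the second `kubectl apply` will re-apply this public LoadBalancer as a ClusterIP (and drop `externalTrafficPolicy`) — if that hand-over is intended, say so with `# NOTE: 2-ingress-svc.yaml re-applies this Service as ClusterIP behind the ingress`, otherwise give the two Services distinct names. `image: jelledruyts/inspectorgadget` carries neither a tag nor a digest, so every rollout pulls whatever `latest` resolves to at that moment; pin it to a tag or an `@sha256:` digest. The container has no `securityContext` or `resources`, and `type: LoadBalancer` publishes an app that, per the walkthrough comments, reflects request details to any internet client for as long as the cluster lives; `loadBalancerSourceRanges:` with the tester's CIDR plus `runAsNonRoot: true` / `allowPrivilegeEscalation: false` are cheap to add even for a demo. The trailing `# ClusterIP` and `# Local` comments are alternatives the walkthrough later toggles with `kubectl patch`; `# Cluster: kube-proxy SNATs to the node IP; patched to Local in commands.ps1 to keep the client IP` would make that explicit.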
@@ -1,34 +1,7 @@
 apiVersion: v1
-kind: Namespace
-metadata:
- name: webapp
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: webapp
- namespace: webapp
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: webapp
- template:
- metadata:
- labels:
- app: webapp
- spec:
- containers:
- - name: webapp
- image: jelledruyts/inspectorgadget
- ports:
- - containerPort: 80
----
-apiVersion: v1
 kind: Service
 metadata:
 name: webapp
- namespace: webapp
 spec:
 type: ClusterIP
 ports:
@@ -41,7 +14,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: app-ingress
- namespace: webapp
 annotations:
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 # nginx.ingress.kubernetes.io/use-proxy-protocol: "true"
diff --git a/570_ingress_preserve_source_ip/Readme.md b/570_ingress_preserve_source_ip/Readme.md
index efe48f4..71edc64 100644
--- a/570_ingress_preserve_source_ip/Readme.md
+++ b/570_ingress_preserve_source_ip/Readme.md
@@ -15,7 +15,7 @@ Here is a step-by-step guide to demonstrate how to preserve the client's IP addr
 ```sh
 # create an AKS cluster
-$AKS_RG="rg-aks-cluster"
+$AKS_RG="rg-aks-cluster-570"
 $AKS_NAME="aks-cluster"
 az group create -n $AKS_RG -l swedencentral
@@ -27,11 +27,40 @@ az aks get-credentials -n $AKS_NAME -g $AKS_RG --overwrite-existing
 # verify connection to the cluster
 kubectl get nodes
+# create and expose a service of type LoadBalancer
+
+kubectl apply -f 1-deploy-svc.yaml
+
+# check the app working, and get the public IP address of the service
+
+kubectl get svc,deploy
+
+# navigate to the public IP address in the browser
+# check the IP address of the client in the request.
+# It doesn't match the IP address of the client.
+# It should be the IP address of the node/vm.
+# It was SNAT'd by the VM.
+# You can see the IP addresses of the node/vm and the LoadBalancer in the request.
+
+kubectl get nodes -o wide
+
+# now enable `externalTrafficPolicy: Local` in the public service
+
+kubectl patch svc webapp -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
+
+# if using Linux, use the following command instead
+# kubectl patch svc webapp -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+
+# check the request. It should contain the original client IP address (Remote IP Address).
+
+# What about the traffic coming through ingress controller?
+
 # install Nginx ingress controller
+
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm repo update
-NAMESPACE_INGRESS="ingress-nginx"
+$NAMESPACE_INGRESS="ingress-nginx"
 helm install ingress-nginx ingress-nginx/ingress-nginx `
 --create-namespace `
@@ -43,11 +72,8 @@ kubectl get pods,deployments,services --namespace $NAMESPACE_INGRESS
 $INGRESS_PUPLIC_IP=$(kubectl get services ingress-nginx-controller -n $NAMESPACE_INGRESS -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo $INGRESS_PUPLIC_IP
-# 20.103.25.154
-
-kubectl apply -f app.yaml
-curl $INGRESS_PUPLIC_IP
+kubectl apply -f 2-ingress-svc.yaml
 # check the "X-Forwarded-For" header in the response. It should contain the SNAT'd IP address of the client, which become the IP address of the node/vm.
@@ -55,12 +81,10 @@ curl $INGRESS_PUPLIC_IP
 kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
-# use the following if using Linux
+# if using Linux, use the following command instead
 # kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{"spec":{"externalTrafficPolicy":"Local"}}'
-curl $INGRESS_PUPLIC_IP
-
-# check the "X-Forwarded-For" and "X-Real-IP" headers in the response. They should contain the original client IP address.
+# check the "X-Forwarded-For" and "X-Real-IP" headera in the response. They should contain the original client IP address.
 ```
 ## More resources and references
diff --git a/570_ingress_preserve_source_ip/commands.ps1 b/570_ingress_preserve_source_ip/commands.ps1
index bc1573a..425095b 100644
--- a/570_ingress_preserve_source_ip/commands.ps1
+++ b/570_ingress_preserve_source_ip/commands.ps1
@@ -1,5 +1,5 @@
 # create an AKS cluster
-$AKS_RG="rg-aks-cluster"
+$AKS_RG="rg-aks-cluster-570"
 $AKS_NAME="aks-cluster"
 az group create -n $AKS_RG -l swedencentral
@@ -11,11 +11,40 @@ az aks get-credentials -n $AKS_NAME -g $AKS_RG --overwrite-existing
 # verify connection to the cluster
 kubectl get nodes
+# create and expose a service of type LoadBalancer
+
+kubectl apply -f 1-deploy-svc.yaml
+
+# check the app working, and get the public IP address of the service
+
+kubectl get svc,deploy
+
+# navigate to the public IP address in the browser
+# check the IP address of the client in the request.
+# It doesn't match the IP address of the client.
+# It should be the IP address of the node/vm.
+# It was SNAT'd by the VM.
+# You can see the IP addresses of the node/vm and the LoadBalancer in the request.
+
+kubectl get nodes -o wide
+
+# now enable `externalTrafficPolicy: Local` in the public service
+
+kubectl patch svc webapp -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
+
+# if using Linux, use the following command instead
+# kubectl patch svc webapp -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+
+# check the request. It should contain the original client IP address (Remote IP Address).
+
+# What about the traffic coming through ingress controller?
+
 # install Nginx ingress controller
+
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm repo update
-NAMESPACE_INGRESS="ingress-nginx"
+$NAMESPACE_INGRESS="ingress-nginx"
 helm install ingress-nginx ingress-nginx/ingress-nginx `
 --create-namespace `
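Review bot: `kubectl get svc,deploy` runs immediately after `kubectl apply -f 1-deploy-svc.yaml`, so on a fresh cluster the `webapp` EXTERNAL-IP is normally still `<pending>` and the comment "get the public IP address of the service" does not hold on the first run; capture it the way the ingress IP is captured later, e.g. `$WEBAPP_PUBLIC_IP=$(kubectl get svc webapp -o jsonpath='{.status.loadBalancer.ingress[0].ip}')` once `kubectl get svc webapp -w` (or a short retry loop) shows an address. The `externalTrafficPolicy: Local` patch deserves a comment on what it trades off: kube-proxy stops forwarding to pods on other nodes and the cloud load balancer's health probe (healthCheckNodePort) only marks nodes that host a ready `webapp` pod as healthy, which is what removes the SNAT — TODO confirm the probe behaviour on the AKS load balancer for this node-pool size. It is also worth stating why the address the app now sees can be trusted: it is the TCP peer address, not a header a client can forge, which is not the case once traffic goes through the ingress controller in the next step. `# It was SNAT'd by the VM.` is imprecise — the SNAT is done by kube-proxy's rules on the node when the policy is `Cluster`; suggest `# It was SNAT'd by kube-proxy on the node because externalTrafficPolicy is Cluster.`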
@@ -27,18 +56,16 @@ kubectl get pods,deployments,services --namespace $NAMESPACE_INGRESS
 $INGRESS_PUPLIC_IP=$(kubectl get services ingress-nginx-controller -n $NAMESPACE_INGRESS -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo $INGRESS_PUPLIC_IP
-# 20.103.25.154
-
-kubectl apply -f app.yaml
-curl $INGRESS_PUPLIC_IP
+kubectl apply -f 2-ingress-svc.yaml
 # check the "X-Forwarded-For" header in the response. It should contain the SNAT'd IP address of the client, which become the IP address of the node/vm.
 # Enable "externalTrafficPolicy: Local" in the ingress controller service
-kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
-curl $INGRESS_PUPLIC_IP
+# if using Linux, use the following command instead
+# kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{"spec":{"externalTrafficPolicy":"Local"}}'
 # check the "X-Forwarded-For" and "X-Real-IP" headera in the response. They should contain the original client IP address.
\ No newline at end of file
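Review bot: Both `curl $INGRESS_PUPLIC_IP` lines are removed but the comments `# check the "X-Forwarded-For" header in the response` and the final `# check the ... headera in the response` still describe inspecting a response, so after `kubectl apply -f 2-ingress-svc.yaml` nothing in the script sends a request; either restore the request or reword the comments to say the check is done from the browser, as the earlier step does. Because the Ingress in `2-ingress-svc.yaml` sets `nginx.ingress.kubernetes.io/ssl-redirect: "true"`, a plain `http://` request only returns a redirect, so a restored command needs `-L -k` or an `https://` URL — I cannot see whether a TLS secret is configured, so confirm. The point this walkthrough should make explicit is that behind the ingress the application learns the client address only from headers, and `X-Forwarded-For` is client-supplied: with the chart's default `use-forwarded-headers: false` ingress-nginx ignores the incoming value and fills the header from the connecting address (which is only the real client once the controller Service is `Local`), but the script never pins that setting, so add `curl -H "X-Forwarded-For: 203.0.113.7" http://$INGRESS_PUPLIC_IP/` (`curl.exe` in Windows PowerShell, where `curl` aliases Invoke-WebRequest) and confirm the spoofed value does not show up as the client — TODO confirm the default against the installed chart version. The typo `headera` in the last context line is pre-existing; `headers` while touching this block.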