Question

Get client source IP with Kubernetes Load Balancer service

Posted November 4, 2018 6.7k views
Load Balancing, Kubernetes

Hello,

I deployed Traefik to my Kubernetes cluster to act as an Ingress controller. On other clouds (e.g., Azure), you can set ‘External Traffic Policy’ to ‘Local’ in order to preserve the client source IP (https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip).

Does Digital Ocean plan on supporting this feature?

12 answers

Ditto; I’m toying with the idea of some non-HTTP apps that require client IP address information. Something like PROXY protocol would work in at least one case, but it would be simpler to have direct IP-level access to the client address.

I desperately need this as I’m basically ready to launch but can’t without getting the client IP from the load balancer.

Digging more into it:

https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-loadbalancer

IIUC, this means that DO k8s load balancer doesn’t support the client source IP, as it uses the proxy (option 1) described in the link above. Moreover, the load balancer setting doesn’t seem to stick, so the HTTP headers solution isn’t feasible, and if you have a TCP service you have no support.

Correct me if I am wrong, but currently the source IP will be set to one of the nodes and there is no way to change that.

Ideally, DO should implement the option 2 (packet forwarder), as it would support this use case for people that need it (GCP and Azure do implement it).

We definitely need to have an option to set externalTrafficPolicy to local in order to fail the health check on all Droplets that don’t match the service selector. This will fix this issue. I hope DO implements this soon.

Any update on this? We are also trying to get the client ip address.

Seemingly same issue here.

Same issue here. It’s really a bummer not being supported by DO.

Also same issue here.

Follow https://github.com/digitalocean/digitalocean-cloud-controller-manager/issues/144

My workaround is to set up haproxy (or nginx) on a droplet (external to the kubernetes cluster) which adds the source IP to the X-Forwarded-For header and places the kubernetes load balancer in the backend.

haproxy: option forwardfor

nginx: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Then your web app can get the source IP from the X-Forwarded-For header.

Of course, this is a last resort :(
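
The application side of this workaround, as an added example that is not part of the original answer: nginx's $proxy_add_x_forwarded_for appends the connecting address to whatever X-Forwarded-For value the client sent, and haproxy's option forwardfor adds its own header after any existing one, so the application should read the entries from the right and stop at the first address that is not one of its own proxies. The proxy address, the private range and the function names below are constructed assumptions.

```python
import ipaddress

# Constructed addresses: the external haproxy/nginx droplet and the private
# range the load balancer and cluster nodes connect from (both assumptions).
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_headers):
    """Return the client address for a request.

    peer_addr:   address of the TCP peer as seen by the application
    xff_headers: every X-Forwarded-For header value, in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # Request did not come through our proxy: ignore the header entirely.
        return str(peer)

    hops = [h.strip() for value in xff_headers for h in value.split(",")]
    nearest = peer
    # Walk from the entry our own proxy appended back toward the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing further to the left
        if not is_trusted(addr):
            return str(addr)  # first hop we do not operate is the client
        nearest = addr
    return str(nearest)


if __name__ == "__main__":
    # Constructed request: the client sent a forged header value and the
    # proxy appended the real connecting address after it.
    print(client_ip("10.244.1.7", ["192.0.2.99, 198.51.100.23"]))
```

Reading the leftmost entry instead would return the client-supplied 192.0.2.99, which is why rate limits, allowlists and audit logs should use the right-to-left result.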

Our load balancers now support setting proxy protocol. Setting your externalTrafficPolicy to ‘local’ and getting clientIP is now fully supported on DOKS.

I’ve just tried setting externalTrafficPolicy: Local on my DOKS LoadBalancer, but I am still getting an internal (10.) IP.

Hi there,

Getting the client IP should be possible with

externalTrafficPolicy: Local

and enabling proxy protocol through the service annotations:

https://www.digitalocean.com/docs/kubernetes/how-to/configure-load-balancers/

Regards,

John Kwiatkoski
Senior Developer Support Engineer - Kubernetes
