Question

Load Balancer does not forward source ip

Posted October 24, 2017 2.3k views
Load Balancing

I have a service in a kubernetes cluster exposed through a load balancer. However, the load balancer is not correctly forwarding request headers to Kubernetes. For instance X-Forwarded-For contains the load balancer’s private IP address 10.X.X.X when it should have been [ClientIP],[LoadBalancerPrivateIP]. This is not due to the kubernetes routing controller, because when the service is exposed with an Ingress Controller I am getting all the headers correctly filled.

my kubernetes service definition is the following

apiVersion: v1
kind: Service
metadata:
  name: myservice
  labels:
    app: myapp
spec:
  ports:
  - port: 80
    targetPort: 5000
    protocol: TCP
    name: http
    type: LoadBalancer
  selector:
    app: myapp

Can someone please help out on this?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
2 answers

This might be too late for you but perhaps it will help others.

In theory, you should be able to resolve this by setting service.spec.externalTrafficPolicy to Local, example below. However, this only seems to work with some vendors (Google Cloud, Azure). I’ve tried it in DO and it doesn’t seem to work unfortunately.

---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: public
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: http
    - protocol: TCP
      port: 443
      name: https
    - protocol: TCP
      port: 8080
      name: admin
  type: LoadBalancer
  externalTrafficPolicy: Local

I’ll update if I find anything.

It still doesn’t work. Another thread with the same issue: https://www.digitalocean.com/community/questions/transparent-load-balancers

  • I managed to make source IP work, check my response to the question you are linking to.

    • Thanks CarlesBarrobes. That still require nginx. GCE and Azure support that by default, without nginx. It would be nice to have it out of the box in DO too.

      • I fully agree with you @brunokakele . I have just discovered that setting both the load balancer and nginx to use proxy protocol still had undesirable effects that made some of the networking inside the cluster not work properly - I’ve had to disable it and I’m left with no solution at the moment to obtain the real client IP

Submit an Answer