I am trying to get the real source IP addresses to my Kubernetes pods using traefik. I am using the digital ocean load balancer which has the proxy protocol enabled. I have also configured my K8s service yaml to set the External Traffic policy to local.

Extract from my configmap in K8s for Traefik Ingress. I've redacted my actual IPs but I use my load balancer IP and Kubernetes worker node private IPs.

    [entryPoints]
      [entryPoints.http]
        address = ":80"
        compress = true
        [entryPoints.http.redirect]
          entryPoint = "https"
      [entryPoints.https]
        address = ":443"
        compress = true
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
            CertFile = "/ssl/client_co.crt"
            KeyFile = "/ssl/tls.key"
        [entryPoints.https.proxyProtocol]
          # one list entry per IP or CIDR; actual values redacted
          trustedIPs = ["<load-balancer-ip>", "<worker-node-1-ip>", "<worker-node-2-ip>"]
        [entryPoints.https.redirect]
          regex = "^https://(?:www\\.)(.*)"
          replacement = "https://$1"
          permanent = true

This is part of the deployment file service yaml.

    kind: Service
    apiVersion: v1
    metadata:
      name: traefik-ingress-service
      annotations:
        service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
        - protocol: TCP
          port: 80
          name: web
        - protocol: TCP
          port: 443
          name: https
        # admin port disabled; the whole entry is commented out so the
        # https port above does not get a second `name` key
        # - protocol: TCP
        #   port: 8080
        #   name: admin
      type: LoadBalancer
      externalTrafficPolicy: Local

Any help is always appreciated.

Rutnet
  • how and where are you checking the IP ? – Arghya Sadhu May 09 '20 at 13:21
  • For now I am just checking the traefik logs and they have the private IP addresses – Rutnet May 09 '20 at 13:38
  • can you check the header X-real-IP and X-Forwarded-For – Arghya Sadhu May 09 '20 at 13:39
  • I don't see the header on Chrome. I don't think DO Load Balancer passes these headers to the pods, that's why I am using the proxy. Might be wrong – Rutnet May 09 '20 at 14:16
  • Are you doing ssl passthrough or ssl termination at do loadbalancer? Did you hit http or https from chrome? – Arghya Sadhu May 09 '20 at 15:35
  • SSL termination is not at the loadbalancer level, but through traefik which is one of the pods on the cluster – Rutnet May 14 '20 at 15:02
  • I am experiencing similar issue with Traefik ingress controller with elb. I have enabled `proxyProtocol` and `forwardedHeaders` and added LB IPs and Pod CIDR as `trustedIPs` but only Internal IP is logged in the webserver pod logs. – Kiran Aug 17 '20 at 13:08
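Added example, not from the question or from Traefik: a small Python model of what `trustedIPs` means for PROXY protocol v1. The header is only believed when the TCP peer that connects is in the trusted list; from any other peer it is ignored and the peer's own address is what ends up in the logs, so the list has to cover every address the load balancer or nodes actually connect from. The load balancer address, worker-node range and sample header are constructed documentation-range values.

```python
import ipaddress
from typing import List, Optional, Tuple

PROXY_V1_PREFIX = b"PROXY "   # v1 is plain ASCII: "PROXY TCP4 src dst sport dport\r\n"
PROXY_V1_MAX_LEN = 107        # longest legal v1 line including CRLF

def parse_proxy_v1(header: bytes) -> Optional[Tuple[str, int]]:
    """(client_ip, client_port) from a v1 line; None for PROXY UNKNOWN;
    ValueError for anything malformed, which a server should reject."""
    if not header.startswith(PROXY_V1_PREFIX) or not header.endswith(b"\r\n"):
        raise ValueError("not a PROXY v1 header")
    if len(header) > PROXY_V1_MAX_LEN:
        raise ValueError("PROXY v1 header too long")
    fields = header[:-2].decode("ascii").split(" ")
    if fields[1:2] == ["UNKNOWN"]:
        return None  # the proxy could not determine the original client
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, family, src, dst, sport, dport = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (family == "TCP4") != (src_ip.version == 4) or src_ip.version != dst_ip.version:
        raise ValueError("address family mismatch")
    if not all(0 <= int(p) <= 65535 for p in (sport, dport)):
        raise ValueError("port out of range")
    return str(src_ip), int(sport)

def effective_source(peer_ip: str, first_bytes: bytes, trusted_cidrs: List[str]) -> Tuple[str, str]:
    """Address to log and enforce on. Same idea as trustedIPs: the header is only
    believed when the TCP peer itself is trusted; otherwise the peer address wins."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(c, strict=False) for c in trusted_cidrs):
        # Anyone can send the bytes "PROXY ..."; from an untrusted peer they are just data.
        return peer_ip, "peer not trusted; header ignored"
    if not first_bytes.startswith(PROXY_V1_PREFIX):
        return peer_ip, "trusted peer sent no PROXY header"
    parsed = parse_proxy_v1(first_bytes)
    if parsed is None:
        return peer_ip, "PROXY UNKNOWN; falling back to peer"
    return parsed[0], "client address taken from PROXY header"

def demo() -> dict:
    # Constructed values: documentation ranges stand in for the load balancer,
    # the worker-node range and a real client; none come from the question.
    trusted = ["203.0.113.10/32", "10.20.0.0/16"]
    header = b"PROXY TCP4 198.51.100.7 203.0.113.10 51234 443\r\n"
    return {
        "from_lb": effective_source("203.0.113.10", header, trusted),
        "from_node": effective_source("10.20.3.4", header, trusted),
        "from_untrusted": effective_source("192.0.2.44", header, trusted),
    }
```

Only the third case in `demo()` logs the peer rather than the client, which is the pattern to look for when private addresses show up in the ingress logs.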

0 Answers