
I have AKS with an nginx load balancer (ingress controller) installed with Helm as the entry point to my cluster.

I want to preserve the real IP addresses from clients for further whitelisting with nginx.ingress.kubernetes.io/whitelist-source-range on certain paths of specific services.

I found the solution here:

nginx ingress controller forward source ip

which works, but I also found in certain blogs and in the Kubernetes documentation that setting externalTrafficPolicy=Local is not good for proper load balancing.

I tried different variations of settings in my nginx ConfigMap, but with no luck. I also found that it can be done somehow with the X-Forwarded-For header, but I couldn't resolve it.

  • 1
    I think this is the config you need https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol – jordanm Dec 09 '22 at 20:15
  • Hello, I tried, but it did not work. What I understand from use-proxy-protocol is that it is used when you have your ingress controller behind a cloud load balancer. – Jonáš Kowalczyk Dec 09 '22 at 20:19
  • when I set use-proxy-protocol, I have same issue as here: https://stackoverflow.com/questions/42059664/kubernetes-nginx-ingress-with-proxy-protocol-ended-up-with-broken-header – Jonáš Kowalczyk Dec 09 '22 at 20:28

1 Answer


I also made a github issue with the same question here: https://github.com/kubernetes/ingress-nginx/issues/9402

And the discussion on the Kubernetes Slack took me to the following link: https://www.asykim.com/blog/deep-dive-into-kubernetes-external-traffic-policies

where he says that: "if you have a service receiving external traffic from an LB (using NodePorts), you almost always want to use externalTrafficPolicy: Local (with pod anti-affinity to alleviate imbalanced traffic)."

I didn't find a way to preserve the client IP without an external LB or proxy, so this looks like the only possible solution. If you find any better, please comment.

For more info see the discussion on the Kubernetes Slack: https://kubernetes.slack.com/archives/CANQGM8BA/p1670925074384859
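The question and the answer both turn on one detail: which address nginx ends up using as `$remote_addr` when it evaluates the `allow`/`deny` rules that `nginx.ingress.kubernetes.io/whitelist-source-range` generates. With `externalTrafficPolicy: Cluster` kube-proxy SNATs the connection, so nginx sees a node address; with `Local` the real peer address arrives on the connection and no header is needed. The X-Forwarded-For route the question mentions is governed by the ingress-nginx ConfigMap keys `use-forwarded-headers` (default `false`, so incoming `X-Forwarded-*` headers are ignored) and `proxy-real-ip-cidr` (default `0.0.0.0/0`). The model below is an added example, not code from the question, the answer or the ingress-nginx project; it reproduces that documented behaviour (nginx's realip module in recursive mode, which ingress-nginx configures when forwarded headers are on) so the allowlist-bypass edge case can be run offline. The ConfigMap fragments, the annotation, the node and proxy addresses (10.224.0.5, 10.240.0.0/16) and the requests are constructed sample data.

```python
"""Model of the client-IP decision behind nginx.ingress.kubernetes.io/whitelist-source-range.

Added example, not code from the question, the answer or the ingress-nginx project.
It reproduces the documented behaviour of the ingress-nginx ConfigMap keys
use-forwarded-headers and proxy-real-ip-cidr (nginx realip module, recursive mode).
All manifests, CIDRs and requests below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed ingress-nginx ConfigMap data (Kubernetes stores the values as strings).
# ingress-nginx defaults: use-forwarded-headers "false", proxy-real-ip-cidr "0.0.0.0/0".
CM_DEFAULT = {"use-forwarded-headers": "false", "proxy-real-ip-cidr": "0.0.0.0/0"}
# Forwarded headers on while keeping the default CIDR: X-Forwarded-For is trusted from anyone.
CM_TRUST_ANY = {"use-forwarded-headers": "true", "proxy-real-ip-cidr": "0.0.0.0/0"}
# Forwarded headers on, trusted only from an assumed L7 front proxy range.
CM_TRUST_FRONT_PROXY = {"use-forwarded-headers": "true", "proxy-real-ip-cidr": "10.240.0.0/16"}

# Constructed Ingress annotation in the form the question uses.
ANNOTATIONS = {"nginx.ingress.kubernetes.io/whitelist-source-range": "203.0.113.0/24,198.51.100.7/32"}

NODE_IP = "10.224.0.5"         # assumed node address: what nginx sees after SNAT (externalTrafficPolicy=Cluster)
FRONT_PROXY_IP = "10.240.0.9"  # assumed address of a trusted L7 proxy
ALLOWED_CLIENT = "203.0.113.10"
ATTACKER = "192.0.2.66"


@dataclass
class Request:
    remote_addr: str                       # peer address on the TCP connection
    headers: dict = field(default_factory=dict)


def _cidrs(value):
    return [ipaddress.ip_network(c.strip(), strict=False) for c in value.split(",") if c.strip()]


def client_ip(req, configmap):
    """Return the address nginx uses as $remote_addr for allow/deny.

    use-forwarded-headers false: incoming X-Forwarded-For is ignored entirely.
    use-forwarded-headers true : if the peer is inside proxy-real-ip-cidr, walk
    X-Forwarded-For right to left skipping trusted addresses; the first untrusted
    entry is the client. If every entry is trusted the leftmost entry wins, which
    is exactly why proxy-real-ip-cidr 0.0.0.0/0 makes the allowlist spoofable.
    """
    peer = ipaddress.ip_address(req.remote_addr)
    if configmap.get("use-forwarded-headers", "false").lower() != "true":
        return peer
    trusted = _cidrs(configmap.get("proxy-real-ip-cidr", "0.0.0.0/0"))
    if not any(peer in n for n in trusted):
        return peer
    entries = [e.strip() for e in req.headers.get("X-Forwarded-For", "").split(",") if e.strip()]
    result = peer
    for entry in reversed(entries):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            break                          # malformed entry: stop and keep what we have
        result = addr
        if not any(addr in n for n in trusted):
            break
    return result


def allowed(req, configmap, annotations=ANNOTATIONS):
    """Evaluate the whitelist-source-range annotation against the resolved client IP."""
    ranges = _cidrs(annotations["nginx.ingress.kubernetes.io/whitelist-source-range"])
    ip = client_ip(req, configmap)
    return any(ip in n for n in ranges)


def scenarios():
    """Constructed requests covering the cases discussed on the page."""
    spoofed = {"X-Forwarded-For": ALLOWED_CLIENT}
    return {
        # externalTrafficPolicy=Cluster: nginx sees the node, the allowlist can never match a real client.
        "cluster_policy_snat": allowed(Request(NODE_IP), CM_DEFAULT),
        # externalTrafficPolicy=Local: real source on the connection, no header needed.
        "local_policy_real_client": allowed(Request(ALLOWED_CLIENT), CM_DEFAULT),
        "local_policy_attacker": allowed(Request(ATTACKER), CM_DEFAULT),
        # Default ConfigMap ignores X-Forwarded-For, so a spoofed header changes nothing.
        "local_policy_attacker_spoofed_xff_ignored": allowed(Request(ATTACKER, spoofed), CM_DEFAULT),
        # Forwarded headers on with 0.0.0.0/0: the attacker's own header is trusted -> bypass.
        "trust_any_attacker_spoofed_xff": allowed(Request(ATTACKER, spoofed), CM_TRUST_ANY),
        # Only the front proxy trusted: a direct spoof fails...
        "trust_proxy_attacker_direct_spoof": allowed(Request(ATTACKER, spoofed), CM_TRUST_FRONT_PROXY),
        # ...and a relayed request resolves to the rightmost untrusted entry, i.e. what the proxy appended.
        "trust_proxy_relayed_attacker": allowed(
            Request(FRONT_PROXY_IP, {"X-Forwarded-For": f"{ALLOWED_CLIENT}, {ATTACKER}"}), CM_TRUST_FRONT_PROXY),
        "trust_proxy_relayed_client": allowed(
            Request(FRONT_PROXY_IP, {"X-Forwarded-For": ALLOWED_CLIENT}), CM_TRUST_FRONT_PROXY),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:45s} {'ALLOW' if ok else 'DENY'}")
```

The practical reading for the setup in the question: with `externalTrafficPolicy: Local` (the chart value `controller.service.externalTrafficPolicy`) and nothing L7 in front of ingress-nginx, leave `use-forwarded-headers` at its default of `false`, because any client can send `X-Forwarded-For` and the allowlist would then be checked against a value the attacker chose. Only turn it on when a proxy you control sits in front, and then narrow `proxy-real-ip-cidr` from `0.0.0.0/0` to that proxy's addresses; the same trust boundary applies to `use-proxy-protocol`, which is why it breaks (the "broken header" error in the comments) when the client connects directly rather than through a PROXY-protocol-speaking balancer.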