How to preserve IP address of client withnout external LB or Proxy

[jonaskowalczyk]

Hello,

I have kubernetes cluster with 2 replicas of nginx ingress controller. I don't have any external LB or proxy. I am trying to preserve IP address from client (PC, phone, whatever) but what I always got is the IP address of the node, where the final pod is running (since there are 2 pods, sometimes I get first IP, sometimes I get another)

I also tried to set X-Forwarded-For header with $remote_addr or $proxy_add_x_forwarded_for within the configmap configuration, but with no success. I tried to look everywhere, but I didn't find any piece of documentation about this specific (and really simple) problem.

I am trying to achieve that for further whitelisting with nginx.ingress.kubernetes.io/whitelist-source-range annotation.

When I set externalTrafficPolicy to local, everything works fine. But since this is not good practise for loadbalancing (due to the many blog posts and documentation) I want to avoid it and try to find different way.

[k8s-ci-robot]

@jonaskowalczyk: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[longwuyuan]

Post the link to the documentation related to what you are trying to achieve

[jonaskowalczyk]

Hello,

It is very similar to this one: https://stackoverflow.com/questions/60968806/nginx-ingress-controller-forward-source-ip with the difference, that I don't want to use service.spec.externalTrafficPolicy: Local in ingress controller service as is mentioned in the answer section.

There is many posts out there, but all of them count with the way of having external load balancer or proxy before nginx ingress controller (like ELB) and therefore they use proxy protocol or X-Forwarded-For headers to achieve preserving ip address.

There are some post, which doesn't count with that, but these are not answered.

I dont want to use service.spec.externalTrafficPolicy: Local because in this blog he says:

"By setting ExternalTrafficPolicy=local, nodes only route traffic to pods that are on the same node, which then preserves client IP. It’s important to recognize that ExternalTrafficPolicy is not a way to preserve source IP; it’s a change in networking policy that happens to preserve source IP."

[longwuyuan]

Better to discuss such topics in kubernetes slack. We don't test your scene.

On Tue, 13 Dec, 2022, 2:41 pm Jonáš Kowalczyk, @.***> wrote:

Hello,

It is very similar to this one: https://stackoverflow.com/questions/60968806/nginx-ingress-controller-forward-source-ip with the difference, that I don't want to use service.spec.externalTrafficPolicy: Local in ingress controller service as is mentioned in the answer section.

There is many posts out there, but all of them count with the way of having external load balancer or proxy before nginx ingress controller (like ELB) and therefore they use proxy protocol or X-Forwarded-For headers to achieve preserving ip address.

There are some post, which doesn't count with that, but these are not answered.

I dont want to use service.spec.externalTrafficPolicy: Local because in this https://blog.getambassador.io/externaltrafficpolicy-local-on-kubernetes-e66e498212f9 blog he says:

"By setting ExternalTrafficPolicy=local, nodes only route traffic to pods that are on the same node, which then preserves client IP. It’s important to recognize that ExternalTrafficPolicy is not a way to preserve source IP; it’s a change in networking policy that happens to preserve source IP."

— Reply to this email directly, view it on GitHub https://github.com/kubernetes/ingress-nginx/issues/9402#issuecomment-1347994110, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABGZVWWZLDAD6TOFSH72MJ3WNA4SJANCNFSM6AAAAAAS4BNBLQ . You are receiving this because you commented.Message ID: @.***>

[jonaskowalczyk]

Can I get invitation link? I would like to provide more information. You can send me to: jonaskowalczyk12@gmail.com

[longwuyuan]

Use slack.k8s.io . Read about kind cluster configuration for port config https://kind.sigs.k8s.io/docs/user/quick-start#mapping-ports-to-the-host-machine

On Tue, 13 Dec, 2022, 2:57 pm Jonáš Kowalczyk, @.***> wrote:

Can I get invitation link? I would like to provide more information. You can send me to: @.***

— Reply to this email directly, view it on GitHub https://github.com/kubernetes/ingress-nginx/issues/9402#issuecomment-1348036230, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABGZVWS7CYI4JWP7NQICAZLWNA6QLANCNFSM6AAAAAAS4BNBLQ . You are receiving this because you commented.Message ID: @.***>

[longwuyuan]

discussion moved here https://kubernetes.slack.com/archives/CANQGM8BA/p1670925074384859 /close

[k8s-ci-robot]

@longwuyuan: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/9402#issuecomment-1348224399): >discussion moved here https://kubernetes.slack.com/archives/CANQGM8BA/p1670925074384859 >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.