added preserving client IP address - 570

HoussemDellai · Dec 5, 2024 · 936b6c8 · 936b6c8
1 parent 0d583a1
commit 936b6c8
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 46 deletions.
diff --git a/570_ingress_preserve_source_ip/1-deploy-svc.yaml b/570_ingress_preserve_source_ip/1-deploy-svc.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webapp
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: webapp
+  template:
+    metadata:
+      labels:
+        app: webapp
+    spec:
+      containers:
+        - name: webapp
+          image: jelledruyts/inspectorgadget
+          ports:
+            - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webapp
+spec:
+  type: LoadBalancer # ClusterIP
+  externalTrafficPolicy: Cluster # Local
+  ports:
+    - port: 80
+      targetPort: 80
+  selector:
+    app: webapp
diff --git a/570_ingress_preserve_source_ip/app.yaml → ...ess_preserve_source_ip/2-ingress-svc.yaml b/570_ingress_preserve_source_ip/app.yaml → ...ess_preserve_source_ip/2-ingress-svc.yaml
@@ -1,34 +1,7 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: webapp
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: webapp
-  namespace: webapp
-spec:
-  replicas: 3
-  selector:
-    matchLabels:
-      app: webapp
-  template:
-    metadata:
-      labels:
-        app: webapp
-    spec:
-      containers:
-        - name: webapp
-          image: jelledruyts/inspectorgadget
-          ports:
-            - containerPort: 80
----
-apiVersion: v1
 kind: Service
 metadata:
   name: webapp
-  namespace: webapp
 spec:
   type: ClusterIP
   ports:
@@ -41,7 +14,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: app-ingress
-  namespace: webapp
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     # nginx.ingress.kubernetes.io/use-proxy-protocol: "true"

diff --git a/570_ingress_preserve_source_ip/Readme.md b/570_ingress_preserve_source_ip/Readme.md
@@ -15,7 +15,7 @@ Here is a step-by-step guide to demonstrate how to preserve the client's IP addr
 
 ```sh
 # create an AKS cluster
-$AKS_RG="rg-aks-cluster"
+$AKS_RG="rg-aks-cluster-570"
 $AKS_NAME="aks-cluster"
 
 az group create -n $AKS_RG -l swedencentral
@@ -27,11 +27,40 @@ az aks get-credentials -n $AKS_NAME -g $AKS_RG --overwrite-existing
 # verify connection to the cluster
 kubectl get nodes
 
+# create and expose a service of type LoadBalancer
+
+kubectl apply -f 1-deploy-svc.yaml
+
+# check the app working, and get the public IP address of the service
+
+kubectl get svc,deploy
+
+# navigate to the public IP address in the browser
+# check the IP address of the client in the request.
+# It doesn't match the IP address of the client.
+# It should be the IP address of the node/vm.
+# It was SNAT'd by the VM.
+# You can see the IP addresses of the node/vm and the LoadBalancer in the request.
+
+kubectl get nodes -o wide
+
+# now enable `externalTrafficPolicy: Local` in the public service
+
+kubectl patch svc webapp -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
+
+# if using Linux, use the following command instead
+# kubectl patch svc webapp -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+
+# check the request. It should contain the original client IP address (Remote IP Address).
+
+# What about the traffic coming through ingress controller?
+
 # install Nginx ingress controller
+
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm repo update
 
-NAMESPACE_INGRESS="ingress-nginx"
+$NAMESPACE_INGRESS="ingress-nginx"
 
 helm install ingress-nginx ingress-nginx/ingress-nginx `
      --create-namespace `
@@ -43,24 +72,19 @@ kubectl get pods,deployments,services --namespace $NAMESPACE_INGRESS
 
 $INGRESS_PUPLIC_IP=$(kubectl get services ingress-nginx-controller -n $NAMESPACE_INGRESS -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo $INGRESS_PUPLIC_IP
-# 20.103.25.154
-
-kubectl apply -f app.yaml
 
-curl $INGRESS_PUPLIC_IP
+kubectl apply -f 2-ingress-svc.yaml
 
 # check the "X-Forwarded-For" header in the response. It should contain the SNAT'd IP address of the client, which become the IP address of the node/vm.
 
 # Enable "externalTrafficPolicy: Local" in the ingress controller service
 
 kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
 
-# use the following if using Linux
+# if using Linux, use the following command instead
 # kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{"spec":{"externalTrafficPolicy":"Local"}}'
 
-curl $INGRESS_PUPLIC_IP
-
-# check the "X-Forwarded-For" and "X-Real-IP" headers in the response. They should contain the original client IP address.
+# check the "X-Forwarded-For" and "X-Real-IP" headera in the response. They should contain the original client IP address.
 ```
 
 ## More resources and references

diff --git a/570_ingress_preserve_source_ip/commands.ps1 b/570_ingress_preserve_source_ip/commands.ps1
@@ -1,5 +1,5 @@
 # create an AKS cluster
-$AKS_RG="rg-aks-cluster"
+$AKS_RG="rg-aks-cluster-570"
 $AKS_NAME="aks-cluster"
 
 az group create -n $AKS_RG -l swedencentral
@@ -11,11 +11,40 @@ az aks get-credentials -n $AKS_NAME -g $AKS_RG --overwrite-existing
 # verify connection to the cluster
 kubectl get nodes
 
+# create and expose a service of type LoadBalancer
+
+kubectl apply -f 1-deploy-svc.yaml
+
+# check the app working, and get the public IP address of the service
+
+kubectl get svc,deploy
+
+# navigate to the public IP address in the browser
+# check the IP address of the client in the request.
+# It doesn't match the IP address of the client.
+# It should be the IP address of the node/vm.
+# It was SNAT'd by the VM.
+# You can see the IP addresses of the node/vm and the LoadBalancer in the request.
+
+kubectl get nodes -o wide
+
+# now enable `externalTrafficPolicy: Local` in the public service
+
+kubectl patch svc webapp -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
+
+# if using Linux, use the following command instead
+# kubectl patch svc webapp -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+
+# check the request. It should contain the original client IP address (Remote IP Address).
+
+# What about the traffic coming through ingress controller?
+
 # install Nginx ingress controller
+
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm repo update
 
-NAMESPACE_INGRESS="ingress-nginx"
+$NAMESPACE_INGRESS="ingress-nginx"
 
 helm install ingress-nginx ingress-nginx/ingress-nginx `
      --create-namespace `
@@ -27,18 +56,16 @@ kubectl get pods,deployments,services --namespace $NAMESPACE_INGRESS
 
 $INGRESS_PUPLIC_IP=$(kubectl get services ingress-nginx-controller -n $NAMESPACE_INGRESS -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo $INGRESS_PUPLIC_IP
-# 20.103.25.154
-
-kubectl apply -f app.yaml
 
-curl $INGRESS_PUPLIC_IP
+kubectl apply -f 2-ingress-svc.yaml
 
 # check the "X-Forwarded-For" header in the response. It should contain the SNAT'd IP address of the client, which become the IP address of the node/vm.
 
 # Enable "externalTrafficPolicy: Local" in the ingress controller service
 
-kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
 
-curl $INGRESS_PUPLIC_IP
+# if using Linux, use the following command instead
+# kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{"spec":{"externalTrafficPolicy":"Local"}}'
 
 # check the "X-Forwarded-For" and "X-Real-IP" headera in the response. They should contain the original client IP address.