Getting Real Client IP with k3s

[jawabuu]

Is your feature request related to a problem? Please describe.
I am unable to obtain Real Client IP when using k3s and Traefik v2.2. I always get the cluster IP.

Kernel version
4.4.0-174-generic
OS Image
Ubuntu 16.04.6 LTS
Container runtime version
containerd://1.3.0-k3s.4
kubelet version
v1.16.3-k3s.2
kube-proxy version
v1.16.3-k3s.2
Operating system
linux
Architecture
amd64


Images
traefik:2.2.0

Describe the solution you'd like
I would like to obtain the client IP.

Describe alternatives you've considered
I already set
externalTrafficPolicy: Local
in Traefik's Service.
Additional context
Issue can be reproduced by deploying containous/whoami image in cluster
Expected Response

Hostname: a19d325823bb
IP: 127.0.0.1
IP: 10.0.0.147
IP: 172.18.0.4
RemoteAddr: 10.0.0.144:56246
GET / HTTP/1.1
Host: whoami.civo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
X-Apache-Ip: 102.69.228.66
X-Forwarded-For: 102.69.228.66, 102.69.228.66, 172.18.0.1
X-Forwarded-Host: whoami.civo.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: bc3b51f28353
X-Real-Ip: 102.69.228.66

Current Response

Hostname: whoami-76d6dfb846-jltlm
IP: 127.0.0.1
IP: ::1
IP: 192.168.0.33
IP: fe80::7863:88ff:fe45:2ad5
RemoteAddr: 192.168.1.4:36146
GET / HTTP/1.1
Host: who.civo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.0.5
X-Forwarded-Host: who.civo.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-8477c7d8f-fbhdg
X-Real-Ip: 192.168.0.5

Service LoadBalancer Logs

+ trap exit TERM INT
/usr/bin/entry: line 6: can't create /proc/sys/net/ipv4/ip_forward: Read-only file system
+ echo 1
+ true
+ cat /proc/sys/net/ipv4/ip_forward
+ '[' 1 '!=' 1 ]
+ iptables -t nat -I PREROUTING '!' -s 192.168.183.229/32 -p TCP --dport 8080 -j DNAT --to 192.168.183.229:8080
+ iptables -t nat -I POSTROUTING -d 192.168.183.229/32 -p TCP -j MASQUERADE
+ '[' '!' -e /pause ]
+ mkfifo /pause

Related
#955
Related Discussion
#679 (comment)

@erikwilson @btashton

[brandond]

I can validate that this works properly for me with Traefik 2.2 in a 3 node Ubuntu cluster with externalTrafficPolicy: Local. Is there anything else unique about your configuration?

[jawabuu]

Hey @brandond I don't believe so. However, I'm using a managed cloud k3s service.
What is your environment?

[brandond]

Just 3 bare metal nodes running k3s on Ubuntu 19.10. Flannel is in host-gw mode, using Traefik 2.2 for ingress, and MetalLB in bgp mode for external services.

[jawabuu]

Thanks @brandond
Are using Type=LoadBalancer for Traefik Service?
Could you share your k3s startup config and MetalLB ConfigMap?

[jawabuu]

Hey @brandond , any update on this?

[brandond]

@jawabuu I'm now using Traefik 3.1 with the KubernetesCRD provider

here's my traefik service:

---
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: traefik
  labels:
    app: traefik
    chart: "traefik-3.1.0"
    release: "traefik"
    heritage: "Helm"
spec:
  type: LoadBalancer
  selector:
    app: traefik
    release: traefik
  ports:
  - port: 80
    name: web
    targetPort: "web"
  - port: 443
    name: websecure
    targetPort: "websecure"
  - port: 9000
    name: traefik
    targetPort: "traefik"
  loadBalancerIP: 10.0.3,80
  loadBalancerSourceRanges:
  - "0.0.0.0/0"
  externalTrafficPolicy: Local

For metallb, I found that using bgp works best. I have a Ubiquiti USG as my router, and set it up to peer with all three of my nodes.

---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    peers:
    - peer-address: 10.0.1.1
      peer-asn: 64512
      my-asn: 64512
      hold-time: 120s
    address-pools:
    - name: manual
      auto-assign: false
      protocol: bgp
      addresses:
      - 10.0.3.10-10.0.3.99
    - name: default
      auto-assign: true
      protocol: bgp
      addresses:
      - 10.0.3.100-10.0.3.254

[olaxe]

Lucky me, I also use the Ubiquiti USG as my router so I am also interested how to peer with all three of your nodes.

[brandond]

Here's what /unifi/data/sites/default/config.gateway.json on my unifi pod looks like. I'm using coredns k8s_external to expose services to LAN hosts; from outside the LAN I have ports forwarded to the Traefik ingress for stuff that I actually want to publish.

{
  "protocols": {
    "bgp": {
      "64512": {
        "neighbor": {
          "10.0.1.20": {
            "remote-as": "64512"
          },
          "10.0.1.21": {
            "remote-as": "64512"
          },
          "10.0.1.22": {
            "remote-as": "64512"
          }
        },
        "parameters": {
          "router-id": "10.0.1.1"
        }
      }
    }
  },
  "service": {
    "dns": {
      "forwarding": {
        "cache-size": "10000",
        "except-interface": [
          "eth0"
        ],
        "options": [
          "filterwin2k",
          "local-ttl=60",
          "host-record=usg.khaus,10.0.1.1",
          "host-record=sw-core.khaus,10.0.1.2",
          "host-record=ap-house.khaus,10.0.1.6",
          "host-record=ap-garage.khaus,10.0.1.7",
          "host-record=seago.khaus,10.0.1.20",
          "host-record=maersk.khaus,10.0.1.21",
          "host-record=sealand.khaus,10.0.1.22",
          "srv-host=_etcd-client._tcp,seago.khaus,2379",
          "srv-host=_etcd-client._tcp,maersk.khaus,2379",
          "srv-host=_etcd-client._tcp,sealand.khaus,2379",
          "srv-host=_etcd-server._tcp,seago.khaus,2380",
          "srv-host=_etcd-server._tcp,maersk.khaus,2380",
          "srv-host=_etcd-server._tcp,sealand.khaus,2380",
          "server=/k3s.khaus/10.0.3.53",
          "server=75.75.75.75",
          "server=75.75.76.76"
        ]
      }
    }
  }
}

[jawabuu]

Hey @brandond I have narrowed down the issue - as best as I could :-) to using flannel as CNI.
Calico presents no such issues. Scouring other threads also shows the following which I can confirm.

kubernetes/kubernetes#56934 (comment)

#1175 (comment)

#1175 (comment)

cert-manager/cert-manager#2811

flannel-io/flannel#1243

Calico works with Traefik 2.2 and MetalLB to resolve Real Client IP without any further configuration.

[brandond]

@jawabuu Those comments all seem to be about routing issues, not obtaining the original client IP? Either way, I'm using flannel in host-gw mode with traefik and metallb and getting the original address in the headers, so I know that it is doable. All you have to do is use externalTrafficPolicy: Local on the traefik service.

[jawabuu]

Hey @brandond you are correct. The comments are just meant to provide context that the default installation of the latest k3s with flannel may be having some issues.
I was also able to resolve Real IP using host-gw mode but only if I used a single node. Pods on different nodes could not reach each other.
I am also thinking of a more common scenario where people deploy k3s on a cloud server or where the user does not have access to configure router rules.
I would propose providing documentation that instructs how one can obtain Real-IP in k3s.

1. Use externalTrafficPolicy: Local in Traefik Service or any service (Mandatory)
2. Use;
   a) host-gw mode when using flannel with some configuration ,or,
   b) calico as CNI. This requires no further configuration

Ideally points 2 and 3 should be tested to identify edge cases.

[olaxe]

thanks to both of you @brandond and @jawabuu
the real IP is so important for some web services like Matomo

[jawabuu]

Hey @brandond, upon further testing with flannel, I have found out that it is not necessary to use host-gw mode - which breaks in cloud environments anyway - to obtain source ip.
The appropriate flag is - --ip-masq=false but due to the embedded nature of k3s flannel similar to
#72
one needs to deploy k3s with --flannel-backend=none then manually deploy flannel and set it in the kube-flannel manifest.
Would you consider making - --ip-masq=false the default or adding a flag to set this easily?

[mschneider82]

i have the same issue using --flannel-backend=wireguard and setting externalTrafficPolicy: Local doesnt change anything, I have tried NodePort and LoadBalancer. Any ideas?

[jawabuu]

Hey @mschneider82 You will not be able to get source ip using the embedded flannel in k3s.
You need to use --flannel-backend=none and deploy your own flannel manifest with config - --ip-masq=false

See below

      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.12.0-amd64
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq=false
        - --kube-subnet-mgr
        - --iface=${interface}

[upMKuhn]

Mhh works for me, but not if I have multiple wireguard interfaces :(

[sandys]

If you use haproxy as the load balancer. We did this for a while. Works great actually. Very few load balancer/ingress can actually set proxy protocol headers. ( That's why I filed the issue on kube-vip to incorporate support for proxy protocol injection.) Haproxy is a fully battle tested ingress+lb. Then we moved to AWS built in lb.

…

On Mon, 5 Apr, 2021, 15:40 Ulrich Mayring, ***@***.***> wrote: You have been mentioning before that the HAProxy Ingress not only reads the Proxy Protocol headers, but can also set them, if they are not present. What would be a scenario, where I use this feature? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2997 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAASYU2SFA4J7XEIZL7AYHDTHGECTANCNFSM4YMJZ6EQ> .

[realulim]

Do you mean HAProxy external LB or HAProxy Ingress as LB within K3s? I suppose you mean HAProxy Ingress, which then would mean no HA or load balancing, because you always have to point to one node. Which is why you moved to AWS LB.

If HAProxy external LB, then you would set the Proxy Protocol headers there and could also use Traefik or NGINX Ingress, since they can also read the headers.

I haven't quite gotten my head around how Kube-VIP is supposed to work, but I have upvoted :)

[sandys]

Do you mean HAProxy external LB or HAProxy Ingress as LB within K3s? I

suppose you mean HAProxy Ingress, which then would mean no HA or load balancing, because you always have to point to one node. Which is why you moved to AWS LB. either ways (and yes - ingress would mean no HA) - you will get proxy protocol headers with haproxy.

If HAProxy external LB, then you would set the Proxy Protocol headers

there and could also use Traefik or NGINX Ingress, since they can also read the headers. yes you could. But no use really having a different software for lb and a different one for ingress. Haproxy is just as impressive as traefik in features...and possibly more battle tested.

I haven't quite gotten my head around how Kube-VIP is supposed to work,

but I have upvoted :) kube-vip is a replacement for klipper (the built in LB in k3s). Its fairly well supported. Just like MetalLB basically.

…

On Mon, Apr 5, 2021 at 4:04 PM Ulrich Mayring ***@***.***> wrote: Do you mean HAProxy external LB or HAProxy Ingress as LB within K3s? I suppose you mean HAProxy Ingress, which then would mean no HA or load balancing, because you always have to point to one node. Which is why you moved to AWS LB. If HAProxy external LB, then you would set the Proxy Protocol headers there and could also use Traefik or NGINX Ingress, since they can also read the headers. I haven't quite gotten my head around how Kube-VIP is supposed to work, but I have upvoted :) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2997 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAASYUYZ2NCL7ORVB5R5MM3THGG25ANCNFSM4YMJZ6EQ> .

[realulim]

As far as I have understood Kube-VIP wants to solve HA, which MetalLB can't (it needs an external BGP service). Kube-VIP apparently can work with a virtual IP, which many cloud providers offer (I believe only Vultr offers BGP and you still have to install your own BGP daemon).

[realulim]

Basically, Kube-VIP uses ARP to elect a leader node and assign it a virtual IP and all other nodes then use BGP to advertise the virtual IP. This should take care of HA. As far as load balancing is concerned, there still needs to be a router that does it based on the cost-equivalent routes published by all the nodes.

[lazywalker]

This is how i solved the Client IP issue with my single-node k3s cluster(v1.21.5+k3s2), i think it's almost out-of-box since it need only one line patched, woks with the built-in ServiceLB/Traefik2.

1. with bare metal or vmware

curl -sfL https://get.k3s.io | sh -

2. with Cloud provider, use the same as above, only if you want to disable servicelb:

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--disable servicelb" sh -
kubectl patch svc traefik --patch '{"spec":{"externalIPs":["<local ip>"]}}' -nkube-system

IMPORTANT: use hostNetwork with traefik, otherwise it will not working correct with Real IP.

kubectl patch deployment traefik --patch '{"spec":{"template":{"spec":{"hostNetwork":true}}}}' -nkube-system

Test if X-Real-IP works using whoami

kubectl create ns dev
kubectl apply -f https://gist.github.com/lazywalker/4d48eaad0ef111f5e370c9c25570cd39

# on other machine
curl -H Host:whoami.k3s.local <k3s master ip>

Hostname: web-8557b59f65-mmmxx
IP: 127.0.0.1
IP: ::1
IP: 10.42.0.9
IP: fe80::74cb:efff:fe15:75ad
RemoteAddr: 10.42.0.1:40918
GET / HTTP/1.1
Host: whoami.k3s.local
User-Agent: curl/7.79.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.16.36.142
X-Forwarded-Host: whoami.k3s.local
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: k3s
X-Real-Ip: 172.16.36.142

Clean up

kubectl delete ns dev

There you go! if you add agent nodes you may still need to set externalTrafficPolicy: Local

[gowthamgts]

the kubectl apply link should be https://gist.githubusercontent.com/lazywalker/4d48eaad0ef111f5e370c9c25570cd39/raw/c7c5acc66ca97e05e8e30d0b2042b6fbf0879bef/whoami.yml

[Thomas-Ganter]

This is not working for me.

I do have externalTrafficPolicy: Local in my traefik, and
without the hostNetwork: true I get the internal cluster IP, whereas
with the hostNetwork: true I get the physical node IP.

I no configuration I was able to get the remote host IP on a plain, vanilla k3s installation with default settings.

[SebastienTainon]

Thank you, the 2 commands kubectl patch did the trick for me! After long hours of search and when I thought I had to change all my infrastructure to get rid of Traefik! Phew, thank you very much!! 😃

[anthonypillot]

Many thanks @lazywalker.

The kubectl patch deployment traefik --patch '{"spec":{"template":{"spec":{"hostNetwork":true}}}}' -n kube-system command do the trick for me too.
I've a very basic configuration: k3s with Traefik, Single Node Cluster, installed with the classical curl (curl -sfL https://get.k3s.io | sh -).
The whoami sends me X-Forwarded-For and X-Real-Ip with the rights IPs directly after the kubectl patch.

[strayer]

For what its worth I have been trying this with a dual stack setup and with externalTrafficPolicy: Local the client IPv4 is forwarded to my whoami test deployment but not the IPv6:

❯ curl -s4 http://k3s-test-debian/whoami | grep X-Forwarded-For
X-Forwarded-For: 192.168.178.109
❯ curl -s6 http://k3s-test-debian/whoami | grep X-Forwarded-For
X-Forwarded-For: fc15:1::18

Cluster was installed with:

curl -sfL https://get.k3s.io | sh -s - \
--disable-network-policy \
--node-ip="192.168.178.5,fd3b:2815:be50:4::5" \
--cluster-cidr="10.42.0.0/16,fc15:1::/56" \
--service-cidr="10.43.0.0/16,fc15:2::/112"

Traefik config override:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    service:
      spec:
        externalTrafficPolicy: Local
        ipFamilyPolicy: RequireDualStack

[strayer]

Update: same setup seems to be working on v1.23.2+k3s1

❯ for i in 4 6; curl -s$i http://k3s-1/whoami | grep X-Forwarded-For; end
X-Forwarded-For: 192.168.178.149
X-Forwarded-For: fd3b:2815:be50:4:cad:ca85:29d2:1bd6

[raine]

Thanks. Applying the traefik config override fixed the problem for me.

[svengreb]

I‘d call it “works as designed“ as this is documented, but know you locked yourself down to a single-node “cluster“ as traffic can now potentially be spread imbalanced.
In my opinion this “problem“ is nothing k3s is responsible for but the components that are higher in the “chain“, e.g. load balancers that should preserve the IP and pass it down through (HTTP) header(s).

[oernii]

Can any of this apply to an UDP service ? I'm running pihole in k3s and only see the internal IP, not the clients.

[migs35323]

so, without a load balancer, what are our options to use traefik and still have the hability to get real client ip?
i had been trying this for a while and i always get the pods to see the client as the cni0 network interface ip
i have it as a daemon set, in my case makes sense to get the ingress from any node

apparently if i set it up as a nodeport and externalTrafficPolicy:local i can get the real ip as "X-Real-Ip: 192.168.x.x" and "X-Forwarded-For: 192.168.x.x" headers...
but from several sources it seems nodeport is a really bad practice...
i had not been having success using clusterIP
i did try to use the host network settings but isn't that basically the same as the nodeport and i am exposing traefik?

[gcasale82]

hi all , deploying a mailserver on a deployment on a single node I tried with loadbalancer /nodeport service mode (tried also calico and port forwarding), but unable to have real client ip for SPF mail validation.Which is fastest way to have this work in single node k3s?thanks

[MikaelElkiaer]

I am all kinds of stuck on this.

I feel that I tried just about everything - except that I am sticking with a rootless set-up.
My set-up is fairly well-documented here: https://github.com/MikaelElkiaer/flux-twr

[lictw]

H! What I need to do now to achieve this in multi-node cluster? externalTrafficPolicy: Local works fine out of box, but only for single-node, for cluster seems like traffic can't reach ingress-controller if traffic comes on different node, all nodes have access to each others, what should I change in network? I use mostly default k3s cluster setup with custom nginx-ingress setup, flannel is default.

[dakota-marshall]

I am running a multi (3) node cluster as well. Using externalTrafficPolicy: Local doesnt prevent traffic destined for a service from a different node from hitting the service, but it will show the Ingress Controller IP.

If however, you directly hit the node that the service is sitting on, it wil show you the real IP.

I really hope there is a way to get this working, I would really like to be able to see useful access logs inside Traefik.

[skea999]

Hello, I found a simple solution for this problem.
simply apply this yaml:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    deployment:
      kind: DaemonSet
    ports:
      web:
        forwardedHeaders:
          insecure: true
        proxyProtocol:
          insecure: true
      websecure:
        forwardedHeaders:
          insecure: true
        proxyProtocol:
          insecure: true
    hostNetwork: true
    service:
      spec:
        externalTrafficPolicy: Local
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
        maxSurge: 0

Basically the mode by you contact your service change from:

to:

than you don't contact the cni anymore. once you contact one url that is an ingress in k3s you enter in the node, than in the load balancer, than in traefik and finally on your service.

I only have listened allthing writed here and I have setup traefik with hostNetwork: true and the service with externalTrafficPolicy: Local
the different thing is that traefik need to be deployed on all nodes othervise it will not work, than i changed the deployment type of traefik to daemonset.
I have a base k3s install with all standard things such as default traefik, default flannel and klipper.
It work on 6 node cluster (3 master with taint, 3 workers).

Thank you for this tread and I hope I will be helpfull.

my os:
3.18.5
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.18.5
PRETTY_NAME="Alpine Linux v3.18"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"

virt kernel and hardening.

my k3s:
v1.27.5-k3s1
installed with default k3s in alpine repos.

my traefik:
helm chart: traefik:21.2.1+up21.2.0
traefik version: 2.9.10

klipper version: v0.4.4

what I have done for testing:

create a namespace called apache-n

deploy a base http container for testing:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  namespace: apache-n
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
      namespace: apache-n
    spec:
      containers:
        - args:
            - >-
              dnf -y install iproute bind-utils iputils nmap procps;mkdir
              test;cd test;echo -e '' > index.html;echo -e '#!/usr/bin/env
              python3

              import http.server as SimpleHTTPServer

              import socketserver as SocketServer

              import logging

              PORT = 80

              class GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
                  def do_GET(self):
                      logging.error(self.headers)
                      SimpleHTTPServer.SimpleHTTPRequestHandler.do_GET(self)
              Handler = GetHandler

              httpd = SocketServer.TCPServer(("", PORT), Handler)

              httpd.serve_forever()

              ' > test.py; chmod 755 test.py;python3 test.py; while true; do
              sleep 30; done;
          command:
            - /bin/bash
            - '-c'
            - '--'
          image: fedora:latest
          imagePullPolicy: Always
          name: test
          ports:
            - containerPort: 80
              hostPort: 8080
              name: port80
              protocol: TCP

deploy a service:

apiVersion: v1
kind: Service
metadata:
  name: apache-s
  namespace: apache-n
spec:
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: apache-p
      nodePort: 32542
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: test
  sessionAffinity: None
  type: NodePort

create an ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
spec:
  ingressClassName: traefik
  rules:
    - host: example.example.com
      http:
        paths:
          - backend:
              service:
                name: apache-s
                port:
                  number: 80
            path: /
            pathType: Prefix

when contacting the example.example.com I have a response from the container:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Dnt: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.100.34
X-Forwarded-Host: example.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: rom1ra1prova2m1
X-Real-Ip: 192.168.100.34


10.42.0.0 - - [28/Dec/2023 17:19:37] "GET / HTTP/1.1" 200 -

as you can see X-Forwarded-For: is right and X-Real-Ip: also.

[jon-nfc]

thanks for your post. I was looking for a way to confirm what headers are being set by the proxy and your deployment does this.

[omidraha]

I have same issue,
I’m using k3s, I have disabled traefik (but not service-lb) and using NGINX Ingress Controller with default service-lb (klipper-lb).

Info

"controller": {
	"kind": "DaemonSet",
	"allowSnippetAnnotations": True,
	"service": {
		"externalTrafficPolicy": "Local",
	},
	"config": {
		"enable-real-ip": True,
		"use-forwarded-headers": True,
		"compute-full-forwarded-for": True,
		"use-proxy-protocol": True,
		"proxy-add-original-uri-header": True,
		"forwarded-for-header": "proxy_protocol",
		"real-ip-header": "proxy_protocol",
	},
},

Info

kubectl logs -n apps-dev  ingress-nginx-controller

" while reading PROXY protocol, client: 10.42.0.10, server: 0.0.0.0:80
2024/01/09 19:28:10 [error] 98#98: *2465 broken header: "GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

" while reading PROXY protocol, client: 10.42.0.10, server: 0.0.0.0:80

Info

kubectl describe services -n apps-dev ingress-nginx-dev-c34ab985-controlle

Name:                     ingress-nginx-dev-c34ab985-controller
Namespace:                apps-dev
Labels:                   app.kubernetes.io/component=controller
                          app.kubernetes.io/instance=ingress-nginx-dev-c34ab985
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=ingress-nginx
                          app.kubernetes.io/part-of=ingress-nginx
                          app.kubernetes.io/version=1.9.4
                          helm.sh/chart=ingress-nginx-4.8.3
Annotations:              meta.helm.sh/release-name: ingress-nginx-dev-c34ab985
                          meta.helm.sh/release-namespace: apps-dev
Selector:                 app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx-dev-c34ab985,app.kubernetes.io/name=ingress-nginx
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.43.172.22
IPs:                      10.43.172.22
LoadBalancer Ingress:     100.100.100.100
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  30861/TCP
Endpoints:                10.42.0.11:80
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  31713/TCP
Endpoints:                10.42.0.11:443
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     30448
Events:
  Type    Reason                Age   From                Message
  ----    ------                ----  ----                -------
  Normal  EnsuringLoadBalancer  113s  service-controller  Ensuring load balancer
  Normal  AppliedDaemonSet      113s                      Applied LoadBalancer DaemonSet kube-system/svclb-ingress-nginx-dev-c34ab985-controller-8873439e
  Normal  UpdatedLoadBalancer   83s                       Updated LoadBalancer with new IPs: [] -> [100.100.100.100]

Name:              ingress-nginx-dev-c34ab985-controller-admission
Namespace:         apps-dev
Labels:            app.kubernetes.io/component=controller
                   app.kubernetes.io/instance=ingress-nginx-dev-c34ab985
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=ingress-nginx
                   app.kubernetes.io/part-of=ingress-nginx
                   app.kubernetes.io/version=1.9.4
                   helm.sh/chart=ingress-nginx-4.8.3
Annotations:       meta.helm.sh/release-name: ingress-nginx-dev-c34ab985
                   meta.helm.sh/release-namespace: apps-dev
Selector:          app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx-dev-c34ab985,app.kubernetes.io/name=ingress-nginx
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.43.38.162
IPs:               10.43.38.162
Port:              https-webhook  443/TCP
TargetPort:        webhook/TCP
Endpoints:         10.42.0.11:8443
Session Affinity:  None
Events:            <none>

Info

kubectl describe  pods   -n kube-system svclb-ingress-nginx-dev-c34ab985-controller-8873439e-xv9tx

Name:             svclb-ingress-nginx-dev-c34ab985-controller-8873439e-xv9tx
Namespace:        kube-system
Priority:         0
Service Account:  svclb
Node:             ip-10-10-1-110/10.10.1.110
Start Time:       Tue, 09 Jan 2024 11:22:59 -0800
Labels:           app=svclb-ingress-nginx-dev-c34ab985-controller-8873439e
                  controller-revision-hash=78c594c45
                  pod-template-generation=1
                  svccontroller.k3s.cattle.io/svcname=ingress-nginx-dev-c34ab985-controller
                  svccontroller.k3s.cattle.io/svcnamespace=apps-dev
Annotations:      <none>
Status:           Running
IP:               10.42.0.10
IPs:
  IP:           10.42.0.10
Controlled By:  DaemonSet/svclb-ingress-nginx-dev-c34ab985-controller-8873439e
Containers:
  lb-tcp-80:
    Container ID:   containerd://a4aaa9c9e86a1bd738d3fda1615953d95d3c269b3059eab568b2a9a236dca0a3
    Image:          rancher/klipper-lb:v0.4.4
    Image ID:       docker.io/rancher/klipper-lb@sha256:d6780e97ac25454b56f88410b236d52572518040f11d0db5c6baaac0d2fcf860
    Port:           80/TCP
    Host Port:      80/TCP
    State:          Running
      Started:      Tue, 09 Jan 2024 11:23:03 -0800
    Ready:          True
    Restart Count:  0
    Environment:
      SRC_PORT:    80
      SRC_RANGES:  0.0.0.0/0
      DEST_PROTO:  TCP
      DEST_PORT:   30861
      DEST_IPS:     (v1:status.hostIP)
    Mounts:        <none>
  lb-tcp-443:
    Container ID:   containerd://0ff2179299dac6def1471b680ae8c37ed352c94c0c5c5afccf4aee69c1c89f0b
    Image:          rancher/klipper-lb:v0.4.4
    Image ID:       docker.io/rancher/klipper-lb@sha256:d6780e97ac25454b56f88410b236d52572518040f11d0db5c6baaac0d2fcf860
    Port:           443/TCP
    Host Port:      443/TCP
    State:          Running
      Started:      Tue, 09 Jan 2024 11:23:04 -0800
    Ready:          True
    Restart Count:  0
    Environment:
      SRC_PORT:    443
      SRC_RANGES:  0.0.0.0/0
      DEST_PROTO:  TCP
      DEST_PORT:   31713
      DEST_IPS:     (v1:status.hostIP)
    Mounts:        <none>
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 True 
  Ready                       True 
  ContainersReady             True 
  PodScheduled                True 
Volumes:                      <none>
QoS Class:                    BestEffort
Node-Selectors:               <none>
Tolerations:                  CriticalAddonsOnly op=Exists
                              node-role.kubernetes.io/control-plane:NoSchedule op=Exists
                              node-role.kubernetes.io/master:NoSchedule op=Exists
                              node.kubernetes.io/disk-pressure:NoSchedule op=Exists
                              node.kubernetes.io/memory-pressure:NoSchedule op=Exists
                              node.kubernetes.io/not-ready:NoExecute op=Exists
                              node.kubernetes.io/pid-pressure:NoSchedule op=Exists
                              node.kubernetes.io/unreachable:NoExecute op=Exists
                              node.kubernetes.io/unschedulable:NoSchedule op=Exists
Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  8m53s  default-scheduler  Successfully assigned kube-system/svclb-ingress-nginx-dev-c34ab985-controller-8873439e-xv9tx to ip-10-10-1-110
  Normal  Pulling    8m52s  kubelet            Pulling image "rancher/klipper-lb:v0.4.4"
  Normal  Pulled     8m49s  kubelet            Successfully pulled image "rancher/klipper-lb:v0.4.4" in 3.335s (3.335s including waiting)
  Normal  Created    8m49s  kubelet            Created container lb-tcp-80
  Normal  Started    8m49s  kubelet            Started container lb-tcp-80
  Normal  Pulled     8m49s  kubelet            Container image "rancher/klipper-lb:v0.4.4" already present on machine
  Normal  Created    8m48s  kubelet            Created container lb-tcp-443
  Normal  Started    8m48s  kubelet            Started container lb-tcp-443

Info

kubectl get pods    -A -o wide 

NAMESPACE      NAME                                                         READY   STATUS    RESTARTS   AGE   IP           NODE             NOMINATED NODE   READINESS GATES
apps-dev       ingress-nginx-dev-c34ab985-controller-zh48d                  1/1     Running   0          36m   10.42.0.11   ip-10-10-1-110   <none>           <none>
kube-system    coredns-6799fbcd5-6r48p                                      1/1     Running   0          37m   10.42.0.2    ip-10-10-1-110   <none>           <none>
kube-system    metrics-server-67c658944b-mrdwm                              1/1     Running   0          37m   10.42.0.3    ip-10-10-1-110   <none>           <none>
kube-system    svclb-ingress-nginx-dev-c34ab985-controller-8873439e-xv9tx   2/2     Running   0          36m   10.42.0.10   ip-10-10-1-110   <none>           <none>

I also tried default configuration that is traefik with service-lb (klipper-lb).
I'm using AWS EC2, and I can't use MetalLB, because as I know MetalLB is not readily available in it.

[kodermax]

is there any standard setting that would allow you to send a real IP through a traefik proxy?

[lyuma]

Yes, use of "hostNetwork": true is required, but it may have required at least one other setting in addition: using hostNetwork by itself wasn't necessarily sufficient.

See here for an example of hostNetwork #2997 (comment)

And yes, hostNetwork means you lose IP isolation, so you need to assign unique ports from what I remember.

[azazel75]

Hello,
I'm using the standard k3s from NixOS 23.05 and internal flannel, with service-lb and traefik enabled. K3s is version v1.26.6+k3s1 and traefik is at version 2.9.10. The cluster is a 3 nodes cluster with flannel connecting the three nodes on a VLAN interface. After some testing to make it work I just added the following:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    # ensure that the traefik service gets the real client IP in most cases. It
    # only fails when the connection come through the node's InternalIP
    service:
      spec:
        externalTrafficPolicy: Local
    # setup persistence for certs

(Note the different than other user reports specification of externalTrafficPolicy as service.spec.externalTrafficPolicy, this matters)
into a traefik.yaml file and then configured the server node to load it with the following Nix config:

  system.activationScripts.customize_traefik =
    let
      traefikCustomization = ./traefik.yaml;
    in ''
      rm -f /var/lib/rancher/k3s/server/manifests/trafeik-letsencrypt.yaml
      ln -sf ${traefikCustomization} /var/lib/rancher/k3s/server/manifests/traefik.yaml
    '';

after applying and trying with whoami image it works:

Hostname: whoami
IP: 127.0.0.1
IP: ::1
IP: 10.42.2.66
IP: fe80::5cb7:2bff:fe78:ae31
RemoteAddr: 10.42.0.34:55170
GET / HTTP/1.1
Host: whoami.foo.bar
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: it,en;q=0.7,en-US;q=0.3
Dnt: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Te: trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 81.67.154.52
X-Forwarded-Host: whoami.foo.bar
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-786b9dbcb5-7btk6
X-Real-Ip: 81.67.154.52

[svengreb]

Preserving client source IPs in general is not a problem, but making it work with a scaled ingress controllers or cluster with more than one node is hard. Setting externalTrafficPolicy to Local risks potentially imbalanced traffic spreading and, in some cases, will causes requests to get lost (e.g. in multi-node clusters with only one ingress controller on a single node and the request hit another one).
This problem must be solved by components in front of the ingress controller so basically LBs or whatever is sitting in front of a cluster to catch traffic. This component must be smart enough to detect the traffic type, e.g. in case of HTTP the X-Forwarded-For or X-Real-IP headers must be set.

[azazel75]

The problem here was getting the client IP in the context of k3s, your other words are coming directly from the page you're linking and are well known and proven by others that have written about using metallb in front of k3s

[IngwiePhoenix]

I have run into this issue too - although, it's a little weird.

I have the policy set to Local, use ServiceLB and my node has the same IP for internal and external.

When a device other than the node does a request, I can see the correct IP in the Traefik log:

192.168.1.4 - - [10/May/2024:08:18:56 +0000] "HEAD / HTTP/2.0" 200 0 "-" "curl/8.7.1" 354 "proxy-router-proxy-tr-69e06c5f6c42361dc8b1@kubernetescrd" "http://192.168.1.1:80" 13ms

But, when I do the exact same on the node itself:

10.42.0.1 - - [10/May/2024:08:19:32 +0000] "HEAD / HTTP/2.0" 200 0 "-" "curl/7.88.1" 363 "proxy-router-proxy-tr-2ed3520c3d71313735b6@kubernetescrd" "http://192.168.1.1:80" 4ms

This is very confusing... The reported IP is in fact the cni0 IP:

# ifconfig cni0
cni0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255
        inet6 fe80::f8b0:5fff:fecd:fbc6  prefixlen 64  scopeid 0x20<link>
        ether fa:b0:5f:cd:fb:c6  txqueuelen 1000  (Ethernet)
        RX packets 42029  bytes 10794579 (10.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 45455  bytes 14776319 (14.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And, here is the route config:

# ip route ls
default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.3 metric 425
10.42.0.0/24 dev cni0 proto kernel scope link src 10.42.0.1
10.87.116.0/24 dev incusbr0 proto kernel scope link src 10.87.116.1 linkdown
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3 metric 425

When I do curl --head https://router.birb.it, the IP is resolved as 192.168.1.3 - which is also the node's IP:

#  kubectl get node -o wide
NAME         STATUS   ROLES                       AGE   VERSION        INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                            KERNEL-VERSION               CONTAINER-RUNTIME
clusterboi   Ready    control-plane,etcd,master   18d   v1.29.3+k3s1   192.168.1.3   192.168.1.3   Armbian 24.5.0-trunk.468 bookworm   6.8.7-edge-rockchip-rk3588   containerd://1.7.11-k3s2

And, IPv4 forwarding is enabled:

# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
vm.swappiness = 100

Alright... So, as far as I understand, cURL should send the packet as 192.168.1.3 to 192.168.1.3, which in turn gets picked up by ServiceLB/Klipper and Flannel and put through to Traefik.

But why is it still not reporting the right IP? Why can other devices on the network be identified properly, but the node itself can not?

I am trying to set up IP whitelisting for services, and this is definitively breaking my kneecap...

[IngwiePhoenix]

Awesome, using hostNetwork fixed my local network! It still won't recognize my VPN's IP - but that might be a whole different "issue" alltogether since that comes from a TUN device (tailscale0) and thus might in fact end up burried in the node-local traffic policies... Either way, the most important part, my home network, works. THAT was important.

For reference, here is my configuration:

Traefik config

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    logs:
      level: INFO
      access:
        enabled: true
        addInternals: true
        fields:
          general:
            defaultmode: keep
          headers:
            defaultmode: keep

    deployment:
      enabled: true
      replicas: 1
      initContainers:
        - name: volume-permissions
          image: busybox:latest
          command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
          securityContext:
            runAsNonRoot: true
            runAsGroup: 65532
            runAsUser: 65532
          volumeMounts:
            - name: data
              mountPath: /data

    ports:
      web:
        redirectTo:
          port: 443 # FIXME. sometimes redirects to :8443...
        forwardedHeaders:
          trustedIPs: [ "100.64.0.0/24" ]
        proxyProtocol: { trustedIPs: [ "100.64.0.0/24" ] }
      websecure:
        forwardedHeaders:
          trustedIPs: [ "100.64.0.0/24" ]
        proxyProtocol: { trustedIPs: [ "100.64.0.0/24" ] }
        tls:
          certResolver: "letsEncrypt"

    persistence:
      enabled: true
      existingClaim: traefik
      accessMode: ReadWriteOnce
      size: 256Mi
      path: /data

    providers:
      kubernetesCRD:
        enabled: true
        allowExternalNameServices: true
        namespaces: []
    kubernetesIngress:
      enabled: true
      allowExternalNameServices: true
      namespaces: []
      publishedService:
        enabled: true

    rbac:
      enabled: true

    hostNetwork: true
    service:
      enabled: true
      type: LoadBalancer
      spec:
        externalTrafficPolicy: Local

    ingressClass:
      enabled: true
      isDefaultClass: true

    certResolvers:
      letsEncrypt:
        dnsChallenge:
          provider: cloudflare
          delayBeforeCheck: 30
          resolvers:
            - 1.1.1.1
            - 8.8.8.8
            - 9.9.9.9
        storage: /data/acme.json

    updateStrategy:
      type: RollingUpdate
      rollingUpdate:
        maxUnavailable: 1

    env:
      # CF_API_EMAIL, CF_API_KEY || CF_DNS_API_TOKEN[, CF_ZONE_API_TOKEN]
      - name: CF_DNS_API_TOKEN
        value: <snip>

    additionalArguments:
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"

[IngwiePhoenix]

Also, because I ended up with my brain completely noodled from gawking at iptables for too long, I ended up posting here too: flannel-io/flannel#1967

[IngwiePhoenix]

@skea999 Setting the deployment kind is apparently unsupported: https://github.com/traefik/traefik-helm-chart/blob/master/traefik/templates/deployment.yaml#L25

[skea999]

I think that you are right because adding it to my configuration changed nothing, but there is an error, look at here
https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L21
BTW I remember that it has some purposes or can I just delete this line? It is difficult to me to try now...

[IngwiePhoenix]

Honestly, I am not sure. o.o
I just left it in... could be part of an "in-development" thing? idk. Right now it's just a single-node cluster anyway, so it'll be fine. ^^

[davidfrickert]

Solution for me was to ditch servicelb in favor of MetalLB...
Tried hostNetwork solution, does not work for me as the IP detected is actually local machine IP and not client IP (YMMV..).
Don't really want to try the single node solution as I'd rather not lose HA capabilities.

1 - Ditch servicelb
Add disabled.yaml config in all your control plane nodes and restart k3s.
This will efectively disable all external traffic at least until you fully setup metallb so beware. Maybe do this at the end.

# /etc/rancher/k3s/config.yaml.d/disabled.yaml 
disable:
  - servicelb

2 - Install Metallb

kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.14.5/config/manifests/metallb-native.yaml

Or use ArgoCD / FluxCD even better.

3 - Configure Metallb

IP address pool for LBs. Change depending on your local network, mine is 192.168.2.0/24 and i want traefik LB to be in 192.168.2.150.

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: pool
  namespace: metallb-system
spec:
  addresses:
  - 192.168.2.150-192.168.2.160
  autoAssign: true
  avoidBuggyIPs: false

Configure L2Advertisment so that metallb provisions your LBs using pool.

apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: lb
  namespace: metallb-system
spec:
  ipAddressPools:
  - pool

4 - Extra stuff

At this point you should be set up. You might encounter issues though.
If you were using your router to port forward to a node IP, now you have to change that port forward to forward to the virtual IP. In my case I was using keepalived to 192.168.2.150 so no changes needed in port forwarding.

If you were accessing some services via tunnel (e.g. Zerotier One), this will stop working, since metallb does not listen directly on the node like servicelb does.
In order to keep this working, I set up HAproxy on the zerotier node:

frontend metallb-frontend
    bind *:443
    mode tcp
    option tcplog
    default_backend metallb-backend

backend metallb-backend
    mode tcp
    option tcp-check
    balance roundrobin
    default-server inter 10s downinter 5s
    server server-1 192.168.2.150:443 check

[WhiteGreeny]

I followed the method you provided, but unfortunately, I still cannot obtain the client's real IP in the service. From the MetalLB documentation I learned that only setting externalTrafficPolicy to Local allows for the acquisition of the client's true IP, though the trade-off is that it leads to unbalanced traffic.

[ammirator-administrator]

After some time I came back to this issue since I managed to fix that
Setup: nginx-ingress + service load balancer

Just set this on nginx ingress helm chart config

controller:
  service:
    # This should help to preserve the client IP
    externalTrafficPolicy: Local
    internal:
      # This should help to preserve the client IP
      externalTrafficPolicy: Local

Remeber to Uninstall and then install again nginx ingress, a simple helm upgrade wont help