|
1 | 1 |
|
2 | 2 | # FAQ |
3 | 3 |
|
4 | | -## How can I easily install multiple instances of the ingress-nginx controller in the same cluster? |
| 4 | +## Multiple controller in one cluster |
| 5 | + |
| 6 | +Question - How can I easily install multiple instances of the ingress-nginx controller in the same cluster? |
5 | 7 |
|
6 | 8 | You can install them in different namespaces. |
7 | 9 |
|
@@ -61,7 +63,80 @@ helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ |
61 | 63 |
|
62 | 64 | ## Retaining Client IPAddress |
63 | 65 |
|
64 | | -Please read [Retain Client IPAddress Guide here](./user-guide/retaining-client-ipaddress.md). |
| 66 | +Question - How to obtain the real-client-ipaddress ? |
| 67 | + |
| 68 | +The goto solution for retaining the real-client IPaddress is to enable PROXY protocol. |
| 69 | + |
| 70 | +Enabling PROXY protocol has to be done on both, the Ingress NGINX controller, as well as the L4 load balancer, in front of the controller. |
| 71 | + |
| 72 | +The real-client IP address is lost by default, when traffic is forwarded over the network. But enabling PROXY protocol ensures that the connection details are retained and hence the real-client IP address doesn't get lost. |
| 73 | + |
| 74 | +Enabling proxy-protocol on the controller is documented [here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol) . |
| 75 | + |
| 76 | +For enabling proxy-protocol on the LoadBalancer, please refer to the documentation of your infrastructure provider because that is where the LB is provisioned. |
| 77 | + |
| 78 | +Some more info available [here](https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#source-ip-address) |
| 79 | + |
| 80 | +Some more info on proxy-protocol is [here](https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#proxy-protocol) |
| 81 | + |
| 82 | +### client-ipaddress on single-node cluster |
| 83 | + |
| 84 | +Single node clusters are created for dev & test uses with tools like "kind" or "minikube". A trick to simulate a real use network with these clusters (kind or minikube) is to install Metallb and configure the ipaddress of the kind container or the minikube vm/container, as the starting and ending of the pool for Metallb in L2 mode. Then the host ip becomes a real client ipaddress, for curl requests sent from the host. |
| 85 | + |
| 86 | +After installing ingress-nginx controller on a kind or a minikube cluster with helm, you can configure it for real-client-ip with a simple change to the service that ingress-nginx controller creates. The service object of --type LoadBalancer has a field service.spec.externalTrafficPolicy. If you set the value of this field to "Local" then the real-ipaddress of a client is visible to the controller. |
| 87 | + |
| 88 | +``` |
| 89 | +% kubectl explain service.spec.externalTrafficPolicy |
| 90 | +KIND: Service |
| 91 | +VERSION: v1 |
| 92 | +
|
| 93 | +FIELD: externalTrafficPolicy <string> |
| 94 | +
|
| 95 | +DESCRIPTION: |
| 96 | + externalTrafficPolicy describes how nodes distribute service traffic they |
| 97 | + receive on one of the Service's "externally-facing" addresses (NodePorts, |
| 98 | + ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will |
| 99 | + configure the service in a way that assumes that external load balancers |
| 100 | + will take care of balancing the service traffic between nodes, and so each |
| 101 | + node will deliver traffic only to the node-local endpoints of the service, |
| 102 | + without masquerading the client source IP. (Traffic mistakenly sent to a |
| 103 | + node with no endpoints will be dropped.) The default value, "Cluster", uses |
| 104 | + the standard behavior of routing to all endpoints evenly (possibly modified |
| 105 | + by topology and other features). Note that traffic sent to an External IP or |
| 106 | + LoadBalancer IP from within the cluster will always get "Cluster" semantics, |
| 107 | + but clients sending to a NodePort from within the cluster may need to take |
| 108 | + traffic policy into account when picking a node. |
| 109 | + |
| 110 | + Possible enum values: |
| 111 | + - `"Cluster"` routes traffic to all endpoints. |
| 112 | + - `"Local"` preserves the source IP of the traffic by routing only to |
| 113 | + endpoints on the same node as the traffic was received on (dropping the |
| 114 | + traffic if there are no local endpoints). |
| 115 | +``` |
| 116 | + |
| 117 | +### client-ipaddress L7 |
| 118 | + |
| 119 | +The solution is to get the real client IPaddress from the ["X-Forward-For" HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) |
| 120 | + |
| 121 | +Example : If your application pod behind Ingress NGINX controller, uses the NGINX webserver and the reverseproxy inside it, then you can do the following to preserve the remote client IP. |
| 122 | + |
| 123 | +- First you need to make sure that the X-Forwarded-For header reaches the backend pod. This is done by using a Ingress NGINX conftroller ConfigMap key. Its documented [here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers) |
| 124 | + |
| 125 | +- Next, edit `nginx.conf` file inside your app pod, to contain the directives shown below: |
| 126 | + |
| 127 | +``` |
| 128 | +set_real_ip_from 0.0.0.0/0; # Trust all IPs (use your VPC CIDR block in production) |
| 129 | +real_ip_header X-Forwarded-For; |
| 130 | +real_ip_recursive on; |
| 131 | +
|
| 132 | +log_format main '$remote_addr - $remote_user [$time_local] "$request" ' |
| 133 | + '$status $body_bytes_sent "$http_referer" ' |
| 134 | + '"$http_user_agent" ' |
| 135 | + 'host=$host x-forwarded-for=$http_x_forwarded_for'; |
| 136 | +
|
| 137 | +access_log /var/log/nginx/access.log main; |
| 138 | +
|
| 139 | +``` |
65 | 140 |
|
66 | 141 | ## Kubernetes v1.22 Migration |
67 | 142 |
|
|
0 commit comments