We have the latest traefik [1] deployed with helm into our EKS cluster. We want to set up an IP whitelist on the ingress. So we need the client address to be the external IP.
In an Ingress like Nginx, it works when externalTrafficPolicy is set to Local. I did the same on traefik, but it does not work. The following is the full set of configuration on helm.
[1] - https://github.com/traefik/traefik-helm-chart/releases/tag/v25.0.0
```yaml
logs:
  general:
    format: json
  access:
    enabled: true
    format: json
metrics:
  prometheus:
    service:
      enabled: true
      labels: {}
      annotations: {}
    serviceMonitor:
      jobLabel: traefik
      interval: 30s
      honorLabels: true
      additionalLabels:
        instance: primary
deployment:
  kind: DaemonSet
  podAnnotations:
    reloader.stakater.com/auto: "true"
ports:
  web:
    nodePort: 32080
service:
  spec:
    externalTrafficPolicy: Local
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-subnets: ${lb_subnet_ids}
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
  enabled: true
  single: true
  type: LoadBalancer
providers:
  # Enable cross namespace references
  kubernetesCRD:
    enabled: true
    allowCrossNamespace: true
  # Enable published service
  kubernetesIngress:
    publishedService:
      enabled: true
```
I thought this could be a version issue, so I updated traefik to the latest version. But it is still not working.
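One quick way to tell whether the source IP is actually reaching Traefik is to look at the JSON access logs the values above enable (`logs.access.format: json`) and classify the `ClientHost` / `ClientAddr` of each request: if every client address falls inside the VPC CIDR, the load balancer or kube-proxy has replaced the real client with a node address, and any IP whitelist middleware would be evaluated against node IPs (blocking everyone, or allowing everyone if the VPC range is whitelisted). The script below is an added example, not part of the question or of the Traefik project; the log lines and the `10.0.0.0/16` VPC CIDR are constructed for illustration, and the field names follow Traefik's JSON access-log format (`ClientHost` is the bare IP, `ClientAddr` is `ip:port`).

```python
import ipaddress
import json
from collections import Counter
from typing import Iterable, List, Optional

# Constructed sample lines in Traefik JSON access-log format (not real traffic).
# The first request carries a public client address; the next two show a node
# address from the VPC, which is what you see when source IP is NOT preserved.
SAMPLE_LOG_LINES = [
    '{"ClientAddr":"203.0.113.45:51234","ClientHost":"203.0.113.45",'
    '"RequestHost":"app.example.com","RequestPath":"/login","DownstreamStatus":200}',
    '{"ClientAddr":"10.0.12.7:41022","ClientHost":"10.0.12.7",'
    '"RequestHost":"app.example.com","RequestPath":"/admin","DownstreamStatus":403}',
    '{"ClientAddr":"10.0.34.9:41023",'
    '"RequestHost":"app.example.com","RequestPath":"/admin","DownstreamStatus":403}',
    'not a json line (e.g. a startup message mixed into stdout)',
]

# Assumed VPC CIDR of the EKS cluster; replace with the real one when running this.
ASSUMED_INTERNAL_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]


def client_ip(entry: dict) -> Optional[str]:
    """Extract the client IP from one Traefik JSON access-log record.

    Prefer ClientHost (bare IP) and fall back to parsing ClientAddr ("ip:port",
    or "[v6]:port"), which is the form the question's clientAddr refers to.
    """
    host = entry.get("ClientHost")
    if host:
        return host
    addr = entry.get("ClientAddr")
    if not addr:
        return None
    ip, sep, _port = addr.rpartition(":")
    if not sep:
        return addr or None
    return ip.strip("[]") or None


def classify(ip: str, internal_cidrs: Iterable[ipaddress.IPv4Network]) -> str:
    """'internal' if the IP is loopback or inside the cluster/VPC ranges, else 'external'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or any(addr in net for net in internal_cidrs):
        return "internal"
    return "external"


def assess_source_ip_preservation(lines: List[str], internal_cidrs) -> dict:
    """Count internal vs external client addresses across JSON access-log lines.

    preserved=False means no request showed an address outside the VPC, which is
    the symptom of externalTrafficPolicy/NLB not handing Traefik the real client.
    """
    counts = Counter()
    skipped = 0
    for line in lines:
        try:
            entry = json.loads(line)
            ip = client_ip(entry)
            if ip is None:
                raise ValueError("no client address field")
            counts[classify(ip, internal_cidrs)] += 1
        except (json.JSONDecodeError, ValueError):
            skipped += 1  # non-JSON lines and malformed addresses are ignored
    return {
        "internal": counts["internal"],
        "external": counts["external"],
        "skipped": skipped,
        "preserved": counts["external"] > 0,
    }


if __name__ == "__main__":
    # With real logs: kubectl logs -n <ns> <traefik-pod> | python3 this_script.py
    import sys
    source = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG_LINES
    print(assess_source_ip_preservation(source, ASSUMED_INTERNAL_CIDRS))
```

A run against a Traefik DaemonSet where the NLB is doing client IP preservation should report a growing `external` count; if only `internal` grows while you test from outside the VPC, the whitelist will not see the address you expect, regardless of which middleware you configure.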
As per the documentation, when `externalTrafficPolicy` is set to `Local`, it preserves the client source IP and avoids a second hop for LoadBalancer and NodePort type Services, but risks potentially imbalanced traffic spreading. To show the clientAddr external IP, you can set `externalTrafficPolicy` to `Cluster`; it obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. Here's an example yaml:

With this configuration, Traefik Ingress will show the clientAddr external IP when forwarding traffic to the my-service backend service.