Client IP on Kubernetes with LoadBalancer

Hi there,

I'm currently setting up a k8s cluster with Traefik and the Traefik kubernetes-crd provider for ingress.
I've got everything up and running, and it works perfectly and fast.
The only issue I cannot seem to tackle, or find any solution for on the internet, is how to pass through the client IP to the service.
I'm getting the pod IP or 127.0.0.1.
Even in the X-Forwarded-For header I'm getting the external server IP.

I've spent days on this and so far no luck whatsoever xD
I need the client IP if I want to add a useful IP whitelist for my customers.

Any help or thoughts are very much appreciated. :slight_smile:

Thanks, Lars

This is my setup:

Linux Debian 10
K8s 1.18
Traefik 2.1
Using the custom CRD setup of Traefik
Calico pod network CIDR: 10.244.0.0/16

Container setup in deployment:

containers:
        - name: traefik
          image: traefik:v2.1
          args:
            - --log.level=DEBUG
            - --api
            # api.insecure serves the dashboard/API on :8080 with no authentication
            - --api.insecure
            - --entrypoints.web.address=:80
            # forwardedHeaders.insecure=true makes Traefik trust X-Forwarded-* from ANY peer,
            # so a client can set its own X-Forwarded-For and pick the IP a whitelist sees.
            # The trusted alternative is forwardedHeaders.trustedIPs=<CIDRs of the real proxies>.
            - --entrypoints.web.forwardedHeaders.insecure=true
            # proxyProtocol.insecure=true accepts a PROXY protocol header from any peer;
            # it only helps if the upstream load balancer actually sends PROXY protocol.
            - --entrypoints.web.proxyProtocol.insecure=true
            - --entrypoints.websecure.address=:443
            - --entrypoints.websecure.forwardedHeaders.insecure=true
            - --entrypoints.websecure.proxyProtocol.insecure=true
            - --providers.kubernetescrd
            - --certificatesresolvers.le.acme.httpchallenge
            - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
            - --certificatesresolvers.le.acme.email=<omitted>
            - --certificatesresolvers.le.acme.storage=/etc/traefik/live/acme.json
          volumeMounts:
            - mountPath: /etc/traefik/live
              name: traefik-cache
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
            - name: admin
              containerPort: 8080

Service:

---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  externalIPs:
    - {{ ipv4.address }}
  selector:
    app: traefik
  # Local keeps the client source IP for NodePort/LoadBalancer traffic (no SNAT by
  # kube-proxy) but only delivers to Traefik pods on the node that received the packet.
  externalTrafficPolicy: Local
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 443
      name: websecure
      targetPort: 443
    # Publishes the unauthenticated api.insecure dashboard on the external address.
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080

Whoami dummy deployment:

---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami
  labels:
    app: whoami

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: containous/whoami
          ports:
            - name: web
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`host`)
      kind: Rule
      middlewares:
        - name: redirect-to-https
          namespace: default
      services:
        - name: whoami
          port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`host`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: le
    options:
      name: versiontls12
      namespace: default

Result:

Hostname: whoami-678c86b5c7-2ztjh
IP: 127.0.0.1
IP: 10.244.3.170 <-- pod ip
RemoteAddr: 10.244.3.177:33388
Host: host
Cache-Control: max-age=0
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: {{ external server ip }}
X-Forwarded-Host: host
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-57f986cd46-bc46g
X-Real-Ip: {{ external server ip }}
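The output above shows the backend's TCP peer is the Traefik pod (10.244.3.177) and X-Forwarded-For already holds the server's own address, i.e. the source address was rewritten before Traefik saw the connection. Separately, `forwardedHeaders.insecure=true` means Traefik trusts X-Forwarded-For from any peer, which is exactly what an IP whitelist must not do. The following is an added example, not Traefik's own code or anything from the original post: it models the two header policies side by side, the "trust whatever the header says" mode and a trusted-proxy mode that only honours the header when the peer is a known proxy and then walks the chain from the right. The proxy CIDRs (10.244.0.0/16 from the post, plus a constructed load-balancer address 203.0.113.10), the client addresses and the header values are constructed sample data; `client_ip_insecure`, `client_ip_trusted`, `is_whitelisted` and `TRUSTED_PROXIES` are names chosen here.

```python
"""Client-IP resolution from X-Forwarded-For with and without a trusted-proxy list.

Added example (not Traefik's implementation). Two policies are modelled:
  insecure: the leftmost X-Forwarded-For entry wins, whoever sent it
            (what forwardedHeaders.insecure=true amounts to for a whitelist)
  trusted:  the header is honoured only when the TCP peer is a trusted proxy;
            the chain is then read from the right, skipping trusted hops,
            and the first untrusted address is the client
"""
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed for this example: the Calico pod CIDR from the post (Traefik's pod
# address is the backend's peer) plus a hypothetical load balancer in front of it.
TRUSTED_PROXIES = ["10.244.0.0/16", "203.0.113.10/32"]


def strip_port(addr: str) -> str:
    """'10.244.3.177:33388' -> '10.244.3.177', '[2001:db8::1]:443' -> '2001:db8::1'."""
    addr = addr.strip()
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:  # IPv4 with a port; bare IPv6 has more than one colon
        return addr.rsplit(":", 1)[0]
    return addr


def _parse(text: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip: IPAddress, nets: List[ipaddress._BaseNetwork]) -> bool:
    return any(ip in net for net in nets)


def client_ip_insecure(remote_addr: str, xff: Optional[str]) -> str:
    """Insecure policy: believe the leftmost X-Forwarded-For entry if there is one."""
    if xff:
        first = _parse(xff.split(",")[0])
        if first is not None:
            return str(first)
    return strip_port(remote_addr)


def client_ip_trusted(remote_addr: str, xff: Optional[str],
                      trusted_cidrs: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Trusted-proxy policy: rightmost untrusted hop, header ignored from unknown peers."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    peer = _parse(strip_port(remote_addr))
    if peer is None or not _is_trusted(peer, nets):
        # Direct connection from something that is not our proxy: the header is
        # attacker-controlled, so the only address we can vouch for is the peer.
        return strip_port(remote_addr)
    hops = [h for h in (_parse(x) for x in (xff or "").split(",")) if h is not None]
    for hop in reversed(hops):  # proxies append, so the client is the last untrusted hop
        if not _is_trusted(hop, nets):
            return str(hop)
    return str(peer)  # every hop was one of our proxies; no client address survived


def is_whitelisted(ip: str, allow_cidrs: Iterable[str]) -> bool:
    """The customer whitelist check, applied to whichever client IP the policy yields."""
    addr = _parse(ip)
    if addr is None:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allow_cidrs)


if __name__ == "__main__":
    whitelist = ["10.0.0.0/8"]  # constructed: the customer's allowed range
    # Honest client 198.51.100.7 -> LB 203.0.113.10 -> Traefik pod -> backend.
    honest = ("10.244.3.177:33388", "198.51.100.7, 203.0.113.10")
    # Attacker 192.0.2.99 sends 'X-Forwarded-For: 10.0.0.5' to spoof a whitelisted IP.
    spoof = ("10.244.3.177:33388", "10.0.0.5, 192.0.2.99, 203.0.113.10")
    for label, (peer, xff) in (("honest", honest), ("spoof", spoof)):
        ins, tru = client_ip_insecure(peer, xff), client_ip_trusted(peer, xff)
        print(f"{label:6} insecure={ins} allowed={is_whitelisted(ins, whitelist)} "
              f"trusted={tru} allowed={is_whitelisted(tru, whitelist)}")
```

In the spoof case the insecure policy hands the whitelist `10.0.0.5` and lets the attacker through, while the trusted policy returns `192.0.2.99`. Note what neither policy can fix: when the source address is rewritten (SNAT) before Traefik's entrypoint, as the RemoteAddr and X-Forwarded-For values in the output above indicate, the real client address never reaches the proxy, so no header setting can recover it; it has to be preserved on the network path first.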