Traefik on k3s does not forward real client IP

Hello,

I have a k3s cluster running with Traefik disabled and I installed it through the Helm chart (currently on chart version 34.4.1). I've been having problems with forwarding the real client IP to the Traefik pod. Right now it's returning the pod IP.

Traefik LoadBalancer description:

$ kubectl describe service traefik -n kube-system
Name:                     traefik
Namespace:                kube-system
Labels:                   app.kubernetes.io/instance=traefik-kube-system
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=traefik
                          argocd.argoproj.io/instance=traefik
                          helm.sh/chart=traefik-34.4.1
Annotations:              <none>
Selector:                 app.kubernetes.io/instance=traefik-kube-system,app.kubernetes.io/name=traefik
Type:                     LoadBalancer
IP Family Policy:         PreferDualStack
IP Families:              IPv4
IP:                       10.43.2.168
IPs:                      10.43.2.168
Port:                     web  80/TCP
TargetPort:               web/TCP
NodePort:                 web  32268/TCP
Endpoints:                10.42.3.92:8000
Port:                     websecure  443/TCP
TargetPort:               websecure/TCP
NodePort:                 websecure  32175/TCP
Endpoints:                10.42.3.92:8443
Session Affinity:         None
External Traffic Policy:  Local
Internal Traffic Policy:  Cluster
HealthCheck NodePort:     31225
Events:                   <none>

$ kubectl get service traefik -n kube-system

NAME      TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
traefik   LoadBalancer   10.43.2.168   <pending>     80:32268/TCP,443:32175/TCP   3d4h

The external IP is pending but it works. I can access my pods but I get the wrong client IPs in the access logs. I've set the networkTrafficPolicy to Local as well but that does not seem to solve it.

Helm values:

      logs:
        general:
          level: DEBUG
        access:
          enabled: true
      providers:
        kubernetesIngress:
          publishedService:
            enabled: true
      priorityClassName: "system-cluster-critical"
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
        - key: "node-role.kubernetes.io/control-plane"
          operator: "Exists"
          effect: "NoSchedule"
        - key: "node-role.kubernetes.io/master"
          operator: "Exists"
          effect: "NoSchedule"
      service:
        ipFamilyPolicy: "PreferDualStack"
      additionalArguments:
        - "--entryPoints.web.proxyProtocol.trustedips=0.0.0.0/0"
        - "--entryPoints.websecure.proxyProtocol.trustedips=0.0.0.0/0"
        - "--serversTransport.insecureSkipVerify=true"

I copied most settings from the k3s-specific implementation and added a few additional arguments as this setup used to work. Not sure why it doesn't work now.

Thank you for any help you can give me.

Solved by enforcing that the Traefik pod runs on the master node.

      nodeSelector:
        node-role.kubernetes.io/master: 'true'
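
An added example (not part of the original posts, and not Traefik or chart code): a small audit of the `additionalArguments` shown in the question. It flags `trustedips` ranges such as `0.0.0.0/0`, which make an entrypoint accept PROXY protocol headers from any IPv4 peer, so the client address in the access log is only as reliable as whoever connects. The `admin` entrypoint, the documentation address and the prefix thresholds are assumptions for illustration.

```python
import ipaddress
import re

# Matches e.g. --entryPoints.web.proxyProtocol.trustedips=0.0.0.0/0
# Case-insensitive because the post spells the option in lowercase.
_TRUSTED = re.compile(
    r"^--entrypoints\.(?P<ep>[^.=]+)\.(?P<opt>proxyprotocol|forwardedheaders)"
    r"\.trustedips=(?P<cidrs>.+)$",
    re.IGNORECASE,
)

# Assumed review thresholds (shortest acceptable prefix per IP version);
# these are illustrative, not Traefik limits.
MIN_PREFIX = {4: 8, 6: 32}


def audit_trusted_ips(args):
    """Return (entrypoint, option, cidr, reason) for each over-broad range."""
    findings = []
    for arg in args:
        m = _TRUSTED.match(arg.strip())
        if not m:
            continue
        ep, opt = m.group("ep"), m.group("opt").lower()
        for cidr in (c.strip() for c in m.group("cidrs").split(",")):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((ep, opt, cidr, "unparseable"))
                continue
            if net.prefixlen == 0:
                findings.append((ep, opt, cidr, "trusts every peer"))
            elif net.prefixlen < MIN_PREFIX[net.version]:
                findings.append((ep, opt, cidr, f"wider than /{MIN_PREFIX[net.version]}"))
    return findings


# First three arguments are from the Helm values in the post; the last is a
# constructed entry (hypothetical "admin" entrypoint, documentation address).
SAMPLE_ARGS = [
    "--entryPoints.web.proxyProtocol.trustedips=0.0.0.0/0",
    "--entryPoints.websecure.proxyProtocol.trustedips=0.0.0.0/0",
    "--serversTransport.insecureSkipVerify=true",
    "--entryPoints.admin.proxyProtocol.trustedIPs=192.0.2.10/32",
]

if __name__ == "__main__":
    for ep, opt, cidr, reason in audit_trusted_ips(SAMPLE_ARGS):
        print(f"{ep}: {opt}.trustedIPs={cidr} ({reason})")
```

Narrowing each flagged range to the address of the load balancer or proxy that actually sends the PROXY header clears the finding.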
