Preserve Source IP when using NLB and Nginx LoadBalancer Controller

Preserve Source IP when using vLB Layer 4 and Nginx LoadBalancer Controller in Kubernetes is the process of maintaining the client's original IP address when traffic is forwarded through the load balancer and into the Kubernetes cluster. This is important in some cases when you need detailed information about the client's connection, such as the client's original IP address and root port, to be able to make traffic handling or logging decisions. Exactly. Below are our specific instructions to help you implement this usecase.

Prerequisites

  • You have initialized the Cluster on the VKS system according to the instructions here and VNGCloud LoadBalancer Controller has been installed on your cluster with appversion from v0.2.1 or higher. If your appversion is lower than this standard version, you can perform the upgrade according to the following instructions:

    • First, you need to get the release name of vngcloud-controller-manager installed on your cluster:

    $ helm list -A | grep vngcloud-controller-manager

vngcloud-controller-manager-1716448250          kube-system     10              2024-06-10 17:00:17.866548653 +0700 +07 deployed        vngcloud-controller-manager-0.2.3       v0.2.0

    • Then, please upgrade to the latest version via the command:

    helm upgrade vngcloud-controller-manager-1716448250 oci://vcr.vngcloud.vn/81-vks-public/vks-helm-charts/vngcloud-controller-manager \
  --namespace kube-system

  • Next, you need to install nginx-ingress-controller with the command:

helm install nginx-ingress-controller oci://ghcr.io/nginxinc/charts/nginx-ingress --namespace kube-system

ConfigMap for Nginx LoadBalancer Controller

  • Add to Nginx LoadBalancer Controller's ConfigMap the settings to enable proxy protocol via command:

kubectl edit cm -n kube-system nginx-ingress-controller

  • If you arenot using cert-manager, the code you need to add is as follows:

data:
  proxy-protocol: "True"
  real-ip-header: proxy_protocol
  real-ip-recursive: "True"
  set-real-ip-from: 0.0.0.0/0

  • If you are using cert-manager, the code you need to add is as follows:

data:
  proxy-protocol: "True"
  real-ip-header: proxy_protocol
  real-ip-recursive: "True"
  set-real-ip-from: 0.0.0.0/0
  use-proxy-protocol: "True"

Configure vLB Layer 4

  • Next, you need to configure vLB Layer4 to allow the use of proxy protocol for the Load Balancer Nginx service. The input value is a list of service names in Load Balancer using Proxy Protocol.

kubectl annotate service -n kube-system nginx-ingress-controller-controller \
   vks.vngcloud.vn/enable-proxy-protocol="http,https"

  • Finally, please perform NLB testing on vLB Portal until these Load Balancers are ACTIVE with full listener and pool.

Using

  • Suppose, you have a service prometheus-node-exporter with port 9100 in the default namespace, you can apply the following yaml to make it accessible via NLB

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: kkk.example.com
    http:
      paths:
      - backend:
          service:
            name: prometheus-node-exporter
            port:
              number: 9100
        path: /metrics
        pathType: Exact

  • Then I use IP 103.245.252.75 to curl to host kkk.example.com as follows:

  • The recorded log result has this Client IP information as shown:

PreviousAutomatically manage Certificates in VKS with Nginx Ingress Controller, Cert-Manager, and Let's EncrNextIntegrate with Container Storage Interface (CSI)

Last updated