Kubernetes上的Traefik在传入连接上出现错误的客户端IP

Question

我正在Kubernetes上运行Traefik，我已经创建了一个具有以下配置的入侵：

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: whitelist-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefix
    traefik.ingress.kubernetes.io/whitelist-source-range: "10.10.10.10/32, 10.10.2.10/23"
    ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
    traefik.ingress.kubernetes.io/preserve-host: "true"
spec:
  rules:
  - host:
    http:
      paths:
      - path: /endpoint
        backend:
          serviceName: endpoint-service
          servicePort: endpoint-port
---

当我在上面的端点上发帖时，Traefik记录输入的IP是172.16.0.1，所以我的白名单不会被触发。执行ifconfig时，我看到IP属于Docker

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.26.0.1  netmask 255.255.0.0  broadcast 172.26.255.255

我如何保留原来的IP而不是码头的IP？

编辑

Traefik公开为LoadBalancer，端口在SSL上为443。

这是它的yml配置。

---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  annotations: {}
    # service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
  - protocol: TCP
    port: 443
    targetPort: 443
    name: https
  type: LoadBalancer
  externalTrafficPolicy: Local
  externalIPs:
  - <machine-ip>
---

kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: default
  labels:
    k8s-app: traefik-ingress
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      hostNetwork: true
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 35
      volumes:
        - name: proxy-certs
          secret:
            secretName: proxy-certs
        - name: traefik-configmap
          configMap:
            name: traefik-configmap
      containers:
      - image: traefik:1.7.6
        name: traefik-ingress
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 200m
            memory: 900Mi
          requests:
            cpu: 25m
            memory: 512Mi
        livenessProbe:
          failureThreshold: 2
          httpGet:
            path: /ping
            port: 80
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 5
        readinessProbe:
          failureThreshold: 2
          httpGet:
            path: /ping
            port: 80
            scheme: HTTP
          periodSeconds: 5
        volumeMounts:
          - mountPath: "/ssl"
            name: "proxy-certs"
          - mountPath: "/config"
            name: "traefik-configmap"
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: dashboard
          containerPort: 8080
        args:
        - --logLevel=DEBUG
        - --configfile=/config/traefik.toml
---

如您所见，这是kubectl get svc的输出。

traefik                       LoadBalancer   10.100.116.42    <machine-ip>     80:30222/TCP,443:31578/TCP   <days-up>

注意，Traefik运行在单个节点kubernetes集群中(主/工在同一节点上)。

Answer 1

在LoadBalancer服务类型doc aws上的ssl支持中，您可以读取以下语句：

HTTP和HTTPS将选择第7层代理:当转发请求时，ELB将终止与用户的连接，解析标头并将X转发的头注入到用户的IP地址(pods只会在其连接的另一端看到ELB的IP地址)。

因此，如果向traeffik服务添加以下注释：

service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https

它应该与您的入口配置中的ingress.kubernetes.io/whitelist-x-forwarded-for: "true"注释一起工作，转发的头由aws负载均衡器添加。

免责声明:我还没有测试过这个解决方案。

致以问候。