What happened:
Running an AKS cluster with Windows nodes. I am trying to preserve the incoming client IP address so that Windows pods can whitelist or otherwise utilize the caller's IP. When creating my service using externalTrafficPolicy: Local, the client IP address is the cluster node's internal IP address, NOT the original caller's client IP.
This article was used as a reference on k8s external traffic policies: http://bit.ly/2YVJELy
What you expected to happen:
For the incoming client IP that a pod sees to be the actual caller's IP address, not an SNAT'ed IP address.
How to reproduce it (as minimally and precisely as possible):
1. Create an AKS cluster with Windows nodes
2. Deploy a service that looks something like the yaml below (using externalTrafficPolicy: Local)
3. Deploy a pod that uses the service from step 2; the pod logs/displays the caller's IP address
4. Call into the service from outside the cluster
5. Note whether the IP address logged/displayed in step 3 matches my IP address; it does not
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-svc
  labels:
    environment: dev
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
  - name: https
    protocol: TCP
    port: 443
    targetPort: 44372
  selector:
    environment: dev
```
Anything else we need to know?:
Environment:
Kubernetes version (use kubectl version): 1.14.0
Size of cluster (how many worker nodes are in the cluster?): 2 Windows Standard_F8s_v2 nodes, 1 Linux Standard_D1_v2 node
General description of workloads in the cluster (e.g. HTTP microservices, Java app, Ruby on Rails, machine learning, etc.): A mix of HTTP AspNetCore services and .NET Framework worker services (console apps). 19 pods running on the Windows nodes, none on the Linux node.
Others:
This is a limitation of the basic load balancer. Since it can only support one backend pool, it points to the default pool, which is the Linux-based one. Thus to get to Windows pods, you must transit through the Linux nodes and the source IP is lost.
This will be fixed once we add support for the standard LB: #643.
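A diagnostic service for step 3 of the reproduction, as an added example that is not part of the original issue or of AKS: it reports the TCP peer address the pod sees and refuses to make an allowlist decision when that address falls inside the cluster's node subnet, which is the symptom described above. `NODE_SUBNETS`, `ALLOWED_CALLERS`, the port and the function name are assumptions chosen for illustration.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed, constructed values: replace with the cluster's real node subnet
# and the external ranges that should be allowed.
NODE_SUBNETS = [ipaddress.ip_network("10.240.0.0/16")]
ALLOWED_CALLERS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3


def classify_peer(peer_ip):
    """Return 'snat', 'allowed' or 'denied' for the peer address the pod sees."""
    addr = ipaddress.ip_address(peer_ip)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # A node-internal peer means the source IP was rewritten on the way in,
    # so the original caller is unknown: fail closed, never match the allowlist.
    if any(addr in net for net in NODE_SUBNETS):
        return "snat"
    if any(addr in net for net in ALLOWED_CALLERS):
        return "allowed"
    return "denied"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        peer = self.client_address[0]
        verdict = classify_peer(peer)
        body = f"peer={peer} verdict={verdict}\n".encode()
        self.send_response(200 if verdict == "allowed" else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8080 is an assumption; point the Service's targetPort at it.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

A `verdict=snat` response to a call from outside the cluster confirms that the source IP is being rewritten before it reaches the pod.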