Get client source IPs via MetalLB + istio-ingressgateway
Background

With MetalLB in ARP (L2) mode, users can view the real IP of the operator in Global Management -> Audit Log instead of the IP address after SNAT. The key step is to set the Service's spec.externalTrafficPolicy to Local. In Local mode, kube-proxy only forwards traffic to endpoints on the node that received the packet, so it does not need to SNAT and the original client address is preserved.

This method is also suitable for getting the client source IP in Istio high availability mode.

However, this option has an impact on load balancing; refer to Load Balancing in L2 and BGP Mode for details.

After the commercial version is installed, obtaining the client source IP is enabled by default. To disable this feature before installation, modify the installer's clusterConfig.yaml (i.e. set SourceIP to false).
Steps

Enable getting client source IPs
- Configure MetalLB to declare the above node as the next hop for LB IPs. Binding is achieved by configuring spec.nodeSelectors.

  ```
  [root@demo-dev-master-01 ~]# kubectl get l2advertisements.metallb.io -n metallb-system default-l2advertisement -o yaml
  apiVersion: metallb.io/v1beta1
  kind: L2Advertisement
  metadata:
    annotations:
      helm.sh/hook: post-install
      helm.sh/resource-policy: keep
    creationTimestamp: "2022-11-14T06:04:35Z"
    generation: 2
    labels:
      app.kubernetes.io/instance: metallb
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: metallb
      app.kubernetes.io/version: 0.13.5
      helm.sh/chart: metallb-0.13.5
    name: default-l2advertisement
    namespace: metallb-system
    resourceVersion: "133681854"
    uid: c5301f5b-fb08-40ae-8a22-2b03e129a092
  spec:
    ipAddressPoolSelectors:
    - matchLabels:
        l2.ipaddress-pool.metallb.io: default-pool
    ipAddressPools:
    - default-pool
  ```

- Set the field spec.externalTrafficPolicy to Local in the Service named istio-ingressgateway. This mode preserves the real source IP.

  ```
  [root@demo-dev-master-01 ~]# kubectl get svc -n istio-system istio-ingressgateway -o yaml
  apiVersion: v1
  kind: Service
  metadata:
    annotations:
      meta.helm.sh/release-name: istio-ingressgateway
      meta.helm.sh/release-namespace: istio-system
    creationTimestamp: "2022-11-25T08:27:35Z"
    labels:
      app: istio-ingressgateway
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: istio-ingressgateway
      app.kubernetes.io/version: 1.15.0
      helm.sh/chart: gateway-1.15.0
      istio: ingressgateway
    name: istio-ingressgateway
    namespace: istio-system
    resourceVersion: "198389187"
    uid: 9308a4fa-88b2-48ff-9ccf-a9fa4d6c6bcf
  spec:
    allocateLoadBalancerNodePorts: true
    clusterIP: 10.233.32.214
    clusterIPs:
    - 10.233.32.214
    externalTrafficPolicy: Local
    healthCheckNodePort: 32109
    internalTrafficPolicy: Cluster
    ipFamilies:
    - IPv4
    ipFamilyPolicy: SingleStack
    ports:
    - name: status-port
      nodePort: 32082
      port: 15021
      protocol: TCP
      targetPort: 15021
    - name: http2
      nodePort: 30421
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: https
      nodePort: 30483
      port: 443
      protocol: TCP
      targetPort: 8443
    selector:
      app: istio-ingressgateway
      istio: ingressgateway
    sessionAffinity: None
    type: LoadBalancer
  status:
    loadBalancer:
      ingress:
      - ip: 10.6.229.180
  ```

- On the Global Management -> Audit Log page, click View Details in any event to view the obtained client source IP.
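As an added example (not from the original page and not part of the product's own tooling), the Python script below performs three offline checks on the setup described in the steps above: that the Service is a LoadBalancer with externalTrafficPolicy=Local, that at least one node both matches the L2Advertisement's spec.nodeSelectors and hosts a ready gateway endpoint (the load-balancing caveat from the Background section), and that audit-log entries do not carry a cluster node's IP as the source, which would indicate SNAT is still in effect. All inputs are constructed sample data shaped like the objects `kubectl get ... -o json` returns; the node names, node IPs, the `ingress-node` label, the endpoint list and the key=value audit-log format are assumptions made for this example.

```python
"""Added example, not part of the original page: offline checks for the
MetalLB L2 + istio-ingressgateway source-IP setup. Every input below is
constructed sample data; node names, IPs, labels and the audit-log format
are assumptions for this example."""

# Constructed sample: trimmed `kubectl -n istio-system get svc istio-ingressgateway -o json`
SERVICE = {
    "kind": "Service",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "type": "LoadBalancer",
        "externalTrafficPolicy": "Local",
        "healthCheckNodePort": 32109,
        "selector": {"app": "istio-ingressgateway", "istio": "ingressgateway"},
    },
    "status": {"loadBalancer": {"ingress": [{"ip": "10.6.229.180"}]}},
}

# Constructed sample: an L2Advertisement that pins announcements to labelled
# nodes via spec.nodeSelectors (an L2Advertisement without nodeSelectors,
# like the one on the page, matches every node).
L2ADV = {
    "kind": "L2Advertisement",
    "spec": {
        "ipAddressPools": ["default-pool"],
        "nodeSelectors": [{"matchLabels": {"ingress-node": "true"}}],
    },
}

# Constructed sample: node inventory (assumed names/IPs/labels) and where the
# gateway pods run, as the Service's EndpointSlice would report them.
NODES = {
    "demo-dev-master-01": {"ip": "10.6.229.11", "labels": {"ingress-node": "true"}},
    "demo-dev-worker-01": {"ip": "10.6.229.21", "labels": {}},
}
GATEWAY_ENDPOINTS = [  # (pod, node, ready)
    ("istio-ingressgateway-7c9d", "demo-dev-master-01", True),
]

# Constructed audit-log lines in an assumed key=value export format.
AUDIT_LINES = [
    "2022-11-25T09:01:12Z user=admin action=login source_ip=192.0.2.44",
    "2022-11-25T09:02:03Z user=admin action=delete-namespace source_ip=10.6.229.21",
]


def source_ip_preserved(service):
    """True when the Service is configured as the page requires: a LoadBalancer
    with externalTrafficPolicy=Local. In Local mode kube-proxy forwards only to
    endpoints on the receiving node, so it does not SNAT and the gateway sees
    the client's real address."""
    spec = service.get("spec", {})
    return spec.get("type") == "LoadBalancer" and spec.get("externalTrafficPolicy") == "Local"


def _matches(labels, selector):
    # matchLabels only; an empty selector matches every node
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def announcing_nodes(l2adv, nodes, endpoints):
    """Nodes that satisfy the L2Advertisement nodeSelectors AND host a ready
    gateway endpoint. Under Local policy a node with no local endpoint cannot
    serve the LB IP (kube-proxy has nothing to forward to), so an empty result
    means the address would be announced from no usable node."""
    selectors = l2adv.get("spec", {}).get("nodeSelectors") or [{}]
    nodes_with_endpoints = {node for _, node, ready in endpoints if ready}
    return sorted(
        name for name, node in nodes.items()
        if name in nodes_with_endpoints
        and any(_matches(node["labels"], sel) for sel in selectors)
    )


def snat_suspects(lines, nodes):
    """Audit entries whose source_ip is a cluster node address. With SNAT still
    in effect the operator's IP is replaced by the ingress node's own IP, so
    such rows cannot attribute the action to a real client."""
    node_ips = {node["ip"] for node in nodes.values()}
    suspects = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        if fields.get("source_ip") in node_ips:
            suspects.append(line)
    return suspects


def check_setup(service, l2adv, nodes, endpoints, audit_lines):
    """Bundle the three checks into one report."""
    return {
        "source_ip_preserved": source_ip_preserved(service),
        "announcing_nodes": announcing_nodes(l2adv, nodes, endpoints),
        "snat_suspects": snat_suspects(audit_lines, nodes),
    }


if __name__ == "__main__":
    for key, value in check_setup(SERVICE, L2ADV, NODES, GATEWAY_ENDPOINTS, AUDIT_LINES).items():
        print(f"{key}: {value}")
```

Running the script on the sample data reports that source IP preservation is on, that only demo-dev-master-01 can announce the LB IP (the worker has no gateway endpoint and no matching label), and that the second audit line is suspect because its source address is a node IP. Replacing the constructed dictionaries with the real `-o json` output of the Service, the L2Advertisement and the nodes turns this into a quick post-change check that the audit log is recording client addresses rather than the ingress node's own.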
Disable getting client source IP

Set the field spec.externalTrafficPolicy to Cluster in the Service named istio-ingressgateway.