问题描述
我设置了一个具有一个主节点和一个工作节点的Kubernetes集群。
通过从主机到类型为MetalBb的LoadBalancer类型的ingress-nginx服务进行NAT,将流量路由到群集中:
#!/bin/bash
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination "$1":80
iptables -A FORWARD -p tcp -d "$1" --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$1是ingress-nginx的外部IP。
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
- name: https
port: 443
targetPort: 443
protocol: TCP
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
这时,如果我查看ingress-nginx pod的日志,就可以看到真实的源IP地址。
问题是,当我检查下游应用程序的日志(从入口获取流量)时,源IP是入口Pod的IP。
kind: Ingress
metadata:
namespace: laurkyt
name: laurkyt-ingress
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/session-cookie-hash: sha1
nginx.ingress.kubernetes.io/session-cookie-name: REALTIMESERVERID
nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/send-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-body-size: 50m
ingress.kubernetes.io/proxy-body-size: 50m
spec:
tls:
- hosts:
- example.com
- '*.example.com'
secretName: wildcard-example-com
rules:
- host: example.com
http:
paths:
- backend:
serviceName: laurkyt
servicePort: 443
apiVersion: v1
kind: Service
metadata:
namespace: laurkyt
name: laurkyt
labels:
app: laurkyt
spec:
externalTrafficPolicy: Local
ports:
- port: 80
targetPort: 80
name: "http"
- port: 443
targetPort: 443
name: "https"
selector:
app: laurkyt
tier: laurkyt
有没有人知道我想在后端Pod上保留源IP吗?
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)