
Kong IP-Restriction Plugin is not working behind AWS Network Load Balancer

Open · MaharaJothi opened this issue 3 years ago · 1 comment

Kong Version: 2.6.3

EKS Version: 1.23

Load Balancer Type: Network Load Balancer (L4)

Current Issue:

I have deployed Kong Helm Chart in EKS cluster on AWS. I have my application deployed as well in the same cluster which is serviced using Kong Gateway.

My requirement is that only certain IP ranges should be able to access the application.
I enabled ip-restriction plugin globally using KongClusterPlugin.
To test, I added only my IP address, but when I try to access the application I see: [image]

1. I added the IP of the aws-node pods from the cluster to the plugin list, and I can access the application. But it also allows everyone to access it, that is, it applies no restriction at all.

2. I followed this document as suggested in other issues reported similar to mine: https://docs.konghq.com/kubernetes-ingress-controller/1.3.x/guides/preserve-client-ip/ Note: I cannot set service.spec.externalTrafficPolicy to Local as I am not creating a service of type LoadBalancer.

I tried the Proxy Protocol method since I am using an L4 load balancer. I added the below environment variables in Kong:

  KONG_TRUSTED_IPS: ${VPC_CIDR}
  KONG_REAL_IP_HEADER: "proxy_protocol"
  KONG_REAL_IP_RECURSIVE: "on"
  KONG_PROXY_LISTEN: "0.0.0.0:8000 proxy_protocol, 0.0.0.0:8443 ssl proxy_protocol"

After adding this configuration, when I hit the application, I still see "Your IP address is not allowed". When I checked the load balancer target groups, proxy protocol v2 was not enabled. I added the annotation service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*", but even then it didn't get enabled when the load balancer was created.

3. In addition to method 2, I enabled proxy protocol v2 manually for the target groups and disabled 'preserve client IP address'. Now when I hit the application, I get "400 Bad Request" for HTTP and "Error: SSL connect error" for HTTPS.

Expected Behavior

If my IP is listed in the ip-restriction plugin, then I should be able to access the application.

MaharaJothi avatar Dec 20 '22 12:12 MaharaJothi

Hi. This sounds like a misconfiguration of the EKS cluster. Please refer to: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#:~:text=group%2Dattributes%20command.-,Proxy%20protocol,-Network%20Load%20Balancers

You could diagnose this issue by logging the IP and XFF headers, and those things may be the reason:

  1. VPC_CIDR may be incorrect;
  2. XFF headers are not passed in;
  3. Kong is seeing the real client IP but it's different from what you expect

If that does not work for you, consider applying an ACL policy to the AWS EKS cluster: https://aws.amazon.com/cn/premiumsupport/knowledge-center/eks-lock-api-access-IP-addresses/

StarlightIbuki avatar Feb 20 '23 09:02 StarlightIbuki
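To make the three attempts in the issue and the three diagnostic points in the reply concrete, here is an added Python model (written for this page, not Kong's or nginx's code) of how the client address Kong hands to ip-restriction is derived from trusted_ips, real_ip_header and real_ip_recursive. All addresses are constructed, and a PROXY protocol v1 text header stands in for the binary v2 header the NLB sends, since the trust logic is the same.

```python
import ipaddress

def _trusted(addr, nets):
    """True if addr falls inside any trusted network (Kong's trusted_ips)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def proxy_v1_source(line):
    """Source address carried by a PROXY protocol v1 header line.
    (Illustrative only: the NLB sends binary v2, but the trust rule is identical.)"""
    parts = line.strip().split()
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    return parts[2]

def resolve_client_ip(remote_addr, trusted_cidrs, real_ip_header,
                      recursive=True, xff=None, proxy_line=None):
    """Model of the nginx realip rule Kong relies on: the peer address is only
    replaced by header data when the peer itself is inside trusted_ips."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    if not _trusted(remote_addr, nets):
        return remote_addr                      # untrusted hop: header is ignored
    if real_ip_header == "proxy_protocol":
        return proxy_v1_source(proxy_line) if proxy_line else remote_addr
    if not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",")]
    if not recursive:
        return hops[-1]                         # only the nearest hop is skipped
    for hop in reversed(hops):                  # walk right-to-left past trusted hops
        if not _trusted(hop, nets):
            return hop
    return hops[0]

def ip_restriction_allows(client_ip, allow):
    """ip-restriction 'allow' check: any listed IP or CIDR matches."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allow)

if __name__ == "__main__":
    # Constructed: 10.0.1.5 is a node/NLB private IP in a 10.0.0.0/16 VPC,
    # 198.51.100.7 is the real client behind the NLB.
    proxy = "PROXY TCP4 198.51.100.7 10.0.1.5 51234 8000\r\n"
    # Attempt 1: no proxy protocol, so every request arrives from the node IP.
    seen = resolve_client_ip("10.0.1.5", ["10.0.0.0/16"], "X-Forwarded-For")
    print(seen, ip_restriction_allows(seen, ["10.0.1.5"]))      # 10.0.1.5 True (for everyone)
    # Proxy protocol enabled and VPC CIDR trusted: the real client is recovered.
    seen = resolve_client_ip("10.0.1.5", ["10.0.0.0/16"], "proxy_protocol", proxy_line=proxy)
    print(seen, ip_restriction_allows(seen, ["198.51.100.7"]))  # 198.51.100.7 True
    # Wrong VPC_CIDR (reply point 1): the NLB hop is untrusted, header ignored.
    seen = resolve_client_ip("10.0.1.5", ["10.1.0.0/16"], "proxy_protocol", proxy_line=proxy)
    print(seen, ip_restriction_allows(seen, ["198.51.100.7"]))  # 10.0.1.5 False
```

Logging the resolved address next to the raw peer address and headers, as the reply suggests, is enough to tell which of the three branches a real deployment is taking.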

Dear contributor, We're closing this issue as there hasn't been any update to it for a long time. If the issue is still relevant in the latest version, please feel free to reopen it. We're more than happy to revisit it again. Your contribution is greatly appreciated! Please have a look at our pledge to the community for more information. Sincerely, Kong Gateway Team

StarlightIbuki avatar Oct 18 '23 08:10 StarlightIbuki