container-service-extension
service.spec.externalTrafficPolicy does not get real client IP
Hi everyone,
I'm not sure if this is an issue or just a question; anyway, I'm going to present my case here to see if someone can shed some light on the issue I'm having.
I've been working with Kubernetes for several years already. One of the requirements we need for one part of our application is to be able to get the real client IP.
In older Kubernetes versions we had to use the old annotation way in our service to achieve that:
```yaml
annotations:
  service.beta.kubernetes.io/external-traffic: OnlyLocal
```
With Kubernetes 1.6 it worked fine.
Since we're now using VMware and CSE, we have migrated our clusters to Kubernetes 1.10.11 and Kubernetes 1.15.3.
In newer versions of Kubernetes you can avoid the annotations shown above and start using this new service spec:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
  labels:
    app: nginx
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ports:
  - port: 443
    nodePort: 30443
    protocol: TCP
    name: https
  selector:
    app: nginx
```
On both versions we're now using Weave as the network provider; it's the one included in the CSE template we're using. We've tried Weave version 2.3.0 with Kubernetes 1.10.11 and Weave 2.5.2 with the newer 1.15.3.
In both scenarios we're not able to get the real client IP.
Here is my complete story, which I also asked the Kubernetes team about, since I'm not sure if this is a Kubernetes issue or something related directly to CSE:
https://github.com/kubernetes/kubernetes/issues/83900
- Is anyone else experiencing an issue like that?
- Is anyone able to get the real client IP using a Service NodePort but with a different network provider?
- Could you please confirm that this is not an issue with CSE itself or Weave regarding the service.spec.externalTrafficPolicy?
Thanks.
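One way to tell from the pod's own nginx access log whether the client address reached the pod unchanged, as an added example that is not part of the original post or of CSE: a logged address that falls inside the node or overlay network indicates the source was rewritten before it reached the pod. The CIDR ranges and log lines are assumptions constructed for illustration (10.32.0.0/12 is Weave Net's default allocation range; the node subnet is made up).

```python
import ipaddress
import re

# Assumed ranges, not taken from the thread: replace with the cluster's own.
CLUSTER_RANGES = [
    ipaddress.ip_network("10.32.0.0/12"),     # Weave Net default pod range
    ipaddress.ip_network("192.168.10.0/24"),  # constructed node subnet
]

# $remote_addr is the first field of nginx's default "combined" log format.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "')

def classify(remote_addr):
    """Return 'snat' if the address belongs to the cluster, else 'preserved'."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in CLUSTER_RANGES):
        return "snat"
    return "preserved"

def audit(lines):
    """Count verdicts and collect the cluster-internal addresses seen as clients."""
    counts = {"preserved": 0, "snat": 0, "invalid": 0}
    rewritten = set()
    for line in lines:
        m = LOG_LINE.match(line)
        verdict = classify(m.group(1)) if m else "invalid"
        counts[verdict] += 1
        if verdict == "snat":
            rewritten.add(m.group(1))
    return counts, sorted(rewritten)

# Constructed sample log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '10.32.0.1 - - [10/Oct/2019:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    '192.168.10.12 - - [10/Oct/2019:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    '203.0.113.7 - - [10/Oct/2019:13:56:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    counts, rewritten = audit(SAMPLE_LOG)
    print(counts)
    print("cluster-internal addresses logged as clients:", rewritten)
```

If every request from an outside client is classified as `snat`, any IP-based access control or audit trail built on the pod's logs is working from rewritten addresses.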
Hi mbelchin,
The above issue does not seem relevant to CSE. Kubernetes-Weave version combinations in all our native templates are officially supported, and CSE plays little or no role in the inner workings of the K8 cluster once it is deployed.
Let me know if you have any other questions.
Thanks, Sahithi
@sahithi Is it then possible to create a template that uses Calico as the network provider instead of Weave and still works with CSE? @mbelchin needs this to get going again.
Hi,
Theoretically, it's possible to replace Weave with Calico in CSE templates. However, it's not on our roadmap as of now, and it's not an easy task. The change will probably need a lot of rework of the scripts themselves.
Regards, Aritra Sen