Kubernetes Istio ingress controller does not preserve the client's original IP

We are using Istio 0.7 and the Istio ingress controller to handle requests from the outside world. We expose the ingress controller outside Kubernetes using the `externalIPs` property of a Service of type `ClusterIP`. Istio ingress controller YAML:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: istio-ingress-3
  namespace: istio-system
  labels:
    istio: ingress
spec:
  ports:
  - port: 80
    name: http
  - port: 443
    name: https
  externalIPs:
  - 192.168.X.X
  selector:
    istio: ingress-3
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-ingress-3
  namespace: istio-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        istio: ingress-3
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      nodeSelector:
        kubernetes.io/hostname: node3.example.com
      serviceAccountName: istio-ingress-service-account
      containers:
      - name: istio-ingress
        image: docker.io/istio/proxy:0.7.1
        args:
        - proxy
        - ingress
        - --discoveryAddress
        - istio-pilot:8080 #--controlPlaneAuthPolicy
        - --discoveryRefreshDelay
        - '1s' #discoveryRefreshDelay
        - --drainDuration
        - '45s' #drainDuration
        - --parentShutdownDuration
        - '1m0s' #parentShutdownDuration
        - --connectTimeout
        - '10s' #connectTimeout
        - --serviceCluster
        - istio-ingress
        - --zipkinAddress
        - zipkin:9411
        - --statsdUdpAddress
        - istio-mixer:9125
        - --proxyAdminPort
        - "15000"
        - --controlPlaneAuthPolicy
        - NONE #--controlPlaneAuthPolicy
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
        - containerPort: 443
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        - name: ingress-certs
          mountPath: /etc/istio/ingress-certs
          readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.istio-ingress-service-account
          optional: true
      - name: ingress-certs
        secret:
          secretName: istio-ingress-certs
          optional: true
```
The problem is that whenever we check the ingress controller's logs after sending a request, the IP it reports is the same IP we configured in `externalIPs` (the host IP).
But we need the client's original information, such as the client's original IP.

What you expected to happen:
We want the original client IP, not the IP given in `externalIPs` (i.e. 192.168.X.X).

Additional information

I checked on the internet and found that the `externalTrafficPolicy: Local` flag can preserve the client IP, but that flag is only valid for services of type NodePort.
We don't want to use a NodePort service, because if we use it, it opens up the ingress controller on all private and public interfaces of the host.
Kubernetes version:

```
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.1", GitCommit:"d4ab47518836c750f9949b9e0d387f20fb92260b", GitTreeState:"clean", BuildDate:"2018-04-12T14:26:04Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3+coreos.0", GitCommit:"f1b890dbbf11abe58280b3ffe17d67749f5ae70e", GitTreeState:"clean", BuildDate:"2018-05-21T17:27:17Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
```

OS (e.g. from /etc/os-release):

```
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1745.5.0
VERSION_ID=1745.5.0
BUILD_ID=2018-05-31-0701
PRETTY_NAME="Container Linux by CoreOS 1745.5.0 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"
```

Kernel (e.g. uname -a):

```
Linux node1.example.com 4.14.44-coreos-r1 #1 SMP Thu May 31 06:04:02 UTC 2018 x86_64 Intel(R) Xeon(R) CPU L5640 @ 2.27GHz GenuineIntel GNU/Linux
```
Can anyone help us with this?

Istio seems to be smart enough to include an X-Forwarded-For header in its upstream requests, so I expect the target pod would need to be updated to look at that header instead of $HTTP_REMOTE or whatever mechanism it currently uses to get the IP.
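The header-based approach suggested in the answer, as an added example that is not code from the question, Istio or Kubernetes: a Go helper for the target pod that reads X-Forwarded-For the safe way, walking it from the right and trusting only hops that belong to known proxy networks, so a value the client set itself is never taken as the client address. The trusted CIDRs (the node range holding the externalIP and a pod CIDR) and the addresses in the test are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Assumed trusted hops for this example: the node holding the externalIP
// (192.168.X.X in the question) and the cluster pod network.
var trustedProxyCIDRs = []string{"192.168.0.0/16", "10.0.0.0/8"}

func isTrusted(ip net.IP) bool {
	for _, c := range trustedProxyCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the original client address as recorded by the first
// trusted hop. X-Forwarded-For is walked from the right (our own proxy
// appended last); trusted proxy addresses are skipped and the first other
// address wins. Anything further left was supplied by the client itself.
func ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrusted(peer) {
		return host // direct or untrusted peer: X-Forwarded-For is ignored
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			break // malformed entry: stop rather than trust what follows
		}
		if !isTrusted(ip) {
			return ip.String()
		}
	}
	return host // every hop was a trusted proxy (e.g. a health check)
}
```

The header only helps when the hop that appends it actually saw the client address; with kube-proxy rewriting the source in front of the ingress, as in the question, the ingress itself only sees the node IP and will forward that.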