forked from docs/doc-exports
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com> Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com> Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
<a name="cce_bestpractice_00035"></a><a name="cce_bestpractice_00035"></a>
<h1 class="topictitle1">Obtaining the Client Source IP Address for a Container</h1>
<div id="body8662426"><p id="cce_bestpractice_00035__en-us_topic_0112307025_p16169173419396">In containers, multiple types of proxy servers may exist between a client and the container servers. After an external request has been forwarded several times, the client's source IP address no longer reaches the containers. As a result, Services in the containers cannot obtain the client's real source IP address.</p>
<div class="section" id="cce_bestpractice_00035__en-us_topic_0112307025_section14623143319552"><h4 class="sectiontitle">Description</h4><p id="cce_bestpractice_00035__p1773572516282"><strong id="cce_bestpractice_00035__b10990522751">Layer-7 forwarding:</strong></p>
<p id="cce_bestpractice_00035__p127218392817">Ingresses: If this access mode is used, the client's source IP address is saved in the <strong id="cce_bestpractice_00035__b131051668461">X-Forwarded-For</strong> field of the HTTP header by default. No other configuration is required.</p>
<ul id="cce_bestpractice_00035__ul14638131964712"><li id="cce_bestpractice_00035__li116385193479">LoadBalancer Ingresses use ELB for Layer 7 network access between the Internet and internal network (in the same VPC) based on the ELB service.</li></ul>
<p id="cce_bestpractice_00035__p127358257286"><strong id="cce_bestpractice_00035__b665912598571">Layer-4 forwarding:</strong></p>
<ul id="cce_bestpractice_00035__ul378957151212"><li id="cce_bestpractice_00035__li18219175312486">LoadBalancer: Use ELB to achieve load balancing. You can manually enable the <strong id="cce_bestpractice_00035__b317146172315">Transfer Client IP Address</strong> option for TCP and UDP listeners of shared load balancers. By default, the <strong id="cce_bestpractice_00035__b9724952192219">Transfer Client IP Address</strong> option is enabled for TCP and UDP listeners of dedicated load balancers. You do not need to manually enable it.</li><li id="cce_bestpractice_00035__li137845712121">NodePort: The container port is mapped to the node port. If the cluster-level affinity is selected, access requests will be forwarded through the node and the client source IP address cannot be obtained. If the node-level affinity is selected, access requests will not be forwarded and the client source IP address can be obtained.</li></ul>
</div>
<div class="section" id="cce_bestpractice_00035__section14505340154812"><h4 class="sectiontitle">ELB Ingress</h4><p id="cce_bestpractice_00035__p833641315714">For ELB Ingresses (HTTP or HTTPS), the function of obtaining the client's source IP address is enabled by default. No other operation is required.</p>
<p id="cce_bestpractice_00035__p107351425162815">The real IP address is placed in the <strong id="cce_bestpractice_00035__b129812919298">X-Forwarded-For</strong> HTTP header field by the load balancer in the following format:</p>
<pre class="screen" id="cce_bestpractice_00035__screen154815112816">X-Forwarded-For: <em id="cce_bestpractice_00035__i0263819192912">IP address of the client</em>,<em id="cce_bestpractice_00035__i4263619162919">Proxy server 1-IP address</em>,<em id="cce_bestpractice_00035__i1526310197290">Proxy server 2-IP address</em>,...</pre>
<p id="cce_bestpractice_00035__p1125010419480">If you use this method, the first IP address obtained is the IP address of the client.</p>
</div>
<ol id="cce_bestpractice_00035__ol7236122610"><li id="cce_bestpractice_00035__li14416337124719"><span>Take the Nginx workload as an example. Before configuring the source IP address, obtain the access logs. <strong id="cce_bestpractice_00035__b179721238171817">nginx-c99fd67bb-ghv4q</strong> indicates the pod name.</span><p><pre class="screen" id="cce_bestpractice_00035__screen197029465477">kubectl logs nginx-c99fd67bb-ghv4q</pre>
<p id="cce_bestpractice_00035__p9395727392">Information similar to the following is displayed:</p>
<pre class="screen" id="cce_bestpractice_00035__screen148671840103316">...
10.0.0.7 - - [17/Aug/2023:01:30:11 +0000] "GET / HTTP/1.1" 200 19 "http://114.114.114.114:9421/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203" "<strong id="cce_bestpractice_00035__b787117161375">100.125.**.**</strong>"</pre>
<p id="cce_bestpractice_00035__p14471738114710"><strong id="cce_bestpractice_00035__b810811061511">100.125.**.**</strong> belongs to the CIDR block of the load balancer, indicating that the traffic was forwarded through the load balancer and the logged address is the load balancer's, not the client's.</p>
</p></li><li id="cce_bestpractice_00035__li1389172484312"><span>Go to the ELB console and enable the function of obtaining the client IP address of the listener corresponding to the load balancer. <strong id="cce_bestpractice_00035__b670319210497">Transparent transmission of source IP addresses is enabled for dedicated load balancers by default. You do not need to manually enable this function.</strong></span><p><ol type="a" id="cce_bestpractice_00035__en-us_topic_0261817701_ol167779541767"><li id="cce_bestpractice_00035__en-us_topic_0261817701_li11777154764">Log in to the ELB console.</li><li id="cce_bestpractice_00035__en-us_topic_0261817701_li187771754967">Click <span><img id="cce_bestpractice_00035__en-us_topic_0261817701_image1677716541169" src="en-us_image_0000001898023829.png"></span> in the upper left corner of the management console and select a region and a project.</li><li id="cce_bestpractice_00035__en-us_topic_0261817701_li17777145417611">Click <strong id="cce_bestpractice_00035__b1920642154511">Service List</strong>. Under <strong id="cce_bestpractice_00035__b52066214452">Networking</strong>, click <strong id="cce_bestpractice_00035__b82074216451">Elastic Load Balance</strong>.</li><li id="cce_bestpractice_00035__en-us_topic_0261817701_li877713542067">On the <strong id="cce_bestpractice_00035__b7806736153212">Load Balancers</strong> page, click the name of the load balancer.</li><li id="cce_bestpractice_00035__en-us_topic_0261817701_li17771254563">Click the <strong id="cce_bestpractice_00035__b8234103954117">Listeners</strong> tab, locate the row containing the target listener, and click <span class="uicontrol" id="cce_bestpractice_00035__uicontrol2234103944117"><b>Edit</b></span>. 
If modification protection exists, disable the protection on the basic information page of the listener and try again.</li><li id="cce_bestpractice_00035__en-us_topic_0261817701_li477720541864">Enable <strong id="cce_bestpractice_00035__b198712143011">Transfer Client IP Address</strong>.</li></ol>
</p></li><li id="cce_bestpractice_00035__li162363217610"><span>(Perform this step only for Nginx ingresses.) Edit the nginx-ingress add-on. In the nginx configuration parameters area, add the following fields. For the full list of supported parameters, see the <a href="https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/" target="_blank" rel="noopener noreferrer">community document</a>. After the configuration is complete, update the add-on.</span><p><pre class="screen" id="cce_bestpractice_00035__screen11494749133416">{
<strong id="cce_bestpractice_00035__b1881751143514"> "enable-real-ip": <i><span class="varname" id="cce_bestpractice_00035__varname18529948369">"true"</span></i>,</strong>
<strong id="cce_bestpractice_00035__b589135123513"> "forwarded-for-header": <i><span class="varname" id="cce_bestpractice_00035__varname14300874369">"X-Forwarded-For"</span></i>,</strong>
<strong id="cce_bestpractice_00035__b390145123512"> "proxy-real-ip-cidr": <i><span class="varname" id="cce_bestpractice_00035__varname4518810203616">"100.125.0.0/16"</span></i>,</strong>
 "keep-alive-requests": "100"
}</pre>
<div class="note" id="cce_bestpractice_00035__note183683423415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_00035__p19726103533415">The <strong id="cce_bestpractice_00035__b45416107177">proxy-real-ip-cidr</strong> parameter specifies the CIDR block of the proxy server (here, the load balancer) whose <strong>X-Forwarded-For</strong> entries nginx trusts.</p>
<ul id="cce_bestpractice_00035__ul4726635143410"><li id="cce_bestpractice_00035__li1072653513343">For shared load balancers, add the CIDR block 100.125.0.0/16 (reserved for load balancers only, so trusting it carries no risk) and the high-defense CIDR block.</li></ul>
<ul id="cce_bestpractice_00035__ul172633593420"><li id="cce_bestpractice_00035__li3726203511342">For dedicated load balancers, add the CIDR block of the VPC subnet where the ELB resides.</li></ul>
<p id="cce_bestpractice_00035__p13412284711">For details, see <a href="https://docs.otc.t-systems.com/usermanual/elb/elb_faq_0090.html" target="_blank" rel="noopener noreferrer">How Can I Transfer the IP Address of a Client?</a></p>
</div></div>
</p></li><li id="cce_bestpractice_00035__li8463107174914"><span>Access the workload again and view the new access log.</span><p><pre class="screen" id="cce_bestpractice_00035__screen1384712354495">...
10.0.0.7 - - [17/Aug/2023:02:43:11 +0000] "GET / HTTP/1.1" 304 0 "http://114.114.114.114:9421/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203" <strong id="cce_bestpractice_00035__b1094910314501">"124.**.**.**"</strong></pre>
<p id="cce_bestpractice_00035__p15681064508">The client's source IP address (124.**.**.** in this example) is now obtained.</p>
</p></li></ol>
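<p>The two ways of reading the header described above, the ELB Ingress rule (first <strong>X-Forwarded-For</strong> entry is the client) and the nginx-ingress <strong>proxy-real-ip-cidr</strong> setting (skip entries that belong to a trusted proxy range), as an added Python example. This is not code from the page or from CCE/ELB; the trusted range 100.125.0.0/16 is the one the page names, and the addresses in the demo (124.1.2.3, 100.125.0.5, 203.0.113.9, 198.51.100.7) are constructed. The trusted-walk function goes beyond the page by also handling a malformed header entry and the case where the connection does not come from a trusted proxy at all.</p>

```python
import ipaddress

# Trusted proxy ranges. 100.125.0.0/16 is the shared load balancer range named
# on the page; for a dedicated load balancer substitute its VPC subnet, and add
# the high-defense range if one fronts the load balancer.
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network("100.125.0.0/16")]


def parse_xff(header):
    """Split an X-Forwarded-For value into its addresses, left to right."""
    return [part.strip() for part in header.split(",") if part.strip()]


def _parse_ip(text):
    """Return an ip_address for text, or None if it is not a valid address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def client_ip_first_hop(header):
    """The page's ELB Ingress rule: the first X-Forwarded-For entry is the client.

    Correct when the load balancer is the only hop that writes the header
    and replaces whatever value the client itself sent.
    """
    parts = parse_xff(header)
    return parts[0] if parts else None


def client_ip_trusted_walk(peer_addr, header, trusted=TRUSTED_PROXY_CIDRS):
    """Resolve the client the way nginx's realip module does with
    real_ip_recursive on and proxy-real-ip-cidr set to `trusted`.

    peer_addr is the address of the TCP connection reaching nginx. The chain
    (header entries plus the peer) is walked from the right, i.e. from the
    nearest hop; entries inside a trusted range are skipped and the first one
    that is not is the client. If the peer itself is not a trusted proxy the
    header is ignored, because any client can send an X-Forwarded-For value.
    """
    chain = parse_xff(header) + [peer_addr]  # rightmost entry is the direct peer
    found = peer_addr                         # fallback: the connection's own peer
    for addr in reversed(chain):
        ip = _parse_ip(addr)
        if ip is None:
            break                             # malformed entry: stop, keep last good hop
        if not any(ip in net for net in trusted):
            return addr                       # first untrusted address is the client
        found = addr                          # trusted hop: keep walking left
    return found                              # every entry trusted: leftmost one


if __name__ == "__main__":
    # Constructed values (not from the page): 124.1.2.3 stands in for the client,
    # 100.125.0.5 for the load balancer that appends the client to the header.
    lb = "100.125.0.5"
    print(client_ip_first_hop("124.1.2.3"), client_ip_trusted_walk(lb, "124.1.2.3"))
    # A client-supplied header value that a hop forwarded instead of replacing:
    # the first-hop rule returns it, the trusted walk returns the real client.
    print(client_ip_first_hop("203.0.113.9, 124.1.2.3"),
          client_ip_trusted_walk(lb, "203.0.113.9, 124.1.2.3"))
```

<p>The first-hop rule matches the page's ELB Ingress description; the trusted walk is what the nginx-ingress configuration in step 3 produces, and it is the safer choice whenever a header value can reach nginx without being overwritten by the load balancer. Whichever rule an application uses, the access log should record the address the rule yields, so that an investigation can tell a load balancer hop from the client.</p>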
<div class="section" id="cce_bestpractice_00035__en-us_topic_0112307025_section968953616401"><h4 class="sectiontitle">LoadBalancer</h4><div class="p" id="cce_bestpractice_00035__p17777185411612">For a LoadBalancer Service, different types of clusters obtain source IP addresses in different scenarios. In some scenarios, source IP addresses cannot be obtained currently.<ul id="cce_bestpractice_00035__ul69812610345"><li id="cce_bestpractice_00035__li119822612344">CCE Clusters (using VPC or Tunnel network): Source IP addresses can be obtained when either a shared or dedicated load balancer is used.</li><li id="cce_bestpractice_00035__li62571778387">CCE Turbo Clusters (using the Cloud Native Network 2.0): Source IP addresses can be obtained for dedicated load balancers, and for shared load balancers with hostNetwork enabled.</li></ul>
</div>
<p id="cce_bestpractice_00035__p101483813463"><strong id="cce_bestpractice_00035__b94263121219">VPC and Container Tunnel Network Models</strong></p>
<p id="cce_bestpractice_00035__p420914396245">To obtain source IP addresses, perform the following steps:</p>
<ol id="cce_bestpractice_00035__ol1477712543620"><li id="cce_bestpractice_00035__li12777454962"><span>When creating a LoadBalancer Service on the CCE console, set <strong id="cce_bestpractice_00035__b1745114210315">Service Affinity</strong> to <strong id="cce_bestpractice_00035__b9844491834">Node-level</strong> instead of <strong id="cce_bestpractice_00035__b1631105614320">Cluster-level</strong>.</span><p><p id="cce_bestpractice_00035__p07779548616"></p>
</p></li><li id="cce_bestpractice_00035__li1777795419614"><span>Go to the ELB console and enable the function of obtaining the client IP address of the listener corresponding to the load balancer. <strong id="cce_bestpractice_00035__b517120669">Transparent transmission of source IP addresses is enabled for dedicated load balancers by default. You do not need to manually enable this function.</strong></span><p><ol type="a" id="cce_bestpractice_00035__ol167779541767"><li id="cce_bestpractice_00035__li11777154764">Log in to the ELB console.</li><li id="cce_bestpractice_00035__li187771754967">Click <span><img id="cce_bestpractice_00035__image1677716541169" src="en-us_image_0000001851743660.png"></span> in the upper left corner of the management console and select a region and a project.</li><li id="cce_bestpractice_00035__li17777145417611">Click <strong id="cce_bestpractice_00035__b11958203315514">Service List</strong>. Under <strong id="cce_bestpractice_00035__b1096313310516">Networking</strong>, click <strong id="cce_bestpractice_00035__b1396312337513">Elastic Load Balance</strong>.</li><li id="cce_bestpractice_00035__li877713542067">On the <strong id="cce_bestpractice_00035__b23354676">Load Balancers</strong> page, click the name of the load balancer.</li><li id="cce_bestpractice_00035__li17771254563">Click the <strong id="cce_bestpractice_00035__b33521052018">Listeners</strong> tab, locate the row containing the target listener, and click <strong id="cce_bestpractice_00035__b535215915">Edit</strong>. If modification protection exists, disable the protection on the basic information page of the listener and try again.</li><li id="cce_bestpractice_00035__li477720541864">Enable <strong id="cce_bestpractice_00035__b138718246221">Transfer Client IP Address</strong>.</li></ol>
</p></li></ol>
<p id="cce_bestpractice_00035__p137934255415"><strong id="cce_bestpractice_00035__b394828132711">Cloud Native Network 2.0 Model (CCE Turbo Clusters)</strong></p>
<p id="cce_bestpractice_00035__p04171456145412">In the Cloud Native Network 2.0 model, when a shared load balancer is used for load balancing, the service affinity cannot be set to <strong id="cce_bestpractice_00035__b719220591463">Node-level</strong>. As a result, source IP addresses cannot be obtained. To obtain a source IP address, you must use a <strong id="cce_bestpractice_00035__b1522218319505">dedicated load balancer</strong>. External access to the container does not need to pass through the forwarding plane.</p>
<p id="cce_bestpractice_00035__p117973552062">By default, transparent transmission of source IP addresses is enabled for dedicated load balancers. You do not need to manually enable <strong id="cce_bestpractice_00035__b156061533152211">Transfer Client IP Address</strong> on the ELB console. Instead, you only need to select a dedicated load balancer when creating an ENI LoadBalancer Service on the CCE console.</p>
<p id="cce_bestpractice_00035__p59816519"></p>
</div>
<div class="section" id="cce_bestpractice_00035__section6340152911914"><h4 class="sectiontitle">NodePort</h4><p id="cce_bestpractice_00035__p12338629898">Set the service affinity of a NodePort Service to <strong id="cce_bestpractice_00035__b18193342472">Node-level</strong> instead of <strong id="cce_bestpractice_00035__b13200442778">Cluster-level</strong>. That is, set <strong id="cce_bestpractice_00035__b122003421077">spec.externalTrafficPolicy</strong> of the Service to <strong id="cce_bestpractice_00035__b1920020424712">Local</strong>.</p>
<div class="note" id="cce_bestpractice_00035__note103399291919"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_00035__p18339102916915">When a node (using Cloud Native Network 2.0) accesses a NodePort Service, source IP addresses can be obtained only when hostNetwork is enabled for workloads.</p>
</div></div>
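<p>The affinity setting that both the LoadBalancer and the NodePort sections above rely on (<strong>Node-level</strong> affinity on the CCE console is <strong>spec.externalTrafficPolicy: Local</strong>; <strong>Cluster-level</strong> is <strong>Cluster</strong>, which Kubernetes also uses when the field is omitted), as an added Python example that audits Service manifests for it. This is not code from the page or from CCE; the Service manifests are constructed samples written as Python dicts instead of YAML so the example runs with the standard library alone.</p>

```python
from copy import deepcopy

# Constructed sample manifests (not from the page).
SAMPLE_SERVICES = [
    {"kind": "Service", "metadata": {"name": "web-nodeport"},
     "spec": {"type": "NodePort", "externalTrafficPolicy": "Cluster",
              "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Service", "metadata": {"name": "api-lb"},
     "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local",
              "ports": [{"port": 443, "targetPort": 8443}]}},
    {"kind": "Service", "metadata": {"name": "internal-cache"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 6379}]}},
    {"kind": "Service", "metadata": {"name": "legacy-lb"},
     "spec": {"type": "LoadBalancer",  # policy omitted: Kubernetes defaults to Cluster
              "ports": [{"port": 80, "targetPort": 8080}]}},
]

# Only these Service types carry externalTrafficPolicy.
EXPOSED_TYPES = ("NodePort", "LoadBalancer")


def preserves_client_ip(svc):
    """True if pods behind svc see the client's source address (Node-level
    affinity), False if node-level forwarding under Cluster policy will
    rewrite it, and None for Service types the setting does not apply to."""
    spec = svc.get("spec", {})
    if spec.get("type") not in EXPOSED_TYPES:
        return None
    # A missing externalTrafficPolicy means Cluster.
    return spec.get("externalTrafficPolicy", "Cluster") == "Local"


def audit(services):
    """Names of NodePort/LoadBalancer Services whose pods will not see the client IP."""
    return [svc["metadata"]["name"] for svc in services
            if preserves_client_ip(svc) is False]


def set_node_level_affinity(svc):
    """Return a copy of svc with externalTrafficPolicy: Local.

    Services of other types are copied unchanged, since the field is only
    valid on NodePort and LoadBalancer Services.
    """
    fixed = deepcopy(svc)
    if fixed.get("spec", {}).get("type") in EXPOSED_TYPES:
        fixed["spec"]["externalTrafficPolicy"] = "Local"
    return fixed


if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print(f"{name}: Cluster-level affinity, client IP will not reach the pods")
    repaired = [set_node_level_affinity(s) for s in SAMPLE_SERVICES]
    print("after setting Node-level affinity:", audit(repaired))
```

<p>With <strong>Local</strong>, kube-proxy only delivers traffic to pods on the node that received it, which is why the source address survives; nodes that host no pod of the Service fail the load balancer's health check and stop receiving traffic, so the distribution across pods follows the distribution of pods across nodes. In a CCE Turbo cluster behind a shared load balancer the Node-level option is not available, as the section above states, and the audit result then has to be read together with the choice of a dedicated load balancer.</p>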
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_bestpractice_0052.html">Networking</a></div>
</div>
</div>