kubernetesingress控制器traefik获取真实客户源IP
一.现象
公司kubenetes生产环境使用的ingress控制器是traefik,默认是通过deployment部署的,现在研发上反馈不能获取客户的真实源IP地址,通过x_forward_for获取的IP地址都是kubernetes集群内部的IP地址。
二.解决思路
通过查找traefik的官方文档
Traefik EntryPoints Documentation - Traefik
traefik传输客户源地址到后端需要配置Forwarded Headers参数,用于x_forwarded_for保存客户源IP地址
具体配置如下
yaml格式,用于启用的时候指定配置文件
-
## Static configuration
-
entryPoints:
-
web:
-
address: ":80"
-
forwardedHeaders:
-
insecure: true
TOML格式,用于traefik启动的时候指定配置文件,这个文件在kubernetes中可以以comfigmap存在
-
-
[]
-
[]
-
address = ":80"
-
-
[]
-
insecure = true
命名行格式
-
--entryPoints.web.address=:80
-
--entryPoints.web.forwardedHeaders.insecure
三.问题处理
1.公司现有环境配置
-
---
-
apiVersion: apps/v1
-
kind: Deployment
-
metadata:
-
annotations:
-
meta.helm.sh/release-name: traefik
-
meta.helm.sh/release-namespace: default
-
labels:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/managed-by: Helm
-
app.kubernetes.io/name: traefik
-
helm.sh/chart: traefik-9.11.0
-
name: traefik
-
namespace: default
-
resourceVersion: '505763774'
-
spec:
-
progressDeadlineSeconds: 600
-
replicas: 6
-
revisionHistoryLimit: 10
-
selector:
-
matchLabels:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/name: traefik
-
strategy:
-
rollingUpdate:
-
maxSurge: 1
-
maxUnavailable: 1
-
type: RollingUpdate
-
template:
-
metadata:
-
creationTimestamp: null
-
labels:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/managed-by: Helm
-
app.kubernetes.io/name: traefik
-
helm.sh/chart: traefik-9.11.0
-
spec:
-
containers:
-
- args:
-
- '--global.checknewversion'
-
- '--global.sendanonymoususage'
-
- '--entryPoints.traefik.address=:9000/tcp'
-
- '--entryPoints.web.address=:8000/tcp'
-
- '--entryPoints.websecure.address=:8443/tcp'
-
- '--api.dashboard=true'
-
- '--ping=true'
-
- '--providers.kubernetescrd'
-
- '--providers.kubernetesingress'
-
image: 'traefik:2.3.3'
-
imagePullPolicy: IfNotPresent
-
livenessProbe:
-
failureThreshold: 3
-
httpGet:
-
path: /ping
-
port: 9000
-
scheme: HTTP
-
initialDelaySeconds: 10
-
periodSeconds: 10
-
successThreshold: 1
-
timeoutSeconds: 2
-
name: traefik
-
ports:
-
- containerPort: 9000
-
name: traefik
-
protocol: TCP
-
- containerPort: 8000
-
name: web
-
protocol: TCP
-
- containerPort: 8443
-
name: websecure
-
protocol: TCP
-
readinessProbe:
-
failureThreshold: 1
-
httpGet:
-
path: /ping
-
port: 9000
-
scheme: HTTP
-
initialDelaySeconds: 10
-
periodSeconds: 10
-
successThreshold: 1
-
timeoutSeconds: 2
-
resources: {}
-
securityContext:
-
capabilities:
-
drop:
-
- ALL
-
readOnlyRootFilesystem: true
-
runAsGroup: 65532
-
runAsNonRoot: true
-
runAsUser: 65532
-
terminationMessagePath: /dev/termination-log
-
terminationMessagePolicy: File
-
volumeMounts:
-
- mountPath: /data
-
name: data
-
- mountPath: /tmp
-
name: tmp
-
dnsPolicy: ClusterFirst
-
restartPolicy: Always
-
schedulerName: default-scheduler
-
securityContext:
-
fsGroup: 65532
-
serviceAccount: traefik
-
serviceAccountName: traefik
-
terminationGracePeriodSeconds: 60
-
volumes:
-
- emptyDir: {}
-
name: data
-
- emptyDir: {}
-
name: tmp
-
status:
-
availableReplicas: 6
-
conditions:
-
- lastTransitionTime: '2022-10-10T07:58:50Z'
-
lastUpdateTime: '2022-10-10T07:58:50Z'
-
message: Deployment has minimum availability.
-
reason: MinimumReplicasAvailable
-
status: 'True'
-
type: Available
-
- lastTransitionTime: '2020-11-25T22:53:59Z'
-
lastUpdateTime: '2022-11-17T10:44:40Z'
-
message: ReplicaSet "traefik-54bf67c74d" has successfully progressed.
-
reason: NewReplicaSetAvailable
-
status: 'True'
-
type: Progressing
-
observedGeneration: 13
-
readyReplicas: 6
-
replicas: 6
-
updatedReplicas: 6
-
-
---
-
apiVersion: v1
-
kind: Service
-
metadata:
-
annotations:
-
meta.helm.sh/release-name: traefik
-
meta.helm.sh/release-namespace: default
-
labels:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/managed-by: Helm
-
app.kubernetes.io/name: traefik
-
helm.sh/chart: traefik-9.11.0
-
name: traefik
-
namespace: default
-
resourceVersion: '505762379'
-
spec:
-
clusterIP: 10.96.252.108
-
externalTrafficPolicy: Cluster
-
ports:
-
- name: web
-
nodePort: 30079
-
port: 80
-
protocol: TCP
-
targetPort: web
-
selector:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/name: traefik
-
sessionAffinity: None
-
type: NodePort
-
status:
-
loadBalancer: {}
-
发现trafik启动的参数里面没有指定配置文件,也没有以comfigmap形式存在,所以只能考虑通过添加启动参数的方式(即命令行方式)解决问题
2.解决问题
在deployment部署中的traefik启动参数中添加 - '--entrypoints.web.forwardedHeaders.insecure'和- '--entrypoints.websecure.forwardedHeaders.insecure'启动参数,其中标红的web和websecure根据--entryPoints.web.address=:8000/tcp和--entryPoints.websecure.address=:8443/tcp要保持一致,有可能不一样。
修改后的derloyment的yaml文件如下:
-
---
-
apiVersion: apps/v1
-
kind: Deployment
-
metadata:
-
annotations:
-
meta.helm.sh/release-name: traefik
-
meta.helm.sh/release-namespace: default
-
labels:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/managed-by: Helm
-
app.kubernetes.io/name: traefik
-
helm.sh/chart: traefik-9.11.0
-
name: traefik
-
namespace: default
-
resourceVersion: '505763774'
-
spec:
-
progressDeadlineSeconds: 600
-
replicas: 6
-
revisionHistoryLimit: 10
-
selector:
-
matchLabels:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/name: traefik
-
strategy:
-
rollingUpdate:
-
maxSurge: 1
-
maxUnavailable: 1
-
type: RollingUpdate
-
template:
-
metadata:
-
creationTimestamp: null
-
labels:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/managed-by: Helm
-
app.kubernetes.io/name: traefik
-
helm.sh/chart: traefik-9.11.0
-
spec:
-
containers:
-
- args:
-
- '--global.checknewversion'
-
- '--global.sendanonymoususage'
-
- '--entryPoints.traefik.address=:9000/tcp'
-
- '--entryPoints.web.address=:8000/tcp'
-
- '--entryPoints.websecure.address=:8443/tcp'
-
- '--api.dashboard=true'
-
- '--ping=true'
-
- '--providers.kubernetescrd'
-
- '--providers.kubernetesingress'
-
- '--entrypoints.web.forwardedHeaders.insecure'
-
- '--entrypoints.websecure.forwardedHeaders.insecure'
-
image: 'traefik:2.3.3'
-
imagePullPolicy: IfNotPresent
-
livenessProbe:
-
failureThreshold: 3
-
httpGet:
-
path: /ping
-
port: 9000
-
scheme: HTTP
-
initialDelaySeconds: 10
-
periodSeconds: 10
-
successThreshold: 1
-
timeoutSeconds: 2
-
name: traefik
-
ports:
-
- containerPort: 9000
-
name: traefik
-
protocol: TCP
-
- containerPort: 8000
-
name: web
-
protocol: TCP
-
- containerPort: 8443
-
name: websecure
-
protocol: TCP
-
readinessProbe:
-
failureThreshold: 1
-
httpGet:
-
path: /ping
-
port: 9000
-
scheme: HTTP
-
initialDelaySeconds: 10
-
periodSeconds: 10
-
successThreshold: 1
-
timeoutSeconds: 2
-
resources: {}
-
securityContext:
-
capabilities:
-
drop:
-
- ALL
-
readOnlyRootFilesystem: true
-
runAsGroup: 65532
-
runAsNonRoot: true
-
runAsUser: 65532
-
terminationMessagePath: /dev/termination-log
-
terminationMessagePolicy: File
-
volumeMounts:
-
- mountPath: /data
-
name: data
-
- mountPath: /tmp
-
name: tmp
-
dnsPolicy: ClusterFirst
-
restartPolicy: Always
-
schedulerName: default-scheduler
-
securityContext:
-
fsGroup: 65532
-
serviceAccount: traefik
-
serviceAccountName: traefik
-
terminationGracePeriodSeconds: 60
-
volumes:
-
- emptyDir: {}
-
name: data
-
- emptyDir: {}
-
name: tmp
-
status:
-
availableReplicas: 6
-
conditions:
-
- lastTransitionTime: '2022-10-10T07:58:50Z'
-
lastUpdateTime: '2022-10-10T07:58:50Z'
-
message: Deployment has minimum availability.
-
reason: MinimumReplicasAvailable
-
status: 'True'
-
type: Available
-
- lastTransitionTime: '2020-11-25T22:53:59Z'
-
lastUpdateTime: '2022-11-17T10:44:40Z'
-
message: ReplicaSet "traefik-54bf67c74d" has successfully progressed.
-
reason: NewReplicaSetAvailable
-
status: 'True'
-
type: Progressing
-
observedGeneration: 13
-
readyReplicas: 6
-
replicas: 6
-
updatedReplicas: 6
-
-
---
-
apiVersion: v1
-
kind: Service
-
metadata:
-
annotations:
-
meta.helm.sh/release-name: traefik
-
meta.helm.sh/release-namespace: default
-
labels:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/managed-by: Helm
-
app.kubernetes.io/name: traefik
-
helm.sh/chart: traefik-9.11.0
-
name: traefik
-
namespace: default
-
resourceVersion: '505762379'
-
spec:
-
clusterIP: 10.96.252.108
-
externalTrafficPolicy: Cluster
-
ports:
-
- name: web
-
nodePort: 30079
-
port: 80
-
protocol: TCP
-
targetPort: web
-
selector:
-
app.kubernetes.io/instance: traefik
-
app.kubernetes.io/name: traefik
-
sessionAffinity: None
-
type: NodePort
-
status:
-
loadBalancer: {}
3.验证测试
通过和研发和业务验证测试,通过x_forwarded_for获取的客户端源Ip地址格式如下
其中第一个公网IP地址是客户的真实IP地址,其他几个是经过的k8s节点和pod的IP地址,至此解决业务上获取真实客户IP地址的需求。
这篇好文章是转载于:学新通技术网
- 版权申明: 本站部分内容来自互联网,仅供学习及演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,请提供相关证据及您的身份证明,我们将在收到邮件后48小时内删除。
- 本站站名: 学新通技术网
- 本文地址: /boutique/detail/tanhghbfbg
-
photoshop保存的图片太大微信发不了怎么办
PHP中文网 06-15 -
《学习通》视频自动暂停处理方法
HelloWorld317 07-05 -
word里面弄一个表格后上面的标题会跑到下面怎么办
PHP中文网 06-20 -
Android 11 保存文件到外部存储,并分享文件
Luke 10-12 -
photoshop扩展功能面板显示灰色怎么办
PHP中文网 06-14 -
微信公众号没有声音提示怎么办
PHP中文网 03-31 -
excel下划线不显示怎么办
PHP中文网 06-23 -
excel打印预览压线压字怎么办
PHP中文网 06-22 -
TikTok加速器哪个好免费的TK加速器推荐
TK小达人 10-01 -
怎样阻止微信小程序自动打开
PHP中文网 06-13