VIP AuthHub Missing Client ip address in VIP authHub Flow
Article ID: 267138


Products

VIP Authentication Hub

Issue/Introduction

The client IP address is lost during the VIP Authentication Hub (VIPAH) flow: the application sees the load balancer's address instead of the end user's.

Environment

Release : 12.8

Resolution

This is something that you'll need to do together with your IT/network team.

The X-Forwarded-For (XFF) header is passed to SSP by ingress-nginx. ingress-nginx can obtain the client address from the load balancer (LB) that sits in front of it either via XFF or via the PROXY protocol.
The commands below configure the LB and ingress-nginx to use the PROXY protocol.

Please use the instructions below when deploying the ingress-nginx ingress controller.

The command enables the "preserve client IP" option on the AWS Network Load Balancer (NLB) and the PROXY protocol on both the LB and the nginx configuration.

If you wish the ingress controller service to use an external Load Balancer (NLB) exposed on the Internet:

helm install ingress-nginx -n ingress ingress-nginx/ingress-nginx \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-scheme"="internet-facing" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-type"="external" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-proxy-protocol"="*" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-nlb-target-type"="instance" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-target-group-attributes"="preserve_client_ip.enabled=true" \
  --set controller.kind=DaemonSet \
  --set-string controller.config.use-proxy-protocol="true" \
  --set-string controller.config.use-forwarded-headers="true" \
  --set imagePullSecrets[0].name=docker-hub-reg-pullsecret \
  --set-string controller.config.annotation-value-word-blocklist="load_module\,lua_package\,_by_lua\,location\,root\,proxy_pass\,serviceaccount\,{\,}\,\'\,\\\\" \
  --version=4.0.16

 

Otherwise, if you wish the ingress controller service to use an internal Load Balancer (NLB) exposed only within your AWS project's VPC (an "internal" AWS LB):

helm install ingress-nginx -n ingress ingress-nginx/ingress-nginx \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="true" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-type"="external" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-proxy-protocol"="*" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-nlb-target-type"="instance" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-target-group-attributes"="preserve_client_ip.enabled=true" \
  --set controller.kind=DaemonSet \
  --set-string controller.config.use-proxy-protocol="true" \
  --set-string controller.config.use-forwarded-headers="true" \
  --set imagePullSecrets[0].name=docker-hub-reg-pullsecret \
  --set-string controller.config.annotation-value-word-blocklist="load_module\,lua_package\,_by_lua\,location\,root\,proxy_pass\,serviceaccount\,{\,}\,\'\,\\\\" \
  --version=4.0.16
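As an added illustration that is not part of the original article, the script below shows the two ways the client address described above can reach ingress-nginx: it parses the PROXY protocol v1 line that the NLB prepends to each connection when proxy protocol is enabled, and, for the header-based alternative that use-forwarded-headers relies on, it recovers the client from X-Forwarded-For only when the TCP peer is a trusted load-balancer address. The connection bytes, the header value and the 10.0.0.0/8 trusted range are constructed for the example.

```python
import ipaddress
import re

# Constructed samples: what ingress-nginx sees on the wire in each setup.
# 1) NLB with proxy protocol: the LB prepends a PROXY line before the HTTP bytes.
PROXY_V1_CONN = b"PROXY TCP4 203.0.113.7 10.0.1.20 51234 443\r\nGET / HTTP/1.1\r\n"
# 2) No proxy protocol: only X-Forwarded-For, set by a hop we control, carries it.
XFF_HEADER = "203.0.113.7, 10.0.1.5"
TRUSTED_PROXIES = ["10.0.0.0/8"]  # constructed: the VPC range the LB nodes live in

_PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")


def parse_proxy_v1(data: bytes):
    """Return (client_ip, remaining_bytes).

    The PROXY line is written by the load balancer itself, so the receiver
    (ingress-nginx with use-proxy-protocol=true) needs no trust in any HTTP header.
    A connection without the line yields (None, data) unchanged.
    """
    m = _PROXY_V1.match(data)
    if not m:
        return None, data
    if m.group(1) == b"UNKNOWN":          # health checks / unknown family: no address
        return None, data[m.end():]
    client = ipaddress.ip_address(m.group(2).decode())
    return str(client), data[m.end():]


def client_ip_from_xff(xff: str, remote_addr: str, trusted_proxies):
    """Recover the client from X-Forwarded-For, as use-forwarded-headers does.

    The header is only believed when the TCP peer is one of our own proxies;
    hops are then walked right to left and the first untrusted one is the client.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    if not trusted(remote_addr):          # direct connection: header cannot be trusted
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            if not trusted(hop):
                return hop
        except ValueError:                # malformed hop: fall back to the peer address
            return remote_addr
    return remote_addr                    # every hop was ours
```

With the proxy-protocol sample the client comes straight from the PROXY line (203.0.113.7), whereas a direct connection from an untrusted peer that carries its own X-Forwarded-For resolves to the peer address, which is why use-forwarded-headers should only be enabled behind an LB you control.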

 

Note: By default, the EKS control plane runs an in-tree AWS cloud controller manager that provisions classic/network load balancers for Services of type LoadBalancer. [1] This in-tree controller is being phased out, and it is recommended to use the aws-load-balancer-controller to provision ALB/NLB resources on EKS. [2] The aws-load-balancer-controller pod is likely already running on your cluster, but for the Service of type LoadBalancer to be provisioned by it, the "service.beta.kubernetes.io/aws-load-balancer-type: external" annotation needs to be set. This annotation tells the in-tree AWS cloud controller manager to skip provisioning of the load balancer and lets the aws-load-balancer-controller provision it.

[1] https://github.com/kubernetes/cloud-provider-aws
[2] https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html

 

Note: for an Azure ingress, you can set the following:

--set-string controller.config.use-forwarded-headers="true"