How to include the X-Forwarded-For header in HTTP packet for applications in Tanzu Kubernetes Grid Integrated Edition (TKGI) with NSX-T

Article ID: 298649

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

This article describes how to include the X-Forwarded-For header in HTTP requests for applications running in Tanzu Kubernetes Grid Integrated Edition (TKGI) with NSX-T.

Environment

Product Version: 1.8+

Recently tested on 1.19+

Resolution

Follow these steps to include the X-Forwarded-* headers in the HTTP packet for applications running in TKGI with NSX-T.

1. Create a network profile:

$ cat xff.json
{
  "name": "xff-network-profile",
  "description": "x_forwarded_for insert",
  "parameters": {
    "cni_configurations": {
      "type": "nsxt",
      "parameters": {
        "x_forwarded_for": "insert"
      }
    }
  }
}
$ tkgi create-network-profile xff.json


2. Create a new TKGI cluster using the network profile:

$ tkgi create-cluster testcluster -e testcluster.domain.com -p small --network-profile xff-network-profile -n 1


3. Create an nginx pod:

$ kubectl run nginx --image=nginx


4. Create a ClusterIP service for the nginx pod:

$ kubectl expose pod nginx --port 80


5. Create an Ingress for the ClusterIP service:

$ cat nginx-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
spec:
  defaultBackend:
    service:
      name: nginx
      port:
        number: 80

$ kubectl apply -f nginx-ingress.yaml


6. Find the IP address of the Ingress in the output of `kubectl get ingress` and browse to that IP. The HTTP request should now contain the X-Forwarded-* headers:

$ kubectl get ingress
NAME            CLASS    HOSTS   ADDRESS        PORTS   AGE
nginx-ingress   <none>   *       10.###.###.39   80      46s


7. You can verify that the X-Forwarded-For value is now being included by checking the application logs. By default, the last field in the log is the X-Forwarded-For value, which in this example is "10.11.12.13":

$ kubectl logs nginx
100.###.###.### - - [22/Jan/2021:17:03:53 +0000] "GET / HTTP/1.0" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0" "10.11.12.13"
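
To run this check over many log lines instead of reading them by eye, the following added example (not part of the original article) reads nginx access-log lines and reports the X-Forwarded-For value seen on each request. It assumes the default log format of the nginx image and that the load balancer appends the address it saw to any X-Forwarded-For header already present in the request; the names xff_audit and sample_log and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Input: nginx access-log lines in the default format of the nginx image,
# whose last quoted field is $http_x_forwarded_for. Output per line:
#   <peer address> <client address from XFF> <verdict>
xff_audit() {
  awk -F'"' '
    NF < 9 { print "-", "-", "UNPARSED"; next }
    {
      split($1, head, " ")   # head[1] is $remote_addr, the load-balancer side peer
      xff = $(NF - 1)        # last quoted field on the line
      if (xff == "-" || xff == "") {
        # Header absent: the request did not come through the L7 load balancer.
        print head[1], "-", "MISSING"
        next
      }
      n = split(xff, hop, /[ ]*,[ ]*/)
      # Assumption: the load balancer appends the address it saw, so only the
      # right-most entry is its own; entries to the left came with the request.
      verdict = "OK"
      if (n > 1) verdict = "CLIENT_SUPPLIED_PREFIX"
      print head[1], hop[n], verdict
    }'
}

# Constructed sample lines: the first mirrors the log line in step 7 with a
# made-up peer address; the other two are invented to show the edge cases.
sample_log() {
  cat <<'EOF'
100.64.0.5 - - [22/Jan/2021:17:03:53 +0000] "GET / HTTP/1.0" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0" "10.11.12.13"
100.64.0.5 - - [22/Jan/2021:17:04:10 +0000] "GET / HTTP/1.0" 200 612 "-" "curl/7.64.1" "203.0.113.7, 10.11.12.13"
100.64.0.9 - - [22/Jan/2021:17:05:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.1" "-"
EOF
}

sample_log | xff_audit
```

Against a running cluster, pipe the real log in with `kubectl logs nginx | xff_audit`. A MISSING verdict means the application cannot attribute that request to a client address from this header at all.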



Additional Information

NOTE: The X-Forwarded-For headers require an L7 load balancer, which is created only when an Ingress is created on the cluster. A Service object of type LoadBalancer is created under the default L4 load balancer and will NOT pick up the network profile applied to the cluster. See the documentation for details.

NOTE: Different types of Ingress controllers present traffic differently (LoadBalancer Service vs. Ingress) and may not forward the source IP accordingly.