I have a few services running that require the Source IP to be preserved to perform authentication properly. I am running a Kubernetes environment in AKS using Nginx as my Ingress controller and am having problems understanding how I can implement this properly.
I read through this as well as this https://github.com/kubernetes/ingress-nginx/issues/1067
And read that setting this service.spec.externalTrafficPolicy to Local should resolve my problem, but I am having a hard time understanding which Service I should apply this to. It almost sounds like this needs to be added to the nginx deployment and it would affect all deployments, which is going to be undesirable.
My question is, is there a way to apply this to my Service manifests for just the services that need it and not blanket add this to everything either with Nginx annotations or adjusting the Service manifest for the services I am deploying?
For reference, here is my Service manifest I am deploying with helm:
apiVersion: v1
kind: Service
metadata:
  name: {{ template "service.fullname" . }}
  labels:
    app: {{ template "service.name" . }}
    chart: {{ template "service.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  type: {{ .Values.service.type }} # ClusterIP
  ports:
    - port: {{ .Values.service.port }}
      targetPort: {{ .Values.service.targetPort }}
      protocol: TCP
      name: http
  selector:
    app: {{ template "service.name" . }}
    release: {{ .Release.Name }}
CodePudding user response:
You clearly need to add that setting to the nginx ingress controller service, the one with type = LoadBalancer.
If you think about it, there is no other option. Nginx ingress controller is the entry point in your cluster, so if you don't keep the source IP address there, there is no way you can have it in the services that come after that.
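The setting described in the answer, next to an untouched backend Service, as an added example that is not part of the original thread. The Service names, namespace, selector labels and port names are assumptions; match them to your own ingress-nginx installation.

```yaml
# Ingress controller Service: the only place externalTrafficPolicy matters here.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller      # assumed name
  namespace: ingress-nginx            # assumed namespace
spec:
  type: LoadBalancer
  # Default is "Cluster": any node accepts the traffic and may SNAT it to a
  # node IP before forwarding to a controller pod, so nginx loses the client IP.
  # "Local": only nodes that run a controller pod accept traffic and no SNAT
  # hop is added, so nginx sees the real client address. Nodes without a
  # controller pod fail the load balancer health check and get no traffic.
  externalTrafficPolicy: Local
  selector:                           # assumed labels
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http                # assumed named container port
    - name: https
      port: 443
      targetPort: https               # assumed named container port
---
# Backend Service: stays ClusterIP and needs no externalTrafficPolicy.
# Its pods see the controller pod as the TCP peer; the client address arrives
# in the X-Forwarded-For / X-Real-IP headers that ingress-nginx sets, so the
# application should trust those headers only on traffic from the controller.
apiVersion: v1
kind: Service
metadata:
  name: my-backend                    # hypothetical backend
spec:
  type: ClusterIP
  selector:
    app: my-backend
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
```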