From 11d320f2191afbd26aad009967944b9e8d3c5f83 Mon Sep 17 00:00:00 2001 From: dmotte <37443982+dmotte@users.noreply.github.com> Date: Tue, 21 Jan 2025 01:44:27 +0100 Subject: [PATCH 1/5] Added a couple of links to the Miscellaneous / Source IP address section --- docs/user-guide/miscellaneous.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/user-guide/miscellaneous.md b/docs/user-guide/miscellaneous.md index 80a38db518..ee3d63056f 100644 --- a/docs/user-guide/miscellaneous.md +++ b/docs/user-guide/miscellaneous.md @@ -4,9 +4,11 @@ By default NGINX uses the content of the header `X-Forwarded-For` as the source of truth to get information about the client IP address. This works without issues in L7 **if we configure the setting `proxy-real-ip-cidr`** with the correct information of the IP/network address of trusted external load balancer. +This setting can be enabled/disabled by setting [`use-forwarded-headers`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers). + If the ingress controller is running in AWS we need to use the VPC IPv4 CIDR. -Another option is to enable proxy protocol using `use-proxy-protocol: "true"`. +Another option is to enable the **PROXY protocol** using [`use-proxy-protocol: "true"`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol). In this mode NGINX does not use the content of the header to get the source IP address of the connection. From d042231c8adef1cbfd5426dd4e9d8e9bcd9702c8 Mon Sep 17 00:00:00 2001 From: dmotte <37443982+dmotte@users.noreply.github.com> Date: Tue, 21 Jan 2025 01:50:13 +0100 Subject: [PATCH 2/5] Linkable baremetal sub-sections --- docs/deploy/baremetal.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md index f5ff54174a..dd1cd46b09 100644 --- a/docs/deploy/baremetal.md +++ b/docs/deploy/baremetal.md 
@@ -152,7 +152,7 @@ requests. This approach has a few other limitations one ought to be aware of: -* **Source IP address** +### Source IP address Services of type NodePort perform [source address translation][nodeport-nat] by default. This means the source IP of a HTTP request is always **the IP address of the Kubernetes node that received the request** from the perspective of @@ -191,7 +191,7 @@ field of the `ingress-nginx` Service spec to `Local` ([example][preserve-ip]). Requests sent to `host-2` and `host-3` would be forwarded to NGINX and original client's IP would be preserved, while requests to `host-1` would get dropped because there is no NGINX replica running on that node. -* **Ingress status** +### Ingress status Because NodePort Services do not get a LoadBalancerIP assigned by definition, the Ingress-Nginx Controller **does not update the status of Ingress objects it manages**. @@ -241,7 +241,7 @@ Service. test-ingress myapp.example.com 203.0.113.1,203.0.113.2,203.0.113.3 80 ``` -* **Redirects** +### Redirects As NGINX is **not aware of the port translation operated by the NodePort Service**, backend applications are responsible for generating redirect URLs that take into account the URL used by external clients, including the NodePort. 
@@ -326,13 +326,13 @@ configuration of the corresponding manifest at the user's discretion. Like with NodePorts, this approach has a few quirks it is important to be aware of. -* **DNS resolution** +### DNS resolution Pods configured with `hostNetwork: true` do not use the internal DNS resolver (i.e. *kube-dns* or *CoreDNS*), unless their `dnsPolicy` spec field is set to [`ClusterFirstWithHostNet`][dnspolicy]. Consider using this setting if NGINX is expected to resolve internal names for any reason. -* **Ingress status** +### Ingress status Because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default `--publish-service` flag used in standard cloud setups **does not apply** and the status of all Ingress objects remains From b6193c215b690dbb69898794686d0722805354dd Mon Sep 17 00:00:00 2001 From: dmotte <37443982+dmotte@users.noreply.github.com> Date: Tue, 21 Jan 2025 01:50:49 +0100 Subject: [PATCH 3/5] Link to other ways to preserve the source IP --- docs/deploy/baremetal.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md index dd1cd46b09..473fa9d60b 100644 --- a/docs/deploy/baremetal.md +++ b/docs/deploy/baremetal.md @@ -191,6 +191,8 @@ field of the `ingress-nginx` Service spec to `Local` ([example][preserve-ip]). Requests sent to `host-2` and `host-3` would be forwarded to NGINX and original client's IP would be preserved, while requests to `host-1` would get dropped because there is no NGINX replica running on that node. +Other ways to preserve the source IP in a NodePort setup are described here: [Source IP address](https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#source-ip-address). + ### Ingress status Because NodePort Services do not get a LoadBalancerIP assigned by definition, the Ingress-Nginx Controller **does not From 7f73b8ec58f85a3857f149192604acad1aa84370 Mon Sep 17 00:00:00 2001 
From: dmotte <37443982+dmotte@users.noreply.github.com> Date: Tue, 21 Jan 2025 01:55:04 +0100 Subject: [PATCH 4/5] Fixed broken link to externalTrafficPolicy=Local example --- docs/deploy/baremetal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md index 473fa9d60b..2f21bb0db7 100644 --- a/docs/deploy/baremetal.md +++ b/docs/deploy/baremetal.md @@ -264,7 +264,7 @@ for generating redirect URLs that take into account the URL used by external cli [nodeport-def]: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport [nodeport-nat]: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-nodeport [pod-assign]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ -[preserve-ip]: https://github.com/kubernetes/ingress-nginx/blob/nginx-0.19.0/deploy/provider/aws/service-nlb.yaml#L12-L14 +[preserve-ip]: https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.15.2/deploy/static/provider/aws/deploy.yaml#L290 ## Via the host network From 01a174b2b14b1957c8d8d91001ba8214d9962a98 Mon Sep 17 00:00:00 2001 From: dmotte <37443982+dmotte@users.noreply.github.com> Date: Tue, 21 Jan 2025 02:07:34 +0100 Subject: [PATCH 5/5] How to customize node port numbers --- docs/deploy/baremetal.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md index 2f21bb0db7..077d1e758d 100644 --- a/docs/deploy/baremetal.md +++ b/docs/deploy/baremetal.md @@ -118,6 +118,8 @@ requests. ![NodePort request flow](../images/baremetal/nodeport.jpg) +You can **customize the exposed node port numbers** by setting the `controller.service.nodePorts.*` Helm values, but they still have to be in the 30000-32767 range. + !!! example Given the NodePort `30100` allocated to the `ingress-nginx` Service
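Review bot: in the patch 1/5 hunk for `docs/user-guide/miscellaneous.md`, the added sentence "This setting can be enabled/disabled by setting `use-forwarded-headers`" has an ambiguous antecedent: the last setting named in the preceding paragraph is `proxy-real-ip-cidr`, so a reader may take "this setting" to mean the CIDR rather than the trust in `X-Forwarded-For`. Suggest "Trusting the `X-Forwarded-For` header can be enabled/disabled with [`use-forwarded-headers`](...)", and, since the paragraph above already ties correct behaviour to a correctly configured `proxy-real-ip-cidr` for the trusted external load balancer, say that the option is only meaningful when NGINX sits behind such a proxy; otherwise the header value is whatever the connecting client sends.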
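Review bot: in the patch 2/5 hunk at `@@ -152,7 +152,7 @@`, turning `* **Source IP address**` into a `### Source IP address` heading leaves the unchanged lead-in "This approach has a few other limitations one ought to be aware of:" ending with a colon that used to introduce the bullet list; suggest ending it with a period now that headings follow, matching the host-network counterpart at `@@ -326`, which already reads "be aware of."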
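Review bot: in the patch 2/5 hunk at `@@ -326,13 +326,13 @@`, the new `### Ingress status` heading is identical to the `### Ingress status` heading introduced at `@@ -191`, so the page ends up with two headings of the same text and the site generator will have to disambiguate the second anchor (typically with a numeric suffix), which works against the "linkable sub-sections" goal in the commit message. Suggest distinct heading text for the two, for example `### Ingress status (NodePort)` and `### Ingress status (host network)`; `DNS resolution`, `Redirects` and `Source IP address` are unique and need no change.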
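Review bot: in the patch 3/5 hunk at `@@ -191,6 +191,8 @@`, the inserted cross-reference is an absolute URL to the published site (`https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#source-ip-address`), whereas the rest of this file uses reference-style links defined at the bottom (`[example][preserve-ip]`, `[nodeport-nat]`); an absolute link keeps pointing at the live default site even from a versioned build or a local preview. Suggest a relative link such as `../user-guide/miscellaneous.md#source-ip-address`, added as a reference definition next to the others. The phrase "are described here:" could also name what those ways are, that is trusting `X-Forwarded-For` via `proxy-real-ip-cidr` and `use-forwarded-headers`, or the PROXY protocol, both of which assume a load balancer in front of the NodePort that sets them.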
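Review bot: in the patch 4/5 hunk at `@@ -264,7 +264,7 @@`, the replacement `[preserve-ip]` target is a bare `#L290` line anchor into a generated `deploy.yaml` at the `ingress-nginx-3.15.2` tag; the tag keeps the line stable only as long as the tag is never moved, and nothing in the link tells the reader that line 290 is the `externalTrafficPolicy: Local` field the text cites. Suggest a commit-SHA permalink, a small `#L289-L291` range so the surrounding Service spec is visible, and a check that the tag is the release the current docs should point at, since `ingress-nginx-3.15.2` looks considerably older than the January 2025 date on this series.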
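Review bot: in the patch 5/5 hunk at `@@ -118,6 +118,8 @@`, "they still have to be in the 30000-32767 range" presents the Kubernetes default as fixed; that range is the API server's `--service-node-port-range` flag and can differ per cluster, so write "by default (the API server's `--service-node-port-range`)". The sentence also only covers the Helm path (`controller.service.nodePorts.*`), while this page walks through the static manifest as well; mention that the manifest equivalent is the `nodePort` field on each port of the `ingress-nginx` Service, which is what the `!!! example` below with `30100` is illustrating.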