Monday, April 15, 2019

Preserve Source IP via externalTrafficPolicy

Requirement:

We often need to record and check the original source IP of clients for audit or analysis. In Kubernetes, Source NAT is applied by default to traffic arriving through a NodePort or LoadBalancer Service: with the default externalTrafficPolicy of Cluster, kube-proxy may forward the packet to a pod on another node and rewrites the source address to the node's own address, so the pod sees a cluster-internal IP instead of the client.

Solution:

We can set externalTrafficPolicy: Local on the Service to preserve the client source IP. With Local, kube-proxy only forwards to pods on the node that received the packet and does not SNAT it. The trade-off is that traffic reaching a node with no local endpoint is dropped, and an external load balancer spreads load per node rather than per pod. More details are in the Kubernetes "Using Source IP" documentation.
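As an added example (not part of the original post), here is a NodePort Service for a Squid proxy written both ways: once with the default policy and once with the policy that preserves the client address. The namespace, Service names, selector label and port numbers are assumptions for illustration.

```yaml
# Added example, not from the original post. Names, namespace, label and
# ports are assumed values.
apiVersion: v1
kind: Service
metadata:
  name: squid-cluster
  namespace: proxy
spec:
  type: NodePort
  selector:
    app: squid
  ports:
  - name: proxy
    port: 3128
    targetPort: 3128
    nodePort: 31128
  # Default behaviour (same as omitting the field): kube-proxy may forward
  # to a pod on any node and SNATs the packet to the node's address, so the
  # proxy logs an address such as 10.244.1.1 instead of the client.
  externalTrafficPolicy: Cluster
---
apiVersion: v1
kind: Service
metadata:
  name: squid-local
  namespace: proxy
spec:
  type: NodePort
  selector:
    app: squid
  ports:
  - name: proxy
    port: 3128
    targetPort: 3128
    nodePort: 31129
  # Local: kube-proxy only forwards to pods on the node that received the
  # packet and leaves the source address untouched, so the proxy sees the
  # real client IP. Packets arriving at a node with no local Squid pod are
  # dropped, so clients (or the external load balancer) must target only
  # nodes that run a pod.
  externalTrafficPolicy: Local
```

Apply with `kubectl apply -f`, or switch an existing Service with `kubectl patch svc squid-local -n proxy -p '{"spec":{"externalTrafficPolicy":"Local"}}'`, and confirm the setting with `kubectl get svc squid-local -n proxy -o jsonpath='{.spec.externalTrafficPolicy}'`. For a Service of type LoadBalancer, Kubernetes additionally allocates `spec.healthCheckNodePort`; cloud load balancers probe it so that only nodes with ready local endpoints receive traffic. The client address is only preserved end to end if the load balancer in front of the nodes does not itself NAT the connection.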

Squid proxy log sample output (the third field is the client address as seen by Squid):

externalTrafficPolicy not set (defaults to Cluster); 10.244.1.1 is the SNAT source address from the cluster's pod network, not the client:
```
1554177505.281      0 10.244.1.1 TCP_DENIED/403 4116 CONNECT 140.84.22.11:443 - HIER_NONE/- text/html
1554177510.401      0 10.244.1.1 TCP_DENIED/403 4116 CONNECT 140.84.22.11:443 - HIER_NONE/- text/html
```

externalTrafficPolicy: Local; 132.30.131.49 is the real client IP:
```
1554180756.818      0 132.30.131.49 TCP_DENIED/403 3995 CONNECT 140.84.22.11:443 - HIER_NONE/- text/html
1554180984.270      0 132.30.131.49 TCP_DENIED/403 4104 CONNECT 140.84.22.11:443 - HIER_NONE/- text/html
```
