How Can I Whitelist Client IPs with F5 Load Balancer and NodePort in Kubernetes?

Asked By CloudSurfer89 On

I'm facing a networking issue in my Kubernetes cluster that hosts over 100 microservices, and I need some advice on how to handle client IP visibility and whitelisting. My current setup involves an external F5 Load Balancer (L4) directing traffic to Kubernetes NodePort services, which then connect to the individual pods. All services are running with `externalTrafficPolicy: Cluster`. The main challenge is that I need to restrict access to specific microservices based on the real client IP, but setting it up this way causes source NAT (SNAT) to occur. This means the microservices see the internal IP of the node instead of the client's real IP. I'm unable to switch to `externalTrafficPolicy: Local` because I don't have access to the F5 configuration, and migrating to Ingress isn't feasible right now due to the number of legacy services. Additionally, the F5 team cannot manage dynamic IP whitelisting rules. Given these constraints, are there any known methods or tricks to filter traffic based on the original client IP? Any advice or solutions would be greatly appreciated!

4 Answers

Answered By CloudSurfer89 On
Answered By K8sWhizKid On

The client IP is usually preserved in headers, particularly `X-Forwarded-For`, which can help with filtering. If you're using Cilium CNI or Cilium Ingress, it might work for you, but I'm not sure if it’s always effective unless used with the Gateway API. It’s worth checking out, especially versions >1.18.

Answered By NetworkNinja99 On

Another option could be using a specific CNI plugin with port-mapping capabilities to add iptables rules that block unwanted client IPs. This could allow you to filter traffic effectively. You might take a look at CNI's portmap plugin for more details.

Answered By TechGuru42 On

You might want to consider setting up a firewall on each Kubernetes host. This would allow you to restrict access to the specific ports for each microservice, filtering by allowed IPs before the SNAT occurs. It could be a viable solution for your situation!
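The host-firewall approach above, worked through as an added example (this is not code from the thread or from any of the answerers). It filters in the raw table's PREROUTING hook, which runs before kube-proxy's nat-table DNAT and before the masquerade that replaces the client address with the node address, so the real client IP and the NodePort are both still visible to the rule. Assumptions: kube-proxy runs in iptables or IPVS mode, `ipset` and `iptables` are installed on every node in the F5 pool (the script has to run on each of those nodes, for example via config management or a privileged DaemonSet), and the F5 forwards packets with the client's real source address rather than SNATing them; the NodePorts and client ranges in `POLICY` are constructed sample values. Note that an L4 load balancer does not insert HTTP headers, so `X-Forwarded-For` only exists if something on the path terminates HTTP, which is why a packet-level filter is used here.

```shell
#!/bin/sh
# Host-side client-IP allowlist for Kubernetes NodePorts.
# Added example, not code from the original thread. Assumptions: kube-proxy in
# iptables or IPVS mode, ipset + iptables present on every node, and the F5
# forwards packets with the real client source address (it does not SNAT).
#
# Why the raw table: raw/PREROUTING runs before nat/PREROUTING, where
# kube-proxy DNATs the NodePort to a pod and marks the packet for the SNAT
# that hides the client IP. At that hook the packet still carries the client
# source and the NodePort as destination, so it can be matched on both.
# Only the node that receives the packet from the F5 sees the NodePort as
# destination; if it hands the connection to a pod on another node, the
# forwarded packet carries the pod port and is not matched there.

# Policy: one "<nodeport> <ipv4-cidr>" pair per line. Constructed sample
# values; replace with the real NodePorts and client ranges. Remember to
# allow the F5 self-IPs that source the pool health monitors, or the
# monitors themselves will be dropped and the node marked down.
POLICY='
30080 203.0.113.0/24
30080 198.51.100.7/32
30443 203.0.113.0/24
'

# Print the ipset/iptables commands that implement a policy; no side effects.
# One set per NodePort plus a single DROP rule for sources outside the set,
# so later allowlist changes are "ipset add/del" only, never iptables edits.
render_rules() {
    policy="$1"
    ports=$(printf '%s\n' "$policy" | awk 'NF == 2 { print $1 }' | sort -un)
    for p in $ports; do
        setname="np$p"
        echo "ipset create $setname hash:net -exist"
        printf '%s\n' "$policy" | awk -v p="$p" 'NF == 2 && $1 == p { print $2 }' |
        while read -r cidr; do
            echo "ipset add $setname $cidr -exist"
        done
        # -C checks for an existing rule so re-running does not stack copies;
        # -I puts the rule ahead of any CNI chains already in raw/PREROUTING.
        for proto in tcp udp; do
            rule="PREROUTING -p $proto --dport $p -m set ! --match-set $setname src -j DROP"
            echo "iptables -t raw -C $rule 2>/dev/null || iptables -t raw -I $rule"
        done
    done
}

# Offline check of POLICY: succeeds when <ip> may reach <nodeport>.
# Mirrors the firewall's decision: a NodePort with no policy line gets no
# rule and stays open; a listed port admits only its CIDRs. IPv4 only.
is_allowed() {
    port="$1"; ip="$2"
    printf '%s\n' "$POLICY" | awk -v port="$port" -v ip="$ip" '
        function toint(a,    o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        NF == 2 && $1 == port {
            seen = 1
            n = split($2, c, "/"); bits = (n == 2) ? c[2] : 32
            # compare the network part by discarding the host bits
            if (int(toint(ip) / 2^(32 - bits)) == int(toint(c[1]) / 2^(32 - bits))) hit = 1
        }
        END { exit (!seen || hit) ? 0 : 1 }'
}

# Usage: APPLY=1 sh np-allowlist.sh applies the rules; without APPLY=1 the
# script only prints them for review.
if [ "${APPLY:-0}" = "1" ]; then
    render_rules "$POLICY" | sh -e
else
    render_rules "$POLICY"
fi
```

Because the DROP rule only references the set, the allowlist can be changed on the nodes with `ipset add`/`ipset del` without touching the F5 at all, which addresses the constraint that the F5 team cannot manage dynamic rules. Test the policy with `is_allowed <nodeport> <ip>` before applying it, and confirm on one node with `tcpdump` on the NodePort that the packets really arrive with the client source address; if the F5 is SNATing, the source will be an F5 self-IP and this filter cannot help.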
