EKS, ELB, Nginx Ingress: the right combination for sticky sessions / session affinity that also shows the real client IP

Time: 2020-02-11 00:40:34

Tags: kubernetes kubernetes-ingress nginx-ingress amazon-eks

Trying to figure out the correct setup so that the real client IP shows up in our logs and session affinity works properly.

I currently don't get the client IP in the logs, and if I go from 1 pod to 2 I can no longer log in, etc. There doesn't seem to be anything wrong in the nginx logs.

Values.yml

controller:
  config:
    use-forwarded-headers: "true"
    use-proxy-protocol: "true"
    proxy-real-ip-cidr: "172.21.0.0/16"
  replicaCount: 2
  image:
    repository: quay.io/kubernetes-ingress-controller/nginx-ingress-controller
    tag: "0.28.0"
  ingressClass: ingress-internal
  publishService:
    enabled: true
  service:
    externalTrafficPolicy: Local
    targetPorts:
      http: 80
      https: http
    loadBalancerSourceRanges: ["0.0.0.0/0"]
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:523447765480:certificate/3972f84d-c167-43da-a207-8be0b955df48"
      service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Name=idaas2-ingress-internal,cluster=idaas2,Environment=prd,Project=idaas2,Customer=idauto"
      service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "True"
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
      service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: "sg-02ca93f2fe8cbc950"
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

Ingress annotations

ingress:
  annotations:
    kubernetes.io/ingress.class: ingress-internal
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    monitor.stakater.com/enabled: "false"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
      grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;

I'm not even sure where to keep looking; I can provide any additional information that's needed.
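The two mechanisms the question's values.yml combines are a PROXY protocol header on the TCP connection (aws-load-balancer-proxy-protocol) and trust of X-Forwarded-For only from proxy-real-ip-cidr. The example below, added here and not part of the question or of ingress-nginx, models both: a strict parser for a PROXY protocol v1 line, and client-address resolution modelled on nginx's realip module (set_real_ip_from = 172.21.0.0/16, real_ip_recursive on), which is what prevents a direct client from spoofing the address that lands in the logs. The header and addresses are constructed sample values.

```python
import ipaddress

# Trusted proxy range, taken from the question's values.yml (proxy-real-ip-cidr).
TRUSTED_PROXIES = [ipaddress.ip_network("172.21.0.0/16")]


def is_trusted(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)


def parse_proxy_v1(line: bytes):
    """Parse a PROXY protocol v1 header line (what the ELB prepends when the
    proxy-protocol annotation is "*"). Returns (src_ip, src_port), or None if
    malformed; a receiver must then drop the connection, never treat it as HTTP."""
    if not line.startswith(b"PROXY ") or not line.endswith(b"\r\n") or len(line) > 107:
        return None
    fields = line[:-2].decode("ascii", "replace").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError:
        return None
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return str(src), sport


def real_client_ip(peer_ip: str, xff):
    """Resolve the client address like nginx realip with real_ip_recursive on:
    walk X-Forwarded-For from the right, skip trusted hops, stop at the first
    untrusted one. A header delivered by an untrusted peer is ignored entirely."""
    if not xff or not is_trusted(peer_ip):
        return peer_ip
    client = peer_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: keep the last valid address found
        client = hop
        if not is_trusted(hop):
            break
    return client
```

With use-proxy-protocol enabled, the address that matters comes from the PROXY header rather than X-Forwarded-For, so proxy-real-ip-cidr has to cover the load balancer's own addresses (the TCP peer), not the public client range.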

2 answers:

Answer 0 (score: 0)

Not sure how to fix the real client IP, but I used sticky sessions via the Ingress metadata:

annotations:
  kubernetes.io/ingress.class: alb
  alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=1200
  alb.ingress.kubernetes.io/scheme: internet-facing
  alb.ingress.kubernetes.io/target-type: ip

Answer 1 (score: 0)

Hi, I just increased my replicas from 1 to 2 and ran into the same situation. Because I do like to know where the users of my application are coming from :) (I don't want to dig through the Nginx controller logs to find its damn IP; sometimes I want to receive it by email, hehe)

But now everything works (after 24 hours of thinking about it).

I'm using proxy protocol v2 (to get the real IP) and session affinity, both in combination with Nginx.

I'll just give you my setup as an option:

helm upgrade nginx ingress-nginx/ingress-nginx --set-string controller.config."use-gzip"="true",controller.config."http-redirect-code"="301",controller.config."use-proxy-protocol"="true",controller.service.annotations."service\.beta\.kubernetes\.io/scw-loadbalancer-proxy-protocol-v2"="true",controller.service.annotations."service\.beta\.kubernetes\.io/scw-loadbalancer-use-hostname"="true",controller.service.annotations."service\.beta\.kubernetes\.io/scw-loadbalancer-sticky-sessions"="cookie",controller.service.annotations."service\.beta\.kubernetes\.io/scw-loadbalancer-sticky-sessions-cookie-name"="route"

Then use these annotations on the backend pods:

    nginx.ingress.kubernetes.io/websocket-services: "footballdata-scaleway"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"

    nginx.ingress.kubernetes.io/affinity: cookie
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"
    nginx.ingress.kubernetes.io/session-cookie-path: /
    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"

By the way, my cluster is on scaleway.com :)

Building your own Kubernetes charts will only hurt you. Switch to Helm 3, bro :)