Requirement:
We often need to save and check the original source IP of clients for audit or analysis. In K8S, Source NAT is enabled by default for NodePort and LoadBalancer services, so the pod only sees a node or pod-network address.

Solution:
We can set externalTrafficPolicy = Local to preserve the client source IP. More details in the K8S source IP doc.

Squid Proxy Logs Sample output:

External Traffic Policy: not set (10.244.1.1 is the source-NAT IP)

```
1554177505.281 0 10.244.1.1 TCP_DENIED/403 4116 CONNECT 140.84.22.11:443 - HIER_NONE/- text/html
1554177510.401 0 10.244.1.1 TCP_DENIED/403 4116 CONNECT 140.84.22.11:443 - HIER_NONE/- text/html
```

External Traffic Policy: Local (132.30.131.49 is the client IP)

```
1554180756.818 0 132.30.131.49 TCP_DENIED/403 3995 CONNECT 140.84.22.11:443 - HIER_NONE/- text/html
1554180984.270 0 132.30.131.49 TCP_DENIED/403 4104 CONNECT 140.84.22.11:443 - HIER_NONE/- text/html
```
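The Service definitions behind the two log samples, written out as an added example (not a manifest from the original post). The default setting is shown beside the fixed one; the Service name, namespace, labels and port are assumptions chosen for illustration.

```yaml
# Added example, not from the original post. Names, namespace, selector labels
# and the Squid port are assumptions.
#
# 1) Default: externalTrafficPolicy defaults to Cluster. A packet that lands on
#    any node may be forwarded to a Squid pod on another node, and kube-proxy
#    SNATs it on the way, so Squid's access.log records the pod-network address
#    (10.244.1.1 in the first log sample) instead of the client.
apiVersion: v1
kind: Service
metadata:
  name: squid-proxy
  namespace: proxy
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster   # same as leaving the field unset
  selector:
    app: squid
  ports:
    - name: proxy
      protocol: TCP
      port: 3128
      targetPort: 3128
---
# 2) Fix: Local delivers only to Squid pods running on the node that received
#    the packet and skips the SNAT, so the pod (and its audit log) sees the real
#    client address (132.30.131.49 in the second log sample).
apiVersion: v1
kind: Service
metadata:
  name: squid-proxy
  namespace: proxy
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  selector:
    app: squid
  ports:
    - name: proxy
      protocol: TCP
      port: 3128
      targetPort: 3128
```

After applying the second document (`kubectl apply -f squid-svc.yaml`), confirm the setting took effect with `kubectl get svc squid-proxy -n proxy -o jsonpath='{.spec.externalTrafficPolicy}'`, then repeat the proxy request and check that access.log shows the client address rather than a 10.244.x.x one. Two caveats apply: with Local, a node that has no ready Squid pod drops NodePort traffic instead of forwarding it (for type LoadBalancer, Kubernetes allocates spec.healthCheckNodePort so the cloud load balancer only sends to nodes with local endpoints), and traffic is balanced per node rather than per pod, so run Squid as a DaemonSet or spread the pods across nodes. Also note that this only affects traffic entering through the NodePort or LoadBalancer; in-cluster clients reaching the ClusterIP are not SNATed in the first place.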