Kong ingress controller with k3s, "forwarded_ip" not forwarded

Hi all

The installation is based on k3s on a bare metal debian instance.

export INSTALL_K3S_VERSION=v1.18.8+k3s1;
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --disable traefik" sh

The installation of kong ingress was done according to the file https://bit.ly/k4k8s with a few adoptions:

spec:
  containers:
    - env:
        - name: KONG_TRUSTED_IPS
          value: 0.0.0.0/0,::/0
        - name: KONG_REAL_IP_RECURSIVE
          value: "on"

I deployed the echo service and configured a route accordingly. However, the ip address is still not the external one.

x-forwarded-for=10.42.0.1
x-real-ip=10.42.0.1

Also the variable “kong.client.get_forwarded_ip()” is 10.42.0.1 in the serverless function context.

What did I miss here? I haven’t found more information on that topic. Any help is appreciated, as knowing the ip is crutial for the application due to geolocation features (currencies, etc.).

Thank you!

This guide might be useful to you: https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/preserve-client-ip.md

Thanks Harry,

I don’t have (yet) a loadbalancer in front of the k3s installation and I’m aware that that’s not the purpose of distributed systems. So in my case, client requests hit port 80/443 of k3s with kong for the time being.

As traefik is disabled I assumed kong would have the information of the client request.

I haven’t found more information about this topic so far: Design

Thanks a lot!

In that case, you need to figure out how is traffic being routed to the Kong pod running inside the k3s cluster and then see how to preserve the IP address.

ExternalTrafficPolicy setting on Service might help in this case.

I found the solution based on your reply. The traffic policy was indeed missing. I assumed that this was not supported by k3s. By adding

externalTrafficPolicy: Local

to the kong-proxy service, I got it working.

Thank you very much!