Kong on AKS and IP restriction suddenly started blocking traffic

I run Kong/KIC on an AKS cluster:

  • Kubernetes 1.25.5
  • Kong 3.0
  • KIC 2.7
  • Kong Helm charts 2.15.3

I use the ip-restriction plugin:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: ip-restriction-allow-contoso-vpn
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  allow:
  # VPN
  - 123.456.789.1
  # AKS LB
  - 987.654.321.1
plugin: ip-restriction

Everything worked fine for months and suddenly routes and services that were restricted with the plugin stopped working with Kong Error: Your IP address is not allowed.

The only things that I changed in my cluster were

Additionally, IP Restriction plugin | Kong Docs doesn’t mention any breaking changes and my AKS LB IP has not changed.

What could break my setup? Is it possibly the chart upgrades, or perhaps the AKS LBs fiddling with X-Forwarded-For headers?

Well, this is embarrassing! Several months ago I manually applied this according to the Preserving Client IP Address - v2.9.x | Kong Docs guide:

kubectl patch -n kong service kong-kong-proxy -p '{"spec":{"externalTrafficPolicy":"Local"}}'

and I had not recorded this setting in my IaC - at that time, I had no idea how to set it on the kong-kong-proxy service in my kind: HelmRelease manifest deploying Kong and KIC.

I have figured it out, I think, so I can now record it in my IaC:

kind: HelmRelease
metadata:
  name: kong
  namespace: kong
...
spec:
  values:
    proxy:
      enabled: true
      type: LoadBalancer
      externalTrafficPolicy: Local
...

Apologies for the noise!
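
An added example, not part of the original posts: a small drift check that reads `kubectl get svc -o json` output and flags externally exposed Services whose externalTrafficPolicy is not Local, which is the setting the thread found missing. The sample objects are constructed, and `kong-internal` and the script name `check_etp.py` are hypothetical.

```python
import json
import sys

# Service types that receive traffic from outside the cluster.
EXPOSED_TYPES = {"LoadBalancer", "NodePort"}


def services_losing_client_ip(kubectl_json: str) -> list:
    """Return "namespace/name" for exposed Services not set to Local.

    Accepts the JSON of one Service or of a list, as printed by
    `kubectl get svc -o json`.
    """
    doc = json.loads(kubectl_json)
    items = doc["items"] if "items" in doc else [doc]
    flagged = []
    for svc in items:
        spec = svc.get("spec", {})
        if spec.get("type") not in EXPOSED_TYPES:
            continue  # ClusterIP services have no externalTrafficPolicy
        # Kubernetes defaults this field to "Cluster", which may SNAT the
        # request so the proxy no longer sees the original client address.
        if spec.get("externalTrafficPolicy", "Cluster") != "Local":
            meta = svc.get("metadata", {})
            flagged.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}")
    return flagged


def _svc(name, svc_type, policy=None):
    """Build a constructed Service object for the demo below."""
    spec = {"type": svc_type}
    if policy:
        spec["externalTrafficPolicy"] = policy
    return {"kind": "Service", "metadata": {"name": name, "namespace": "kong"}, "spec": spec}


# Constructed samples: the proxy Service with the policy set to Local, and
# with it back at Cluster. "kong-internal" is a hypothetical ClusterIP service.
_INTERNAL = _svc("kong-internal", "ClusterIP")
PATCHED = json.dumps({"items": [_svc("kong-kong-proxy", "LoadBalancer", "Local"), _INTERNAL]})
RESET = json.dumps({"items": [_svc("kong-kong-proxy", "LoadBalancer", "Cluster"), _INTERNAL]})

if __name__ == "__main__":
    # Usage: kubectl get svc -n kong -o json | python3 check_etp.py
    piped = "" if sys.stdin.isatty() else sys.stdin.read().strip()
    if piped:
        bad = services_losing_client_ip(piped)
        print("\n".join(bad) or "ok")
        sys.exit(1 if bad else 0)
    print("patched:", services_losing_client_ip(PATCHED))
    print("reset:  ", services_losing_client_ip(RESET))
```

Run against live output in CI or on a schedule, the non-zero exit surfaces a reverted policy before the ip-restriction plugin starts rejecting allowed clients.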