Use PROXY protocol in a Managed Kubernetes cluster for Traefik Ingress Controller
You can configure the use of the PROXY protocol in an existing load balancer.
If you connect to a pod through a load balancer with a TCP → PROXY rule, the pod logs will show the real IP address of the client, not the load balancer's address.
-
Ensure that the Managed Kubernetes cluster version is 1.21.10 or higher:
kubectl versionYou can upgrade the cluster version.
-
Retrieve the Traefik Ingress Controller values and save them to a
values.yamlfile:helm inspect values traefik/traefik > values.yaml -
Make changes to the
values.yamlfile:4.1. In the
annotationsblock, addloadbalancer.openstack.org/proxy-protocol: "true".4.2. Optional: to allow connection without a TLS certificate, add
insecure: trueto theproxyProtocolblock.4.3. Save your changes.
-
Update Traefik Ingress Controller:
helm upgrade traefik traefik/traefik --values values.yaml -
Create a test echo server Deployment object. For example:
cat <<EOF | kubectl apply -f -apiVersion: apps/v1kind: Deploymentmetadata:name: echoservernamespace: defaultlabels:app: echoserverspec:replicas: 1selector:matchLabels:app: echoservertemplate:metadata:labels:app: echoserverspec:containers:- name: echoserverimage: gcr.io/google-containers/echoserver:1.10imagePullPolicy: IfNotPresentports:- containerPort: 8080EOF -
Create a ClusterIP Service object for the echo server:
kubectl expose deployment echoserver --type=ClusterIP --target-port=8080 -
Create an Ingress object for the echo server. For example:
cat <<EOF | kubectl apply -f -apiVersion: networking.k8s.io/v1kind: Ingressmetadata:name: test-proxy-protocolnamespace: defaultannotations:traefik.ingress.kubernetes.io/router.entrypoints: webspec:ingressClassName: "traefik"rules:- host: test.comhttp:paths:- path: /pingpathType: Exactbackend:service:name: echoserverport:number: 8080EOF -
Check the Ingress object:
kubectl get ingInformation about the Ingress object will appear in the response. The IP address may not appear immediately. For example:
NAME CLASS HOSTS ADDRESS PORTS AGEtest-proxy-protocol traefik test.com 123.123.123.123 80 5sCopy the IP address of the Ingress object.
-
Check the connection:
ip=<ip_address>curl -sH 'Host: test.com' http://$ip/ping | sed '/^\s*$/d'Specify
<ip_address>— the IP address of the Ingress object that you copied in step 9. If you are using Managed Kubernetes cluster version 1.31 or lower, add thenip.iosuffix to the address, for example123.123.123.123.nip.io.Connection information will appear in the response. For example:
Hostname: echoserver-78d689cddd-5bmnkPod Information:-no pod information available-Server values:server_version=nginx: 1.13.3 - lua: 10008Request Information:client_address=10.10.246.7method=GETreal path=/pingquery=request_version=1.1request_scheme=httprequest_uri=http://test.com:8080/pingRequest Headers:accept=*/*accept-encoding=gziphost=test.comuser-agent=curl/8.7.1x-forwarded-for=<xxx>x-forwarded-host=test.comx-forwarded-port=80x-forwarded-proto=httpx-forwarded-server=traefik-54dc77dc47-zd8pxx-real-ip=<xxx>Request Body:-no body in request-