Add annotation to add accept-proxy in bind statements #144

Merged
merged 8 commits into from Jun 6, 2017


@sadlil sadlil added this to the 1.5.6 milestone Jun 5, 2017

@sadlil sadlil self-assigned this Jun 5, 2017

@sadlil sadlil requested a review from tamalsaha Jun 5, 2017

@sadlil sadlil force-pushed the accept-proxy branch 2 times, most recently from 1a9645a to 235c3f0 Jun 5, 2017

@sadlil sadlil force-pushed the accept-proxy branch from 235c3f0 to 9f49290 Jun 5, 2017

@tamalsaha tamalsaha merged commit 0b8dca5 into master Jun 6, 2017

@tamalsaha tamalsaha deleted the accept-proxy branch Jun 6, 2017

tamalsaha added a commit that referenced this pull request Jun 8, 2017

Use ingress.appscode.com/keep-source-ip: true to preserve source IP (#…
…165)

This preserves source IP for LoadBalancer type ingresses for aws, gce, gke, azure. The actual configuration generated depends on the underlying cloud provider.

- gce, gke, azure: Adds annotation service.beta.kubernetes.io/external-traffic: OnlyLocal
to services used to expose HAProxy.
ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer

- aws: Enforces the use of the PROXY protocol over any connection accepted by any of
the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol
are supported and correctly detected. The PROXY protocol dictates the layer
3/4 addresses of the incoming connection to be used everywhere an address is
used, with the only exception of "tcp-request connection" rules which will
only see the real connection address. Logs will reflect the addresses
indicated in the protocol, unless it is violated, in which case the real
address will still be used. This keyword combined with support from external
components can be used as an efficient and reliable alternative to the
X-Forwarded-For mechanism which is not always reliable and not even always
usable. See also "tcp-request connection expect-proxy" for a finer-grained
setting of which client is allowed to use the protocol.
ref: https://github.com/kubernetes/kubernetes/blob/release-1.5/pkg/cloudprovider/providers/aws/aws.go#L79 (this was implemented in #144)

Fixes #146, #100
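
The address substitution described in the commit message above, as an added Go example that is not code from this pull request, the project, or HAProxy: a receiver takes the client address from a PROXY protocol v1 header only when the peer is a trusted load balancer and the header is well formed, and otherwise keeps the real connection address. The function name `effectiveSource`, the trusted range and the sample header are constructed for illustration; the allowlist models the restriction the text points to with "tcp-request connection expect-proxy", and only v1 `TCP4`/`TCP6` lines are handled (anything else, including `PROXY UNKNOWN` and the binary v2 format, falls back to the peer address).

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// effectiveSource mimics what a PROXY-aware listener does with a new
// connection: use the source address from a well-formed PROXY v1 header sent
// by a trusted peer, otherwise keep the real peer address.
func effectiveSource(r *bufio.Reader, peer net.IP, trusted []*net.IPNet) (net.IP, bool) {
	allowed := false
	for _, n := range trusted {
		allowed = allowed || n.Contains(peer)
	}
	if !allowed {
		return peer, false // no header is expected from this peer
	}
	line, err := r.ReadString('\n')
	// The v1 header is at most 107 bytes including the trailing CRLF.
	if err != nil || len(line) > 107 || !strings.HasSuffix(line, "\r\n") {
		return peer, false
	}
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return peer, false
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	// TCP4 must carry IPv4 addresses and TCP6 must carry IPv6 ones.
	if src == nil || dst == nil || (f[1] == "TCP4") != (src.To4() != nil) {
		return peer, false
	}
	for _, p := range f[4:] { // both ports must fit in 16 bits
		if _, err := strconv.ParseUint(p, 10, 16); err != nil {
			return peer, false
		}
	}
	return src, true
}

func main() {
	_, lb, _ := net.ParseCIDR("10.0.0.0/8") // constructed load balancer range
	hdr := "PROXY TCP4 203.0.113.7 10.0.0.5 51234 80\r\nGET / HTTP/1.1\r\n" // constructed
	ip, ok := effectiveSource(bufio.NewReader(strings.NewReader(hdr)),
		net.ParseIP("10.1.2.3"), []*net.IPNet{lb})
	fmt.Println(ip, ok)
}
```

The header is plain data sent by whoever opens the connection, which is why a listener that accepts it should be reachable only through the load balancer that writes it.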

@tamalsaha tamalsaha referenced this pull request Jun 12, 2017

Closed

Document 1.5.6 changes #150

8 of 8 tasks complete