-
Notifications
You must be signed in to change notification settings - Fork 116
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to set proxy-real-ip-cidr #160
Comments
Hey, basically you encountered a "bug" within the kube proxy (kubernetes/kubernetes#66607). If you use the Load Balancer IP in-cluster the request will never reach the Load Balancer. Therefore we would recommend using the in cluster name or using the |
perfect, this worked! I just took some arbitrary hostname |
Is this documented anywhere? I couldn't find it any reference in any docs. Thanks... |
<!-- section-start changelog --> ### Feature Highlights & Upgrade Notes #### Load Balancer IPs set to Private IPs If networking support is enabled, the load balancer IPs are now populated with the private IPs, unless the `load-balancer.hetzner.cloud/disable-private-ingress` annotation is set to `true`. Please make sure that you configured the annotation according to your needs, for example if you are using `external-dns`. #### Provided-By Label We introduced a the label `instance.hetzner.cloud/provided-by`, which will be automatically added to all **new** nodes. This label can have the values `cloud` or `robot` to distinguish between our products. We use this label in the csi-driver to ensure the daemonset is only running on cloud nodes. We recommend to add this label to your existing nodes with the appropriate value. - `kubectl label node $CLOUD_NODE_NAME instance.hetzner.cloud/provided-by=cloud` - `kubectl label node $ROBOT_NODE_NAME instance.hetzner.cloud/provided-by=robot` #### Load Balancer IPMode Proxy Kubernetes KEP-1860 added a new field to the Load Balancer Service Status that allows us to mark if the IP address we add should be considered as a Proxy (always send traffic here) and VIP (allow optimization by keeping the traffic in the cluster). Previously Kubernetes considered all IPs as VIP, which caused issues when when the PROXY protocol was in use. We have previously recommended to use the annotation `load-balancer.hetzner.cloud/hostname` to workaround this problem. We now set the new field to `Proxy` if the PROXY protocol is active so the issue should no longer appear. If you only added the `load-balancer.hetzner.cloud/hostname` annotation for this problem, you can remove it after upgrading. Further information: - kubernetes/enhancements#1860 - #160 (comment) ### Features - **service**: Specify private ip for loadbalancer (#724) - add support & tests for Kubernetes 1.31 (#747) - **helm**: allow setting extra pod volumes via chart values (#744) - **instance**: add label to distinguish servers from Cloud and Robot (#764) - emit event when robot server name and node name mismatch (#773) - **load-balancer**: Set IPMode to "Proxy" if load balancer is configured to use proxy protocol (#727) (#783) - **routes**: emit warning if cluster cidr is misconfigured (#793) - **load-balancer**: ignore nodes that don't use known provider IDs (#780) - drop tests for kubernetes v1.27 and v1.28 ### Bug Fixes - populate ingress private ip when disable-private-ingress is false (#715) - wrong version logged on startup (#729) - invalid characters in label instance-type of robot servers (#770) - no events are emitted as broadcaster has no sink configured (#774) ### Kubernetes Support This version was tested with Kubernetes 1.29 - 1.31. Furthermore, we dropped v1.27 and v1.28 support. <!-- section-end changelog --> --- <details> <summary><h4>PR by <a href="https://github.com/apricote/releaser-pleaser">releaser-pleaser</a> 🤖</h4></summary> If you want to modify the proposed release, add you overrides here. You can learn more about the options in the docs. ## Release Notes ### Prefix / Start This will be added to the start of the release notes. ```rp-prefix ### Feature Highlights & Upgrade Notes #### Load Balancer IPs set to Private IPs If networking support is enabled, the load balancer IPs are now populated with the private IPs, unless the `load-balancer.hetzner.cloud/disable-private-ingress` annotation is set to `true`. Please make sure that you configured the annotation according to your needs, for example if you are using `external-dns`. #### Provided-By Label We introduced a the label `instance.hetzner.cloud/provided-by`, which will be automatically added to all **new** nodes. This label can have the values `cloud` or `robot` to distinguish between our products. We use this label in the csi-driver to ensure the daemonset is only running on cloud nodes. We recommend to add this label to your existing nodes with the appropriate value. - `kubectl label node $CLOUD_NODE_NAME instance.hetzner.cloud/provided-by=cloud` - `kubectl label node $ROBOT_NODE_NAME instance.hetzner.cloud/provided-by=robot` #### Load Balancer IPMode Proxy Kubernetes KEP-1860 added a new field to the Load Balancer Service Status that allows us to mark if the IP address we add should be considered as a Proxy (always send traffic here) and VIP (allow optimization by keeping the traffic in the cluster). Previously Kubernetes considered all IPs as VIP, which caused issues when when the PROXY protocol was in use. We have previously recommended to use the annotation `load-balancer.hetzner.cloud/hostname` to workaround this problem. We now set the new field to `Proxy` if the PROXY protocol is active so the issue should no longer appear. If you only added the `load-balancer.hetzner.cloud/hostname` annotation for this problem, you can remove it after upgrading. Further information: - kubernetes/enhancements#1860 - #160 (comment) ``` ### Suffix / End This will be added to the end of the release notes. ```rp-suffix ### Kubernetes Support This version was tested with Kubernetes 1.29 - 1.31. Furthermore, we dropped v1.27 and v1.28 support. ``` </details> Co-authored-by: releaser-pleaser <>
Im using hetzner loadbalancers with nginx-ingress-controller with 10.42.0.0/24 as network with following config:
and
Now my requests include the real-ip headers. Thats a good thing!
But now, if I want to make a request from inside the network:
I get
And nginx logs:
Now that sucks!
My limited understanding tells me that this is what
proxy-real-ip-cidr
is for. And I guess that hetzners loadbalancers does need this info, too. I tried utilizingload-balancer.hetzner.cloud/disable-private-ingress: "true"
not entirely sure what that means but with no success.I do not know whether this is by design, or whether my configuration is just wrong.
Workaround would be to use internal names like
servicename.namespace.svc.cluster.local
instead, but Im curious whether there is a better solutionThe text was updated successfully, but these errors were encountered: