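Kubernetes itself has some issues with obtaining the client's real IP; see:
https://kubernetes.io/docs/tutorials/services/source-ip/
Another approach:
Put traefik-ingress in front of the Istio ingress gateway as a proxy. Traefik must be started with hostPort; for the deployment details see https://www.jianshu.com/p/2b50f150ecde
Gateway reference: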
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: lps-web
  namespace: th # the namespace the application runs in
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - lps-web.th.xxx.cn
    port:
      name: http
      number: 80
      protocol: HTTP
Ingress reference:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
    ingress.kubernetes.io/custom-request-headers: 'Host: lps-web.th.xxx.cn' # set to the hosts configured on the Istio Gateway above
  name: lps-web.th.xxx.cn
  namespace: istio-system # must be in the istio-system namespace to reach the Istio gateway Service
spec:
  rules:
  - host: lps-web.th.xxx.cn # set to the hosts configured on the Istio Gateway above
    http:
      paths:
      - backend:
          serviceName: istio-ingressgateway # this is the Istio gateway Service
          servicePort: 80
        path: /
Note: every Host value must match the hosts configured on the Istio ingress gateway above.
Create the EnvoyFilter
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingressgateway-user-ip
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
  - listenerMatch:
      portNumber: 80
      listenerType: ANY
    filterName: envoy.lua
    filterType: HTTP
    filterConfig:
      inlineCode: |
        function envoy_on_request(request_handle)
          local xff_header = request_handle:headers():get("X-Forwarded-For")
          -- No X-Forwarded-For header on the request: nothing to extract
          if xff_header == nil then
            return
          end
          local client_ip
          -- "%." matches a literal dot; a bare "." would match any character
          for ip in string.gmatch(xff_header, "(%d+%.%d+%.%d+%.%d+)") do
            client_ip = ip
            break -- only take the first IP
          end
          if client_ip ~= nil then
            request_handle:headers():add("x-real-ip", client_ip)
          end
        end
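The filter above takes the first X-Forwarded-For entry, which is whatever the client sent in that header whenever the front proxy appends to it rather than overwriting it. As an added example (not from the original post), this standalone Lua code selects the entry written by the outermost trusted proxy instead; the function names and trusted_hops are assumptions, and the sample headers are constructed.

```lua
-- Added example, not part of the original EnvoyFilter.
-- Assumption: trusted_hops is the number of proxies you operate that append
-- to X-Forwarded-For before this code sees the header.

-- Return s if it is a dotted-quad IPv4 address with octets 0-255, else nil.
local function valid_ipv4(s)
  local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  for _, octet in ipairs({a, b, c, d}) do
    if #octet > 3 or tonumber(octet) > 255 then return nil end
  end
  return s
end

-- Pick the address appended by the outermost trusted proxy: the
-- trusted_hops-th entry counted from the right. Everything to its left was
-- already in the header when the request reached that proxy.
local function client_ip_from_xff(xff, trusted_hops)
  if type(xff) ~= "string" or type(trusted_hops) ~= "number" or trusted_hops < 1 then
    return nil
  end
  local entries = {}
  for item in xff:gmatch("[^,]+") do
    entries[#entries + 1] = item:match("^%s*(.-)%s*$") -- trim whitespace
  end
  local idx = #entries - trusted_hops + 1
  if idx < 1 then return nil end
  return valid_ipv4(entries[idx])
end

-- Constructed sample headers (documentation address ranges).
local spoofed = "10.0.0.1, 203.0.113.7" -- first entry was sent by the client
assert(client_ip_from_xff(spoofed, 1) == "203.0.113.7")
assert(client_ip_from_xff("198.51.100.9", 1) == "198.51.100.9")
assert(client_ip_from_xff("198.51.100.9, 192.0.2.10", 2) == "198.51.100.9")
assert(client_ip_from_xff("999.1.1.1", 1) == nil)   -- octet out of range
assert(client_ip_from_xff("1a2b3c4", 1) == nil)     -- not a dotted quad
assert(client_ip_from_xff("203.0.113.7", 2) == nil) -- fewer entries than hops
assert(client_ip_from_xff(nil, 1) == nil)           -- header absent
```

To use it inside envoy_on_request, pass the header value and the hop count that matches your proxy chain, then set x-real-ip only when the result is not nil.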