I have AKS with nginx load balancer (ingress controller) installed with helm as the entry point to my cluster.
I want to preserve the real IP addresses from clients for further whitelisting with nginx.ingress.kubernetes.io/whitelist-source-range
on certain paths of specific services.
I found the solution here:
nginx ingress controller forward source ip
which works, but also I found in certain blogs and in the Kubernetes documentation, that setting externalTrafficPolicy=Local is not good for proper load balancing.
I tried to set different variations of settings to my nginx configmap, but with no luck. I also found, that it can be done somehow with X-Forwarded-For header, but I couldn't resolve it.
I also made a github issue with the same question here: https://github.com/kubernetes/ingress-nginx/issues/9402
And the discussion on the kuberenetes stack took me to the following link: https://www.asykim.com/blog/deep-dive-into-kubernetes-external-traffic-policies
where he says that: "if you have a service receiving external traffic from an LB (using NodePorts), you almost always want to use externalTrafficPolicy: Local (with pod anti-affinity to alleviate imbalanced traffic)."
I didn't find the way how to preserve client IP without external LB or Proxy so this looks like the only possible solution. If you find any better, please comment.
For more info see the discussion on kubernetes stack: https://kubernetes.slack.com/archives/CANQGM8BA/p1670925074384859