Proxy-protocol is not actually supported on GKE using the default LoadBalancer service. #12829

Open
mzglinski opened this issue Feb 14, 2025 · 7 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/documentation Categorizes issue or PR as related to documentation. priority/backlog Higher priority than priority/awaiting-more-evidence. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@mzglinski

What happened

The ingress-nginx deployment documentation for GKE (https://kubernetes.github.io/ingress-nginx/deploy/#gce-gke) states that "Proxy-protocol is supported in GCE check the Official Documentations on how to enable.". When you check the GCE documentation and try to follow the instructions, you will realize that enabling Proxy protocol on an existing Passthrough load balancer is impossible, which is the type of LB created by default.
However, when checking the GKE LoadBalancer Service parameters documentation (https://cloud.google.com/kubernetes-engine/docs/concepts/service-load-balancer-parameters), there is no annotation available to enable proxy protocol for the default LoadBalancer service.

This creates confusion for users trying to enable proxy protocol on GKE, as the documentation suggests it's supported but provides no clear way to enable it.

What you expected to happen

The documentation should either:

  1. Clearly specify how to enable proxy protocol on GKE (if it is actually supported)
  2. Remove or correct the statement about proxy protocol support if it's not actually supported
  3. Clarify if there are specific requirements or limitations for proxy protocol support on GKE

How to reproduce

  1. Deploy ingress-nginx on GKE using the documented method
  2. Try to enable proxy protocol by following the official documentation on the created passthrough load balancer
  3. Discover that it's not possible to modify an existing load balancer

Environment

  • Kubernetes version: 1.31.5-gke.1023000 (GKE)
  • Ingress-NGINX version: v4.12.0
  • Cloud provider: Google Kubernetes Engine (GKE)

/kind documentation
/remove-kind feature

@mzglinski mzglinski added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 14, 2025
@k8s-ci-robot k8s-ci-robot added kind/documentation Categorizes issue or PR as related to documentation. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority and removed kind/feature Categorizes issue or PR as related to a new feature. labels Feb 14, 2025
@longwuyuan
Contributor

We don't test on GKE. Someone can potentially create a GKE cluster and reproduce, but it costs money and time. Have you found the right way to enable proxy-protocol already and are just reporting this as a docs error? Or have you not been able to enable proxy protocol on the GCP LB?

@mzglinski
Author

I'm reporting this as a docs error. To the best of my knowledge, a way to achieve this would involve:

  • configuring ingress service with a Cluster type, and setting up a NEG for it
  • creating proxy load balancer service manually (via Web UI, gcloud or terraform)

Probably something else. After realizing that, I did not follow that route. My goal was to switch to proxy protocol to retain real IP addresses, but in the end I decided that the added complexity is not worth it when the alternative exists (using DaemonSet and setting externalTrafficPolicy: Local).
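
The alternative named in the comment above (DaemonSet plus externalTrafficPolicy: Local), written as Helm values for the ingress-nginx chart. This is an added example, not part of the original comment or the project's documentation; it assumes the chart's `controller.kind`, `controller.service.externalTrafficPolicy` and `controller.config` values, and the file name is hypothetical.

```yaml
# values-gke-client-ip.yaml (hypothetical file name; added example)
controller:
  # One controller pod per node, so every node the passthrough
  # load balancer can pick has a local endpoint to deliver to.
  kind: DaemonSet
  service:
    type: LoadBalancer
    # Local: kube-proxy delivers only to pods on the receiving node and
    # does not SNAT, so NGINX sees the real client address. Nodes without
    # a controller pod fail the load balancer health check.
    externalTrafficPolicy: Local
  config:
    # The default GKE passthrough load balancer does not send a PROXY
    # protocol header, so NGINX must not expect one. Enabling this here
    # would make NGINX reject connections with a broken-header error.
    use-proxy-protocol: "false"
```

After applying, `$remote_addr` in the controller's access log should show the client's address rather than a node or pod-network address.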

@longwuyuan
Contributor

I am not convinced until I get reliable data. I think the effort is limited to editing the LB created by the ingress-controller install. But it will be a while before I can test.

@Gacko will comment if he already knows more details about this.

@mzglinski
Author

That is the issue here: you do not have that option for the LB created by the ingress-controller install. These screenshots are from my project:

[Three screenshots]

@strongjz
Member

@mzglinski We do not test configurations against clouds regularly in our CI; it is only with kind; docs go out of date as providers update services; it may have worked at one time. Please don't hesitate to update the documentation to reflect a known working status.

@strongjz strongjz added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Feb 14, 2025
@strongjz
Member

/priority backlog
/triage accepted

@k8s-ci-robot k8s-ci-robot added priority/backlog Higher priority than priority/awaiting-more-evidence. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 14, 2025