Rate Limiting#

This was built as a go service to ingest logs and then limit IPs.

Adding PVC#

apiVersion: v1
kind: PersistentVolume
metadata:
  name: traefik-pv
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: traefik-local
  local:
    path: /var/lib/nik3sx/traefik
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - l-nodet

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: traefik-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: traefik-local
  resources:
    requests:
      storage: 2Gi
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-34.2.1+up34.2.0.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-

# Needed to add this persistence using the pvc
    persistence:
      enabled: true
      existingClaim: traefik-pvc
      path: /data
# End line addition

    deployment:
      podAnnotations:
        prometheus.io/port: "8082"
        prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
    priorityClassName: "system-cluster-critical"
    image:
      repository: "rancher/mirrored-library-traefik"
      tag: "3.3.6"

This allows us to access the access logs from the host for our go service.

Fixing issues with SNAT#

       effect: "NoSchedule"
     service:
       ipFamilyPolicy: "PreferDualStack"
+      spec:
+        externalTrafficPolicy: Local
     logs:
       access:
         enabled: true
@@ -94,8 +96,12 @@ spec:
     entryPoints:
       web:
         address: ":80"
+        forwardedHeaders:
+          insecure: true
       websecure:
         address: ":443"
+        forwardedHeaders:
+          insecure: true
     certificatesResolvers:
       le-staging:
         acme:

Make sure to add forwardedHeaders as well as setting the service spec externalTrafficPolicy to Local. This will ensure the real ip is shown of the request in the logs.