Preserving original external source IP address information for HTTPS traffic through an Nginx ingress controller for Kubernetes clusters

The problem

In a Kubernetes cluster configured with an Nginx ingress controller (and Envoy proxy), HTTPS traffic from external IP sources to a pod within the cluster has the source IP address translated to an internal address (such as after it passes through the ingress controller. The original source IP address is lost, and cannot be attached to the HTTPS header (as in this solution, for HTTP) since it is encrypted.
This makes it difficult to define network rules to govern external IP sources.

The solution

There are a few solutions for this situation, that will allow the original source IP address to be recovered, (and attached to the HTTPS header), and allow network rules to be defined.

  1. Use HTTP instead of HTTPS, if at all possible. This will allow the solution , already publicized by Panoptica.
  2. Use the Istio ingress controller instead of Nginx.
  3. Disable the Envoy proxy, with this setting in nginx-ingress deployment file: ""

This will disable external host authentication, and prevent the envoy proxy from intercepting the inbound connection to nginx.