Route security management by end user #4590
Conversation
| @@ -807,6 +807,7 @@ For all the items outlined in this section, you can set annotations on the | |||
| |`*haproxy.router.openshift.io/rate-limit-connections.rate-tcp*`| Limits the rate at which an IP address can make TCP connections. | | |||
| |`*haproxy.router.openshift.io/timeout*` | Sets a server-side timeout for the route. xref:time-units[(TimeUnits)] | `ROUTER_DEFAULT_SERVER_TIMEOUT` | |||
| |`*router.openshift.io/haproxy.health.check.interval*`| Sets the interval for the back-end health checks. xref:time-units[(TimeUnits)] | `ROUTER_BACKEND_CHECK_INTERVAL` | |||
| |`*haproxy.router.openshift.io/p_whitelist*` | xref:whitelist[Whitelist] | | |||
There was a problem hiding this comment.
I think you need a little description here before the xref...
| == Route Specific IP Whitelists | ||
| You can restrict access to a route to a select set of IP addresses by using the | ||
| *haproxy.router.openshift.io/ip_whitelist* annotation on the route. The whitelist is a space | ||
| separated list of IP addresses and/or CIDRs for the approved users. Requests from |
There was a problem hiding this comment.
users isn't quite right... how about source addresses, or client addresses or something.
| Some examples: | ||
|
|
||
| When editing a route add the following annotation to define the desired | ||
| source ip's. Alternatively, oc annotate route <name> may be used. |
There was a problem hiding this comment.
Wrap the "code" in backticks please: oc annotate route <name>
| [[whitelist]] | ||
| == Route Specific IP Whitelists | ||
| You can restrict access to a route to a select set of IP addresses by using the | ||
| *haproxy.router.openshift.io/ip_whitelist* annotation on the route. The whitelist is a space |
There was a problem hiding this comment.
Why asterisks not backticks? I'd have thought we wanted to typeset them in fixed width.
| When editing a route add the following annotation to define the desired | ||
| source ip's. Alternatively, oc annotate route <name> may be used. | ||
|
|
||
| Allow only one ip: |
There was a problem hiding this comment.
OK. Cleaning up the rest in the description as well.
| haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 | ||
| ---- | ||
|
|
||
| Several ip's: |
| haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11 192.168.1.12 | ||
| ---- | ||
|
|
||
| Ip ranges: |
| haproxy.router.openshift.io/ip_whitelist: 192.168.1.0/24 | ||
| ---- | ||
|
|
||
| Ip's and ranges: |
There was a problem hiding this comment.
Mixed IP addresses and networks
| separated list of IP addresses and/or CIDRs for the approved users. Requests from | ||
| IP addresses that are not in the whitelist are dropped. | ||
|
|
||
| When the annotation is present for a route, an acl is set up in the route's haproxy backend with the whitelist. |
There was a problem hiding this comment.
s/acl/ACL
What is an ACL?
There was a problem hiding this comment.
Deleted 841. It is a level of detail that won't be interesting to the reader. The discussion is found in the haproxy 1.5 documentation. FYI haproxy includes addess control lists (acl). A list can be created and later used in the backend for different purposes. This PR uses the acl as a source of white list source IP addresses.
| Some examples: | ||
|
|
||
| When editing a route add the following annotation to define the desired | ||
| source ip's. Alternatively, oc annotate route <name> may be used. |
Openshift 3.6 Add a new route annotation "haproxy.router.openshift.io/ip_whitelist" that specifies a space separated list of white listed source IP addresses and/or CIDRs. Requests from IP addresses that are not in the whitelist are dropped. origin PR 14536 openshift/origin#14536 Trello: TbZPhHKE Route security management by end user https://trello.com/c/TbZPhHKE/ Bug: 1426562 https://bugzilla.redhat.com/show_bug.cgi?id=1426562
|
@knobunc @ahardin-rh PTAL |
|
LGTM |
|
[rev_history] |
Openshift 3.6
Add a new route annotation "haproxy.router.openshift.io/ip_whitelist"
that specifies a space separated list of white listed source IP
addresses and/or CIDRs. Requests from IP addresses that are not in
the whitelist are dropped.
origin PR 14536
openshift/origin#14536
Trello: TbZPhHKE Route security management by end user
https://trello.com/c/TbZPhHKE/
Bug: 1426562
https://bugzilla.redhat.com/show_bug.cgi?id=1426562