Route security management by end user #4590
@@ -807,6 +807,7 @@ For all the items outlined in this section, you can set annotations on the | |||
|`*haproxy.router.openshift.io/rate-limit-connections.rate-tcp*`| Limits the rate at which an IP address can make TCP connections. | | |||
|`*haproxy.router.openshift.io/timeout*` | Sets a server-side timeout for the route. xref:time-units[(TimeUnits)] | `ROUTER_DEFAULT_SERVER_TIMEOUT` | |||
|`*router.openshift.io/haproxy.health.check.interval*`| Sets the interval for the back-end health checks. xref:time-units[(TimeUnits)] | `ROUTER_BACKEND_CHECK_INTERVAL` | |||
|`*haproxy.router.openshift.io/p_whitelist*` | xref:whitelist[Whitelist] | |
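Review bot: the annotation key in the new table row, `*haproxy.router.openshift.io/p_whitelist*`, does not match `haproxy.router.openshift.io/ip_whitelist` used in the section it links to and in the PR description; use `ip_whitelist` everywhere so a reader copying the key from the table gets the one the router honours. The description cell is also only the xref; give it a one-line summary such as `Restricts the route to requests from the listed IP addresses and/or CIDRs; see xref:whitelist[Whitelist].` so the row reads like the others in the table.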
I think you need a little description here before the xref...
OK
== Route Specific IP Whitelists | ||
You can restrict access to a route to a select set of IP addresses by using the | ||
*haproxy.router.openshift.io/ip_whitelist* annotation on the route. The whitelist is a space | ||
separated list of IP addresses and/or CIDRs for the approved users. Requests from |
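Review bot: `for the approved users` describes the wrong thing; the whitelist is matched against the source IP address of the connection, not against a user identity, so say `client source addresses`. It would also help to state explicitly which address is compared, the one the router sees on the connection, so readers who run a load balancer or proxy in front of the router know what the whitelist will actually match. `space separated` should be hyphenated as `space-separated`.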
users isn't quite right... how about source addresses, or client addresses or something.
Changed.
Some examples: | ||
|
||
When editing a route add the following annotation to define the desired | ||
source ip's. Alternatively, oc annotate route <name> may be used. |
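Review bot: `oc annotate route <name> may be used` leaves out the argument that does the work; show the complete command with the key and value, e.g. `oc annotate route <name> haproxy.router.openshift.io/ip_whitelist="192.168.1.10 192.168.1.0/24"`, and note that the value must be quoted because it contains spaces. `ip's` should be `IPs`, and the command belongs in backticks.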
Wrap the "code" in backticks please: oc annotate route <name>
OK
[[whitelist]] | ||
== Route Specific IP Whitelists | ||
You can restrict access to a route to a select set of IP addresses by using the | ||
*haproxy.router.openshift.io/ip_whitelist* annotation on the route. The whitelist is a space |
Why asterisks not backticks? I'd have thought we wanted to typeset them in fixed width.
Got me... I changed them.
When editing a route add the following annotation to define the desired | ||
source ip's. Alternatively, oc annotate route <name> may be used. | ||
|
||
Allow only one ip: |
IP address
OK. Cleaning up the rest in the description as well.
haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 | ||
---- | ||
|
||
Several ip's: |
IP addresses
OK
haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11 192.168.1.12 | ||
---- | ||
|
||
Ip ranges: |
IP CIDR network
OK
haproxy.router.openshift.io/ip_whitelist: 192.168.1.0/24 | ||
---- | ||
|
||
Ip's and ranges: |
Mixed IP addresses and networks
OK
separated list of IP addresses and/or CIDRs for the approved users. Requests from | ||
IP addresses that are not in the whitelist are dropped. | ||
|
||
When the annotation is present for a route, an acl is set up in the route's haproxy backend with the whitelist. |
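Review bot: `an acl is set up` should read `ACL`, and since the term is not explained anywhere on the page either expand it as access control list or drop the sentence; the behaviour the reader needs is already stated in the line above, that requests from addresses not in the list are dropped. Consider also saying what a client observes when its request is dropped, so an operator can tell a whitelist rejection apart from an unreachable route while debugging.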
s/acl/ACL
What is an ACL?
Deleted 841. It is a level of detail that won't be interesting to the reader. The discussion is found in the haproxy 1.5 documentation. FYI haproxy includes address control lists (acl). A list can be created and later used in the backend for different purposes. This PR uses the acl as a source of white list source IP addresses.
Some examples: | ||
|
||
When editing a route add the following annotation to define the desired | ||
source ip's. Alternatively, oc annotate route <name> may be used. |
s/ip's/IPs
Changed.
Openshift 3.6
Add a new route annotation "haproxy.router.openshift.io/ip_whitelist"
that specifies a space separated list of white listed source IP
addresses and/or CIDRs. Requests from IP addresses that are not in
the whitelist are dropped.
origin PR 14536
openshift/origin#14536
Trello: TbZPhHKE Route security management by end user
https://trello.com/c/TbZPhHKE/
Bug: 1426562
https://bugzilla.redhat.com/show_bug.cgi?id=1426562
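The allow/drop semantics the PR description specifies, as an added example that is not code from this PR or from the OpenShift router: a small Go parser for the space-separated list of IP addresses and/or CIDRs, plus the source-address check that decides whether a request passes. It assumes a bare address means exactly that one host and that IPv6 entries are accepted; the page shows only IPv4 examples, so the IPv6 handling is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Whitelist is the parsed form of a haproxy.router.openshift.io/ip_whitelist value.
type Whitelist []*net.IPNet

// ParseWhitelist parses the space-separated IPs and/or CIDRs. A bare address becomes
// a single-host network; any malformed entry rejects the whole value (fail closed).
func ParseWhitelist(value string) (Whitelist, error) {
	var wl Whitelist
	for _, entry := range strings.Fields(value) {
		if !strings.Contains(entry, "/") {
			ip := net.ParseIP(entry)
			if ip == nil {
				return nil, fmt.Errorf("invalid IP address %q", entry)
			}
			suffix := "/128" // IPv6 host (assumed accepted; the docs show IPv4 only)
			if ip.To4() != nil {
				suffix = "/32" // IPv4 host
			}
			entry += suffix
		}
		_, n, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %v", entry, err)
		}
		wl = append(wl, n)
	}
	return wl, nil
}

// Allows reports whether a request from source address src passes the whitelist.
// An empty list or no match means the request is dropped, as the annotation specifies.
func (wl Whitelist) Allows(src string) bool {
	ip := net.ParseIP(src)
	if ip == nil {
		return false
	}
	for _, n := range wl {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
```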
@knobunc @ahardin-rh PTAL
LGTM