Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit access to particular routes to a set of source IPs #13709

Closed
fbac opened this issue Apr 11, 2017 · 3 comments
Closed

Limit access to particular routes to a set of source IPs #13709

fbac opened this issue Apr 11, 2017 · 3 comments
Assignees
@knobunc
Labels
component/routing lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/P2

Comments

@fbac
Copy link
Contributor

fbac commented Apr 11, 2017

Through a route annotation I want to be able to restrict the access to a route so that only a set of source IPs can access it.
Some use cases:

  • As a project admin, I want to publish a service in the internet to be accessed through an external CDN. Thus, I want that only sources from that CDN can access my service through the public routers of my provider (which are shared amongst many projects).
  • As a project admin, I want to publish a service in the internet that interacts with other third-party services. I want it not to be publicly accessible but only by other services that need to connect to it, through the public routers of my provider (which are shared amongst many projects).
@fbac fbac mentioned this issue Apr 11, 2017
Closed
@fbac fbac mentioned this issue Apr 12, 2017
Closed
pecameron added a commit to pecameron/origin that referenced this issue Jun 8, 2017
@pecameron
Route security management by end user
d6f1db8 
Add a new route annotation "haproxy.router.openshift.io/ip_whitelist"
that specifies a space separated list of white listed source IP
addresses and/or CIDRs. Requests from IP addresses that are not in
the whitelist are dropped.

When the annotation is present for a route a acl is set up in the
backend with the whitelist.

This PR addresses issue openshift#13709

Some examples:

When editing a route add the following annotation to define the desired
source ip's.

1) allow only one ip

haproxy.router.openshift.io/whitelist:
192.168.1.10

2) several ip's

haproxy.router.openshift.io/whitelist:
192.168.1.10 192.168.1.11 192.168.1.12

3) ip ranges

haproxy.router.openshift.io/whitelist:
192.168.1.0/24

4) ip's and ranges

haproxy.router.openshift.io/whitelist:
180.5.61.153 192.168.1.0/24 10.0.0.0/8

Trello: TbZPhHKE Route security management by end user
https://trello.com/c/TbZPhHKE/

Bug: 1426562
https://bugzilla.redhat.com/show_bug.cgi?id=1426562

Committer: pcameron@redhat.com
Author: aranda@redhat.com
@pecameron pecameron mentioned this issue Jun 8, 2017
Merged
pecameron added a commit to pecameron/origin that referenced this issue Jun 9, 2017
@pecameron
Route security management by end user
838abdf 
Add a new route annotation "haproxy.router.openshift.io/ip_whitelist"
that specifies a space separated list of white listed source IP
addresses and/or CIDRs. Requests from IP addresses that are not in
the whitelist are dropped.

When the annotation is present for a route a acl is set up in the
backend with the whitelist.

This PR addresses issue openshift#13709

Some examples:

When editing a route add the following annotation to define the desired
source ip's.

1) allow only one ip

haproxy.router.openshift.io/whitelist:
192.168.1.10

2) several ip's

haproxy.router.openshift.io/whitelist:
192.168.1.10 192.168.1.11 192.168.1.12

3) ip ranges

haproxy.router.openshift.io/whitelist:
192.168.1.0/24

4) ip's and ranges

haproxy.router.openshift.io/whitelist:
180.5.61.153 192.168.1.0/24 10.0.0.0/8

Trello: TbZPhHKE Route security management by end user
https://trello.com/c/TbZPhHKE/

Bug: 1426562
https://bugzilla.redhat.com/show_bug.cgi?id=1426562

Committer: pcameron@redhat.com
Author: aranda@redhat.com
pecameron added a commit to pecameron/origin that referenced this issue Jun 9, 2017
@pecameron
Route security management by end user
74c592d 
Add a new route annotation "haproxy.router.openshift.io/ip_whitelist"
that specifies a space separated list of white listed source IP
addresses and/or CIDRs. Requests from IP addresses that are not in
the whitelist are dropped.

When the annotation is present for a route a acl is set up in the
backend with the whitelist.

This PR addresses issue openshift#13709

Some examples:

When editing a route add the following annotation to define the desired
source ip's.

1) allow only one ip

haproxy.router.openshift.io/whitelist:
192.168.1.10

2) several ip's

haproxy.router.openshift.io/whitelist:
192.168.1.10 192.168.1.11 192.168.1.12

3) ip ranges

haproxy.router.openshift.io/whitelist:
192.168.1.0/24

4) ip's and ranges

haproxy.router.openshift.io/whitelist:
180.5.61.153 192.168.1.0/24 10.0.0.0/8

Trello: TbZPhHKE Route security management by end user
https://trello.com/c/TbZPhHKE/

Bug: 1426562
https://bugzilla.redhat.com/show_bug.cgi?id=1426562

Committer: pcameron@redhat.com
Author: aranda@redhat.com
pecameron added a commit to pecameron/origin that referenced this issue Jun 12, 2017
@pecameron
Route security management by end user
7c4719f 
Add a new route annotation "haproxy.router.openshift.io/ip_whitelist"
that specifies a space separated list of white listed source IP
addresses and/or CIDRs. Requests from IP addresses that are not in
the whitelist are dropped.

When the annotation is present for a route a acl is set up in the
backend with the whitelist.

This PR addresses issue openshift#13709

Some examples:

When editing a route add the following annotation to define the desired
source ip's.

1) allow only one ip

haproxy.router.openshift.io/whitelist:
192.168.1.10

2) several ip's

haproxy.router.openshift.io/whitelist:
192.168.1.10 192.168.1.11 192.168.1.12

3) ip ranges

haproxy.router.openshift.io/whitelist:
192.168.1.0/24

4) ip's and ranges

haproxy.router.openshift.io/whitelist:
180.5.61.153 192.168.1.0/24 10.0.0.0/8

Trello: TbZPhHKE Route security management by end user
https://trello.com/c/TbZPhHKE/

Bug: 1426562
https://bugzilla.redhat.com/show_bug.cgi?id=1426562

Committer: pcameron@redhat.com
Author: aranda@redhat.com
@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 10, 2018
@openshift-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci-robot openshift-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 14, 2018
@fbac
Copy link
Contributor Author

fbac commented Mar 14, 2018

This can be closed, it was implemented back in 3.3

/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@knobunc knobunc

Labels
component/routing lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/P2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@openshift-bot @pweil- @knobunc @fbac @openshift-ci-robot