Bug 1426562 - [RFE] Limit access to particular routes to a set of source IPs
Summary: [RFE] Limit access to particular routes to a set of source IPs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Phil Cameron
QA Contact: Yan Du
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-24 10:16 UTC by Sergi Jimenez Romero
Modified: 2020-12-14 08:15 UTC
CC List: 8 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Add whitelist to haproxy
Reason: Need to limit source of request to a route to a set of CIDRs
Result:
Clone Of:
Environment:
Last Closed: 2017-08-16 19:38:23 UTC
Target Upstream Version:
Embargoed:




Links
System           ID     Private  Priority  Status  Summary  Last Updated
Origin (Github)  14536  0        None      None    None     2017-06-14 18:00:35 UTC

Description Sergi Jimenez Romero 2017-02-24 10:16:21 UTC
From the RFE template:

> 3. What is the nature and description of the request?  

Some production environments with high security constraints require the ability to limit/control the access to published services.

The RFE is to have the ability to specify a source IP or range of IPs (CIDR format) for limiting access at route level.

> 4. Why does the customer need this? (List the business requirements here)  

Customer needs to meet their IT security policies.

> 5. How would the customer like to achieve this? (List the functional requirements here)  

As a user, I want to be able to restrict access to a given route so that only a set of source IPs can access it. 

With "a set of source IPs", I mean a list of one or more CIDR prefixes.


> 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

* Example scenario: An application pod is created with a route which limits access to a given set of IPs.

* Example use case: Running some portals on OpenShift that only a CDN (e.g. Akamai) would have access to. Limiting the route to only allow requests from the CDN's range of IPs.

> 10. List any affected packages or components.  
Router

Comment 5 Phil Cameron 2017-06-12 17:13:40 UTC
origin PR 14536

Comment 6 Phil Cameron 2017-06-16 13:06:25 UTC
https://github.com/openshift/origin/pull/14536 MERGED

Comment 7 openshift-github-bot 2017-06-20 14:46:12 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/4e2929b48545cc156fb78a91a08545d1ea5a65bc
Route security management by end user

Openshift 3.6

Add a new route annotation "haproxy.router.openshift.io/ip_whitelist"
that specifies a space separated list of white listed source IP
addresses and/or CIDRs. Requests from IP addresses that are not in
the whitelist are dropped.

origin PR 14536
https://github.com/openshift/origin/pull/14536

Trello: TbZPhHKE Route security management by end user
https://trello.com/c/TbZPhHKE/

Bug: 1426562
https://bugzilla.redhat.com/show_bug.cgi?id=1426562
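The commit message above describes the annotation but not how to set it or what the value must look like. As an added example (not code from this bug, the PR, or OpenShift itself), the Python helper below validates a whitelist value the way a practitioner would before applying it, models the source-address check the annotation turns on, and builds the `oc annotate` command that applies it. The `oc annotate ... --overwrite` syntax is standard oc usage; the route name `portal` and the address ranges are constructed for illustration and are not any real CDN's ranges.

```python
import ipaddress

# Route annotation introduced by origin PR 14536 (OpenShift 3.6).
ANNOTATION = "haproxy.router.openshift.io/ip_whitelist"


def validate_whitelist(value):
    """Return the tokens in a whitelist value that are not a valid IP address
    or CIDR prefix. An empty list means every token parsed."""
    bad = []
    for token in value.split():
        try:
            # strict=False accepts host bits under the mask (e.g. 10.1.2.3/8);
            # HAProxy applies the mask the same way, so this mirrors the router.
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            bad.append(token)
    return bad


def parse_whitelist(value):
    """Parse the space-separated annotation value into network objects.
    Bare addresses become single-host networks (/32 or /128)."""
    bad = validate_whitelist(value)
    if bad:
        raise ValueError(f"invalid whitelist entries: {bad}")
    nets = [ipaddress.ip_network(t, strict=False) for t in value.split()]
    if not nets:
        # Design choice of this example: refuse an empty list rather than
        # guess how the router template treats it.
        raise ValueError("whitelist is empty")
    return nets


def is_allowed(src_ip, whitelist):
    """True if src_ip falls inside any whitelisted network. This models the
    HAProxy 'src' match on the connection's source address, which is what
    the annotation controls; a request from elsewhere is dropped."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in whitelist)


def annotate_command(route, value):
    """Build the oc command that applies the annotation, validating the value
    first so a typo does not silently lock out (or let in) the wrong clients."""
    parse_whitelist(value)
    return f'oc annotate route {route} {ANNOTATION}="{value}" --overwrite'


if __name__ == "__main__":
    # Constructed example: a portal that should only be reachable from a
    # CDN's published ranges plus one management host (documentation and
    # private ranges only).
    cdn_whitelist = "203.0.113.0/24 198.51.100.0/24 10.1.2.3"
    wl = parse_whitelist(cdn_whitelist)
    print(annotate_command("portal", cdn_whitelist))
    for client in ("203.0.113.42", "10.1.2.3", "10.1.2.4", "192.0.2.9"):
        verdict = "allowed" if is_allowed(client, wl) else "rejected"
        print(f"{client:>14} -> {verdict}")
    print("bad tokens:", validate_whitelist("10.0.0.0/8 10.0.0.256 foo"))
```

One caveat worth checking before relying on this control: the router compares the source address of the TCP connection as the router pod sees it. If a load balancer in front of the router terminates client connections without passing the original client address through (for example, without PROXY protocol), the whitelist will be evaluated against the balancer's address, not the end client's. Verify with a request from an address outside the list, as the QA comment below does, rather than only from one inside it.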

Comment 9 Yan Du 2017-07-13 02:58:10 UTC
Tested on latest OCP env
openshift v3.6.140
kubernetes v1.6.1+5115d708d7

"haproxy.router.openshift.io/ip_whitelist" works well for routes: after setting IPs or an IP range in the annotation, only the hosts in the whitelist have permission to access the route.

