From the RFE template:

> 3. What is the nature and description of the request?

Some production environments with high security constraints require the ability to limit/control access to published services. The RFE is to have the ability to specify a source IP or range of IPs (CIDR format) for limiting access at route level.

> 4. Why does the customer need this? (List the business requirements here)

Customer needs to meet their IT security policies.

> 5. How would the customer like to achieve this? (List the functional requirements here)

As a user, I want to be able to restrict access to a given route so that only a set of source IPs can access it. By "a set of source IPs", I mean a list of one or more CIDR prefixes.

> 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

* Example scenario: An application pod is created with a route which limits access to a given set of IPs.
* Example use case: Running some portals on OpenShift that only a CDN (e.g. Akamai) would have access to. Limiting the route to only allow requests from the CDN's range of IPs.

> 10. List any affected packages or components.

Router
origin PR 14536
https://github.com/openshift/origin/pull/14536 MERGED
Commit pushed to master at https://github.com/openshift/openshift-docs
https://github.com/openshift/openshift-docs/commit/4e2929b48545cc156fb78a91a08545d1ea5a65bc

Route security management by end user

Openshift 3.6

Add a new route annotation "haproxy.router.openshift.io/ip_whitelist" that specifies a space-separated list of whitelisted source IP addresses and/or CIDRs. Requests from IP addresses that are not in the whitelist are dropped.

origin PR 14536 https://github.com/openshift/origin/pull/14536
Trello: TbZPhHKE Route security management by end user https://trello.com/c/TbZPhHKE/
Bug: 1426562 https://bugzilla.redhat.com/show_bug.cgi?id=1426562
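The commit message above defines the annotation's value format (space-separated IPs and/or CIDRs) and its semantics (requests from any other source address are dropped). The following is an added example, not code from the origin PR or the router's HAProxy template: a small Python model of that decision, useful for sanity-checking a whitelist value before annotating a route. The sample annotation value and the source addresses are constructed for illustration; the handling of an empty or malformed list (deny by default, skip and report unparseable tokens) is this model's own choice and is not described on the page.

```python
import ipaddress

# Constructed sample annotation value in the format the commit message
# describes: space-separated bare IPs and CIDRs. The addresses are made up.
SAMPLE_WHITELIST = "192.168.1.10 192.168.1.11 192.168.1.0/24 2001:db8::/32"


def parse_whitelist(value):
    """Parse an ip_whitelist annotation value into ip_network objects.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network. Tokens that
    are neither a valid address nor a valid CIDR are skipped and returned
    separately so a typo is visible instead of silently widening or
    disabling the list (a choice of this model, not documented behaviour).
    """
    networks = []
    rejected = []
    for token in value.split():
        try:
            # strict=False accepts host bits set in a CIDR, e.g. 10.1.2.3/8
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            rejected.append(token)
    return networks, rejected


def is_allowed(source_ip, networks):
    """True if source_ip lies inside any whitelisted network.

    Deny by default: an unparseable source address, an empty list, or an
    address family with no matching entry all yield False. ipaddress never
    matches an IPv4 address against an IPv6 network (or vice versa).
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def check(annotation_value, source_ip):
    """Decide allow/drop for one source address against one annotation value."""
    networks, _rejected = parse_whitelist(annotation_value)
    return is_allowed(source_ip, networks)


if __name__ == "__main__":
    for ip in ["192.168.1.10", "192.168.1.200", "10.0.0.5", "2001:db8::1"]:
        print(ip, "allowed" if check(SAMPLE_WHITELIST, ip) else "dropped")
```

To apply a value on a real route, quote it so the shell keeps the spaces, e.g. `oc annotate route <name> haproxy.router.openshift.io/ip_whitelist="192.168.1.10 192.168.1.0/24"`. One caveat for the CDN use case from the RFE: the address the router filters on is the source of the connection it receives, so if another load balancer sits between the CDN and the router, the whitelist would need to contain that balancer's addresses (or the router would need to learn the original client address, which this page does not cover).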
Tested on the latest OCP env:
openshift v3.6.140
kubernetes v1.6.1+5115d708d7

"haproxy.router.openshift.io/ip_whitelist" works well for the route: after setting IPs or an IP range in the annotation, only hosts in the whitelist have permission to access the route.