Description of problem:
Related OCP feature: https://trello.com/c/TbZPhHKE/21-3-route-security-management-by-end-user-ingress
User cannot control the access for route in free online env.

Version-Release number of selected component (if applicable):
v3.6.152.0

How reproducible:
always

Steps to Reproduce:
1. Create route
2. Set the access control by the env
   oc annotate route route1 --overwrite haproxy.router.openshift.io/ip_whitelist='10.66.140.100'
3. Access the route with client IP which is not in the whitelist

Actual results:
Can access the route.

Expected results:
Should not be able to access.

Additional info:
This is probably because the haproxy template is out of sync.
Starter tier clusters now use the same default router template that ships with OCP. This issue should now be resolved.
Found free-int still using the custom template:

    - name: TEMPLATE_FILE
      value: /var/lib/haproxy/conf/custom/haproxy-config.template

So please move this bug to ON_QA once it's upgraded, thanks.
Hi Abhishek, If we use the same template as the OCP one, how do we limit the function for some of the routes like before? E.g., cannot create custom domain for some kinds of routes. Thanks.
Hi Bo, We will restrict custom domains by removing the policy rule that grants create access to the routes/custom-host resource.
free-int and free-stg now should have the standard router template.
Verified this bug on free-int (v3.7.0-0.104.0), free-stg (v3.6.173.0.5).
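
A regression check for the behaviour reported in this bug, as an added example that is not part of the original report or of OpenShift's own code. It computes the decision a router honouring `haproxy.router.openshift.io/ip_whitelist` should make and flags probes that got through anyway, assuming the annotation value is a space-separated list of IPs and/or CIDRs. `route1` and `10.66.140.100` come from the report; the other routes, addresses, probe results and all function names are constructed for illustration.

```python
import ipaddress

ANNOTATION = "haproxy.router.openshift.io/ip_whitelist"

def parse_whitelist(value):
    """Parse the annotation value (assumed: space-separated IPs and/or CIDRs)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]

def expected_allowed(annotations, client_ip):
    """Decision a router that honours the annotation should make."""
    value = annotations.get(ANNOTATION, "").strip()
    if not value:
        return True  # no whitelist set: the route is open to every source
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_whitelist(value))

def find_unenforced(routes, probes):
    """Return (route, client_ip) pairs that got a response but should not have."""
    findings = []
    for route, client_ip, got_response in probes:
        if got_response and not expected_allowed(routes[route], client_ip):
            findings.append((route, client_ip))
    return findings

# Constructed sample data: route name -> annotations on that route.
ROUTES = {
    "route1": {ANNOTATION: "10.66.140.100"},
    "route2": {ANNOTATION: "192.168.1.0/24 10.0.0.5"},
    "route3": {},
}
# Constructed probe results: (route, client source IP, got a response?).
PROBES = [
    ("route1", "10.66.140.100", True),   # whitelisted client, allowed
    ("route1", "10.66.140.101", True),   # the symptom reported in this bug
    ("route2", "192.168.1.77", True),    # inside the whitelisted CIDR
    ("route2", "172.16.0.9", False),     # correctly rejected
    ("route3", "172.16.0.9", True),      # no annotation, open route
]

if __name__ == "__main__":
    for route, ip in find_unenforced(ROUTES, PROBES):
        print(f"{route}: {ip} reached the route but is not in {ANNOTATION}")
```

Any finding means the annotation is set on the route but the router is not enforcing it, which is the symptom this bug attributes to the out-of-sync custom template.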