Red Hat Bugzilla – Bug 1473152
[free-stg][free-int][starter-us-west/east] User should be able to control access whitelist for routes
Last modified: 2017-11-09 13:46:33 EST
Description of problem:
Related OCP feature: https://trello.com/c/TbZPhHKE/21-3-route-security-management-by-end-user-ingress
User cannot control the access for route in free online env.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create route
2. Set the access control by the env
oc annotate route route1 --overwrite haproxy.router.openshift.io/ip_whitelist='10.66.140.100'
3. Access the route with client IP which is not in the whitelist
Can access the route.
Should not be able to access.
This is probably because the haproxy template is out of sync.
Starter tier clusters now use the same default router template that ships with OCP. This issue should now be resolved.
Found free-int still using the custom template
- name: TEMPLATE_FILE
So please move this bug to ON_QA once it's upgrade, thanks
If we use the same template with the OCP one, how do we limit the function for some of the route like before? Eg, cannot create custom domain for some kind of routes.
We will restrict custom domains by removing the policy rule that grants create access to the routes/custom-host resource.
free-int and free-stg now should have the standard router template.
verified this bug on free-int (v3.7.0-0.104.0), free-stg(v18.104.22.168.5)