Bug 1572633 - Add other ACL rules and features to Route Ip_Whitelist
Summary: Add other ACL rules and features to Route Ip_Whitelist
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.6.1
Hardware: All
OS: Unspecified
high
high
Target Milestone: ---
: ---
Assignee: Ben Bennett
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-27 13:07 UTC by Andre Costa
Modified: 2019-04-18 22:27 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-18 22:27:44 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Andre Costa 2018-04-27 13:07:12 UTC
Current scenario:

    - They have a F5 BIG-IP as the external loadbalancer for their OCP cluster and HAProxy router as the default infrastructure router inside the Openshift cluster.
    - They wanted to limit the client access on some applications so they have implemented the haproxy.router.openshift.io/ip_whitelist, which is working as this is supposed to work. The IP that arrives at the OCP router, it looks at it and applies the acl rule posted by this annotation and in this case the IP address/range from the F5 BIG-IP (which in my opinion makes sense??).

 https://github.com/openshift/ose/blob/a522829e8bdb88e7708577ac28775d4aba7bb1c9/images/router/haproxy/conf/haproxy-config.template

# Secure backend, pass through
backend be_tcp:{{$cfgIdx}}
{{- if ne (env "ROUTER_SYSLOG_ADDRESS") ""}}
option tcplog
{{- end }}
{{- with $balanceAlgo := firstMatch "roundrobin|leastconn|source" (index $cfg.Annotations "haproxy.router.openshift.io/balance") (env "ROUTER_LOAD_BALANCE_ALGORITHM") }}
balance {{ $balanceAlgo }}
{{- else }}
balance {{ if gt $cfg.ActiveServiceUnits 1 }}roundrobin{{ else }}source{{ end }}
{{- end }}
{{- with $ip_whiteList := firstMatch $cidrListPattern (index $cfg.Annotations "haproxy.router.openshift.io/ip_whitelist") }}
acl whitelist src {{$ip_whiteList}}
tcp-request content reject if !whitelist
{{- end }}
{{- with $value := firstMatch $timeSpecPattern (index $cfg.Annotations "haproxy.router.openshift.io/timeout")}}
timeout tunnel {{$value}}
{{- end }}
    
   Request (issue) from the customer:

    - They were trying to use only the IP from the client trying to access the application on Openshift and the access was denied. When using the IP coming from the F5 on the annotation it started to work again. I've explained that this is the normal taking in consideration the code above.

    - They tried to use the XFF header to carry the IP of the client and enabled this feature on the F5 as well, but still doesn't work, which I assume is normal because the ACL implemented listens to source CIDR addresses, so it always takes in consideration the address space coming from the F5.

Comment 4 Ben Bennett 2018-05-29 16:43:00 UTC
Would it make sense to enable proxy protocol support in the F5 and the router so that the source IP address is sent that way and then haproxy will view the IP address that was passed over the proxy protocol as the source?


Note You need to log in before you can comment on or make changes to this bug.