1572633 – Add other ACL rules and features to Route Ip_Whitelist

Bug 1572633 - Add other ACL rules and features to Route Ip_Whitelist

Summary: Add other ACL rules and features to Route Ip_Whitelist

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	RFE
Sub Component:
Version:	3.6.1
Hardware:	All
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Ben Bennett
QA Contact:	Xiaoli Tian
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-27 13:07 UTC by Andre Costa
Modified:	2021-09-09 13:53 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-04-18 22:27:44 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Andre Costa 2018-04-27 13:07:12 UTC

Current scenario:

    - They have a F5 BIG-IP as the external loadbalancer for their OCP cluster and HAProxy router as the default infrastructure router inside the Openshift cluster.
    - They wanted to limit the client access on some applications so they have implemented the haproxy.router.openshift.io/ip_whitelist, which is working as this is supposed to work. The IP that arrives at the OCP router, it looks at it and applies the acl rule posted by this annotation and in this case the IP address/range from the F5 BIG-IP (which in my opinion makes sense??).

 https://github.com/openshift/ose/blob/a522829e8bdb88e7708577ac28775d4aba7bb1c9/images/router/haproxy/conf/haproxy-config.template

# Secure backend, pass through
backend be_tcp:{{$cfgIdx}}
{{- if ne (env "ROUTER_SYSLOG_ADDRESS") ""}}
option tcplog
{{- end }}
{{- with $balanceAlgo := firstMatch "roundrobin|leastconn|source" (index $cfg.Annotations "haproxy.router.openshift.io/balance") (env "ROUTER_LOAD_BALANCE_ALGORITHM") }}
balance {{ $balanceAlgo }}
{{- else }}
balance {{ if gt $cfg.ActiveServiceUnits 1 }}roundrobin{{ else }}source{{ end }}
{{- end }}
{{- with $ip_whiteList := firstMatch $cidrListPattern (index $cfg.Annotations "haproxy.router.openshift.io/ip_whitelist") }}
acl whitelist src {{$ip_whiteList}}
tcp-request content reject if !whitelist
{{- end }}
{{- with $value := firstMatch $timeSpecPattern (index $cfg.Annotations "haproxy.router.openshift.io/timeout")}}
timeout tunnel {{$value}}
{{- end }}
    
   Request (issue) from the customer:

    - They were trying to use only the IP from the client trying to access the application on Openshift and the access was denied. When using the IP coming from the F5 on the annotation it started to work again. I've explained that this is the normal taking in consideration the code above.

    - They tried to use the XFF header to carry the IP of the client and enabled this feature on the F5 as well, but still doesn't work, which I assume is normal because the ACL implemented listens to source CIDR addresses, so it always takes in consideration the address space coming from the F5.

Comment 4 Ben Bennett 2018-05-29 16:43:00 UTC

Would it make sense to enable proxy protocol support in the F5 and the router so that the source IP address is sent that way and then haproxy will view the IP address that was passed over the proxy protocol as the source?

Note You need to log in before you can comment on or make changes to this bug.