
Filtering traffic inbound from the outside of the cluster with Routes IP whitelists

In Kubernetes, the components responsible for allowing the outside world to access services hosted within the cluster are called "ingresses". Openshift historically developed its own ingress controller (called a "router") and, with the standardization of ingresses in the Kubernetes ecosystem, it became "openshift-ingress". The resource that configures ingresses is called a Route, by extension of the historic component name.

Note

The generic Ingress resource is also available in Kubernetes and Openshift but, in the context of the WoK platform, it only acts as an "interface" for the Route resource. It can be completely overlooked and is mostly used unknowingly, for compatibility reasons. When reading external documentation sources, you can usually use Routes wherever they refer to Ingresses.

Routes define how the openshift-ingress controller will allow network traffic to flow into the cluster. This of course depends on preexisting NetworkPolicies allowing such traffic in the first place.

Defining an IP Whitelist for a Route

An IP whitelist is a mechanism that filters network traffic at the Ingress Controller level. It is quite simple and works with IP addresses and CIDR ranges to segregate traffic. To define an IP whitelist on a Route, set the haproxy.router.openshift.io/ip_whitelist annotation to a whitespace-separated list of the IP addresses and/or CIDR ranges that you want to "whitelist" (i.e. allow):

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: myroute
  namespace: myns
  [...]
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 2.34.145.23 23.33.90.101 15.16.0.0/16
spec:
  [...]

When this annotation is not present, all traffic is allowed to flow through the ingress. This is the default behavior.

Note

Writing 2.34.145.23 is the same as writing 2.34.145.23/32. Netmask-based notations (e.g. an address followed by a dotted mask) are not allowed here.
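To check a Route manifest before applying it, the following added example (not part of the WoK documentation or of openshift-ingress itself) parses the annotation value with the rules described above: bare addresses count as /32, netmask notation is rejected, and a missing annotation means everything is allowed. The Route is assumed to be loaded as a plain Python dict, and the sample values are constructed.

```python
import ipaddress

ANNOTATION = "haproxy.router.openshift.io/ip_whitelist"

# Constructed sample Route, mirroring the manifest above (not a real cluster object).
SAMPLE_ROUTE = {
    "kind": "Route",
    "metadata": {
        "name": "myroute",
        "namespace": "myns",
        "annotations": {ANNOTATION: "2.34.145.23 23.33.90.101 15.16.0.0/16"},
    },
}


def parse_whitelist(value):
    """Parse the whitespace-separated annotation value into IP networks.

    A bare address becomes a /32 (or /128 for IPv6) host entry. Netmask
    notation such as 10.0.0.0/255.0.0.0 is refused, and, as a choice of this
    helper, so is a CIDR with host bits set (strict=True), so a malformed
    value fails loudly instead of silently widening the allowed set.
    """
    networks = []
    for token in value.split():
        if "/" in token and not token.rsplit("/", 1)[1].isdigit():
            raise ValueError(f"netmask notation not allowed: {token}")
        networks.append(ipaddress.ip_network(token, strict=True))
    return networks


def is_allowed(route, client_ip):
    """Return True if client_ip would pass the Route's whitelist.

    No annotation means no filtering at all, which is the default behavior.
    """
    annotations = route.get("metadata", {}).get("annotations", {})
    value = annotations.get(ANNOTATION)
    if value is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_whitelist(value))
```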

More help on Route specific annotations can be found in the documentation.