ptrk

Reputation: 1840

How to apply IP whitelisting to OpenShift routes/services

Say there are two domains, one public, the other restricted to a few selected source IPs:

public.example.com   10.0.0.1
private.example.com  10.0.0.2

Now, the whitelisting is applied on an external firewall, which then passes the requests on to the OpenShift router. I have discovered that it's enough to send the "private" domain name in the "host" header of the public request to actually get the contents from the "private" service:

curl https://public.example.com --header "host: private.example.com"

got me the contents I was not expecting to see.

What options do I have to actually secure it on the networking level?

Upvotes: 1

Views: 5139

Answers (1)

Will Gordon

Reputation: 3573

You can add an annotation to the route to enforce IP whitelisting.

metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11 192.168.1.12

https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html#whitelist

Upvotes: 5
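An added example, not part of the answer above or of OpenShift's own code: a Python audit sketch that reads route objects shaped like `oc get routes -o json` output, reports restricted hosts that lack the ip_whitelist annotation, and models why a router-side whitelist closes the Host header gap from the question (the route is chosen by Host header, then the source IP is checked against that route's list). The route names, the `private-old.example.com` host, and the source IPs are constructed; the sketch assumes the router sees the real client source IP.

```python
import ipaddress
import json

ANNOTATION = "haproxy.router.openshift.io/ip_whitelist"

# Constructed sample shaped like `oc get routes -o json`; names are hypothetical.
SAMPLE_ROUTES = json.loads("""
{"items": [
  {"metadata": {"name": "public", "annotations": {}},
   "spec": {"host": "public.example.com"}},
  {"metadata": {"name": "private",
                "annotations": {"haproxy.router.openshift.io/ip_whitelist":
                                "192.168.1.10 192.168.1.11 192.168.1.12"}},
   "spec": {"host": "private.example.com"}},
  {"metadata": {"name": "private-old"},
   "spec": {"host": "private-old.example.com"}}
]}
""")


def whitelist_for(route):
    """Parse the space-separated annotation into networks; None if missing.
    An empty value is reported as missing so the audit flags it (assumption)."""
    raw = (route["metadata"].get("annotations") or {}).get(ANNOTATION)
    if raw is None or not raw.strip():
        return None
    return [ipaddress.ip_network(entry, strict=False) for entry in raw.split()]


def router_allows(routes, host_header, source_ip):
    """Model the router-side decision: select the route by Host header,
    then apply that route's whitelist to the client source IP."""
    src = ipaddress.ip_address(source_ip)
    for route in routes["items"]:
        if route["spec"]["host"].lower() == host_header.lower():
            nets = whitelist_for(route)
            return nets is None or any(src in net for net in nets)
    return False  # no route matches this Host header


def unprotected(routes, restricted_hosts):
    """Names of routes whose host must be restricted but has no whitelist."""
    return [r["metadata"]["name"] for r in routes["items"]
            if r["spec"]["host"] in restricted_hosts and whitelist_for(r) is None]


if __name__ == "__main__":
    print(unprotected(SAMPLE_ROUTES,
                      {"private.example.com", "private-old.example.com"}))
```

Because the check is keyed on the Host header rather than the destination IP, a request that arrives through the public address with `host: private.example.com` is still evaluated against the private route's list.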
