OCP4 - ip_whitelist via ingress-operator


Hey folks,

We have an OCP4 cluster with an external load balancer. For security reasons, I only want to allow the load balancer to communicate with all exposed services, so that no direct access is possible.
I already found a solution by simply configuring an ip_whitelist via a route annotation.

See:
https://docs.openshift.com/container-platform/4.5/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration

But I want to have this configuration set as default. I found the following sentence in the documentation:

The Ingress Controller can set the default options for all the routes it exposes. An individual route can override some of these defaults by providing specific configurations in its annotations.

So, if the Ingress Controller really can set the default options for all the routes it exposes, how could I achieve my goals?

Kind regards
Sascha

Responses

Hi All,

I understand you'd like a default ip_whitelist set on all created routes.

According to https://www.haproxy.com/documentation/kubernetes/latest/configuration/ :

These options can be stored in a ConfigMap, Ingress or Service definition. A ConfigMap affects the behavior of all routes, an Ingress affects a particular route, and a Service affects all routes for a particular service.

It may be the answer to your requirement.

The question is: is it supported in OpenShift, and how to proceed to set this up?

I couldn't find the OpenShift documentation yet.

Best regards.