Restrict access to OpenShift routes by IP address
In this post I will show you how you can restrict access to routes by source IP address.
Parts of the Openshift series
- Part1: Install Openshift
- Part2: How to Enable Auto Approval of CSR in Openshift v3.11
- Part3: Add new workers to Openshift cluster
- Part4: Change the certificates of the Openshift cluster
- Part5: LDAP authentication for Openshift
- Part6: Keycloak SSO authentication for Openshift
- Part7: Gitlab SSO authentication for Openshift
- Part8a: Ceph persistent storage for Openshift
- Part8b: vSphere persistent storage for Openshift
- Part9: Helm on Openshift
- Part10: Tillerless Helm on Openshift
- Part11: Use external docker registry on Openshift
- Part12: Secondary router on Openshift
- Part13a: Use Letsencrypt on Openshift
- Part13b: Install cert-manager on Openshift
- Part14: Create Openshift operators
- Part15: Convert docker-compose file to Openshift
- Part16a: Openshift elasticsearch search-guard error
- Part16b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)
Restricting access to a route
After creating and exposing a route, you can add an annotation to the route specifying the IP address(es) that you would like to whitelist. Whitelisting an IP address automatically blacklists everything else.
oc annotate route test-route haproxy.router.openshift.io/ip_whitelist=192.168.0.0/24
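To allow several IP addresses through to the route, separate each IP with a space and quote the whole value so the shell passes it as a single argument. Add --overwrite when the annotation is already set on the route:
oc annotate route test-route --overwrite haproxy.router.openshift.io/ip_whitelist="192.168.1.10 180.5.61.153 192.168.1.0/24 192.168.0.0/24"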
To delete the IPs from the annotation, you can run the command:
oc annotate route test-route haproxy.router.openshift.io/ip_whitelist-
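Before applying a whitelist it is worth checking that every entry parses and that the addresses you expect are actually covered. The following is an added example, not part of the original post; the function names are hypothetical, and it assumes an entry with host bits set is read as its containing network.

```python
import ipaddress

ANNOTATION = "haproxy.router.openshift.io/ip_whitelist"
# Constructed sample: the multi-address value used in this post.
SAMPLE = "192.168.1.10 180.5.61.153 192.168.1.0/24 192.168.0.0/24"


def parse_whitelist(value):
    """Split the space-separated value into ip_network objects.

    Raises ValueError naming the first entry that is not an IP or CIDR.
    """
    entries = value.split()
    if not entries:
        raise ValueError("whitelist value is empty")
    networks = []
    for entry in entries:
        try:
            # strict=False: this example reads 192.168.1.7/24 as 192.168.1.0/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            raise ValueError(f"bad whitelist entry: {entry!r}") from None
    return networks


def is_allowed(value, client_ip):
    """True if client_ip matches any address or range in the value."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net
               for net in parse_whitelist(value))


def annotate_argv(route, value):
    """Build the oc command as an argv list after validating the value.

    The whole space-separated list is ONE argument, which is what
    quoting the value achieves on the command line.
    """
    parse_whitelist(value)
    return ["oc", "annotate", "route", route, "--overwrite",
            f"{ANNOTATION}={value}"]


if __name__ == "__main__":
    for ip in ("192.168.0.77", "180.5.61.154"):
        print(ip, "allowed" if is_allowed(SAMPLE, ip) else "blocked")
    print(annotate_argv("test-route", SAMPLE))
```

A malformed entry such as 192.168.0.300 raises ValueError before any command is built, so a typo is caught before it reaches the route.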