diff --git a/controllers/nginx/controller.go b/controllers/nginx/controller.go
index c449949c7..e8a8b378f 100644
--- a/controllers/nginx/controller.go
+++ b/controllers/nginx/controller.go
@@ -698,7 +698,7 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg config.Configuratio
glog.V(3).Infof("error parsing rewrite annotations for Ingress rule %v/%v: %v", ing.GetNamespace(), ing.GetName(), err)
}
- wl, err := ipwhitelist.ParseAnnotations(ngxCfg.WhiteList, ing)
+ wl, err := ipwhitelist.ParseAnnotations(ngxCfg.WhitelistSourceRange, ing)
glog.V(3).Infof("nginx white list %v", wl)
if err != nil {
glog.V(3).Infof("error reading white list annotation in Ingress %v/%v: %v", ing.GetNamespace(), ing.GetName(), err)
diff --git a/controllers/nginx/examples/whitelist/README.md b/controllers/nginx/examples/whitelist/README.md
new file mode 100644
index 000000000..125b879d6
--- /dev/null
+++ b/controllers/nginx/examples/whitelist/README.md
@@ -0,0 +1,122 @@
+
+This example shows how is possible to restrict access
+
+echo "
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: whitelist
+ annotations:
+ ingress.kubernetes.io/whitelist-source-range: "1.1.1.1/24"
+spec:
+ rules:
+ - host: foo.bar.com
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: echoheaders
+ servicePort: 80
+" | kubectl create -f -
+
+
+Check the annotation is present in the Ingress rule:
+```
+$ kubectl get ingress whitelist -o yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ ingress.kubernetes.io/whitelist-source-range: 1.1.1.1/24
+ creationTimestamp: 2016-06-09T21:39:06Z
+ generation: 2
+ name: whitelist
+ namespace: default
+ resourceVersion: "419363"
+ selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/whitelist
+ uid: 97b74737-2e8a-11e6-90db-080027d2dc94
+spec:
+ rules:
+ - host: whitelist.bar.com
+ http:
+ paths:
+ - backend:
+ serviceName: echoheaders
+ servicePort: 80
+ path: /
+status:
+ loadBalancer:
+ ingress:
+ - ip: 172.17.4.99
+``
+
+Finally test is not possible to access the URL
+
+```
+$ curl -v http://172.17.4.99/ -H 'Host: whitelist.bar.com'
+* Trying 172.17.4.99...
+* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)
+> GET / HTTP/1.1
+> Host: whitelist.bar.com
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+< HTTP/1.1 403 Forbidden
+< Server: nginx/1.11.1
+< Date: Thu, 09 Jun 2016 21:56:17 GMT
+< Content-Type: text/html
+< Content-Length: 169
+< Connection: keep-alive
+<
+
+403 Forbidden
+
+403 Forbidden
+
nginx/1.11.1
+
+
+* Connection #0 to host 172.17.4.99 left intact
+```
+
+Removing the annotation removes the restriction
+
+```
+* Trying 172.17.4.99...
+* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)
+> GET / HTTP/1.1
+> Host: whitelist.bar.com
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+< HTTP/1.1 200 OK
+< Server: nginx/1.11.1
+< Date: Thu, 09 Jun 2016 21:57:44 GMT
+< Content-Type: text/plain
+< Transfer-Encoding: chunked
+< Connection: keep-alive
+<
+CLIENT VALUES:
+client_address=10.2.89.7
+command=GET
+real path=/
+query=nil
+request_version=1.1
+request_uri=http://whitelist.bar.com:8080/
+
+SERVER VALUES:
+server_version=nginx: 1.9.11 - lua: 10001
+
+HEADERS RECEIVED:
+accept=*/*
+connection=close
+host=whitelist.bar.com
+user-agent=curl/7.43.0
+x-forwarded-for=10.2.89.1
+x-forwarded-host=whitelist.bar.com
+x-forwarded-port=80
+x-forwarded-proto=http
+x-real-ip=10.2.89.1
+BODY:
+* Connection #0 to host 172.17.4.99 left intact
+```
+
diff --git a/controllers/nginx/nginx/config/config.go b/controllers/nginx/nginx/config/config.go
index b629e85b1..76d8a2a2d 100644
--- a/controllers/nginx/nginx/config/config.go
+++ b/controllers/nginx/nginx/config/config.go
@@ -233,9 +233,9 @@ type Configuration struct {
// Responses with the “text/html” type are always compressed if UseGzip is enabled
GzipTypes string `structs:"gzip-types,omitempty"`
- // WhiteList allows limiting access to certain client addresses.
+ // WhitelistSourceRange allows limiting access to certain client addresses
// http://nginx.org/en/docs/http/ngx_http_access_module.html
- WhiteList []string `structs:"whitelist,omitempty"`
+ WhitelistSourceRange []string `structs:"whitelist-source-range,omitempty"`
// Defines the number of worker processes. By default auto means number of available CPU cores
// http://nginx.org/en/docs/ngx_core_module.html#worker_processes
@@ -274,7 +274,7 @@ func NewDefault() Configuration {
VtsStatusZoneSize: "10m",
UseHTTP2: true,
CustomHTTPErrors: make([]int, 0),
- WhiteList: make([]string, 0),
+ WhitelistSourceRange: make([]string, 0),
}
if glog.V(5) {
diff --git a/controllers/nginx/nginx/ipwhitelist/main.go b/controllers/nginx/nginx/ipwhitelist/main.go
index ea97765d7..d533d9c08 100644
--- a/controllers/nginx/nginx/ipwhitelist/main.go
+++ b/controllers/nginx/nginx/ipwhitelist/main.go
@@ -18,13 +18,14 @@ package ipwhitelist
import (
"errors"
+ "strings"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/util/net/sets"
)
const (
- whitelist = "ingress.kubernetes.io/whitelist"
+ whitelist = "ingress.kubernetes.io/whitelist-source-range"
)
var (
@@ -37,8 +38,8 @@ var (
ErrInvalidCIDR = errors.New("the annotation does not contains a valid IP address or network")
)
-// Whitelist returns the CIDR
-type Whitelist struct {
+// SourceRange returns the CIDR
+type SourceRange struct {
CIDR []string
}
@@ -50,24 +51,27 @@ func (a ingAnnotations) whitelist() ([]string, error) {
return nil, ErrMissingWhitelist
}
- ipnet, err := sets.ParseIPNets(val)
+ values := strings.Split(val, ",")
+ ipnets, err := sets.ParseIPNets(values...)
if err != nil {
return nil, ErrInvalidCIDR
}
- nets := make([]string, 0)
- for k := range ipnet {
- nets = append(nets, k)
+ cidrs := make([]string, 0)
+ for k := range ipnets {
+ cidrs = append(cidrs, k)
}
- return nets, nil
+ return cidrs, nil
}
// ParseAnnotations parses the annotations contained in the ingress
-// rule used to configure upstream check parameters
-func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*Whitelist, error) {
+// rule used to limit access to certain client addresses or networks.
+// Multiple ranges can specified using commas as separator
+// e.g. `18.0.0.0/8,56.0.0.0/8`
+func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*SourceRange, error) {
if ing.GetAnnotations() == nil {
- return &Whitelist{whiteList}, ErrMissingWhitelist
+ return &SourceRange{whiteList}, ErrMissingWhitelist
}
wl, err := ingAnnotations(ing.GetAnnotations()).whitelist()
@@ -75,5 +79,5 @@ func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*Whitelist,
wl = whiteList
}
- return &Whitelist{wl}, err
+ return &SourceRange{wl}, err
}
diff --git a/controllers/nginx/nginx/ipwhitelist/main_test.go b/controllers/nginx/nginx/ipwhitelist/main_test.go
index 29d6d456b..9a13c9da7 100644
--- a/controllers/nginx/nginx/ipwhitelist/main_test.go
+++ b/controllers/nginx/nginx/ipwhitelist/main_test.go
@@ -83,4 +83,16 @@ func TestAnnotations(t *testing.T) {
if !reflect.DeepEqual(wl, enet) {
t.Errorf("Expected %v but returned %s", enet, wl)
}
+
+ data[whitelist] = "10.0.0.0/24,10.0.1.0/25"
+ ing.SetAnnotations(data)
+
+ wl, err = ingAnnotations(ing.GetAnnotations()).whitelist()
+ if err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
+ if len(wl) != 2 {
+ t.Errorf("Expected 2 netwotks but %v was returned", len(wl))
+ }
}
diff --git a/controllers/nginx/nginx/nginx.go b/controllers/nginx/nginx/nginx.go
index 7270dc211..31986d9b9 100644
--- a/controllers/nginx/nginx/nginx.go
+++ b/controllers/nginx/nginx/nginx.go
@@ -100,7 +100,7 @@ type Location struct {
RateLimit ratelimit.RateLimit
Redirect rewrite.Redirect
SecureUpstream bool
- Whitelist ipwhitelist.Whitelist
+ Whitelist ipwhitelist.SourceRange
}
// LocationByPath sorts location by path