From e792e940b27e96ffd3e4ada5b9a593ac3c0552e5 Mon Sep 17 00:00:00 2001 From: Manuel de Brito Fontes Date: Mon, 6 Jun 2016 14:31:40 -0400 Subject: [PATCH 1/2] Add ip/cidr white list support --- controllers/nginx/controller.go | 9 ++ controllers/nginx/nginx.tmpl | 6 ++ controllers/nginx/nginx/config/config.go | 5 ++ controllers/nginx/nginx/ipwhitelist/main.go | 79 +++++++++++++++++ .../nginx/nginx/ipwhitelist/main_test.go | 86 +++++++++++++++++++ controllers/nginx/nginx/nginx.go | 2 + 6 files changed, 187 insertions(+) create mode 100644 controllers/nginx/nginx/ipwhitelist/main.go create mode 100644 controllers/nginx/nginx/ipwhitelist/main_test.go diff --git a/controllers/nginx/controller.go b/controllers/nginx/controller.go index e93185bd2..c449949c7 100644 --- a/controllers/nginx/controller.go +++ b/controllers/nginx/controller.go @@ -44,6 +44,7 @@ import ( "k8s.io/contrib/ingress/controllers/nginx/nginx/auth" "k8s.io/contrib/ingress/controllers/nginx/nginx/config" "k8s.io/contrib/ingress/controllers/nginx/nginx/healthcheck" + "k8s.io/contrib/ingress/controllers/nginx/nginx/ipwhitelist" "k8s.io/contrib/ingress/controllers/nginx/nginx/ratelimit" "k8s.io/contrib/ingress/controllers/nginx/nginx/rewrite" "k8s.io/contrib/ingress/controllers/nginx/nginx/secureupstream" @@ -697,6 +698,12 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg config.Configuratio glog.V(3).Infof("error parsing rewrite annotations for Ingress rule %v/%v: %v", ing.GetNamespace(), ing.GetName(), err) } + wl, err := ipwhitelist.ParseAnnotations(ngxCfg.WhiteList, ing) + glog.V(3).Infof("nginx white list %v", wl) + if err != nil { + glog.V(3).Infof("error reading white list annotation in Ingress %v/%v: %v", ing.GetNamespace(), ing.GetName(), err) + } + host := rule.Host if host == "" { host = defServerName @@ -728,6 +735,7 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg config.Configuratio loc.RateLimit = *rl loc.Redirect = *locRew loc.SecureUpstream = secUpstream + loc.Whitelist = *wl addLoc = false continue @@ -750,6 +758,7 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg config.Configuratio RateLimit: *rl, Redirect: *locRew, SecureUpstream: secUpstream, + Whitelist: *wl, }) } } diff --git a/controllers/nginx/nginx.tmpl b/controllers/nginx/nginx.tmpl index 8edc3d9be..013c090ab 100644 --- a/controllers/nginx/nginx.tmpl +++ b/controllers/nginx/nginx.tmpl @@ -180,6 +180,12 @@ http { {{- range $location := $server.Locations }} {{ $path := buildLocation $location }} location {{ $path }} { + {{ if gt (len $location.Whitelist.CIDR) 0 }} + {{- range $ip := $location.Whitelist.CIDR }} + allow {{ $ip }};{{ end }} + deny all; + {{ end -}} + {{ if (and $server.SSL $location.Redirect.SSLRedirect) -}} # enforce ssl on server side if ($scheme = http) { diff --git a/controllers/nginx/nginx/config/config.go b/controllers/nginx/nginx/config/config.go index 83bfc9f6a..b629e85b1 100644 --- a/controllers/nginx/nginx/config/config.go +++ b/controllers/nginx/nginx/config/config.go @@ -233,6 +233,10 @@ type Configuration struct { // Responses with the “text/html” type are always compressed if UseGzip is enabled GzipTypes string `structs:"gzip-types,omitempty"` + // WhiteList allows limiting access to certain client addresses. + // http://nginx.org/en/docs/http/ngx_http_access_module.html + WhiteList []string `structs:"whitelist,omitempty"` + // Defines the number of worker processes. By default auto means number of available CPU cores // http://nginx.org/en/docs/ngx_core_module.html#worker_processes WorkerProcesses string `structs:"worker-processes,omitempty"` @@ -270,6 +274,7 @@ func NewDefault() Configuration { VtsStatusZoneSize: "10m", UseHTTP2: true, CustomHTTPErrors: make([]int, 0), + WhiteList: make([]string, 0), } if glog.V(5) { diff --git a/controllers/nginx/nginx/ipwhitelist/main.go b/controllers/nginx/nginx/ipwhitelist/main.go new file mode 100644 index 000000000..ea97765d7 --- /dev/null +++ b/controllers/nginx/nginx/ipwhitelist/main.go @@ -0,0 +1,79 @@ +/* +Copyright 2016 The Kubernetes Authors All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ipwhitelist + +import ( + "errors" + + "k8s.io/kubernetes/pkg/apis/extensions" + "k8s.io/kubernetes/pkg/util/net/sets" +) + +const ( + whitelist = "ingress.kubernetes.io/whitelist" +) + +var ( + // ErrMissingWhitelist returned error when the ingress does not contains the + // whitelist annotation + ErrMissingWhitelist = errors.New("whitelist annotation is missing") + + // ErrInvalidCIDR returned error when the whitelist annotation does not + // contains a valid IP or network address + ErrInvalidCIDR = errors.New("the annotation does not contains a valid IP address or network") +) + +// Whitelist returns the CIDR +type Whitelist struct { + CIDR []string +} + +type ingAnnotations map[string]string + +func (a ingAnnotations) whitelist() ([]string, error) { + val, ok := a[whitelist] + if !ok { + return nil, ErrMissingWhitelist + } + + ipnet, err := sets.ParseIPNets(val) + if err != nil { + return nil, ErrInvalidCIDR + } + + nets := make([]string, 0) + for k := range ipnet { + nets = append(nets, k) + } + + return nets, nil +} + +// ParseAnnotations parses the annotations contained in the ingress +// rule used to configure upstream check parameters +func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*Whitelist, error) { + if ing.GetAnnotations() == nil { + return &Whitelist{whiteList}, ErrMissingWhitelist + } + + wl, err := ingAnnotations(ing.GetAnnotations()).whitelist() + if err != nil { + wl = whiteList + } + + return &Whitelist{wl}, err +} diff --git a/controllers/nginx/nginx/ipwhitelist/main_test.go b/controllers/nginx/nginx/ipwhitelist/main_test.go new file mode 100644 index 000000000..29d6d456b --- /dev/null +++ b/controllers/nginx/nginx/ipwhitelist/main_test.go @@ -0,0 +1,86 @@ +/* +Copyright 2016 The Kubernetes Authors All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ipwhitelist + +import ( + "reflect" + "testing" + + "k8s.io/kubernetes/pkg/api" + "k8s.io/kubernetes/pkg/apis/extensions" + "k8s.io/kubernetes/pkg/util/intstr" +) + +func buildIngress() *extensions.Ingress { + defaultBackend := extensions.IngressBackend{ + ServiceName: "default-backend", + ServicePort: intstr.FromInt(80), + } + + return &extensions.Ingress{ + ObjectMeta: api.ObjectMeta{ + Name: "foo", + Namespace: api.NamespaceDefault, + }, + Spec: extensions.IngressSpec{ + Backend: &extensions.IngressBackend{ + ServiceName: "default-backend", + ServicePort: intstr.FromInt(80), + }, + Rules: []extensions.IngressRule{ + { + Host: "foo.bar.com", + IngressRuleValue: extensions.IngressRuleValue{ + HTTP: &extensions.HTTPIngressRuleValue{ + Paths: []extensions.HTTPIngressPath{ + { + Path: "/foo", + Backend: defaultBackend, + }, + }, + }, + }, + }, + }, + }, + } +} + +func TestAnnotations(t *testing.T) { + ing := buildIngress() + + _, err := ingAnnotations(ing.GetAnnotations()).whitelist() + if err == nil { + t.Error("Expected a validation error") + } + + testNet := "10.0.0.0/24" + enet := []string{testNet} + + data := map[string]string{} + data[whitelist] = testNet + ing.SetAnnotations(data) + + wl, err := ingAnnotations(ing.GetAnnotations()).whitelist() + if err != nil { + t.Errorf("Unexpected error: %v", err) + } + + if !reflect.DeepEqual(wl, enet) { + t.Errorf("Expected %v but returned %s", enet, wl) + } +} diff --git a/controllers/nginx/nginx/nginx.go b/controllers/nginx/nginx/nginx.go index b39a245bc..7270dc211 100644 --- a/controllers/nginx/nginx/nginx.go +++ b/controllers/nginx/nginx/nginx.go @@ -18,6 +18,7 @@ package nginx import ( "k8s.io/contrib/ingress/controllers/nginx/nginx/auth" + "k8s.io/contrib/ingress/controllers/nginx/nginx/ipwhitelist" "k8s.io/contrib/ingress/controllers/nginx/nginx/ratelimit" "k8s.io/contrib/ingress/controllers/nginx/nginx/rewrite" ) @@ -99,6 +100,7 @@ type Location struct { RateLimit ratelimit.RateLimit Redirect rewrite.Redirect SecureUpstream bool + Whitelist ipwhitelist.Whitelist } // LocationByPath sorts location by path From 17e42ed9022aff8446fdda20522bfff0fc965fa8 Mon Sep 17 00:00:00 2001 From: Manuel de Brito Fontes Date: Thu, 9 Jun 2016 18:00:05 -0400 Subject: [PATCH 2/2] Add example --- controllers/nginx/controller.go | 2 +- .../nginx/examples/whitelist/README.md | 122 ++++++++++++++++++ controllers/nginx/nginx/config/config.go | 6 +- controllers/nginx/nginx/ipwhitelist/main.go | 28 ++-- .../nginx/nginx/ipwhitelist/main_test.go | 12 ++ controllers/nginx/nginx/nginx.go | 2 +- 6 files changed, 155 insertions(+), 17 deletions(-) create mode 100644 controllers/nginx/examples/whitelist/README.md diff --git a/controllers/nginx/controller.go b/controllers/nginx/controller.go index c449949c7..e8a8b378f 100644 --- a/controllers/nginx/controller.go +++ b/controllers/nginx/controller.go @@ -698,7 +698,7 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg config.Configuratio glog.V(3).Infof("error parsing rewrite annotations for Ingress rule %v/%v: %v", ing.GetNamespace(), ing.GetName(), err) } - wl, err := ipwhitelist.ParseAnnotations(ngxCfg.WhiteList, ing) + wl, err := ipwhitelist.ParseAnnotations(ngxCfg.WhitelistSourceRange, ing) glog.V(3).Infof("nginx white list %v", wl) if err != nil { glog.V(3).Infof("error reading white list annotation in Ingress %v/%v: %v", ing.GetNamespace(), ing.GetName(), err) diff --git a/controllers/nginx/examples/whitelist/README.md b/controllers/nginx/examples/whitelist/README.md new file mode 100644 index 000000000..125b879d6 --- /dev/null +++ b/controllers/nginx/examples/whitelist/README.md @@ -0,0 +1,122 @@ + +This example shows how is possible to restrict access + +echo " +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: whitelist + annotations: + ingress.kubernetes.io/whitelist-source-range: "1.1.1.1/24" +spec: + rules: + - host: foo.bar.com + http: + paths: + - path: / + backend: + serviceName: echoheaders + servicePort: 80 +" | kubectl create -f - + + +Check the annotation is present in the Ingress rule: +``` +$ kubectl get ingress whitelist -o yaml +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + annotations: + ingress.kubernetes.io/whitelist-source-range: 1.1.1.1/24 + creationTimestamp: 2016-06-09T21:39:06Z + generation: 2 + name: whitelist + namespace: default + resourceVersion: "419363" + selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/whitelist + uid: 97b74737-2e8a-11e6-90db-080027d2dc94 +spec: + rules: + - host: whitelist.bar.com + http: + paths: + - backend: + serviceName: echoheaders + servicePort: 80 + path: / +status: + loadBalancer: + ingress: + - ip: 172.17.4.99 +`` + +Finally test is not possible to access the URL + +``` +$ curl -v http://172.17.4.99/ -H 'Host: whitelist.bar.com' +* Trying 172.17.4.99... +* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0) +> GET / HTTP/1.1 +> Host: whitelist.bar.com +> User-Agent: curl/7.43.0 +> Accept: */* +> +< HTTP/1.1 403 Forbidden +< Server: nginx/1.11.1 +< Date: Thu, 09 Jun 2016 21:56:17 GMT +< Content-Type: text/html +< Content-Length: 169 +< Connection: keep-alive +< + +403 Forbidden + +

403 Forbidden

+
nginx/1.11.1
+ + +* Connection #0 to host 172.17.4.99 left intact +``` + +Removing the annotation removes the restriction + +``` +* Trying 172.17.4.99... +* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0) +> GET / HTTP/1.1 +> Host: whitelist.bar.com +> User-Agent: curl/7.43.0 +> Accept: */* +> +< HTTP/1.1 200 OK +< Server: nginx/1.11.1 +< Date: Thu, 09 Jun 2016 21:57:44 GMT +< Content-Type: text/plain +< Transfer-Encoding: chunked +< Connection: keep-alive +< +CLIENT VALUES: +client_address=10.2.89.7 +command=GET +real path=/ +query=nil +request_version=1.1 +request_uri=http://whitelist.bar.com:8080/ + +SERVER VALUES: +server_version=nginx: 1.9.11 - lua: 10001 + +HEADERS RECEIVED: +accept=*/* +connection=close +host=whitelist.bar.com +user-agent=curl/7.43.0 +x-forwarded-for=10.2.89.1 +x-forwarded-host=whitelist.bar.com +x-forwarded-port=80 +x-forwarded-proto=http +x-real-ip=10.2.89.1 +BODY: +* Connection #0 to host 172.17.4.99 left intact +``` + diff --git a/controllers/nginx/nginx/config/config.go b/controllers/nginx/nginx/config/config.go index b629e85b1..76d8a2a2d 100644 --- a/controllers/nginx/nginx/config/config.go +++ b/controllers/nginx/nginx/config/config.go @@ -233,9 +233,9 @@ type Configuration struct { // Responses with the “text/html” type are always compressed if UseGzip is enabled GzipTypes string `structs:"gzip-types,omitempty"` - // WhiteList allows limiting access to certain client addresses. + // WhitelistSourceRange allows limiting access to certain client addresses // http://nginx.org/en/docs/http/ngx_http_access_module.html - WhiteList []string `structs:"whitelist,omitempty"` + WhitelistSourceRange []string `structs:"whitelist-source-range,omitempty"` // Defines the number of worker processes. By default auto means number of available CPU cores // http://nginx.org/en/docs/ngx_core_module.html#worker_processes @@ -274,7 +274,7 @@ func NewDefault() Configuration { VtsStatusZoneSize: "10m", UseHTTP2: true, CustomHTTPErrors: make([]int, 0), - WhiteList: make([]string, 0), + WhitelistSourceRange: make([]string, 0), } if glog.V(5) { diff --git a/controllers/nginx/nginx/ipwhitelist/main.go b/controllers/nginx/nginx/ipwhitelist/main.go index ea97765d7..d533d9c08 100644 --- a/controllers/nginx/nginx/ipwhitelist/main.go +++ b/controllers/nginx/nginx/ipwhitelist/main.go @@ -18,13 +18,14 @@ package ipwhitelist import ( "errors" + "strings" "k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/util/net/sets" ) const ( - whitelist = "ingress.kubernetes.io/whitelist" + whitelist = "ingress.kubernetes.io/whitelist-source-range" ) var ( @@ -37,8 +38,8 @@ var ( ErrInvalidCIDR = errors.New("the annotation does not contains a valid IP address or network") ) -// Whitelist returns the CIDR -type Whitelist struct { +// SourceRange returns the CIDR +type SourceRange struct { CIDR []string } @@ -50,24 +51,27 @@ func (a ingAnnotations) whitelist() ([]string, error) { return nil, ErrMissingWhitelist } - ipnet, err := sets.ParseIPNets(val) + values := strings.Split(val, ",") + ipnets, err := sets.ParseIPNets(values...) if err != nil { return nil, ErrInvalidCIDR } - nets := make([]string, 0) - for k := range ipnet { - nets = append(nets, k) + cidrs := make([]string, 0) + for k := range ipnets { + cidrs = append(cidrs, k) } - return nets, nil + return cidrs, nil } // ParseAnnotations parses the annotations contained in the ingress -// rule used to configure upstream check parameters -func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*Whitelist, error) { +// rule used to limit access to certain client addresses or networks. +// Multiple ranges can specified using commas as separator +// e.g. `18.0.0.0/8,56.0.0.0/8` +func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*SourceRange, error) { if ing.GetAnnotations() == nil { - return &Whitelist{whiteList}, ErrMissingWhitelist + return &SourceRange{whiteList}, ErrMissingWhitelist } wl, err := ingAnnotations(ing.GetAnnotations()).whitelist() @@ -75,5 +79,5 @@ func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*Whitelist, wl = whiteList } - return &Whitelist{wl}, err + return &SourceRange{wl}, err } diff --git a/controllers/nginx/nginx/ipwhitelist/main_test.go b/controllers/nginx/nginx/ipwhitelist/main_test.go index 29d6d456b..9a13c9da7 100644 --- a/controllers/nginx/nginx/ipwhitelist/main_test.go +++ b/controllers/nginx/nginx/ipwhitelist/main_test.go @@ -83,4 +83,16 @@ func TestAnnotations(t *testing.T) { if !reflect.DeepEqual(wl, enet) { t.Errorf("Expected %v but returned %s", enet, wl) } + + data[whitelist] = "10.0.0.0/24,10.0.1.0/25" + ing.SetAnnotations(data) + + wl, err = ingAnnotations(ing.GetAnnotations()).whitelist() + if err != nil { + t.Errorf("Unexpected error: %v", err) + } + + if len(wl) != 2 { + t.Errorf("Expected 2 netwotks but %v was returned", len(wl)) + } } diff --git a/controllers/nginx/nginx/nginx.go b/controllers/nginx/nginx/nginx.go index 7270dc211..31986d9b9 100644 --- a/controllers/nginx/nginx/nginx.go +++ b/controllers/nginx/nginx/nginx.go @@ -100,7 +100,7 @@ type Location struct { RateLimit ratelimit.RateLimit Redirect rewrite.Redirect SecureUpstream bool - Whitelist ipwhitelist.Whitelist + Whitelist ipwhitelist.SourceRange } // LocationByPath sorts location by path