From 7af7bee85328cc39ec20e4e6c7fd630acc627ee0 Mon Sep 17 00:00:00 2001 From: Jesse Dohmann Date: Mon, 16 Oct 2023 12:28:05 -0500 Subject: [PATCH] OCPBUGS-21751: update ip_whitelist entry --- modules/nw-route-specific-annotations.adoc | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/modules/nw-route-specific-annotations.adoc b/modules/nw-route-specific-annotations.adoc index 24d4b645f282..41b7db290410 100644 --- a/modules/nw-route-specific-annotations.adoc +++ b/modules/nw-route-specific-annotations.adoc @@ -39,9 +39,10 @@ Note: Using this annotation provides basic protection against distributed denial |`ingresses.config/cluster ingress.operator.openshift.io/hard-stop-after` | You can set either an IngressController or the ingress config . This annotation redeploys the router and configures the HA proxy to emit the haproxy `hard-stop-after` global option, which defines the maximum time allowed to perform a clean soft-stop. | `ROUTER_HARD_STOP_AFTER` |`router.openshift.io/haproxy.health.check.interval`| Sets the interval for the back-end health checks. (TimeUnits) | `ROUTER_BACKEND_CHECK_INTERVAL` |`haproxy.router.openshift.io/ip_whitelist` -| Sets a whitelist for the route. The whitelist is a space-separated list of IP addresses and CIDR ranges for the approved source addresses. Requests from IP addresses that are not in the whitelist are dropped. +| Sets an allowlist for the route. The allowlist is a space-separated list of IP addresses and CIDR ranges for the approved source addresses. Requests from IP addresses that are not in the allowlist are dropped. + +The maximum number of IP addresses and CIDR ranges in an allowlist that can be written to `haproxy.config` is 64. [^1^] | -The maximum number of IP addresses and CIDR ranges allowed in a whitelist is 61.| |`haproxy.router.openshift.io/hsts_header` | Sets a Strict-Transport-Security header for the edge terminated or re-encrypt route. | |`haproxy.router.openshift.io/log-send-hostname` | Sets the `hostname` field in the Syslog header. Uses the hostname of the system. `log-send-hostname` is enabled by default if any Ingress API logging method, such as sidecar or Syslog facility, is enabled for the router. | |`haproxy.router.openshift.io/rewrite-target` | Sets the rewrite path of the request on the backend. | @@ -66,6 +67,15 @@ This value is applicable to re-encrypt and edge routes only. For more informatio `if-none`: sets the header if it is not already set.| `ROUTER_SET_FORWARDED_HEADERS` |=== +[.small] +-- +1. If the number of IP addresses and CIDR ranges in an allowlist exceeds 64, they are written into a separate file that is then referenced from `haproxy.config`. ++ +[NOTE] +==== +To ensure that the addresses are written to the allowlist, check that the full list of CIDR ranges are listed in the Ingress Controller configuration file. The etcd object size limit restricts how large a route annotation can be. Because of this, it creates a threshold for the maximum number of IP addresses and CIDR ranges that you can include in an allowlist. +==== +-- [NOTE] ====