Re: Restricting access to some Routes

2018-08-30 Thread Ahmed Ossama

Hi Peter,

We have the same case in one of our OpenShift deployments. We decided to 
experiment with router sharding.


https://blog.openshift.com/openshift-router-sharding-for-production-and-development-traffic/

On 8/30/18 3:07 PM, David Conde wrote:

Hi Peter,

Hopefully 
https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html#whitelist 
will sort you out.


Dave

On Thu, Aug 30, 2018 at 1:54 PM Peter Heitman wrote:


In my deployment there are 5 routes - two of them are from
OpenShift (docker-registry and registry-console) and three of them
are specific to my application. Of the 5, 4 of them are
administrative and shouldn't be accessed by just anyone on the
Internet. One of my application's routes is required to be accessed
by 'anyone' on the Internet.

My question is, what is the best practice to achieve this
restriction? Is there a way to set IP address or subnet
restrictions on a route? Do I need to set up separate nodes and
separate routers so that I can use a firewall to restrict access
to the 4 routes and allow access to the Internet service? Any
suggestions?

Peter

___
users mailing list
users@lists.openshift.redhat.com

http://lists.openshift.redhat.com/openshiftmm/listinfo/users



--
Regards,
Ahmed Ossama



Re: Restricting access to some Routes

2018-08-30 Thread David Conde

Hi Peter,

Hopefully
https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html#whitelist
will sort you out.

Dave

On Thu, Aug 30, 2018 at 1:54 PM Peter Heitman wrote:

> In my deployment there are 5 routes - two of them are from OpenShift
> (docker-registry and registry-console) and three of them are specific to my
> application. Of the 5, 4 of them are administrative and shouldn't be
> accessed by just anyone on the Internet. One of my application's routes is
> required to be accessed by 'anyone' on the Internet.
>
> My question is, what is the best practice to achieve this restriction? Is
> there a way to set IP address or subnet restrictions on a route? Do I need
> to set up separate nodes and separate routers so that I can use a firewall
> to restrict access to the 4 routes and allow access to the Internet
> service? Any suggestions?
>
> Peter


RE: Restricting access to some Routes

2018-08-30 Thread François VILLAIN

Hi

From this documentation:
https://docs.openshift.com/container-platform/3.10/architecture/networking/routes.html#route-specific-annotations

You can annotate a route with haproxy.router.openshift.io/ip_whitelist to set
a whitelist for the route.

Never tried though, let me know if this works

François


From: users-boun...@lists.openshift.redhat.com On Behalf Of Peter Heitman
Sent: Thursday, August 30, 2018 14:54
To: users@lists.openshift.redhat.com
Subject: Restricting access to some Routes

In my deployment there are 5 routes - two of them are from OpenShift 
(docker-registry and registry-console) and three of them are specific to my 
application. Of the 5, 4 of them are administrative and shouldn't be accessed 
by just anyone on the Internet. One of my application's routes is required to be
accessed by 'anyone' on the Internet.

My question is, what is the best practice to achieve this restriction? Is there 
a way to set IP address or subnet restrictions on a route? Do I need to set up 
separate nodes and separate routers so that I can use a firewall to restrict 
access to the 4 routes and allow access to the Internet service? Any 
suggestions?

Peter

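An added example, not written by any poster in this thread: a Python audit over exported route definitions that reports every route not meant to be public which lacks the haproxy.router.openshift.io/ip_whitelist annotation mentioned above, or whose value has an unparseable entry or one that matches all sources. The JSON is constructed in the shape of `oc get routes --all-namespaces -o json`; the "myapp" route names and all addresses are assumptions.

```python
import ipaddress
import json

ANNOTATION = "haproxy.router.openshift.io/ip_whitelist"
PUBLIC = {("myapp", "public-api")}  # the one route meant for anyone on the Internet

# Constructed sample; the "myapp" routes and every address are made up.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "default", "name": "docker-registry", "annotations":
   {"haproxy.router.openshift.io/ip_whitelist": "10.0.0.0/8 192.0.2.10"}}},
 {"metadata": {"namespace": "default", "name": "registry-console", "annotations":
   {"haproxy.router.openshift.io/ip_whitelist": "0.0.0.0/0"}}},
 {"metadata": {"namespace": "myapp", "name": "admin-ui"}},
 {"metadata": {"namespace": "myapp", "name": "metrics", "annotations":
   {"haproxy.router.openshift.io/ip_whitelist": "10.1.2.3, 10.1.2.4"}}},
 {"metadata": {"namespace": "myapp", "name": "public-api"}}]}""")


def check_whitelist(value):
    """Return the problems found in one ip_whitelist annotation value."""
    entries = value.split()  # space-separated IP addresses and/or CIDRs
    problems = [] if entries else ["annotation is empty"]
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"unparseable entry {entry!r}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry} matches every source address")
    return problems


def audit(routes, public):
    """Map (namespace, name) -> problems for each route not listed as public."""
    findings = {}
    for item in routes["items"]:
        meta = item["metadata"]
        key = (meta["namespace"], meta["name"])
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        problems = ["no ip_whitelist annotation"] if value is None else check_whitelist(value)
        if key not in public and problems:
            findings[key] = problems
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE, PUBLIC))
```

To audit a live cluster, replace SAMPLE with the parsed output of `oc get routes --all-namespaces -o json` and list the intentionally public routes in PUBLIC.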