ingress-whitelister

command module
v1.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 14, 2023 License: GPL-3.0 Imports: 12 Imported by: 0

README

Ingress Whitelister

Go Report Card Build status Release Software License Go Report card Go Doc Docker Pulls

What is Ingress Whitelister?

Ingress Whitelister adds annotations to your ingress objects based on labels. It is a very simple operator whose current sole purpose is to compile a list of ip addresses and add it as an given annotation

This operator is built using Kubebuilder.

Input

The operator takes IPWhitelistConfig as input. For every ingress resource, it will check the label and compile the set of IP addresses which should be whitelisted for the ingress

Installation

make install will generate and apply the CRDs required to your cluster

make deploy will generate and deploy the operator to your cluster

Or take a look at the Makefile for more advances use cases

The docker image can be found on dockerhub moulick/ingress-whitelister

Examples

A fully defined sample of IPWhitelistConfig and Ingress is given in the config/samples

Considerations

  1. Multiple matching labels can cause hot looping and cause flip flopping of the whitelist. Please ensure that there is only one label on the ingress that matches configuration in the IPWhitelistConfig
  2. Currently the operator reconciles only on ingress object
  3. If the IPWhitelistConfig is changed, the whitelist will be updated in roughly 5 mins

Features

CDN/WAF Bypass Protection

You can provide configurations for the following providers.

  1. Cloudflare
  2. Akamai

These can be used to automatically fetch and add the IP ranges to your Ingress resources.

CloudFlare

Cloudflare does not need much configuration. It only needs to be given the API where cloudflare provides a list of IP ranges. This url is https://api.cloudflare.com/client/v4/ips

Limitations
  1. Currently IPv6 is not supported
  2. Currently China CIDRs are not supported
Akamai

Akamai provider protection for bypassing WAF/CDN via a service called Site-Shield. This is essentially a list of CIDRs that belong to akamai. All traffic to your site can be exepcted to originate only from these CIDRs. For more infromation please refer to https://techdocs.akamai.com/site-shield/docs

Config Requirements

You need to provide the following configuration to Akamai provider. The API keys can be generated by following the instructions in https://techdocs.akamai.com/developer/docs/set-up-authentication-credentials

  1. Host
  2. Client Secret
  3. Access Token
  4. Client Token
  5. Map ID
Limitations
  1. Currently IPv6 is not supported
  2. There may be plans in the future to support auto acknowledgement of Site-Shield Maps

Development

Prerequisites
  • golang environment
  • docker (used for creating container images, etc.)
  • jq

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
api
v1beta1
Package v1beta1 contains API Schema definitions for the ingress.security v1beta1 API group +kubebuilder:object:generate=true +groupName=ingress.security.moulick
 Package v1beta1 contains API Schema definitions for the ingress.security v1beta1 API group +kubebuilder:object:generate=true +groupName=ingress.security.moulick

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.