Controller that automatically adds annotations to Kubernetes ingress resources for CIDR/IP whitelisting based on labels

Moulick/ingress-whitelister

Ingress Whitelister

What is Ingress Whitelister?

Ingress Whitelister adds annotations to your ingress objects based on labels. It is a very simple operator whose sole purpose at present is to compile a list of IP addresses and add it as a given annotation.

This operator is built using Kubebuilder.

Input

The operator takes IPWhitelistConfig as input. For every ingress resource, it checks the label and compiles the set of IP addresses that should be whitelisted for the ingress.

Installation

make install will generate the required CRDs and apply them to your cluster

make deploy will generate and deploy the operator to your cluster

Or take a look at the Makefile for more advanced use cases

The Docker image can be found on Docker Hub: moulick/ingress-whitelister

Examples

A fully defined sample of IPWhitelistConfig and Ingress is given in config/samples

Considerations

  1. Multiple matching labels can cause hot looping and flip-flopping of the whitelist. Please ensure that only one label on the ingress matches configuration in the IPWhitelistConfig
  2. Currently the operator reconciles only on ingress objects
  3. If the IPWhitelistConfig is changed, the whitelist will be updated in roughly 5 minutes

Features

CDN/WAF Bypass Protection

You can provide configurations for the following providers.

  1. Cloudflare
  2. Akamai

These can be used to automatically fetch and add the IP ranges to your Ingress resources.

Cloudflare

Cloudflare does not need much configuration. It only needs to be given the URL of the API where Cloudflare publishes its list of IP ranges. This URL is https://api.cloudflare.com/client/v4/ips

Limitations

  1. Currently IPv6 is not supported
  2. Currently China CIDRs are not supported
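
As an added example (not code from this project), the sketch below shows one way to turn a response shaped like the one served at that URL into an IPv4-only whitelist value. The function name, the fail-closed checks and the sample body are assumptions made here; the sample ranges are constructed documentation prefixes, not Cloudflare's real ones.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// Constructed sample shaped like the /client/v4/ips response (documentation prefixes only).
const sampleBody = `{"success":true,"result":{"ipv4_cidrs":["198.51.100.0/24","192.0.2.0/24","192.0.2.0/24"],"ipv6_cidrs":["2001:db8::/32"]}}`

type ipsResponse struct {
	Success bool `json:"success"`
	Result  struct {
		IPv4 []string `json:"ipv4_cidrs"` // ipv6_cidrs is ignored: IPv6 is not supported
	} `json:"result"`
}

// WhitelistValue (hypothetical helper) returns a sorted, de-duplicated, comma-separated
// IPv4 CIDR list. It fails closed: on any error the caller keeps the existing annotation.
func WhitelistValue(body []byte) (string, error) {
	var r ipsResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return "", fmt.Errorf("decode: %w", err)
	}
	if !r.Success || len(r.Result.IPv4) == 0 {
		return "", fmt.Errorf("provider returned no usable IPv4 ranges")
	}
	seen := map[string]bool{}
	var out []string
	for _, c := range r.Result.IPv4 {
		p, err := netip.ParsePrefix(c)
		// Reject malformed entries, non-IPv4 entries and a /0 that would open the ingress to everyone.
		if err != nil || !p.Addr().Is4() || p.Bits() == 0 {
			return "", fmt.Errorf("rejecting range %q", c)
		}
		s := p.Masked().String()
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out) // stable order, so an unchanged list never produces a changed annotation
	return strings.Join(out, ","), nil
}

func main() { fmt.Println(WhitelistValue([]byte(sampleBody))) }
```

Rejecting the whole response on a single bad entry means a malformed or truncated provider reply can neither widen nor empty the whitelist.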

Akamai

Akamai provides protection against bypassing the WAF/CDN via a service called Site-Shield. This is essentially a list of CIDRs that belong to Akamai. All traffic to your site can be expected to originate only from these CIDRs. For more information please refer to https://techdocs.akamai.com/site-shield/docs

Config Requirements

You need to provide the following configuration to the Akamai provider. The API keys can be generated by following the instructions in https://techdocs.akamai.com/developer/docs/set-up-authentication-credentials

  1. Host
  2. Client Secret
  3. Access Token
  4. Client Token
  5. Map ID

Limitations

  1. Currently IPv6 is not supported
  2. There may be plans in the future to support auto acknowledgement of Site-Shield Maps

Development

Prerequisites

  • golang environment
  • docker (used for creating container images, etc.)
  • jq