kubernetes-ingress
Filter incoming traffic with annotations
Hello,
I need to implement whitelist filters using annotations.
I do not need to implement blacklist filters right now.
I need to match the client ip at connection layer (src), not in the HTTP headers (X-Forwarded-For or any customizable header).
IMHO, this issue is linked with the issue https://github.com/haproxytech/kubernetes-ingress/issues/50, as I think the header I need would be named whitelist, but the existing whitelist header does not do what I need.
Hi Patrick
Just to make this feature request more generic, here we want to:
- "allow" or "deny" traffic based on source IP address
- provide the list of IPs
- apply this matching either to the source IP address of the TCP connection or in any HTTP header provided by configuration
I do propose the following annotations:
- ip-list: name of a configmap where a list of IPs can be found
- ip-list-action: action to be performed: either 'allow' or 'deny'
- ip-list-header: (optional) name of the HTTP header where to find the source IP address. Default is to use the source IP from the TCP client connection
The ip-list configmap should look like:
data:
  ip-list:
    - a.b.c.d
    - e.f.g.h
The idea behind the config map is that we can use the list of IPs for multiple ingresses / controllers and also we can watch it and once updated, the controller can replicate the change in HAProxy at runtime (when the client-native lib will support this)
With this, we should be able to meet your needs and many other use cases.
That would be perfect, two things I forgot to specify though:
- I need to specify IP ranges (a.b.c.d/24 for example);
- I need to specify both IPv4 & IPv6 IP addresses.
Both will be supported out of the box.
I wonder one thing, I don't like the naming proposition: ip-list but would like to rename it to filter or filtering. What do you think? It is closer to what it does exactly.
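
The semantics discussed in this thread, as an added Go example (not written by the thread's participants and not the controller's implementation): it evaluates the proposed ip-list / ip-list-action / ip-list-header settings for one request, with CIDR ranges and both IPv4 and IPv6, and shows that matching on the TCP source and matching on a header can decide the same request differently. The `Filter` type, `ParseList`, `Permit`, the fail-closed behaviour and the sample addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Filter models the annotations proposed in the thread (hypothetical type).
type Filter struct {
	List   []netip.Prefix // parsed entries of the ip-list configmap
	Action string         // ip-list-action: "allow" or "deny"
	Header string         // ip-list-header; empty means TCP source address
}

// ParseList accepts single addresses and CIDR ranges, IPv4 or IPv6.
func ParseList(entries []string) (out []netip.Prefix, err error) {
	for _, e := range entries {
		p, perr := netip.ParsePrefix(e)
		if a, aerr := netip.ParseAddr(e); aerr == nil {
			p, perr = netip.PrefixFrom(a.Unmap(), a.Unmap().BitLen()), nil
		}
		if perr != nil {
			return nil, fmt.Errorf("bad ip-list entry %q: %w", e, perr)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// Permit decides one request; src is the TCP peer, headers are client-supplied.
func (f Filter) Permit(src string, headers map[string]string) bool {
	candidate := src
	if f.Header != "" {
		candidate = headers[f.Header]
	}
	addr, err := netip.ParseAddr(candidate)
	if err != nil {
		return false // assumption: fail closed when there is no usable address
	}
	listed := false
	for _, p := range f.List {
		listed = listed || p.Contains(addr.Unmap())
	}
	return listed == (f.Action == "allow")
}

func main() {
	list, _ := ParseList([]string{"192.0.2.0/24", "2001:db8::/32"}) // constructed sample
	fmt.Println(Filter{List: list, Action: "allow"}.Permit("198.51.100.7", nil))
}
```

With `Header` left empty the decision depends only on the connection's peer address, which is the behaviour requested at the top of the thread; with `Header` set, the value checked is whatever the client or an upstream proxy put in that header.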