kubernetes-ingress

When using deny-list with a file, there is no reaction to file content changes

Open oekarlsson opened this issue 1 year ago • 4 comments

I'm using version 3.02 and have a global deny-list set in configmap to patterns/blacklist.ips

The config is created correctly and all IPs in the list are denied. But when the content of the deny-list file is changed, new IPs are not blocked. If an ingress is removed or added, so that the config must be rebuilt and haproxy reloaded, the new IPs are denied as they should be.

I want to block new IPs as fast as possible, and as a user of this feature in the controller I expect new IPs in the list to be denied. It seems that a reload is needed for that to work.

oekarlsson, Sep 30 '24 17:09

Looking at this issue.

hdurand0710, Oct 24 '24 07:10

Hello @oekarlsson ,

I was not able to reproduce this issue with 3.0.2.

Here are my steps:

  • I have a deny-list set in CM patterns/ips
  • Everything works well in terms of IP denial
  • I update the CM to add an IP to the list
  • In IC logs:
2024/10/24 10:55:01 INFO    handler/pattern-files.go:55 [transactionID=c5cbdc1e-ffc6-4f95-8071-3de8011be465] reload required : patternfile 'ips' updated: reload required
  • haproxy reloads and the new IP is blocked.

The only way I could have haproxy not reloading is by manually updating the pattern file in the Ingress Controller POD, but this is not supported.

Could you confirm that those were your steps? If yes, please send us the IC logs.

Thanks

hdurand0710, Oct 24 '24 09:10

This was discussed on Slack and I forgot this issue. I should have closed it. Sorry.

My scenario is that my blacklist is too large to be able to fit in a configmap (> 1MB). My patterns/ips come from a filesystem and not a mounted configmap. That is why reload does not work for me.

I have solved it by doing an exec to the haproxy pods and running "/bin/kill -HUP $(cat /var/run/haproxy.pid)" after the file in the filesystem is updated.

It would of course be good if there were some kind of option to use regular files instead of configmaps and still have automatic reloads.

oekarlsson, Oct 24 '24 09:10
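The workaround in the comment above (copy the oversized list into the controller pods, then HUP HAProxy) is easy to get wrong in two ways: a half-written file can be picked up mid-reload, and a single malformed entry makes the next reload fail. The script below is an added example, not the reporter's script and not part of the kubernetes-ingress project. It validates every entry as an IPv4 address or CIDR, skips the reload when the content has not changed, copies the file under a temporary name and renames it into place so HAProxy never reads a partial file, and only then sends the HUP. The namespace, pod selector, in-pod pattern path and pid file are assumptions for illustration; adjust them to your deployment.

```shell
#!/bin/sh
# Added example (not from the issue or the project): push a deny-list file
# that is too large for a ConfigMap into the ingress controller pods and
# trigger a HAProxy reload, the way the reporter's workaround does.
# The four values below are hypothetical defaults; override via environment.
NAMESPACE="${NAMESPACE:-haproxy-controller}"
SELECTOR="${SELECTOR:-app.kubernetes.io/name=kubernetes-ingress}"
PATTERN_PATH="${PATTERN_PATH:-/etc/haproxy/patterns/ips}"
PIDFILE="${PIDFILE:-/var/run/haproxy.pid}"

# Reject any non-blank, non-comment line that is not an IPv4 address or
# IPv4 CIDR, so a typo in the list cannot make the reload fail.
# Exit status 0 means the whole file is valid.
validate_denylist() {
  awk '
    BEGIN { rc = 0 }
    function bad(msg) { printf("line %d: %s: %s\n", NR, msg, $0) > "/dev/stderr"; rc = 1 }
    /^[ \t]*$/ { next }      # blank line
    /^[ \t]*#/ { next }      # comment line
    {
      n = split($0, parts, "/")
      if (n > 2) { bad("malformed entry"); next }
      if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) { bad("bad prefix length"); next }
      if (split(parts[1], oct, ".") != 4) { bad("not an IPv4 address"); next }
      for (i = 1; i <= 4; i++)
        if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) { bad("bad octet"); next }
    }
    END { exit rc }
  ' "$1"
}

# Record the checksum of the list that was last pushed (stamp file = $2).
record_checksum() {
  cksum < "$1" | cut -d' ' -f1 > "$2"
}

# True (exit 0) when the file differs from the last recorded checksum,
# so an unchanged list does not cause a needless HAProxy reload.
denylist_changed() {
  new_sum=$(cksum < "$1" | cut -d' ' -f1)
  if [ -f "$2" ]; then old_sum=$(cat "$2"); else old_sum=""; fi
  [ "$new_sum" != "$old_sum" ]
}

# Validate, copy into every controller pod under a temporary name, rename
# atomically, then HUP HAProxy (the signal the reporter uses). Requires
# RBAC for pods/exec and a tar binary in the container for kubectl cp.
push_and_reload() {
  file="$1"
  stamp="${2:-$file.cksum}"
  validate_denylist "$file" || { echo "refusing to push an invalid list" >&2; return 1; }
  denylist_changed "$file" "$stamp" || { echo "list unchanged, nothing to do"; return 0; }
  pods=$(kubectl -n "$NAMESPACE" get pods -l "$SELECTOR" -o jsonpath='{.items[*].metadata.name}')
  for pod in $pods; do
    kubectl cp "$file" "$NAMESPACE/$pod:$PATTERN_PATH.tmp"
    kubectl -n "$NAMESPACE" exec "$pod" -- sh -c \
      "mv '$PATTERN_PATH.tmp' '$PATTERN_PATH' && kill -HUP \$(cat '$PIDFILE')"
  done
  record_checksum "$file" "$stamp"
}

# Usage: ./push-denylist.sh /path/to/blacklist.ips [/path/to/stamp]
if [ "$#" -ge 1 ]; then
  push_and_reload "$@"
fi
```

Two caveats worth keeping in mind with this approach: the HUP goes to the HAProxy process the controller manages, so a failed reload (for example from a malformed line) leaves the previously loaded list serving traffic rather than applying the new one, which is why the validation step runs first; and the file is pushed into the pod's filesystem only, so a restarted or rescheduled pod starts without it until the next push, which is the gap the reporter asks the project to close.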

Hi @oekarlsson, we will keep this in mind, since there are potentially some plans to improve the experience with allow/deny lists.

I'll leave this open and labeled so we can notify you if we do some changes

oktalz, Oct 24 '24 12:10