Filter incoming traffic with annotations about kubernetes-ingress HOT 3 OPEN

Hi Patrick

Just to make this feature request more generic, here we want to:

• "allow" or "deny" traffic based on source IP address
• provide the list of IPs
• apply this matching either to the source IP address of the TCP connection or in any HTTP header provided by configuration

I do propose the following annotations:

• ip-list: name of a configmap where a list of IP can be found
• ip-list-action: action to be perfomed: either 'allow' or 'deny'
• ip-list-header: (optional) name of the HTTP header where to find the source IP address. Default is to be use the source IP from the TCP client connection

the ip-list configmap should look like:

data:
  ip-list:
    - a.b.c.d
    - e.f.g.h

The idea behind the config map is that we can use the list of IPs for multiple ingresses / controllers and also we can watch it and once updated, the controller can replicate the change in HAProxy at runtime (when the client-native lib will support this)

With this, we should be able to meet your needs and many other use cases.

from kubernetes-ingress.

That would be perfect, two things I forgot to specify though :

• I need to specify IP ranges ( a.b.c.d/24 for example );
• I need to specify both IPv4 & IPv6 IP addresses.

from kubernetes-ingress.

both will be supported out of the box.

I wonder one thing, I don't like the naming propositon: ip-list but would like to rename it to filter or filtering. What do you think? It is closer to what it does exactly

from kubernetes-ingress.