Beispiel #1
0
// GetLoadBalancerSourceRanges first try to parse and verify LoadBalancerSourceRanges field from a service.
// If the field is not specified, turn to parse and verify the AnnotationLoadBalancerSourceRangesKey annotation from a service,
// extracting the source ranges to allow, and if not present returns a default (allow-all) value.
func GetLoadBalancerSourceRanges(service *api.Service) (netsets.IPNet, error) {
	var ipnets netsets.IPNet
	var err error
	// if SourceRange field is specified, ignore sourceRange annotation
	if len(service.Spec.LoadBalancerSourceRanges) > 0 {
		specs := service.Spec.LoadBalancerSourceRanges
		ipnets, err = netsets.ParseIPNets(specs...)

		if err != nil {
			return nil, fmt.Errorf("service.Spec.LoadBalancerSourceRanges: %v is not valid. Expecting a list of IP ranges. For example, 10.0.0.0/24. Error msg: %v", specs, err)
		}
	} else {
		val := service.Annotations[AnnotationLoadBalancerSourceRangesKey]
		val = strings.TrimSpace(val)
		if val == "" {
			val = defaultLoadBalancerSourceRanges
		}
		specs := strings.Split(val, ",")
		ipnets, err = netsets.ParseIPNets(specs...)
		if err != nil {
			return nil, fmt.Errorf("%s: %s is not valid. Expecting a comma-separated list of source IP ranges. For example, 10.0.0.0/24,192.168.2.0/24", AnnotationLoadBalancerSourceRangesKey, val)
		}
	}
	return ipnets, nil
}
Beispiel #2
0
// NewFirewallPool creates a new firewall rule manager.
// cloud: the cloud object implementing Firewall.
// namer: cluster namer.
func NewFirewallPool(cloud Firewall, namer *utils.Namer) SingleFirewallPool {
	srcNetSet, err := netset.ParseIPNets(l7SrcRange)
	if err != nil {
		glog.Fatalf("Could not parse L7 src range %v for firewall rule: %v", l7SrcRange, err)
	}
	return &FirewallRules{cloud: cloud, namer: namer, srcRange: srcNetSet}
}
Beispiel #3
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to limit access to certain client addresses or networks.
// Multiple ranges can specified using commas as separator
// e.g. `18.0.0.0/8,56.0.0.0/8`
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*SourceRange, error) {
	sort.Strings(cfg.WhitelistSourceRange)
	if ing.GetAnnotations() == nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, parser.ErrMissingAnnotations
	}

	val, err := parser.GetStringAnnotation(whitelist, ing)
	if err != nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, err
	}

	values := strings.Split(val, ",")
	ipnets, err := sets.ParseIPNets(values...)
	if err != nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, ErrInvalidCIDR
	}

	cidrs := []string{}
	for k := range ipnets {
		cidrs = append(cidrs, k)
	}

	sort.Strings(cidrs)

	return &SourceRange{cidrs}, nil
}
Beispiel #4
0
// GetLoadBalancerSourceRanges verifies and parses the AnnotationLoadBalancerSourceRangesKey annotation from a service,
// extracting the source ranges to allow, and if not present returns a default (allow-all) value.
func GetLoadBalancerSourceRanges(annotations map[string]string) (netsets.IPNet, error) {
	val := annotations[AnnotationLoadBalancerSourceRangesKey]
	val = strings.TrimSpace(val)
	if val == "" {
		val = defaultLoadBalancerSourceRanges
	}
	specs := strings.Split(val, ",")
	ipnets, err := netsets.ParseIPNets(specs...)
	if err != nil {
		return nil, fmt.Errorf("Service annotation %s:%s is not valid. Expecting a comma-separated list of source IP ranges. For example, 10.0.0.0/24,192.168.2.0/24", AnnotationLoadBalancerSourceRangesKey, val)
	}
	return ipnets, nil
}
Beispiel #5
0
func TestAllowAll(t *testing.T) {
	checkAllowAll := func(allowAll bool, cidrs ...string) {
		ipnets, err := netsets.ParseIPNets(cidrs...)
		if err != nil {
			t.Errorf("Unexpected error parsing cidrs: %v", cidrs)
		}
		if allowAll != IsAllowAll(ipnets) {
			t.Errorf("IsAllowAll did not return expected value for %v", cidrs)
		}
	}
	checkAllowAll(false, "10.0.0.1/32")
	checkAllowAll(false, "10.0.0.1/32", "10.0.0.2/32")
	checkAllowAll(false, "10.0.0.1/32", "10.0.0.1/32")

	checkAllowAll(true, "0.0.0.0/0")
	checkAllowAll(true, "192.168.0.0/0")
	checkAllowAll(true, "192.168.0.1/32", "0.0.0.0/0")
}
Beispiel #6
0
func (a ingAnnotations) whitelist() ([]string, error) {
	val, ok := a[whitelist]
	if !ok {
		return nil, ErrMissingWhitelist
	}

	values := strings.Split(val, ",")
	ipnets, err := sets.ParseIPNets(values...)
	if err != nil {
		return nil, ErrInvalidCIDR
	}

	cidrs := make([]string, 0)
	for k := range ipnets {
		cidrs = append(cidrs, k)
	}

	return cidrs, nil
}