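// GetLoadBalancerSourceRanges first tries to parse and verify the
// LoadBalancerSourceRanges field from a service. If the field is not
// specified, it falls back to the AnnotationLoadBalancerSourceRangesKey
// annotation, extracting the source ranges to allow, and if neither is
// present returns the default (allow-all) value.
//
// On a parse failure the error names the field or annotation that was
// rejected and, on both code paths, carries the underlying parse error so
// the offending entry can be identified. A nil service yields an error
// instead of a nil-pointer panic.
func GetLoadBalancerSourceRanges(service *api.Service) (netsets.IPNet, error) {
	if service == nil {
		return nil, fmt.Errorf("cannot read LoadBalancerSourceRanges from a nil service")
	}
	// An explicitly set SourceRanges field takes precedence; the annotation is ignored.
	if specs := service.Spec.LoadBalancerSourceRanges; len(specs) > 0 {
		ipnets, err := netsets.ParseIPNets(specs...)
		if err != nil {
			return nil, fmt.Errorf("service.Spec.LoadBalancerSourceRanges: %v is not valid. Expecting a list of IP ranges. For example, 10.0.0.0/24. Error msg: %v", specs, err)
		}
		return ipnets, nil
	}
	// Reading from a nil Annotations map yields "", which selects the default below.
	val := strings.TrimSpace(service.Annotations[AnnotationLoadBalancerSourceRangesKey])
	if val == "" {
		// Neither the field nor the annotation is set: fall back to allow-all.
		val = defaultLoadBalancerSourceRanges
	}
	ipnets, err := netsets.ParseIPNets(strings.Split(val, ",")...)
	if err != nil {
		// Carry the parse error, matching the field branch, so the rejected entry is visible.
		return nil, fmt.Errorf("%s: %s is not valid. Expecting a comma-separated list of source IP ranges. For example, 10.0.0.0/24,192.168.2.0/24. Error msg: %v", AnnotationLoadBalancerSourceRangesKey, val, err)
	}
	return ipnets, nil
}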
// NewFirewallPool creates a new firewall rule manager. // cloud: the cloud object implementing Firewall. // namer: cluster namer. func NewFirewallPool(cloud Firewall, namer *utils.Namer) SingleFirewallPool { srcNetSet, err := netset.ParseIPNets(l7SrcRange) if err != nil { glog.Fatalf("Could not parse L7 src range %v for firewall rule: %v", l7SrcRange, err) } return &FirewallRules{cloud: cloud, namer: namer, srcRange: srcNetSet} }
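// ParseAnnotations parses the annotations contained in the ingress
// rule used to limit access to certain client addresses or networks.
// Multiple ranges can be specified using commas as separator
// e.g. `18.0.0.0/8,56.0.0.0/8`
//
// Every return path yields a sorted CIDR list. When the annotation is
// missing or invalid, the configured default (cfg.WhitelistSourceRange) is
// returned together with the error explaining why. The default is copied
// before sorting so the caller's configuration slice is never mutated.
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*SourceRange, error) {
	// Sort a private copy: cfg may be shared across rules (and goroutines),
	// so sorting it in place would be a hidden mutation of shared state.
	// Nil-ness of the default is preserved.
	var defaultCIDRs []string
	if cfg.WhitelistSourceRange != nil {
		defaultCIDRs = make([]string, len(cfg.WhitelistSourceRange))
		copy(defaultCIDRs, cfg.WhitelistSourceRange)
		sort.Strings(defaultCIDRs)
	}

	if ing.GetAnnotations() == nil {
		return &SourceRange{CIDR: defaultCIDRs}, parser.ErrMissingAnnotations
	}
	val, err := parser.GetStringAnnotation(whitelist, ing)
	if err != nil {
		return &SourceRange{CIDR: defaultCIDRs}, err
	}
	ipnets, err := sets.ParseIPNets(strings.Split(val, ",")...)
	if err != nil {
		// One unparsable entry rejects the whole annotation; no partial list is used.
		return &SourceRange{CIDR: defaultCIDRs}, ErrInvalidCIDR
	}
	cidrs := make([]string, 0, len(ipnets))
	for k := range ipnets {
		cidrs = append(cidrs, k)
	}
	// Map iteration order is random; sort for deterministic output.
	sort.Strings(cidrs)
	return &SourceRange{CIDR: cidrs}, nil
}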
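// GetLoadBalancerSourceRanges verifies and parses the AnnotationLoadBalancerSourceRangesKey annotation from a service,
// extracting the source ranges to allow, and if not present returns a default (allow-all) value.
//
// annotations may be nil (a read from a nil map yields ""), in which case the
// default is used. On a parse failure the error names the annotation, echoes
// its value and carries the underlying parse error.
func GetLoadBalancerSourceRanges(annotations map[string]string) (netsets.IPNet, error) {
	val := strings.TrimSpace(annotations[AnnotationLoadBalancerSourceRangesKey])
	if val == "" {
		// Absent or blank annotation means no restriction: fall back to allow-all.
		val = defaultLoadBalancerSourceRanges
	}
	specs := strings.Split(val, ",")
	ipnets, err := netsets.ParseIPNets(specs...)
	if err != nil {
		// Include the parse error so the rejected entry can be identified.
		return nil, fmt.Errorf("Service annotation %s:%s is not valid. Expecting a comma-separated list of source IP ranges. For example, 10.0.0.0/24,192.168.2.0/24. Error msg: %v", AnnotationLoadBalancerSourceRangesKey, val, err)
	}
	return ipnets, nil
}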
// TestAllowAll drives IsAllowAll with a table of CIDR lists. The cases
// expect a list to be reported allow-all when it contains a /0 prefix,
// regardless of what other entries accompany it.
func TestAllowAll(t *testing.T) {
	cases := []struct {
		want  bool
		cidrs []string
	}{
		{false, []string{"10.0.0.1/32"}},
		{false, []string{"10.0.0.1/32", "10.0.0.2/32"}},
		{false, []string{"10.0.0.1/32", "10.0.0.1/32"}},
		{true, []string{"0.0.0.0/0"}},
		{true, []string{"192.168.0.0/0"}},
		{true, []string{"192.168.0.1/32", "0.0.0.0/0"}},
	}
	for _, tc := range cases {
		parsed, err := netsets.ParseIPNets(tc.cidrs...)
		if err != nil {
			t.Errorf("Unexpected error parsing cidrs: %v", tc.cidrs)
		}
		if got := IsAllowAll(parsed); got != tc.want {
			t.Errorf("IsAllowAll did not return expected value for %v", tc.cidrs)
		}
	}
}
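// whitelist returns the CIDR list held in the whitelist annotation.
// It reports ErrMissingWhitelist when the annotation is absent and
// ErrInvalidCIDR when any entry fails to parse; in the latter case no
// partial list is returned.
//
// NOTE: the returned order follows map iteration and is therefore not
// stable between calls; callers that need a deterministic order must sort.
func (a ingAnnotations) whitelist() ([]string, error) {
	val, ok := a[whitelist]
	if !ok {
		return nil, ErrMissingWhitelist
	}
	ipnets, err := sets.ParseIPNets(strings.Split(val, ",")...)
	if err != nil {
		return nil, ErrInvalidCIDR
	}
	// Pre-size to the number of parsed networks to avoid repeated regrowth.
	cidrs := make([]string, 0, len(ipnets))
	for k := range ipnets {
		cidrs = append(cidrs, k)
	}
	return cidrs, nil
}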