modules/nw-route-specific-annotations.adoc
+7 -7 (7 additions & 7 deletions)
@@ -9,7 +9,7 @@ The Ingress Controller can set the default options for all the routes it exposes
9
9
10
10
[IMPORTANT]
11
11
====
12
-
To create a whitelist with multiple source IPs or subnets, use a space-delimited list. Any other delimiter type causes the list to be ignored without a warning or error message.
12
+
To create an allow list with multiple source IPs or subnets, use a space-delimited list. Any other delimiter type causes the list to be ignored without a warning or error message.
13
13
====
14
14
15
15
//For all the variables outlined in this section, you can set annotations on the
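Review bot: The replacement line in the IMPORTANT block spells the term "allow list" as two words, while the table row further down this file reads "Sets an allowlist for the route" and the footnote reads "in an allowlist". Use one spelling across the module; "allowlist" matches the `ip_allowlist` annotation key that a reader has to type. Because this note warns that any other delimiter causes the list to be ignored without a warning or error message, it would also help to say what the route does with traffic when the list is ignored, so an administrator knows to verify the restriction after setting it.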
@@ -38,7 +38,7 @@ Note: Using this annotation provides basic protection against denial-of-service
38
38
|`haproxy.router.openshift.io/timeout-tunnel` | This timeout applies to a tunnel connection, for example, WebSocket over cleartext, edge, reencrypt, or passthrough routes. With cleartext, edge, or reencrypt route types, this annotation is applied as a timeout tunnel with the existing timeout value. For the passthrough route types, the annotation takes precedence over any existing timeout value set. | `ROUTER_DEFAULT_TUNNEL_TIMEOUT`
39
39
|`ingresses.config/cluster ingress.operator.openshift.io/hard-stop-after` | You can set either an IngressController or the ingress config . This annotation redeploys the router and configures the HA proxy to emit the haproxy `hard-stop-after` global option, which defines the maximum time allowed to perform a clean soft-stop. | `ROUTER_HARD_STOP_AFTER`
40
40
|`router.openshift.io/haproxy.health.check.interval`| Sets the interval for the back-end health checks. (TimeUnits) | `ROUTER_BACKEND_CHECK_INTERVAL`
41
-
|`haproxy.router.openshift.io/ip_whitelist`
41
+
|`haproxy.router.openshift.io/ip_allowlist`
42
42
| Sets an allowlist for the route. The allowlist is a space-separated list of IP addresses and CIDR ranges for the approved source addresses. Requests from IP addresses that are not in the allowlist are dropped.
43
43
44
44
The maximum number of IP addresses and CIDR ranges directly visible in the `haproxy.config` file is 61. [^1^] |
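Review bot: The changed table cell renames a functional identifier, not just wording: `haproxy.router.openshift.io/ip_whitelist` becomes `haproxy.router.openshift.io/ip_allowlist`. Nothing in the visible lines says which router versions recognize the new key or whether the old key still works, so please confirm that against the router for every product version this module is published for, and document the old key as deprecated if existing routes still carry it. An annotation the router does not recognize would leave a route without the source restriction the administrator intended, and the IMPORTANT note earlier in this file already states that a misformatted list is ignored without a warning or error message.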
@@ -68,7 +68,7 @@ This value is applicable to re-encrypt and edge routes only. For more informatio
68
68
|===
69
69
[.small]
70
70
--
71
-
1. If the number of IP addresses and CIDR ranges in an allowlist exceeds 61, they are written into a separate file that is then referenced from `haproxy.config`. This file is stored in the `var/lib/haproxy/router/whitelists` folder.
71
+
1. If the number of IP addresses and CIDR ranges in an allowlist exceeds 61, they are written into a separate file that is then referenced from `haproxy.config`. This file is stored in the `var/lib/haproxy/router/allowlists` folder.
72
72
+
73
73
[NOTE]
74
74
====
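Review bot: The footnote now points to `var/lib/haproxy/router/allowlists`, which is an on-disk location and should be renamed in the documentation only if the router writes the file there in the documented versions; please confirm, since someone auditing the generated access list will look in exactly this folder. Both the old and the new line also give the path without a leading slash; if it is an absolute path inside the router pod, write it as `/var/lib/haproxy/router/allowlists`, and if it is relative, say relative to what.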
@@ -128,31 +128,31 @@ WebSocket connections to timeout frequently on that route.
modules/security-network-egress.adoc
+1 -2 (1 addition & 2 deletions)
@@ -6,8 +6,7 @@
6
6
= Securing egress traffic
7
7
8
8
{product-title} provides the ability to control egress traffic using either
9
-
a router or firewall method. For example, you can use IP whitelisting to control
10
-
database access.
9
+
a router or firewall method. For example, you can use the IP allow list to control database access.
11
10
A cluster administrator can assign one or more egress IP addresses to a project by xref:../../networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.adoc#configuring-egress-ips-ovn[configuring an egress IP address].
12
11
Likewise, a cluster administrator can prevent egress traffic from
13
12
going outside of an {product-title} cluster using an egress firewall.
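Review bot: In the added line, "you can use the IP allow list to control database access" reads as a reference to one specific, named allow list, whereas the removed text ("IP whitelisting") described a general technique. Suggest "you can use an IP allow list to control database access" or "IP allowlisting". The spelling should also match whatever form is settled on in modules/nw-route-specific-annotations.adoc, which currently mixes "allow list" and "allowlist".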