For security reason we need to tune up the OpenShift router. OpenShift router uses the HAProxy. HAProxy has this settings:

acl network_allowed src 20.30.40.50 20.30.40.40
http-request deny if !network_allowed

If there would be any possibility to update the HAProxy configuration it should be working. But how to update the configuration?

The solution is to update the Docker image with the router.

Download the OpenShift proxy from https://github.com/openshift/origin/tree/master/images/router/haproxy and update file conf/haproxy-config.template like this (find the section backend and add those 4 lines):

backend be_edge_http_{{$cfgIdx}}
...
  {{ if (index $cfg.Annotations "rohlik.cz/acl") }}
        acl network_allowed src {{ index $cfg.Annotations "rohlik.cz/acl" }}
        http-request deny if !network_allowed
  {{ end }}  
...

After updating the file you have to build docker image and update the router definition. 

docker build -t rohlik-haproxy:v1.3.1 .

And update the router definition (dc/router in namespace default):

spec:
  strategy:
    type: Rolling
    rollingParams:
      updatePeriodSeconds: 1
      intervalSeconds: 1
      timeoutSeconds: 600
      maxUnavailable: 25%
      maxSurge: 0
      updatePercent: -25
    resources:
  triggers:
    -
      type: ConfigChange
  replicas: 1
  test: false
  selector:
    router: router
  template:
    metadata:
      creationTimestamp: null
      labels:
        router: router
    spec:
      volumes:
        -
          name: server-certificate
          secret:
            secretName: router-certs
      containers:
        -
          name: router
          image: 'rohlik-haproxy:v1.3.1'

Now you are able to use the annotations section in your route definition:

apiVersion: v1
kind: Route
metadata:
  name: rohlik
  namespace: rohlik
  selfLink: /oapi/v1/namespaces/rohlik/routes/rohlik
  labels:
    app: rohlik
  annotations:
    rohlik.cz/acl: 22.22.22.22

Finished :) I hope this article helps you.