Updating HAProxy Configurations in OpenShift
A quick tutorial on how to fine tune the OpenShift router to make it more secure.
Join the DZone community and get the full member experience.
Join For FreeFor security reason we need to tune up the OpenShift router. OpenShift router uses the HAProxy. HAProxy has this settings:
acl network_allowed src 20.30.40.50 20.30.40.40
http-request deny if !network_allowedIf there would be any possibility to update the HAProxy configuration it should be working. But how to update the configuration?
The solution is to update the Docker image with the router.
Download the OpenShift proxy from https://github.com/openshift/origin/tree/master/images/router/haproxy and update file conf/haproxy-config.template like this (find the section backend and add those 4 lines):
backend be_edge_http_{{$cfgIdx}}
...
{{ if (index $cfg.Annotations "rohlik.cz/acl") }}
acl network_allowed src {{ index $cfg.Annotations "rohlik.cz/acl" }}
http-request deny if !network_allowed
{{ end }}
...After updating the file you have to build docker image and update the router definition.
docker build -t rohlik-haproxy:v1.3.1 .And update the router definition (dc/router in namespace default):
spec:
strategy:
type: Rolling
rollingParams:
updatePeriodSeconds: 1
intervalSeconds: 1
timeoutSeconds: 600
maxUnavailable: 25%
maxSurge: 0
updatePercent: -25
resources:
triggers:
-
type: ConfigChange
replicas: 1
test: false
selector:
router: router
template:
metadata:
creationTimestamp: null
labels:
router: router
spec:
volumes:
-
name: server-certificate
secret:
secretName: router-certs
containers:
-
name: router
image: 'rohlik-haproxy:v1.3.1'
Now you are able to use the annotations section in your route definition:
apiVersion: v1
kind: Route
metadata:
name: rohlik
namespace: rohlik
selfLink: /oapi/v1/namespaces/rohlik/routes/rohlik
labels:
app: rohlik
annotations:
rohlik.cz/acl: 22.22.22.22Finished :) I hope this article helps you.
Opinions expressed by DZone contributors are their own.
Comments