NE-986: Add the information about allowedsourceranges

xenolinux · xenolinux · commit e9a05998db2a · 2022-10-27T14:33:08.000+05:30
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1226,6 +1226,9 @@ Topics:
   - Name: Configuring ingress cluster traffic using a NodePort
     File: configuring-ingress-cluster-traffic-nodeport
     Distros: openshift-enterprise,openshift-origin
+  - Name: Configuring ingress cluster traffic using load balancer allowed source ranges
+    File: configuring-ingress-cluster-traffic-load-balancer-allowed-source-ranges
+    Distros: openshift-enterprise,openshift-origin
   # Kubernetes NMState (TECHNOLOGY PREVIEW)
 - Name: Kubernetes NMState
   Dir: k8s_nmstate
diff --git a/modules/nw-configuring-lb-allowed-source-ranges-migration.adoc b/modules/nw-configuring-lb-allowed-source-ranges-migration.adoc
@@ -0,0 +1,66 @@
+// Modules included in the following assemblies:
+//
+// * networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-load-balancer-allowed-source-ranges.adoc
+
+:_content-type: PROCEDURE
+[id="nw-configuring-lb-allowed-source-ranges-migration_{context}"]
+= Migrating to load balancer allowed source ranges
+
+If you have already set the annotation `service.beta.kubernetes.io/load-balancer-source-ranges`, you can migrate to load balancer allowed source ranges. When you set the `AllowedSourceRanges`, the Ingress Controller sets the `spec.loadBalancerSourceRanges` field based on the `AllowedSourceRanges` value and unsets the `service.beta.kubernetes.io/load-balancer-source-ranges` annotation.
+
+[NOTE]
+====
+If you have already set the `spec.loadBalancerSourceRanges` field or the load balancer service anotation `service.beta.kubernetes.io/load-balancer-source-ranges` in a previous version of {product-title}, the Ingress Controller starts reporting `Progressing=True` after an upgrade. To fix this, set `AllowedSourceRanges` that overwrites the `spec.loadBalancerSourceRanges` field and clears the `service.beta.kubernetes.io/load-balancer-source-ranges` annotation. The Ingress Controller starts reporting `Progressing=False` again.
+====
+
+.Prerequisites
+
+* You have set the `service.beta.kubernetes.io/load-balancer-source-ranges` annotation.
+
+.Procedure
+
+. Ensure that the `service.beta.kubernetes.io/load-balancer-source-ranges` is set:
++
+[source,terminal]
+----
+$ oc get svc router-default -n openshift-ingress -o yaml
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/load-balancer-source-ranges: 192.168.0.1/32
+----
+
+. Ensure that the `spec.loadBalancerSourceRanges` field is unset:
++
+[source,terminal]
+----
+$ oc get svc router-default -n openshift-ingress -o yaml
+----
++
+.Example output
+[source,yaml]
+----
+...
+spec:
+  loadBalancerSourceRanges:
+  - 0.0.0.0/0
+...
+----
+
+. Update your cluster to {product-title} 4.12.
+
+. Set the allowed source ranges API for the `ingresscontroller` by running the following command:
++
+[source,terminal]
+----
+$ oc -n openshift-ingress-operator patch ingresscontroller/default \
+    --type=merge --patch='{"spec":{"endpointPublishingStrategy": \
+    {"loadBalancer":{"allowedSourceRanges":["0.0.0.0/0"]}}}}' <1>
+----
+<1> The example value `0.0.0.0/0` specifies the allowed source range.
diff --git a/modules/nw-configuring-lb-allowed-source-ranges.adoc b/modules/nw-configuring-lb-allowed-source-ranges.adoc
@@ -0,0 +1,30 @@
+// Modules included in the following assemblies:
+//
+// * networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-load-balancer-allowed-source-ranges.adoc
+
+:_content-type: PROCEDURE
+[id="nw-configuring-lb-allowed-source-ranges_{context}"]
+= Configuring load balancer allowed source ranges
+
+You can enable and configure the `spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges` field. By configuring load balancer allowed source ranges, you can limit the access to the load balancer for the Ingress Controller to a specified list of IP address ranges. The Ingress Operator reconciles the load balancer Service and sets the `spec.loadBalancerSourceRanges` field based on `AllowedSourceRanges`.
+
+[NOTE]
+====
+If you have already set the `spec.loadBalancerSourceRanges` field or the load balancer service anotation `service.beta.kubernetes.io/load-balancer-source-ranges` in a previous version of {product-title}, Ingress Controller starts reporting `Progressing=True` after an upgrade. To fix this, set `AllowedSourceRanges` that overwrites the `spec.loadBalancerSourceRanges` field and clears the `service.beta.kubernetes.io/load-balancer-source-ranges` annotation. Ingress Controller starts reporting `Progressing=False` again.
+====
+
+.Prerequisites
+
+* You have a deployed Ingress Controller on a running cluster.
+
+.Procedure
+
+* Set the allowed source ranges API for the Ingress Controller by running the following command:
++
+[source,terminal]
+----
+$ oc -n openshift-ingress-operator patch ingresscontroller/default \
+    --type=merge --patch='{"spec":{"endpointPublishingStrategy": \
+    {"loadBalancer":{"allowedSourceRanges":["0.0.0.0/0"]}}}}' <1>
+----
+<1> The example value `0.0.0.0/0` specifies the allowed source range.
diff --git a/modules/nw-create-load-balancer-service.adoc b/modules/nw-create-load-balancer-service.adoc
@@ -54,8 +54,7 @@ spec:
 +
 [NOTE]
 ====
-To restrict traffic through the load balancer to specific IP addresses, it is recommended to use the `service.beta.kubernetes.io/load-balancer-source-ranges` annotation rather than setting the `loadBalancerSourceRanges` field.
-With the annotation, you can more easily migrate to the OpenShift API, which will be implemented in a future release.
+To restrict the traffic through the load balancer to specific IP addresses, it is recommended to use the Ingress Controller field `spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges`. Do not set the `loadBalancerSourceRanges` field.
 ====
 . Save and exit the file.
 
diff --git a/modules/nw-ingress-controller-configuration-parameters.adoc b/modules/nw-ingress-controller-configuration-parameters.adoc
@@ -31,6 +31,11 @@ If empty, the default value is `ingress.config.openshift.io/cluster` `.spec.doma
 |`endpointPublishingStrategy`
 |`endpointPublishingStrategy` is used to publish the Ingress Controller endpoints to other networks, enable load balancer integrations, and provide access to other systems.
 
+On GCP, AWS, and Azure you can configure the following `endpointPublishingStrategy` fields:
+
+* `loadBalancer.scope`
+* `loadBalancer.allowedSourceRanges`
+
 If not set, the default value is based on `infrastructure.config.openshift.io/cluster` `.status.platform`:
 
 * Amazon Web Services (AWS): `LoadBalancerService` (with External scope)
@@ -225,7 +230,7 @@ supports up to `64` threads. If this field is empty, the Ingress Controller uses
 
 * `tunnelTimeout` specifies how long a tunnel connection, including websockets, remains open while the tunnel is idle. The default timeout is `1h`.
 
-* `maxConnections` specifies the maximum number of simultaneous connections that can be established per HAProxy process. Increasing this value allows each ingress controller pod to handle more connections at the cost of additional system resources. Permitted values are `0`, `-1`, any value within the range `2000` and `2000000`, or the field can be left empty. 
+* `maxConnections` specifies the maximum number of simultaneous connections that can be established per HAProxy process. Increasing this value allows each ingress controller pod to handle more connections at the cost of additional system resources. Permitted values are `0`, `-1`, any value within the range `2000` and `2000000`, or the field can be left empty.
 
 ** If this field is left empty or has the value `0`, the Ingress Controller will use the default value of `50000`. This value is subject to change in future releases.
 
diff --git a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-load-balancer-allowed-source-ranges.adoc b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-load-balancer-allowed-source-ranges.adoc
@@ -0,0 +1,16 @@
+:_content-type: ASSEMBLY
+[id="configuring-ingress-cluster-traffic-lb-allowed-source-ranges"]
+= Configuring ingress cluster traffic using load balancer allowed source ranges
+include::_attributes/common-attributes.adoc[]
+:context: configuring-ingress-cluster-traffic-lb-allowed-source-ranges
+
+toc::[]
+
+You can specify a list of IP address ranges for the `IngressController`. This restricts access to the load balancer service when the `endpointPublishingStrategy` is `LoadBalancerService`.
+
+include::modules/nw-configuring-lb-allowed-source-ranges.adoc[leveloffset=+1]
+include::modules/nw-configuring-lb-allowed-source-ranges-migration.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+== Additional resources
+* xref:../../updating/index.adoc#index[Updating your cluster]

Original file line number	Diff line number	Diff line change
`@@ -54,8 +54,7 @@ spec:`
`54`	`54`	`+`
`55`	`55`	`[NOTE]`
`56`	`56`	`====`
`57`		-To restrict traffic through the load balancer to specific IP addresses, it is recommended to use the `service.beta.kubernetes.io/load-balancer-source-ranges` annotation rather than setting the `loadBalancerSourceRanges` field.
`58`		`-With the annotation, you can more easily migrate to the OpenShift API, which will be implemented in a future release.`
	`57`	+To restrict the traffic through the load balancer to specific IP addresses, it is recommended to use the Ingress Controller field `spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges`. Do not set the `loadBalancerSourceRanges` field.
`59`	`58`	`====`
`60`	`59`	`. Save and exit the file.`
`61`	`60`