Details
-
Feature Request
-
Resolution: Done
-
Major
-
None
-
False
-
False
-
0
-
0%
-
Undefined
Description
1. Proposed title of this feature request: using/setting spec.loadbalancersourceranges
2. What is the nature and description of the request?
This RFE should be a tracker for https://github.com/openshift/api/pull/822
Earlier versions of OpenShift failed to revert users' changes to load balancer services that the ingress operator manages. We fixed this gap, so the operator reverts external changes to the service. However, some users took advantage of this earlier gap on OpenShift 4.6 by directly modifying services and setting the spec.loadBalancerSourceRanges field or the service.beta.kubernetes.io/load-balancer-source-ranges annotation to restrict access to specific source addresses. Given that users could and did configure the allowed source ranges on OpenShift 4.6, we need to provide a supported API for the same on OpenShift 4.8
For OpenShift 4.6, the operator allows using the annotation, but we plan to make it block upgrades if other external changes to the service are detected.
For OpenShift 4.7, we need to continue allowing using the annotation, but block upgrades if the annotation is set, and provide a supported API for configuring allowed source ranges.
These changes will enable users to configure the allowed source ranges using the annotation on 4.6, upgrade to 4.7, and then switch to a supported API on 4.8.
3. Why does the customer need this? (List the business requirements here)
Article related: https://access.redhat.com/solutions/5158751
4. List any affected packages or components.
Ingress & API.
Related:
https://bugzilla.redhat.com/show_bug.cgi?id=1906560
https://bugzilla.redhat.com/show_bug.cgi?id=1905490
https://github.com/openshift/cluster-ingress-operator/pull/507
https://github.com/openshift/cluster-ingress-operator/pull/514
https://github.com/openshift/cluster-ingress-operator/pull/472
