Feature Request
Resolution: Unresolved
Minor
Product / Portfolio Work
Many customers have a requirement to block or restrict access to OpenShift routes from specific CIDR ranges while allowing traffic from all other CIDRs.
Currently, OpenShift provides the haproxy.router.openshift.io/ip_whitelist route annotation, which allows administrators to explicitly permit traffic from specified CIDRs while denying all other sources. However, this approach effectively enforces an allowlist model rather than a denylist.
Several customers prefer a denylist-based approach, as it is operationally simpler for their use cases. With the current allowlist mechanism, customers must continuously maintain and update the ip_whitelist annotation to include all permitted CIDRs, which can be cumbersome and error-prone, especially in dynamic or frequently changing network environments.
Providing native route-level support for denying (blacklisting) traffic from specific CIDR ranges would significantly simplify access control management and better align with customer expectations and operational workflows.
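To make the maintenance burden concrete, here is an added example (not part of this ticket or of OpenShift) that emulates a denylist with the existing allowlist annotation: it computes the complement of the denied CIDRs and renders it as the space-separated value `haproxy.router.openshift.io/ip_whitelist` accepts. It uses only the Python standard library; the denied ranges are constructed sample values.

```python
import ipaddress

def complement_allowlist(denied_cidrs, universe="0.0.0.0/0"):
    """Return the sorted CIDRs covering every address in `universe` except
    those in `denied_cidrs`: the allowlist that emulates a denylist."""
    base = ipaddress.ip_network(universe)
    allowed = [base]
    for cidr in denied_cidrs:
        denied = ipaddress.ip_network(cidr, strict=False)
        if denied.version != base.version:
            raise ValueError(f"{cidr} is not an IPv{base.version} range")
        remaining = []
        for net in allowed:
            if not net.overlaps(denied):
                remaining.append(net)          # untouched by this deny rule
            elif denied.subnet_of(net) and denied != net:
                # carve the denied block out; address_exclude yields the
                # sibling block at every prefix length between net and denied
                remaining.extend(net.address_exclude(denied))
            # else: net lies entirely inside the denied range and is dropped
        # merge adjacent sibling blocks so the annotation stays minimal
        allowed = sorted(ipaddress.collapse_addresses(remaining))
    return allowed

def render_annotation(nets):
    """Format networks as the space-separated value the
    haproxy.router.openshift.io/ip_whitelist annotation expects."""
    return " ".join(str(n) for n in nets)

def is_admitted(client_ip, nets):
    """Would the router admit this client source under the allowlist?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)

if __name__ == "__main__":
    # constructed sample: deny one private /8 and one documentation /24
    denied = ["10.0.0.0/8", "192.0.2.0/24"]
    allow = complement_allowlist(denied)
    print(f"denying {len(denied)} ranges needs {len(allow)} allowlist entries")
    print(render_annotation(allow))
```

Denying two ranges already expands to 30 allowlist entries, and every change to the denied set requires regenerating and re-applying the whole annotation.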