feat: blocklist-source-range annotation (#446)

apache · May 14, 2021 · 5d479ae · 5d479ae
1 parent 8824bbd
commit 5d479ae
Show file tree

Hide file tree

Showing 8 changed files with 285 additions and 15 deletions.
diff --git a/docs/en/latest/concepts/annotations.md b/docs/en/latest/concepts/annotations.md
@@ -51,5 +51,11 @@ Default is `"*"`, which means all HTTP methods are accepted.
 Allowlist Source Range
 -----------------------
 
-You can specify the allowed client IP addresses or nets by the annotation `k8s.apisix.apache.org/allowlist-source-range`, multiple IP adddresses or nets join together with `,`,
-for instance, `k8s.apisix.apache.org/allowlist-source-range: 10.0.5.0/16,127.0.0.1,192.168.3.98`. Default value is *empty*, which means the sources are unlimited.
+You can specify the allowed client IP addresses or nets by the annotation `k8s.apisix.apache.org/allowlist-source-range`, multiple IP addresses or nets join together with `,`,
+for instance, `k8s.apisix.apache.org/allowlist-source-range: 10.0.5.0/16,127.0.0.1,192.168.3.98`. Default value is *empty*, which means the sources are not limited.
+
+Blocklist Source Range
+----------------------
+
+You can specify the denied client IP addresses or nets by the annotation `k8s.apisix.apache.org/blocklist-source-range`, multiple IP addresses or nets join together with `,`,
+for instance, `k8s.apisix.apache.org/blocklist-source-range: 127.0.0.1,172.17.0.0/16`. Default value is *empty*, which means the sources are not limited.
diff --git a/go.sum b/go.sum
diff --git a/pkg/kube/translation/annotations/cors.go b/pkg/kube/translation/annotations/cors.go
@@ -28,7 +28,7 @@ const (
 type cors struct{}
 
 // NewCorsHandler creates a handler to convert annotations about
-// cors to APISIX cors plugin.
+// CORS to APISIX cors plugin.
 func NewCorsHandler() Handler {
 	return &cors{}
 }

diff --git a/pkg/kube/translation/annotations/iprestriction.go b/pkg/kube/translation/annotations/iprestriction.go
@@ -20,6 +20,7 @@ import (
 
 const (
 	_allowlistSourceRange = "k8s.apisix.apache.org/allowlist-source-range"
+	_blocklistSourceRange = "k8s.apisix.apache.org/blocklist-source-range"
 )
 
 type ipRestriction struct{}
@@ -36,10 +37,12 @@ func (i *ipRestriction) PluginName() string {
 
 func (i *ipRestriction) Handle(e Extractor) (interface{}, error) {
 	var plugin apisixv1.IPRestrictConfig
-	if allowlist := e.GetStringsAnnotation(_allowlistSourceRange); len(allowlist) > 0 {
-		plugin.Whitelist = allowlist
-	} else {
-		return nil, nil
+	allowlist := e.GetStringsAnnotation(_allowlistSourceRange)
+	blocklist := e.GetStringsAnnotation(_blocklistSourceRange)
+	if allowlist != nil || blocklist != nil {
+		plugin.Allowlist = allowlist
+		plugin.Blocklist = blocklist
+		return &plugin, nil
 	}
-	return &plugin, nil
+	return nil, nil
 }
diff --git a/pkg/kube/translation/annotations/iprestriction_test.go b/pkg/kube/translation/annotations/iprestriction_test.go
@@ -30,13 +30,24 @@ func TestIPRestrictionHandler(t *testing.T) {
 	out, err := p.Handle(NewExtractor(annotations))
 	assert.Nil(t, err, "checking given error")
 	config := out.(*apisixv1.IPRestrictConfig)
-	assert.Len(t, config.Whitelist, 2, "checking size of white list")
-	assert.Equal(t, config.Whitelist[0], "10.2.2.2")
-	assert.Equal(t, config.Whitelist[1], "192.168.0.0/16")
-
+	assert.Len(t, config.Allowlist, 2, "checking size of white list")
+	assert.Equal(t, config.Allowlist[0], "10.2.2.2")
+	assert.Equal(t, config.Allowlist[1], "192.168.0.0/16")
 	assert.Equal(t, p.PluginName(), "ip-restriction")
 
+	annotations[_blocklistSourceRange] = "172.17.0.0/16,127.0.0.1"
+	out, err = p.Handle(NewExtractor(annotations))
+	assert.Nil(t, err, "checking given error")
+	config = out.(*apisixv1.IPRestrictConfig)
+	assert.Len(t, config.Allowlist, 2, "checking size of white list")
+	assert.Equal(t, config.Allowlist[0], "10.2.2.2")
+	assert.Equal(t, config.Allowlist[1], "192.168.0.0/16")
+	assert.Len(t, config.Blocklist, 2, "checking size of black list")
+	assert.Equal(t, config.Blocklist[0], "172.17.0.0/16")
+	assert.Equal(t, config.Blocklist[1], "127.0.0.1")
+
 	delete(annotations, _allowlistSourceRange)
+	delete(annotations, _blocklistSourceRange)
 	out, err = p.Handle(NewExtractor(annotations))
 	assert.Nil(t, err, "checking given error")
 	assert.Nil(t, out, "checking the given ip-restrction plugin config")

diff --git a/pkg/types/apisix/v1/plugin_types.go b/pkg/types/apisix/v1/plugin_types.go
@@ -37,7 +37,8 @@ type TrafficSplitConfigRuleWeightedUpstream struct {
 // IPRestrictConfig is the rule config for ip-restriction plugin.
 // +k8s:deepcopy-gen=true
 type IPRestrictConfig struct {
-	Whitelist []string `json:"whitelist,omitempty"`
+	Allowlist []string `json:"whitelist,omitempty"`
+	Blocklist []string `json:"blacklist,omitempty"`
 }
 
 // CorsConfig is the rule config for cors plugin.

diff --git a/pkg/types/apisix/v1/zz_generated.deepcopy.go b/pkg/types/apisix/v1/zz_generated.deepcopy.go
diff --git a/test/e2e/annotations/iprestriction.go b/test/e2e/annotations/iprestriction.go
@@ -117,3 +117,96 @@ spec:
 		resp.Status(http.StatusForbidden)
 	})
 })
+
+var _ = ginkgo.Describe("blocklist-source-range annotations", func() {
+	s := scaffold.NewDefaultScaffold()
+
+	ginkgo.It("enable in ingress networking/v1", func() {
+		backendSvc, backendPort := s.DefaultHTTPBackend()
+		ing := fmt.Sprintf(`
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: apisix
+    k8s.apisix.apache.org/blocklist-source-range: "127.0.0.1"
+  name: ingress-v1
+spec:
+  rules:
+  - host: httpbin.org
+    http:
+      paths:
+      - path: /ip
+        pathType: Exact
+        backend:
+          service:
+            name: %s
+            port:
+              number: %d
+`, backendSvc, backendPort[0])
+		err := s.CreateResourceFromString(ing)
+		assert.Nil(ginkgo.GinkgoT(), err, "creating ingress")
+		time.Sleep(5 * time.Second)
+
+		resp := s.NewAPISIXClient().GET("/ip").WithHeader("Host", "httpbin.org").Expect()
+		resp.Status(http.StatusForbidden)
+	})
+
+	ginkgo.It("enable in ingress networking/v1beta1", func() {
+		backendSvc, backendPort := s.DefaultHTTPBackend()
+		ing := fmt.Sprintf(`
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: apisix
+    k8s.apisix.apache.org/blocklist-source-range: "127.0.0.1"
+  name: ingress-v1beta1
+spec:
+  rules:
+  - host: httpbin.org
+    http:
+      paths:
+      - path: /ip
+        pathType: Exact
+        backend:
+          serviceName: %s
+          servicePort: %d
+`, backendSvc, backendPort[0])
+		err := s.CreateResourceFromString(ing)
+		assert.Nil(ginkgo.GinkgoT(), err, "creating ingress")
+		time.Sleep(5 * time.Second)
+
+		resp := s.NewAPISIXClient().GET("/ip").WithHeader("Host", "httpbin.org").Expect()
+		resp.Status(http.StatusForbidden)
+	})
+
+	ginkgo.It("enable in ingress extensions/v1beta1", func() {
+		backendSvc, backendPort := s.DefaultHTTPBackend()
+		ing := fmt.Sprintf(`
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: apisix
+    k8s.apisix.apache.org/blocklist-source-range: "127.0.0.1"
+  name: ingress-extensions-v1beta1
+spec:
+  rules:
+  - host: httpbin.org
+    http:
+      paths:
+      - path: /ip
+        pathType: Exact
+        backend:
+          serviceName: %s
+          servicePort: %d
+`, backendSvc, backendPort[0])
+		err := s.CreateResourceFromString(ing)
+		assert.Nil(ginkgo.GinkgoT(), err, "creating ingress")
+		time.Sleep(5 * time.Second)
+
+		resp := s.NewAPISIXClient().GET("/ip").WithHeader("Host", "httpbin.org").Expect()
+		resp.Status(http.StatusForbidden)
+	})
+})