This repository was archived by the owner on Nov 30, 2021. It is now read-only.
Merged
20 changes: 16 additions & 4 deletions src/managing-workflow/security-considerations.md
Expand Up @@ -41,15 +41,27 @@ that hosts applications intended for a limited audience-- e.g. applications for
an organization. You can enforce cluster-wide IP whitelisting by enabling whitelists, then
attaching an annotation to the router:

$ kubectl --namespace=deis annotate replicationcontroller deis-router router.deis.io/nginx.enforceWhitelists=true
$ kubectl --namespace=deis annotate replicationcontroller deis-router router.deis.io/nginx.defaultWhitelist="0.0.0.0/0"
$ kubectl --namespace=deis annotate deployments/deis-router router.deis.io/nginx.enforceWhitelists=true
$ kubectl --namespace=deis annotate deployments/deis-router router.deis.io/nginx.defaultWhitelist="0.0.0.0/0"

The format is the same for the controller whitelist but you need to specify the whitelist directly
to the controller's service. For example:

$ kubectl --namespace=deis annotate service deis-controller router.deis.io/whitelist="10.0.1.0/24,121.212.121.212"
$ kubectl --namespace=deis annotate service deis-controller router.deis.io/whitelist="10.0.1.0/24,121.212.121.212"

And the same applies to applications. For example, to apply a whitelist to an application named
`example`:

$ kubectl --namespace=example annotate service example-web router.deis.io/whitelist="10.0.1.0/24,121.212.121.212"
$ kubectl --namespace=example annotate service example-web router.deis.io/whitelist="10.0.1.0/24,121.212.121.212"

Application level whitelisting can also be done using the Deis client. To add/remove/list addresses of an application whitelist, use `deis whitelist`:

$ deis whitelist:add 10.0.1.0/24,121.212.121.212 -a drafty-zaniness
Adding 10.0.1.0/24,121.212.121.212 to drafty-zaniness whitelist...done

$ deis whitelist:remove 121.212.121.212 -a drafty-zaniness
Removing 121.212.121.212 from drafty-zaniness whitelist... done

$ deis whitelist -a drafty-zaniness
=== drafty-zaniness Whitelisted Addresses
10.0.1.0/24
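
Review bot: The added `deis whitelist` paragraph does not say whether a whitelist set through the client takes effect only when `router.deis.io/nginx.enforceWhitelists=true` is set on the router, or how it relates to the `router.deis.io/whitelist` annotation on the application's service shown just above it. A sentence stating that relationship would keep readers from assuming an application is restricted when it is not. In the same block the sample output is inconsistent ("whitelist...done" after `whitelist:add`, "whitelist... done" after `whitelist:remove`), and the example address 121.212.121.212 is a routable public address; a documentation range such as 203.0.113.0/24 is safer in text that gets copied and pasted.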