CIDR: Restricting access to Platform and registry components

🌐 This document is available in both English and Ukrainian. Use the language toggle in the top right corner to switch between versions.

1. Overview

To ensure secure access to OpenShift 4.x cluster components, you can restrict access to components used on the Platform.

There are three main types of components in the system:

  • Platform

  • Registry

  • Infrastructure

The Platform provides an option to block access to each route at the HAProxy[1] level.

Technically, restricting access to a route means allowing it only for the selected IP addresses using CIDR[2]-based routing rules.

Allowed (whitelisted) IP addresses must be specified together with the subnet mask.

In other words, the administrator can specify either a single IP address (192.168.1.1/32) or an entire subnet that contains a pool of IP addresses (for example, a pool of 512 addresses — 192.168.0.0/23 ).

For more information about subnet masks and IPv4 addressing, refer to Subnetwork article on Wikipedia.

2. Restricting access to registry components

2.1. Adding a CIDR when creating a registry

When creating a registry, an administrator can specify the IP addresses from which access to the registry components will be allowed. This is done in the Control Plane interface.

An administrator can specify a list of IP addresses separately for the officer portal, citizen portal, and administrative components.

Each component must contain the cluster’s public IP address. Keycloak, in turn, must contain all CIDRs from other operational zones, or be accessible to all if the citizen portal is not restricted.
To configure CIDR for registry components, follow these steps:

  1. Sign in to the Control Plane admin console interface.

    update cluster mgmt 01
    Figure 1. Admin console sign-in page

  2. Open the Registries section and create a new registry by clicking the + Create new button.

    To learn more about creating registries, see Deploying a registry.
    cp registry deploy 1
    Figure 2. Registries management section

  3. Go through the registry creation steps and stop at the Access restrictions section.

    cp cidr 1
    Figure 3. CIDR management interface

    Here you can add CIDRs for user portals and administrative components.

  4. Click the + (Add) button in a corresponding field.

  5. In the Add CIDR window, enter the IP addresses and their subnet masks.

  6. Click Confirm.

    Allowed characters are digits (0-9), periods (.), and a forward slash (/). For example: 172.16.0.0/12.
    cp cidr 2
    Figure 4. Adding an IP address and subnet mask

    If the IP address and subnet mask do not follow the a.b.c.d/x format, the system will return an error:

    Check the IP address format

    cp cidr 3

  7. Add the required number of CIDRs. Here is an example of adding CIDRs for the user portals:

    cp cidr 4 1
    Figure 5. Added CIDRs example

  8. Click Next to finish creating the registry.

    As a result, the system generates a registry configuration update request. You can view request details in the Registries > Update requests section.

    For details about viewing and confirming requests in Control Plane, see Approving registry configuration update requests.
    cp cidr 8

  9. In the Update requests section, click the view icon 👁 to open your request.

  10. Compare the changes between the two versions that open in a new window and make sure the data you entered is correct. Click Approve.

    cp cidr 8 1
    The proposed changes are applied to the deploy-templates/values.yaml configuration file upon confirmation.

    The IP addresses you entered are added to the values.yaml configuration file in the following format:

    Example 1. Adding allowed IP addresses and subnets to the registry configuration in values.yaml
    global:
  whiteListIP:
    adminRoutes: "192.168.1.64/26 172.16.0.192/27"
    officerPortal: "192.168.1.240/29"
    citizenPortal: "0.0.0.0/0"

  11. Wait until Jenkins completes the MASTER-Build-<registry-name> build. This may take a few minutes.

2.2. Adding or removing CIDRs when editing a registry

An administrator can add or remove whitelisted IP addresses when editing an existing registry. Admin console updates the corresponding IP addresses in the values.yaml file in the registry configuration repository.

To learn more about editing registries, see registry-management/control-plane-view-registry.adoc.
Adding CIDRs works the same way whether you create or edit a registry. For details, jump to Adding a CIDR when creating a registry.

You can also remove current CIDRs from the list when editing a registry. To do this, open the Access restrictions section, click the delete icon 🗑 next to the CIDR you wish to delete, and confirm your action.

cp cidr 4

3. Restricting access to Platform, infrastructure, and other components

In the Platform management section, an administrator can specify CIDRs to restrict external access to the Platform and infrastructure components (routes). Admin console creates an update request for the values.yaml file. Once an administrator approves the request, the Master-Build-cluster-mgmt pipeline adds the necessary records.

Registry CIDRs should automatically be added for the Platform components as well.

  1. Open the Platform management section.

  2. Click Edit in the upper-right corner.

    update cluster mgmt 1

  3. On the Registry settings page, find the List of allowed CIDRs section.

    cp cidr 5

  4. Click the + (Add) button in the CIDR for administrative components field.

  5. In the Add CIDR window, enter the IP addresses and their subnet masks.

  6. Click Confirm.

    Allowed characters are digits (0-9), periods (.), and a forward slash (/). For example: 172.16.0.0/12.

  7. Add the required number of CIDRs and click Confirm.

    cp cidr 6
    Figure 6. Adding an IP address and subnet mask

    As a result, the system generates a Platform configuration update request. You can view request details in the Platform > Update requests section.

    For details about viewing and confirming requests in Control Plane, see Approving registry configuration update requests.
    cp cidr 7

  8. In the Update requests section, click the view icon 👁 to open your request.

  9. Compare the changes between the two versions that open in a new window and make sure the data you entered is correct. Click Approve.

    cp cidr 7 1
    The proposed changes are applied to the deploy-templates/values.yaml configuration file upon confirmation.

    The IP addresses you entered are added to the values.yaml Platform configuration file in the following format:

    Example 2. Adding allowed IP addresses and subnets to the Platform configuration in values.yaml
    global:
  whiteListIP:
    adminRoutes: "192.168.1.64/26 172.16.0.192/27"

  10. Wait until Jenkins completes the Master-Build-cluster-mgmt build. This may take a few minutes.

1. HAProxy is a load balancer and proxy server. In an OpenShift cluster, a router receives an application-associated URL route and forwards requests to the corresponding module to return data to the user making the request.
2. CIDR (Classless Inter-Domain Routing) is a method of assigning IP addresses that improves the efficiency of address distribution using classless routing.