Skip to content

Commit

Permalink
address comments
Browse files Browse the repository at this point in the history
Signed-off-by: huabing zhao <[email protected]>
  • Loading branch information
zhaohuabing committed May 23, 2024
1 parent 471a4d3 commit 9a366b8
Show file tree
Hide file tree
Showing 8 changed files with 25 additions and 10 deletions.
2 changes: 1 addition & 1 deletion api/v1alpha1/authorization_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ type Principal struct {
// or the proxy protocol.
// You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
// the `ClientTrafficPolicy` to configure how the client IP is detected.
ClientCIDRs []string `json:"clientCIDRs,omitempty"`
ClientCIDRs []CIDR `json:"clientCIDRs,omitempty"`
}

// AuthorizationAction defines the action to be taken if a rule matches.
Expand Down
5 changes: 5 additions & 0 deletions api/v1alpha1/shared_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -446,3 +446,8 @@ type BackendRef struct {
// Only service Kind is supported for now.
gwapiv1.BackendObjectReference `json:",inline"`
}

// CIDR defines a CIDR Address range.
// A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
// +kubebuilder:validation:Pattern=`((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))`
type CIDR string
2 changes: 1 addition & 1 deletion api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,10 @@ spec:
You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
the `ClientTrafficPolicy` to configure how the client IP is detected.
items:
description: |-
CIDR defines a CIDR Address range.
A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))
type: string
type: array
type: object
Expand Down
2 changes: 1 addition & 1 deletion internal/gatewayapi/securitypolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -879,7 +879,7 @@ func (t *Translator) buildAuthorization(policy *egv1a1.SecurityPolicy) (*ir.Auth
principal := ir.Principal{}

for _, cidr := range rule.Principal.ClientCIDRs {
cidrMatch, err := parseCIDR(cidr)
cidrMatch, err := parseCIDR(string(cidr))
if err != nil {
return nil, fmt.Errorf("unable to translate authorization rule: %w", err)
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,6 @@ securityPolicies:
metadata:
namespace: envoy-gateway
name: policy-for-gateway # This policy should attach httproute-2
uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
spec:
targetRef:
group: gateway.networking.k8s.io
Expand All @@ -96,7 +95,6 @@ securityPolicies:
metadata:
namespace: default
name: policy-for-http-route-1 # This policy should attach httproute-1
uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
spec:
targetRef:
group: gateway.networking.k8s.io
Expand All @@ -122,7 +120,6 @@ securityPolicies:
metadata:
namespace: default
name: policy-for-http-route-3 # This policy should attach httproute-3
uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
spec:
targetRef:
group: gateway.networking.k8s.io
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -177,7 +177,6 @@ securityPolicies:
creationTimestamp: null
name: policy-for-http-route-1
namespace: default
uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
spec:
authorization:
defaultAction: Allow
Expand Down Expand Up @@ -219,7 +218,6 @@ securityPolicies:
creationTimestamp: null
name: policy-for-http-route-3
namespace: default
uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
spec:
authorization:
defaultAction: null
Expand Down Expand Up @@ -248,7 +246,6 @@ securityPolicies:
creationTimestamp: null
name: policy-for-gateway
namespace: envoy-gateway
uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
spec:
authorization:
defaultAction: Deny
Expand Down
14 changes: 13 additions & 1 deletion site/content/en/latest/api/extension_types.md
Original file line number Diff line number Diff line change
Expand Up @@ -455,6 +455,18 @@ _Appears in:_
| `Replace` | Replace replaces the default bootstrap with the provided one.<br /> |


#### CIDR

_Underlying type:_ _string_

CIDR defines a CIDR Address range.
A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".

_Appears in:_
- [Principal](#principal)



#### CORS


Expand Down Expand Up @@ -2444,7 +2456,7 @@ _Appears in:_

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `clientCIDRs` | _string array_ | true | ClientCIDRs are the IP CIDR ranges of the client.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64"<br /><br />The client IP is inferred from the x-forwarder-for header, a custom header,<br />or the proxy protocol.<br />You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in<br />the `ClientTrafficPolicy` to configure how the client IP is detected. |
| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64"<br /><br />The client IP is inferred from the x-forwarder-for header, a custom header,<br />or the proxy protocol.<br />You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in<br />the `ClientTrafficPolicy` to configure how the client IP is detected. |


#### ProcessingModeOptions
Expand Down

0 comments on commit 9a366b8

Please sign in to comment.