Provide possibility to block IPs, User-Agents and Referers globally

[spa-87]

Current PR implements possibility to block requests globally based on:

• Source IP addresses and subnets
• User-Agent header
• Referer header

It can be useful for many use-cases:

• Block unauthorized SEO and vulnerability scanners
• An additional way to fight with DDoS
• Protect services from other malicious requests

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[aledbf]

@spa-87 please add e2e tests

[aledbf]

@spa-87 also, please sign the CLA :)

[codecov-io]

Codecov Report

Merging #2997 into master will increase coverage by 0.01%.
The diff coverage is 52.63%.

@@            Coverage Diff             @@
##           master    #2997      +/-   ##
==========================================
+ Coverage   47.54%   47.56%   +0.01%     
==========================================
  Files          77       77              
  Lines        5639     5658      +19     
==========================================
+ Hits         2681     2691      +10     
- Misses       2605     2611       +6     
- Partials      353      356       +3

Impacted Files	Coverage Δ
internal/ingress/controller/template/template.go	64.97% <ø> (ø)	⬆️
internal/ingress/controller/config/config.go	98.36% <100%> (+0.05%)	⬆️
internal/ingress/controller/template/configmap.go	73.07% <40%> (-4.32%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 355b793...d8b60ce. Read the comment docs.

[ElvinEfendi]

All of these are already possible using https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#lua-resty-waf specifically nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules.

I know the rule language is not the best but IMO we should not be introducing yet another logic to do the same thing.

UPDATE: spoke too early. lua-resty-waf is only per location, not global.

[aledbf]

I know the rule language is not the best but IMO we should not be introducing yet another logic to do the same thing.

While I share this, I think we cannot say learn this new thing to "just" add a deny section. If we don't merge this then we need to provide such examples using the lua waf module

[ElvinEfendi]

@aledbf that makes sense. Also updated my PR, I overlooked the fact that this PR is providing a way to block globally.

[spa-87]

Hey @aledbf, e2e tests are added and CLA is signed.

[spa-87]

@ElvinEfendi yep, the main difference of the current PR is to provide a possibility to block requests globally for the whole cluster.
Our use-case: we have one product implemented by multiple components (microservices architecture). Configuration for components (including annotations) is managed by component developers whereas an infrastructure (my) team is responsible for the whole platform. Thus we need a central place to control access for all components running in the cluster. ConfigMap is the best option.
So it isn't just an additional place to block requests, it's a matter of setting boundaries of responsibility.

[Globegitter]

@spa-87 We are doing something quite similar and that should already be possible utilizing the global http-snippet and server-snippet configs together. Or is there something I am missing here?

And a further alternative might be the modsecurity integration - do not have too much experience with it but it is on our roadmap to experiment with it a bit more.

[antoineco]

This doesn't print the content of the returned error(s), making it hard to troubleshoot from my experience.
Expect(errs).To(BeNil()) does print the content of the errors and is equally valid.

I know we have been abusing this in other tests, but it's never too late to start improving our tests :)

[spa-87]

Hey @antoineco , done

[spa-87]

@Globegitter yeah, you're right. I missed those configs initially. But now I'm able to achieve the same behavior using http-snippet and server-snippet parameters. Many thanks!
On another hand, the parameters I proposed, are obvious and easy to use. Thus they can be kept for the convenience.
@aledbf it's your call. Feel free to close the PR unless you want to add these parameters. :)

[aledbf]

Feel free to close the PR unless you want to add these parameters. :)

@spa-87 these new parameters makes sense. Let me test this

[aledbf]

Please change to

BlockCIDRs []string `json:"block-cidrs"`

[aledbf]

BlockUserAgents

[aledbf]

BlockReferers

[aledbf]

@spa-87 first, apologies for the delay. Just some comments about the naming. If you change that we are ok to merge

[spa-87]

Hey @aledbf, no problem with the delay :)
The parameters are renamed according to your recommendations.

[aledbf]

/lgtm
/approve

[aledbf]

@spa-87 thanks!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, spa-87

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [aledbf]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dz0ny]

Suggested change

	A comma-separated list of Referers, requestst from which have to be blocked globally.
	A comma-separated list of Referers, requests from which have to be blocked globally.