{"id":23599810,"url":"https://github.com/adevinta/ingress-allowlisting-controller","last_synced_at":"2026-05-01T19:31:52.686Z","repository":{"id":263795320,"uuid":"861765510","full_name":"adevinta/ingress-allowlisting-controller","owner":"adevinta","description":"A k8s controller that configures ingress whitelisting based on a custom CRD","archived":false,"fork":false,"pushed_at":"2026-01-14T08:43:21.000Z","size":201,"stargazers_count":0,"open_issues_count":1,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-01-14T11:28:23.860Z","etag":null,"topics":["allowlist","allowlisting","gateway-api","ingress","k8s","kubernetes","operator","whitelist","whitelisting"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adevinta.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-09-23T13:31:43.000Z","updated_at":"2026-01-14T08:43:23.000Z","dependencies_parsed_at":"2025-11-28T01:06:43.238Z","dependency_job_id":null,"html_url":"https://github.com/adevinta/ingress-allowlisting-controller","commit_stats":null,"previous_names":["adevinta/ingress-allowlisting-controller"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/adevinta/ingress-allowlisting-controller","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adevinta%2Fingress-allowlisting-controller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/adevinta%2Fingress-allowlisting-controller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adevinta%2Fingress-allowlisting-controller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adevinta%2Fingress-allowlisting-controller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adevinta","download_url":"https://codeload.github.com/adevinta/ingress-allowlisting-controller/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adevinta%2Fingress-allowlisting-controller/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32510627,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["allowlist","allowlisting","gateway-api","ingress","k8s","kubernetes","operator","whitelist","whitelisting"],"created_at":"2024-12-27T11:26:14.654Z","updated_at":"2026-05-01T19:31:52.679Z","avatar_url":"https://github.com/adevinta.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ingress Allowlisting Controller\nThe Ingress Allowlisting Controller is a Kubernetes controller designed to manage allowlisting rules for Kubernetes Ingress resources. 
It ensures that only trusted IPs or ranges can access specific ingress endpoints, enhancing security and compliance.\nThis k8s controller configures ingress allowlisting based on a custom CRD\n\n## Installation \n\n### Helm Installation (Using Local Chart)\nTo install the ingress-allowlisting-controller using the Helm chart provided in the repository, follow these steps:\n\n1. Clone the Repository\nClone the repository to your local machine:\n```bash\ngit clone https://github.com/adevinta/ingress-allowlisting-controller.git\ncd ingress-allowlisting-controller/helm-charts/ingress-allowlisting-controller\n```\n2. Install the Chart\nInstall the controller using the local Helm chart. Customize the installation by specifying the namespace and configuration if needed:\n\n```bash\nhelm install ingress-allowlisting-controller ./ --namespace ingress-allowlisting --create-namespace\n```\n3. Verify the Installation\nEnsure the controller is running in your cluster:\n\n```bash\nkubectl get pods -n ingress-allowlisting\n```\nYou should see a pod named ingress-allowlisting-controller running.\n\n## Usage\n\nOnce installed, the ingress-allowlisting-controller will monitor and apply allowlisting rules to Kubernetes Ingress resources.\n\n### Example Ingress Resource\nBelow are examples of an Ingress resource with allowlisting annotations, using both the namespace level CIDR CRD as well\nas the cluster level CRD\n\nNamespaced version of CIDRs object\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  annotations:\n    ipam.adevinta.com/allowlist-group: MyCidrsObject\n```\n\nCluster version of the CIDRs object\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  annotations:\n    ipam.adevinta.com/cluster-allowlist-group: MyCidrsObject\n```\n\nThe content of the annotations can be a comma-separated list: \n\n`MyCidrsObject,MyCidrsObject2,MyCidrsObject3`\n\n### Example NetworkPolicy Resource\nBelow are examples of NetworkPolicy resources with 
different `policyTypes` (Ingress or Egress).\n\nNetworkPolicy with `ingress` with namespaced version of CIDRs object\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: ingress-allow-myips\n  annotations:\n    ipam.adevinta.com/allowlist-group: MyCidrsObject\nspec:\n  podSelector: {} # Applies to all pods in namespace\n  policyTypes:\n  - Ingress\n# Controller will populate spec.ingress[0] with ipBlock rules here\n```\nNetworkPolicy with `egress` using a cluster-scoped CIDRs object and predefined ports:\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: egress-allow-http\n  annotations:\n    ipam.adevinta.com/cluster-allowlist-group: http-allowed\nspec:\n  podSelector: {} # Applies to all pods in namespace\n  policyTypes:\n  - Egress\n# Controller will populate spec.egress[0] with ipBlock rules here respecting the ports\n  egress:\n  - ports:\n    - port: 443\n    - port: 80\n```\n\n##### Key Points:\n\n* You define: `podSelector` and `policyTypes`\n* Controller manages: Automatically populates and maintains the `spec.ingress` or `spec.egress` sections with `ipBlock` rules\n* Overwrite behavior: Any existing `ipBlock` rules in these sections will be overwritten by the controller\n* Dual policyTypes: If both `Ingress` and `Egress` are specified, the controller will populate both sections\n\n```yaml\nspec:\n  ingress:        # For Ingress policies\n  - from:\n    - ipBlock:\n        cidr: x.x.x.x/y\n  egress:         # For Egress policies  \n  - to:\n    - ipBlock:\n        cidr: x.x.x.x/y\n```\n\n### Example CIDR and ClusterCIDR CRDs\n\n```yaml\napiVersion: ipam.adevinta.com/v1alpha1\nkind: CIDRs\nmetadata:\n    name: MyCidrsObject\nspec:\n    cidrs:\n    - 1.1.1.1/32\n    - 2.2.2.2/32\n```\n\n```yaml\napiVersion: ipam.adevinta.com/v1alpha1\nkind: ClusterCIDRs\nmetadata:\n    name: Cloudfront\nspec:\n    cidrs:\n    - 120.52.22.96/27\n    - 205.251.249.0/24\n    - 180.163.57.128/26\n```\n\n### 
Fetching CIDRs from remote sources\n\nIngress-allowlister supports synchronizing CIDRs from remote HTTP sources.\nTo use this feature, configure the CIDRs or ClusterCIDRs object as follows:\n\n```yaml\napiVersion: ipam.adevinta.com/v1alpha1\nkind: CIDRs\nmetadata:\n  name: ec2\n  namespace: test\nspec:\n  requeueAfter: 30m # Re-evaluate the remote URL every 30 minutes\n  location:\n    cel: 'data.prefixes.filter(p, p.service == \"EC2\" \u0026\u0026 has(p.ip_prefix)).map(p, p.ip_prefix)' # transform the AWS response into a list of strings using a CEL expression\n    uri: https://ip-ranges.amazonaws.com/ip-ranges.json # the remote URL returning all IPs\n    headersFrom: # optional: inject headers into the HTTP request (if the request needs to be authenticated)\n      secretRef: # optional: inject all keys\n        name: aws-authentication-headers # all aws-authentication-headers data will be used as http headers in the http request\n        namespace: test # optional. For CIDRs, it must match the CIDRs namespace when not empty.\n      configMapRef:\n        name: aws-headers # all aws-headers data will be used as http headers in the http request\n        namespace: test # optional. 
For CIDRs, it must match the CIDRs namespace when not empty.\n---\n# optional\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: aws-headers\n  namespace: test\ndata:\n  My-Header: some-value\n---\n# optional\napiVersion: v1\nkind: Secret\nmetadata:\n  name: aws-authentication-headers\n  namespace: test\ndata:\n  Authentication: $(echo \"Bearer $token\" | base64)\n```\n\n#### Fetching CIDRs from GitHub\n\nTo fetch CIDRs stored in GitHub repositories, you can use the GitHub API endpoint:\n\n```yaml\napiVersion: ipam.adevinta.com/v1alpha1\nkind: CIDRs\nmetadata:\n  name: my-cidrs\n  namespace: test\nspec:\n  requeueAfter: 30m\n  location:\n    uri: https://api.github.com/repos/my-org/my-repo/contents/path/to/cidrs/file.json\n```\n\n## Metrics\nThe operator exposes a single metric `namespace_ingress_IpAllowlistingGroup_missing` that, when queried appropriately, provides several pieces of information:\n\n```\n# HELP namespace_ingress_IpAllowlistingGroup_missing Number of missing IpAllowlistingGroup objects. \u003e0 implies expected objects were not found\n# TYPE namespace_ingress_IpAllowlistingGroup_missing gauge\nnamespace_ingress_IpAllowlistingGroup_missing{cidrs_name=\"alvarocidr\",ingress=\"kube-nurse-kubenurse\",namespace=\"cre-system\"} 0\n```\nWhen the metric exists and equals 0, it means that there are no errors; the given object in the given namespace associated with the given ingress exists and has been resolved adequately.\n\nWhen the metric exists and equals 1, it means that there was an error resolving the `cidrs_name`, probably because the object did not exist in the namespace. 
\n\n### Common operations:\n#### number of ingresses with allowlistGroup annotations: \n  `count(sum(namespace_ingress_IpAllowlistingGroup_missing) by (ingress))`\n#### number of ingresses with failed annotations: \n  `count(sum(namespace_ingress_IpAllowlistingGroup_missing) by (ingress) \u003e 0)`\n  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadevinta%2Fingress-allowlisting-controller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadevinta%2Fingress-allowlisting-controller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadevinta%2Fingress-allowlisting-controller/lists"}