Skip to content

feat: ip range control#345

Merged
k8s-ci-robot merged 6 commits intokubernetes-sigs:mainfrom
kkk777-7:feat-iprange-control
Feb 17, 2026
Merged

feat: ip range control#345
k8s-ci-robot merged 6 commits intokubernetes-sigs:mainfrom
kkk777-7:feat-iprange-control

Conversation

@kkk777-7
Copy link
Copy Markdown
Member

@kkk777-7 kkk777-7 commented Feb 12, 2026

What type of PR is this?

/kind feature

What this PR does / why we need it:
Support IP Range Control annotation in ingress nginx.

  • nginx.ingress.kubernetes.io/whitelist-source-range
  • nginx.ingress.kubernetes.io/denylist-source-range

currently, Envoy Gateway GA supports IP allowlist/denylist.
https://gateway.envoyproxy.io/docs/tasks/security/restrict-ip-access/

Which issue(s) this PR fixes:

Fixes #

Does this PR introduce a user-facing change?:

Implemented support for Nginx IP source range annotations (whitelist-source-range, denylist-source-range) and Envoy Gateway SecurityPolicy output.

@kkk777-7
feat: ip source range in ingress nginx provider
9a492f6 
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
@kkk777-7
feat: ip source range in envoy gateway emitter
42050c2 
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
@kkk777-7
tweak: buffer ir handling
fb13a09 
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
@kkk777-7
fix: security policy spec
bad9fc9 
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 12, 2026
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 12, 2026
Stevenjin8
Stevenjin8 reviewed Feb 12, 2026
View reviewed changes
Comment thread pkg/i2gw/emitters/envoygateway/iprange.go Outdated
Stevenjin8
Stevenjin8 reviewed Feb 12, 2026
View reviewed changes
Comment thread pkg/i2gw/emitters/envoygateway/iprange.go Outdated

securityPolicy := e.getOrBuildSecurityPolicy(ctx, sectionName, idx)

if len(ipCon.AllowList) > 0 && len(ipCon.DenyList) > 0 {
Copy link
Copy Markdown
Contributor

@Stevenjin8 Stevenjin8 Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we worry about conflicts here?

Copy link
Copy Markdown
Member Author

@kkk777-7 kkk777-7 Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe, If both deny lists and allow lists exist, they can be able to coexist, with the deny list being evaluated first.
https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl#L1206-L1214

Stevenjin8
Stevenjin8 reviewed Feb 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Stevenjin8 Stevenjin8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kkk777-7 seems good at a high level. Do you think you could add eg to the integration test framework? Doesn't have to be in this PR, but I think it would be good to have integration tests for every feature.

@kkk777-7
update: simplify auth logic
a7b34c8 
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
@kkk777-7
Copy link
Copy Markdown
Member Author

kkk777-7 commented Feb 15, 2026

@Stevenjin8 thanks for review!
I'll add EG integration test in follow-up PRs.

@kkk777-7
Merge branch 'main' into feat-iprange-control
22cb659 
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
@Stevenjin8
Copy link
Copy Markdown
Contributor

Stevenjin8 commented Feb 17, 2026

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 17, 2026
@Stevenjin8
Copy link
Copy Markdown
Contributor

Stevenjin8 commented Feb 17, 2026

/approve cancel
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 17, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Feb 17, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kkk777-7, Stevenjin8

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 60c1659 into kubernetes-sigs:main Feb 17, 2026
5 checks passed
chakravardhan pushed a commit to chakravardhan/ingress2gateway that referenced this pull request Feb 19, 2026
@kkk777-7 @chakravardhan
feat: ip range control (kubernetes-sigs#345)
4dca4bd 
* feat: ip source range in ingress nginx provider

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* feat: ip source range in envoy gateway emitter

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* tweak: buffer ir handling

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* fix: security policy spec

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* update: simplify auth logic

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

---------

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
rajashish pushed a commit to rajashish/ingress2gateway1 that referenced this pull request Feb 21, 2026
@kkk777-7
feat: ip range control (kubernetes-sigs#345)
de290ac 
* feat: ip source range in ingress nginx provider

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* feat: ip source range in envoy gateway emitter

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* tweak: buffer ir handling

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* fix: security policy spec

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* update: simplify auth logic

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

---------

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Stevenjin8 Stevenjin8 Stevenjin8 left review comments

@LiorLieberman LiorLieberman Awaiting requested review from LiorLieberman LiorLieberman is a code owner

@robscott robscott Awaiting requested review from robscott robscott is a code owner

@youngnick youngnick Awaiting requested review from youngnick youngnick is a code owner

@johananl johananl Awaiting requested review from johananl

Assignees

@Stevenjin8 Stevenjin8

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kkk777-7 @Stevenjin8 @k8s-ci-robot