Skip to content

Added support for IP range blocking rules#9833

Open
tomjankovec wants to merge 17 commits into
kubernetes-sigs:masterfrom
fkrestan:tomjankovec/blocked-ip-ranges
Open

Added support for IP range blocking rules#9833
tomjankovec wants to merge 17 commits into
kubernetes-sigs:masterfrom
fkrestan:tomjankovec/blocked-ip-ranges

Conversation

@tomjankovec
Copy link
Copy Markdown

@tomjankovec tomjankovec commented Jan 13, 2026
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

The PR adds support for IP range blocking, which is needed to facilitate network traffic denial on a load balancer level.
This contribution adds a new service.beta.kubernetes.io/azure-blocked-ip-ranges annotation for denying traffic from specific IP ranges to Azure Load Balancer services.

Blocked IP deny rules use a dedicated priority range (400-499), ensuring they're evaluated before allow rules (500+). The implementation supports both IPv4 and IPv6, and includes comprehensive tests—including a test confirming that exceeding 100 blocking rules returns a priority exhaustion error.

Does this PR introduce a user-facing change?

NONE

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. do-not-merge/contains-merge-commits do-not-merge/needs-kind labels Jan 13, 2026
@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla Bot commented Jan 13, 2026
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

Welcome @tomjankovec!

It looks like this is your first PR to kubernetes-sigs/cloud-provider-azure 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cloud-provider-azure has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@github-actions github-actions Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jan 13, 2026
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jan 13, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

Hi @tomjankovec. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 13, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tomjankovec
Once this PR has been reviewed and has the lgtm label, please assign andyzhangx for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jan 13, 2026
@tomjankovec tomjankovec force-pushed the tomjankovec/blocked-ip-ranges branch from ada6797 to a6248f1 Compare January 13, 2026 17:05
tomjankovec
tomjankovec commented Jan 14, 2026
View reviewed changes
Comment thread pkg/provider/securitygroup/securityrule.go
@tomjankovec tomjankovec marked this pull request as ready for review January 14, 2026 12:36
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 14, 2026
@tomjankovec tomjankovec force-pushed the tomjankovec/blocked-ip-ranges branch from 5d8b710 to 3a4993b Compare January 14, 2026 15:28
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jan 14, 2026
@elmiko
Copy link
Copy Markdown
Contributor

elmiko commented Jan 15, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 15, 2026
@nilo19
Copy link
Copy Markdown
Contributor

nilo19 commented Jan 15, 2026

/kind feature

Liunardy
Liunardy reviewed Feb 3, 2026
View reviewed changes
Comment thread pkg/provider/securitygroup/securitygroup_test.go Outdated
Liunardy
Liunardy reviewed Feb 3, 2026
View reviewed changes
Comment thread pkg/provider/securitygroup/securitygroup_test.go Outdated
Liunardy
Liunardy reviewed Feb 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Liunardy Liunardy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update the PR description since it seems outdated, looking at how it says:

The implementation validates that allowed-ip-ranges and blocked-ip-ranges cannot be used together

Liunardy
Liunardy reviewed Feb 3, 2026
View reviewed changes
Comment thread pkg/provider/securitygroup/securitygroup_test.go Outdated
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Feb 3, 2026
@tomjankovec
Copy link
Copy Markdown
Author

tomjankovec commented Feb 16, 2026

@Liunardy @nilo19 Can I please request a re-review? Thanks

Liunardy
Liunardy reviewed Feb 19, 2026
View reviewed changes
Comment thread pkg/provider/loadbalancer/accesscontrol_test.go
Liunardy
Liunardy reviewed Feb 19, 2026
View reviewed changes
Comment thread pkg/provider/loadbalancer/accesscontrol_test.go Outdated
Liunardy
Liunardy reviewed Feb 19, 2026
View reviewed changes
Comment thread pkg/provider/securitygroup/securityrule_test.go Outdated
Liunardy
Liunardy reviewed Feb 19, 2026
View reviewed changes
Comment thread pkg/provider/securitygroup/securityrule.go
Liunardy
Liunardy reviewed Feb 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Liunardy Liunardy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add E2E test(s) for the block IP ranges functionality?

@tomjankovec
Copy link
Copy Markdown
Author

tomjankovec commented Feb 20, 2026

Could you add E2E test(s) for the block IP ranges functionality?

added

@tomjankovec
Copy link
Copy Markdown
Author

tomjankovec commented Feb 20, 2026

Please update the PR description since it seems outdated, looking at how it says:

The implementation validates that allowed-ip-ranges and blocked-ip-ranges cannot be used together

fixed

@tomjankovec
Copy link
Copy Markdown
Author

tomjankovec commented Feb 24, 2026

@Liunardy @nilo19 Can I please request a re-review again? Thanks

nilo19
nilo19 reviewed Feb 25, 2026
View reviewed changes
Comment thread tests/e2e/network/network_security_group.go
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nilo19 nilo19 nilo19 left review comments

@Liunardy Liunardy Liunardy left review comments

Copilot code review Copilot Copilot left review comments

@elmiko elmiko Awaiting requested review from elmiko

@feiskyer feiskyer Awaiting requested review from feiskyer

@cheftako cheftako Awaiting requested review from cheftako

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. kind/feature Categorizes issue or PR as related to a new feature. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@tomjankovec @k8s-ci-robot @elmiko @nilo19 @Liunardy