# F5BigFwRulelist

## Overview

The F5BigFwRulelist Custom Resource (CR) consists of an array of ACL rules. A rule list
has the same features as standard ACL rules.

This document guides you through understanding, configuring and installing a simple F5BigFwRulelist CR.
## CR parameters

The tables below describe the F5BigFwRulelist CR parameters.

### metadata

| Parameter | Description |
|---|---|
| name | The name of the F5BigFwRulelist. |
| namespace | The Kubernetes namespace in which the firewall rule list is installed. |
### spec

| Parameter | Description |
|---|---|
| rule.name | The name of the firewall rule. |
| rule.ipProtocol | The IP protocol against which the packet is compared. The default value is "any". The F5BigFwRulelist IP Protocols document contains the full list of supported protocols. |
| rule.source.addresses | A list of IPv4 or IPv6 source addresses against which the packet is compared: a host (2002::10:10:10:1), a subnet (2002::10:10:0:0/96), or a range (2002::10:10:10:1-2002::10:10:10:20). |
| rule.source.addressLists | One or more F5BigCneAddressList CRs, referenced by metadata.name, against which the packet is compared. The ACL/NAT rule is disabled internally and does not match traffic while all of the following hold: this attribute names one or more addressLists; every named addressList is empty or does not exist (soft-reference case); and the rule specifies no direct source address. |
| rule.source.ports | A list of source service ports or port ranges against which the packet is compared. Port 0 is a valid value; it matches service port 0 and is not a wildcard. |
| rule.source.portLists | One or more F5BigCnePortList CRs, referenced by metadata.name, against which the packet is compared. The ACL/NAT rule is disabled internally and does not match traffic while all of the following hold: this attribute names one or more portLists; every named portList is empty or does not exist (soft-reference case); and the rule specifies no direct source port. |
| rule.source.vlans | A list of F5BigNetVlans, given as an array. |
| rule.source.zones | An array of VLAN zone names (strings); empty by default. For more information, refer to the F5BigCneZone guide. The ACL/NAT rule is disabled internally and does not match traffic while this attribute names one or more zones and every named zone is empty, does not exist (soft-reference case), or refers only to non-existent VLANs. |
| rule.destination.addresses | A list of IPv4 or IPv6 destination addresses against which the packet is compared: a host (2002::10:10:10:1), a subnet (2002::10:10:0:0/96), or a range (2002::10:10:10:1-2002::10:10:10:20). |
| rule.destination.ports | A list of destination service ports or port ranges against which the packet is compared. Port 0 is a valid value; it matches service port 0 and is not a wildcard. |
| rule.destination.zones | An array of VLAN zone names (strings); empty by default. For more information, refer to the F5BigCneZone guide. The ACL/NAT rule is disabled internally and does not match traffic while this attribute names one or more zones and every named zone is empty, does not exist (soft-reference case), or refers only to non-existent VLANs. |
| rule.destination.addressLists | One or more F5BigCneAddressList CRs, referenced by metadata.name, against which the packet is compared. The ACL/NAT rule is disabled internally and does not match traffic while all of the following hold: this attribute names one or more addressLists; every named addressList is empty or does not exist (soft-reference case); and the rule specifies no direct destination address. |
| rule.destination.portLists | One or more F5BigCnePortList CRs, referenced by metadata.name, against which the packet is compared. The ACL/NAT rule is disabled internally and does not match traffic while all of the following hold: this attribute names one or more portLists; every named portList is empty or does not exist (soft-reference case); and the rule specifies no direct destination port. |
| rule.action | The action applied to a packet that matches the ACL rule: "accept-decisively", "accept", "drop", or "reject". |
| rule.logging | Enables ACL rule match logging: true or false (default). |
| servicePolicy | The Service Policy that is applied. |
## Sample CR

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwRulelist
metadata:
  name: "rulelist2"
  namespace: "cnf-gateway"
spec:
  rule:
    - name: rule1
      ipProtocol: tcp
      source:
        addresses:
          - "11.45.43.22.102"
        zones:
          - "zone1"
          - "zone2"
      destination:
        ports:
          - "80"
        zones:
          - "zone3"
          - "zone4"
        addresses:
          - "22.55.44.44.102"
      action: "accept"
      logging: true
      servicePolicy: "service-policy1"
    - name: rule2
      ipProtocol: tcp
      source:
        addresses:
          - "11.45.43.22.103"
        zones:
          - "zone1"
          - "zone2"
      destination:
        ports:
          - "80"
        zones:
          - "zone3"
          - "zone4"
        addresses:
          - "22.55.44.44.103"
      action: "accept"
      logging: true
```
## Maximum rule size

When F5BigFwRulelist CRs are installed into the cluster, the firewall rule list set is declared in the metadata.annotations
section of the installed CR. Kubernetes does not allow the metadata.annotations section to exceed 262144 bytes of data;
a CR that exceeds this limit is rejected with an error message stating the size limitation.
## Creating a firewall rule list

To create a firewall rule list using the F5BigFwRulelist CR, you must reference the firewall rule list by name within the F5BigFwPolicy CR. For additional details, refer to the F5BigFwPolicy CR.