F5BigFwPolicy
The F5BigFwPolicy Custom Resource (CR) applies access control list (ACL) firewall rules to the Traffic Management Microkernel (TMM), so that only connections initiated by the clients you permit are accepted. When a new F5BigFwPolicy CR is applied, the firewall rules are first sent to the Application Firewall Management (AFM) Pod, which compiles them into a binary large object (BLOB) for faster packet processing. Once compiled, the firewall BLOB is sent to the TMM Pod, which begins inspecting and filtering network packets against it.
CR parameters
The tables below describe the F5BigFwPolicy CR parameters.
metadata
Parameter | Description |
---|---|
name | The name of the firewall policy. This value is referenced by BIG-IP Next for Kubernetes Traffic Management CRs. |
namespace | The Kubernetes namespace in which the firewall policy is installed. |
spec
Parameter | Description | Default |
---|---|---|
targetRefs.group (string) | Specifies the API group of the referent. Maximum length 255; allowed pattern `^[0-9a-zA-Z._-]+$`. | gateway.networking.k8s.io |
targetRefs.name (string) | Specifies the name of the referenced resource. Maximum length 255; allowed pattern `^[0-9a-zA-Z._-]+$`. Required. | |
targetRefs.kind (string) | Specifies the kind of the referent. Allowed values: GatewayClass, Gateway. Required. | |
targetRefs.sectionName (string) | Specifies the section of the target to attach the policy to; for a Gateway this is a listener name (see the Listeners example below). Maximum length 255; the value must be either empty or match `^[0-9a-zA-Z._-]+$`. | |
rule.name | The name of the firewall rule. A policy can contain multiple rules. Required. | |
rule.ipProtocol | Specifies the IP protocol against which the packet is compared. The F5BigFwPolicy IP Protocols document lists the supported protocols. | any |
rule.action | Specifies the action applied to a packet that matches the ACL rule: accept, drop, or reject. | |
rule.logging (boolean) | Enables logging of ACL rule matches. | false |
rule.source.addresses | Specifies a list of IPv4 or IPv6 source addresses against which the packet is compared. Each entry is a host (2002::10:10:10:1), a subnet (2002::10:10:0:0/96), or a range (2002::10:10:10:1-2002::10:10:10:20). | |
rule.source.addressLists | Specifies one or more F5BigCneAddressList CRs, by metadata.name, against which the packet is compared. See the Address and Port Lists section in this guide. The rule is disabled internally and matches no traffic while all of the following hold: this attribute names one or more addressLists; every named list is empty or does not exist (soft reference); and the rule specifies no direct source address. | |
rule.source.ports | Specifies a list of source service ports or port ranges against which the packet is compared. Port 0 is a valid value and is matched as a service port, not treated as a wildcard. | |
rule.source.portLists | Specifies one or more F5BigCnePortList CRs, by metadata.name, against which the packet is compared. See the Address and Port Lists section in this guide. The rule is disabled internally and matches no traffic while all of the following hold: this attribute names one or more portLists; every named list is empty or does not exist (soft reference); and the rule specifies no direct source port. | |
rule.source.vlans | Specifies an array of F5BigNetVlans against which the packet is compared. | [] |
rule.destination.addresses | Specifies a list of IPv4 or IPv6 destination addresses against which the packet is compared. Each entry is a host (2002::10:10:10:1), a subnet (2002::10:10:0:0/96), or a range (2002::10:10:10:1-2002::10:10:10:20). | |
rule.destination.ports | Specifies a list of destination service ports or port ranges against which the packet is compared. Port 0 is a valid value and is matched as a service port, not treated as a wildcard. | |
rule.destination.addressLists | Specifies one or more F5BigCneAddressList CRs, by metadata.name, against which the packet is compared. See the Address and Port Lists section in this guide. The rule is disabled internally and matches no traffic while all of the following hold: this attribute names one or more addressLists; every named list is empty or does not exist (soft reference); and the rule specifies no direct destination address. | |
rule.destination.portLists | Specifies one or more F5BigCnePortList CRs, by metadata.name, against which the packet is compared. See the Address and Port Lists section in this guide. The rule is disabled internally and matches no traffic while all of the following hold: this attribute names one or more portLists; every named list is empty or does not exist (soft reference); and the rule specifies no direct destination port. | |
rule.ruleList | Specifies the name of the F5BigFwRulelist CR that this rule references. | |
Note the consequence of the soft-reference behaviour: a drop or reject rule whose only selector is an address or port list that has not been created, or that has been emptied, stops matching traffic and therefore enforces nothing until the list is populated. Confirm that every referenced F5BigCneAddressList and F5BigCnePortList exists before relying on such a rule.
To add, modify, or delete firewall rules without editing the whole policy, split the rule set into smaller units stored in F5BigFwRulelist CRs and reference them from rule.ruleList.
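The following script is an added example written for this page, not part of BIG-IP Next for Kubernetes. It checks an F5BigFwPolicy manifest, already parsed into a Python dict (for instance by yaml.safe_load), against the constraints in the table above: the targetRefs name pattern and length, the allowed kind values, the action values, the three address forms, the port and port-range forms, and the soft-reference case where a rule selects only through addressLists or portLists and so can be silently disabled. Treating a missing rule.action as an error is the script's assumption; the table documents no default for it. Both sample manifests below are constructed for the example; the first mirrors the Gateway example later on this page.

```python
import ipaddress
import re
from typing import Any

# Constraints copied from the parameter table above.
NAME_RE = re.compile(r"^[0-9a-zA-Z._-]+$")
SECTION_RE = re.compile(r"^$|^[0-9a-zA-Z._-]+$")
TARGET_KINDS = {"GatewayClass", "Gateway"}
ACTIONS = {"accept", "drop", "reject"}


def _check_string(value: Any, field: str, pattern: re.Pattern, out: list) -> None:
    if not isinstance(value, str) or len(value) > 255 or not pattern.match(value):
        out.append(f"ERROR {field}: must be a string of at most 255 chars matching {pattern.pattern}")


def _check_address(value: str, field: str, out: list) -> None:
    """Accept the three forms the table lists: host, CIDR subnet, or 'first-last' range."""
    try:
        if "/" in value:
            ipaddress.ip_network(value, strict=False)
        elif "-" in value:
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            if first.version != last.version or first > last:
                raise ValueError("range endpoints mismatched or reversed")
        else:
            ipaddress.ip_address(value)
    except ValueError as exc:
        out.append(f"ERROR {field}: bad address {value!r} ({exc})")


def _check_port(value: Any, field: str, out: list) -> None:
    """Single port (0 is a real service port, not a wildcard) or 'low-high' range."""
    try:
        nums = [int(p) for p in str(value).split("-", 1)]
    except ValueError:
        nums = [-1]
    if any(not 0 <= n <= 65535 for n in nums) or (len(nums) == 2 and nums[0] > nums[1]):
        out.append(f"ERROR {field}: bad port {value!r}")


def validate_policy(policy: dict) -> list[str]:
    """Return ERROR/WARN findings; an empty list means the documented constraints are met."""
    out: list[str] = []
    spec = policy.get("spec") or {}
    refs = spec.get("targetRefs") or []
    if not refs:
        out.append("ERROR spec.targetRefs: at least one target is required")
    for i, ref in enumerate(refs):
        where = f"spec.targetRefs[{i}]"
        _check_string(ref.get("name"), f"{where}.name", NAME_RE, out)  # required, so None fails too
        if ref.get("kind") not in TARGET_KINDS:
            out.append(f"ERROR {where}.kind: must be one of {sorted(TARGET_KINDS)}")
        if "group" in ref:
            _check_string(ref["group"], f"{where}.group", NAME_RE, out)
        if "sectionName" in ref:
            _check_string(ref["sectionName"], f"{where}.sectionName", SECTION_RE, out)
    for i, rule in enumerate(spec.get("rule") or []):
        where = f"spec.rule[{i}]"
        if not rule.get("name"):
            out.append(f"ERROR {where}.name: required")
        # Assumption: the table documents no default for action, so a missing one is an error here.
        if rule.get("action") not in ACTIONS:
            out.append(f"ERROR {where}.action: must be one of {sorted(ACTIONS)}")
        for side in ("source", "destination"):
            sel = rule.get(side) or {}
            for addr in sel.get("addresses") or []:
                _check_address(str(addr), f"{where}.{side}.addresses", out)
            for port in sel.get("ports") or []:
                _check_port(port, f"{where}.{side}.ports", out)
            # Soft-reference caveat from the table: when this side selects only through a list
            # reference and every referenced list is empty or missing, the rule is disabled and
            # matches nothing, so a drop or reject rule silently enforces nothing.
            for lists, direct in (("addressLists", "addresses"), ("portLists", "ports")):
                if sel.get(lists) and not sel.get(direct):
                    out.append(f"WARN {where}.{side}.{lists}: rule is disabled while all referenced lists are empty or missing")
    return out


# Constructed sample: the Gateway example from this page, as a parsed dict.
GOOD_POLICY = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigFwPolicy",
    "metadata": {"name": "firewallpolicy-gateway", "namespace": "app-ns"},
    "spec": {
        "targetRefs": [{"group": "gateway.networking.k8s.io", "name": "my-l4route-tcp-gateway", "kind": "Gateway"}],
        "rule": [{"name": "sc-rule-tcp-ingress-1", "ipProtocol": "any",
                  "source": {"addresses": ["11.19.10.9"]}, "logging": True, "action": "drop"}],
    },
}

# Constructed sample: several documented constraints violated, plus a list-only (soft) reference.
BAD_POLICY = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigFwPolicy",
    "metadata": {"name": "broken-policy", "namespace": "app-ns"},
    "spec": {
        "targetRefs": [{"name": "my gateway", "kind": "Listener", "sectionName": "l4-nginx-tcp"}],
        "rule": [{"ipProtocol": "tcp",  # rule.name missing
                  "source": {"addressLists": ["trusted-clients"]},  # no direct source address
                  "destination": {"addresses": ["2002::10:10:0:0/96", "10.0.0.20-10.0.0.1"],
                                  "ports": [443, "8000-7000"]},
                  "action": "allow"}],
    },
}
```

Running validate_policy(BAD_POLICY) reports six errors (the space in the target name, the unknown kind, the missing rule name, the unknown action, the reversed address range and the reversed port range) and one warning for the source side that selects only through an address list. The checks mirror the table's wording rather than the CRD's admission schema, so treat them as a pre-commit sanity pass, not a replacement for what the cluster enforces.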
CR Example
This section provides sample F5BigFwPolicy CRs for common use cases. For details on how to apply the CRs, see Firewall policy in Gateway API.
F5BigFwPolicy CR with ACLs attached to GatewayClass
Following is an example F5BigFwPolicy CR with ACLs attached to a GatewayClass:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: firewallpolicy-gateway-class
  namespace: alpha
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    name: f5-gateway-class
    kind: GatewayClass
  rule:
  - name: sc-rule-tcp-ingress-1
    ipProtocol: any
    source:
      addresses:
      - 11.19.10.9
    logging: true
    action: drop
```
F5BigFwPolicy with ACLs attached to Gateway
Following is an example F5BigFwPolicy CR with ACLs attached to a Gateway:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: firewallpolicy-gateway
  namespace: app-ns
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    name: my-l4route-tcp-gateway
    kind: Gateway
  rule:
  - name: sc-rule-tcp-ingress-1
    ipProtocol: any
    source:
      addresses:
      - 11.19.10.9
    logging: true
    action: drop
```
F5BigFwPolicy with ACLs attached to Listeners
Following is an example F5BigFwPolicy CR with ACLs attached to a single listener of a Gateway, selected with sectionName:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: firewallpolicy-listener
  namespace: app-ns
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    name: my-l4route-tcp-gateway
    kind: Gateway
    sectionName: l4-nginx-tcp
  rule:
  - name: sc-rule-tcp-ingress-1
    ipProtocol: any
    source:
      addresses:
      - 11.19.10.9
    logging: true
    action: drop
```