F5BigFwPolicy
The F5BigFwPolicy Custom Resource (CR) applies industry-standard firewall rules to the Traffic Management Microkernel (TMM), ensuring that only connections initiated by trusted clients will be accepted. When applying a new F5BigFwPolicy CR configuration, firewall rules are first sent to the Application Firewall Management (AFM) Pod to be compiled into a binary large object (BLOB), improving processing performance. Once the firewall BLOB is compiled, it is sent to the TMM Pod to begin inspecting and filtering network packets.
CR parameters
The tables below describe the F5BigFwPolicy CR parameters.
metadata
| Parameter | Description |
|---|---|
| name | The name of the Firewall Policy. This value is referenced by BIG-IP Next for Kubernetes Traffic Management CRs. |
| namespace | The Kubernetes namespace in which the firewall policy is installed. |
spec
| Parameter | Description | Default |
|---|---|---|
| rule.name | The name of the firewall rule. A policy can contain multiple firewall rules. Note: You must specify this field. | |
| rule.ipProtocol | Specifies the IP protocol against which the packet will be compared. The F5BigFwPolicy IP Protocols document contains the full list of supported protocols. | any |
| rule.action | Specifies the action applied to a packet that matches the ACL rule: "accept", "drop", or "reject". | |
| rule.logging | Boolean. Enables ACL rule match logging. | false |
| rule.source.addresses | Specifies a list of IPv4 or IPv6 source addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20. | |
| rule.source.addressLists | Specifies the F5BigCneAddressList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold: this attribute specifies one or more addressLists; all of these addressLists are empty or do not exist (soft-reference case); and the rule does not specify any direct source address. | |
| rule.source.ports | Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is a valid value that functions as a service port, not as a wildcard. | |
| rule.source.portLists | Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold: this attribute specifies one or more portLists; all of these portLists are empty or do not exist (soft-reference case); and the rule does not specify any direct source port. | |
| rule.source.vlans | Specifies a list of F5BigNetVlans in an array. | [] |
| rule.destination.addresses | Specifies a list of IPv4 or IPv6 destination addresses against which the packet will be compared: host 2002::10:10:10:1, subnet 2002::10:10:0:0/96, or range 2002::10:10:10:1-2002::10:10:10:20. | |
| rule.destination.ports | Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is a valid value that functions as a service port, not as a wildcard. | |
| rule.destination.addressLists | Specifies the F5BigCneAddressList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold: this attribute specifies one or more addressLists; all of these addressLists are empty or do not exist (soft-reference case); and the rule does not specify any direct destination address. | |
| rule.destination.portLists | Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold: this attribute specifies one or more portLists; all of these portLists are empty or do not exist (soft-reference case); and the rule does not specify any direct destination port. | |
| rule.ruleList | Specifies the name of the firewall rule list this rule references. | |

To add, modify, or delete firewall rules easily, break the firewall rule list into multiple smaller units and store them in F5BigFwRulelist CRs.
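The matching semantics in the table above (host, subnet and range address forms, port 0 as a real port, and the soft-reference case that disables a rule) are easier to reason about with a small executable model. The following Python is an added reference model written for this page, not F5's TMM/AFM code or any F5 API: it represents a constructed F5BigFwPolicy as a dict mirroring the CR's YAML layout, expands constructed F5BigCneAddressList/F5BigCnePortList contents by metadata.name, and evaluates constructed packets against the rules. First-match ordering within spec.rule and the fall-through result when no rule matches are modelling assumptions; the page does not state either. All rule names, list names and packet values are constructed.

```python
"""Reference model of the F5BigFwPolicy rule semantics from the parameter table.
Added illustration, not F5's code. First-match ordering and the fall-through
result are modelling assumptions the page does not state."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the CR rules compare."""
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def address_matches(spec: str, ip: str) -> bool:
    """One address entry in the table's three forms: host, subnet, or start-end range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:  # range form, e.g. 2002::10:10:10:1-2002::10:10:10:20
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    if "/" in spec:  # subnet form, e.g. 2002::10:10:0:0/96
        net = ipaddress.ip_network(spec, strict=False)
        return net.version == addr.version and addr in net
    return ipaddress.ip_address(spec) == addr  # host form


def port_matches(spec, port: int) -> bool:
    """One port entry: a single port or 'lo-hi'. Port 0 is a real port, not a wildcard."""
    text = str(spec)
    if "-" in text:
        lo, hi = (int(p) for p in text.split("-", 1))
        return lo <= port <= hi
    return int(text) == port


def resolve_lists(names, catalog):
    """Expand addressLists/portLists references by metadata.name.
    Returns (entries, dead): dead means at least one list was referenced and
    every referenced list is empty or does not exist (the soft-reference case)."""
    entries = [e for name in names for e in catalog.get(name, [])]
    return entries, bool(names) and not entries


def rule_is_disabled(rule, address_lists, port_lists) -> bool:
    """The table's disable condition: a selector whose only constraint is a set
    of dead list references, with no direct addresses/ports beside it."""
    for side in ("source", "destination"):
        sel = rule.get(side) or {}
        addr_dead = resolve_lists(sel.get("addressLists") or [], address_lists)[1]
        if addr_dead and not sel.get("addresses"):
            return True
        port_dead = resolve_lists(sel.get("portLists") or [], port_lists)[1]
        if port_dead and not sel.get("ports"):
            return True
    return False


def selector_matches(sel, ip, port, address_lists, port_lists) -> bool:
    """A selector with no address constraint matches any address; likewise for ports."""
    addrs = list(sel.get("addresses") or [])
    addrs += resolve_lists(sel.get("addressLists") or [], address_lists)[0]
    if addrs and not any(address_matches(a, ip) for a in addrs):
        return False
    ports = list(sel.get("ports") or [])
    ports += resolve_lists(sel.get("portLists") or [], port_lists)[0]
    if ports and not any(port_matches(p, port) for p in ports):
        return False
    return True


def evaluate(policy, packet, address_lists, port_lists):
    """Walk spec.rule in order (assumed: first match wins) and return
    (rule name, action, logged). Fall-through returns (None, None, False)
    because the page does not state a default action."""
    for rule in policy["spec"]["rule"]:
        if rule_is_disabled(rule, address_lists, port_lists):
            continue
        proto = rule.get("ipProtocol", "any")
        if proto != "any" and proto != packet.protocol:
            continue
        src, dst = rule.get("source") or {}, rule.get("destination") or {}
        if not selector_matches(src, packet.src_ip, packet.src_port, address_lists, port_lists):
            continue
        if not selector_matches(dst, packet.dst_ip, packet.dst_port, address_lists, port_lists):
            continue
        return rule["name"], rule["action"], bool(rule.get("logging", False))
    return None, None, False


# Constructed policy mirroring the YAML layout of the CR (dict form so it runs offline).
POLICY = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigFwPolicy",
    "metadata": {"name": "fwpolicy-example", "namespace": "alpha"},
    "spec": {"rule": [
        # Soft reference to a list that does not exist: disabled, so it cannot drop everything.
        {"name": "stale-list", "ipProtocol": "any", "action": "drop",
         "source": {"addressLists": ["missing-list"]}},
        {"name": "allow-mgmt-ssh", "ipProtocol": "tcp", "action": "accept", "logging": True,
         "source": {"addressLists": ["mgmt-hosts"]}, "destination": {"ports": [22]}},
        {"name": "drop-scanner-range", "ipProtocol": "any", "action": "drop", "logging": True,
         "source": {"addresses": ["11.19.10.1-11.19.10.20", "2002::10:10:0:0/96"]}},
        {"name": "reject-port-zero", "ipProtocol": "udp", "action": "reject",
         "destination": {"ports": [0]}},
    ]},
}
# Constructed F5BigCneAddressList / F5BigCnePortList contents, keyed by metadata.name.
ADDRESS_LISTS = {"mgmt-hosts": ["10.0.0.5", "10.0.0.0/30"]}
PORT_LISTS = {}

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.0.5", 40000, "10.1.1.1", 22),
                Packet("tcp", "11.19.10.9", 5000, "10.1.1.1", 443),
                Packet("udp", "10.9.9.9", 1234, "10.1.1.1", 0),
                Packet("udp", "10.9.9.9", 1234, "10.1.1.1", 53)):
        print(pkt, "->", evaluate(POLICY, pkt, ADDRESS_LISTS, PORT_LISTS))
```

The first rule is the case the table warns about: it references only a list that does not exist, so if it were not disabled its empty source selector would match every packet and drop all traffic. Because the model disables it, a management SSH connection from an address in mgmt-hosts reaches the accept rule, a packet from the constructed scanner range is dropped, and a UDP packet to destination port 0 is rejected only because port 0 is treated as a real port rather than a wildcard.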
CR Example
This section provides sample F5BigFwPolicy CRs for common use cases. For details on applying the CRs, see Firewall policy in Gateway API.
F5BigFwPolicy CR with ACLs attached to GatewayClass
Following is an example F5BigFwPolicy CR with ACLs attached to GatewayClass:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: fwpolicy-global-1
  namespace: alpha
spec:
  rule:
  - name: sc-rule-1
    ipProtocol: any
    source:
      addresses:
      - 11.19.10.9
    logging: true
    action: drop
---
apiVersion: "gateway.k8s.f5net.com/v1alpha1"
kind: BNKSecPolicy
metadata:
  name: secpolicy-global
  namespace: alpha
spec:
  extensionRefs:
  - name: fwpolicy-global-1
    group: k8s.f5net.com
    kind: F5BigFwPolicy
```
F5BigFwPolicy with ACLs attached to Gateway
Following is an example F5BigFwPolicy CR with ACLs attached to Gateway:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: fwpolicy-virtual-1
  namespace: gateway-ns
spec:
  rule:
  - name: sc-rule-1
    ipProtocol: any
    source:
      addresses:
      - 11.19.10.8
    logging: true
    action: drop
---
apiVersion: "gateway.k8s.f5net.com/v1alpha1"
kind: BNKSecPolicy
metadata:
  name: secpolicy-virtual-1
  namespace: gateway-ns
spec:
  extensionRefs:
  - name: fwpolicy-virtual-1
    group: k8s.f5net.com
    kind: F5BigFwPolicy
```
F5BigFwPolicy with ACLs attached to Listeners
Following is an example F5BigFwPolicy CR with ACLs attached to Listeners:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: fwpolicy-virtual-1
  namespace: gateway-ns
spec:
  rule:
  - name: sc-rule-1
    ipProtocol: any
    source:
      addresses:
      - 11.19.10.8
    logging: true
    action: drop
---
apiVersion: "gateway.k8s.f5net.com/v1alpha1"
kind: BNKSecPolicy
metadata:
  name: secpolicy-virtual-1
  namespace: gateway-ns
spec:
  extensionRefs:
  - name: fwpolicy-virtual-1
    group: k8s.f5net.com
    kind: F5BigFwPolicy
```