F5BigContextGlobal

The F5BigContextGlobal Custom Resource (CR) installs with the BIG-IP Controller to configure the default behavior for the installed F5BigFwPolicy CRs. The F5BigContextGlobal CR provides options that enable modifications to the default F5BigFwPolicy CR packet handling behavior.

This document guides you through configuring and installing a simple F5BigFwPolicy CR.

CR Parameters

The table below describes the F5BigContextGlobal CR parameters:

| Parameter | Description |
| --- | --- |
| logProfile | Specifies the F5BigLogProfile CR using the metadata.name parameter. |
| firewall.enforcedPolicy | References and applies an F5BigFwPolicy globally. This applies prior to F5BigFwPolicy CRs that may be referenced by F5BigContextSecure CRs. |
| firewall.defaultAction | The default action to apply on traffic not matching any firewall rule: accept (default), reject, or drop. |
| firewall.defaultActionLog | Whether an HSL message should be generated when applying the defaultAction. |

CR Example

apiVersion: k8s.f5net.com/v1
kind: F5BigContextGlobal
metadata:
  name: global-context
spec:
  firewall:
    defaultAction: "drop"
    defaultActionLog: false

CR updates

The F5BigContextGlobal CR behaves differently from the other CNFs CRs: when you install the BIG-IP Controller to a namespace, a copy of the F5BigContextGlobal CR is applied to the namespace with the default values. Because only a single CR of this type can exist in the namespace, you must use the same name, global-context, when modifying the F5BigContextGlobal CR.

Firewall mode

The CNFs default firewall mode controls how network packets are handled when either of these conditions is met:

  • None of the installed CNFs CRs reference an F5BigFwPolicy.
  • A CNFs CR references an F5BigFwPolicy, but packets do not match any of the rules.

Requirements

Ensure you have:

Installation

Use the steps below to modify the default values of the F5BigContextGlobal CR.

  1. View the currently installed F5BigContextGlobal CR:

    In this example, the F5BigContextGlobal CR is installed in the cnf-gateway namespace.

    oc get f5-big-context-global -n cnf-gateway
    

    In this example, the F5BigContextGlobal CR named global-context is installed.

    NAME             STATUS    MESSAGE                            
    global-context   SUCCESS   CR config sent to all grpc endpoints
    
  2. View the configuration of the currently installed F5BigContextGlobal CR:

    oc get f5-big-context-global -n cnf-gateway -o yaml | grep firewall: -A2
    

    In this example, the F5BigContextGlobal CR is set to the default values.

     firewall:
       defaultAction: accept
       defaultActionLog: false
    
  3. Copy the example F5BigContextGlobal CR into a YAML file:

    In this example, the F5BigContextGlobal CR changes the defaultAction to drop.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextGlobal
    metadata:
      name: global-context
      namespace: cnf-gateway
    spec:
      firewall:
        defaultAction: "drop"
        defaultActionLog: false
    
  4. Replace the F5BigContextGlobal CR:

    Note: Validation will not allow the F5BigContextGlobal CR to be deleted.

    oc replace -f cnf-context-globals.yaml
    
  5. View the updated configuration:

    oc get f5-big-context-global -n cnf-gateway -o yaml | grep firewall: -A2
    

    In this example, the defaultAction is now drop.

     firewall:
       defaultAction: drop
       defaultActionLog: false
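
A check that could follow step 5, as an added example rather than F5's own tooling: the function reads the CR YAML on stdin and returns non-zero when unmatched traffic would still be accepted. The function name and the sample inputs are constructed here; a missing defaultAction is treated as accept and a missing defaultActionLog as false, the default values shown in step 2.

```shell
#!/bin/sh
# Added example: audit the firewall default of an F5BigContextGlobal CR.
# Input : CR YAML on stdin, for instance piped from
#         oc get f5-big-context-global -n cnf-gateway -o yaml
# Output: "<defaultAction> <defaultActionLog>"
# Status: 0 = drop or reject, 1 = accept (fail-open), 2 = unrecognized value
audit_default_action() {
    awk '
        /^[ ]*$/ { next }                                   # ignore blank lines
        # Enter the firewall: mapping and remember its indentation.
        /^[ ]*firewall:[ ]*$/ { in_fw = 1; fw_indent = match($0, /[^ ]/); next }
        in_fw {
            indent = match($0, /[^ ]/)
            if (indent <= fw_indent) { in_fw = 0; next }    # left the mapping
            val = $2; gsub(/["\047]/, "", val)              # strip YAML quotes
            if ($1 == "defaultAction:")    action  = val
            if ($1 == "defaultActionLog:") log_hsl = val
        }
        END {
            if (action == "")  action  = "accept"           # default value
            if (log_hsl == "") log_hsl = "false"            # default value
            print action, log_hsl
            if (action == "drop" || action == "reject") exit 0
            if (action == "accept") exit 1
            exit 2
        }'
}

# Constructed sample inputs mirroring the output shown in steps 2 and 5.
SAMPLE_DEFAULT='spec:
  firewall:
    defaultAction: accept
    defaultActionLog: false'
SAMPLE_HARDENED='spec:
  firewall:
    defaultAction: "drop"
    defaultActionLog: false'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"; do
    if result=$(printf '%s\n' "$sample" | audit_default_action); then
        echo "OK: unmatched traffic is denied ($result)"
    else
        echo "REVIEW: unmatched traffic is not denied ($result)"
    fi
done
```

Against a live cluster, pipe the command from step 5 without the grep filter into audit_default_action.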
    
