F5BigSvcPolicy¶
Overview¶
The service policy (F5BigSvcPolicy) custom resource (CR) creates Timer Policies and attaches them to firewall rules. It also lets you change the Flow Idle Timeout of flows that match those rules: when a flow matches a firewall rule that carries a Timer Policy, the Flow Idle Timeout is set according to that policy. A Timer Policy can specify different Flow Idle Timeout values for different protocol and port combinations, and can leave the default Flow Idle Timeout in place for others.
To support new types of policies in future and to keep the configuration similar to classic BIG-IP (CBIP), the Timer Policy is defined as part of a Service Policy. The Service Policy is attached to firewall rules or rule lists, and the firewall policy that carries the Service Policy and its Timer Policy is attached to a secure context or to the global context.
This document guides you through understanding, configuring, and installing a simple F5BigSvcPolicy CR.
CR Parameters¶
The following tables list the F5BigSvcPolicy CR parameters:
metadata¶
Parameter | Description |
---|---|
name | The name of the Service Policy. The CNF Traffic Management CRs reference this value. |
spec¶
Parameter | Description |
---|---|
timer.name | Specifies the name of the timer rule. |
timer.ipProtocol | Specifies the IP protocol the packet is compared against. timer.destinationPorts may only be used when ipProtocol is tcp, udp, or sctp. If no port or port range is configured, the rule matches all ports. |
timer.timeoutOption | Specifies the timeout behaviour for flows that match the rule's protocol and port pairs. Defaults to unspecified. Options: specified sets an idle timeout in seconds (see timer.idleTimeout); immediate creates no flow for the matching protocol and port pairs; infinite means matching flows never time out; unspecified (the default) leaves the Flow Idle Timeout unchanged by this timer rule. |
timer.idleTimeout | Specifies the amount of idle time, in seconds, before the connection is terminated. Note: Configure this parameter only when timer.timeoutOption is specified. |
timer.destinationPorts | Specifies one or more destination ports or port ranges (for example "80-8080") to match; "all-other" matches every port not named by another rule for the same protocol. Defaults to all ports. |
CR Example¶
An example F5BigSvcPolicy CR looks like the following:
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigSvcPolicy
metadata:
  name: "svcpolicy-http"
spec:
  timer:
    - name: TCP traffic
      ipProtocol: "tcp"
      destinationPorts:
        - "80-8080"
      timeoutOption: "specified"
      idleTimeout: 30
    - name: UDP traffic
      ipProtocol: "udp"
      timeoutOption: "immediate"
    - name: Other traffic
      ipProtocol: "tcp"
      destinationPorts:
        - "all-other"
      timeoutOption: "unspecified"
    - name: TCP traffic infinite
      ipProtocol: "tcp"
      destinationPorts:
        - "9000-9010"
      timeoutOption: "infinite"
```
Note: The ipProtocol of a firewall rule and the ipProtocol of the Service Policy timer rules it references must match. There is no validation across the firewall policy rules and the service policy, so configure these two values carefully.
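Because the platform does not validate the constraints in the parameter table or the protocol match between firewall rules and timer rules, a pre-apply check is worth running. The following is an added example, not F5 code: it models the CRs as Python dicts with the same shape as the YAML (so it runs offline without PyYAML), encodes the table's constraints, resolves which timer rule a given protocol/port would hit, and cross-checks firewall rules against the service policies they name. The sample firewall policy with two deliberately broken rules is constructed here, and the precedence used by resolve_timeout (a rule with explicit ports beats an "all-other" or port-less rule for the same protocol) is an assumption the page does not state.

```python
"""Pre-apply checks for F5BigSvcPolicy timer rules and the firewall CRs that reference
them. Added example, not F5 code: CRs are dicts shaped like the YAML (no PyYAML needed)."""

PORTED_PROTOCOLS = {"tcp", "udp", "sctp"}  # only these may carry destinationPorts
TIMEOUT_OPTIONS = {"specified", "immediate", "infinite", "unspecified"}


def parse_port_spec(spec):
    """"80" -> (80, 80); "80-8080" -> (80, 8080); "all-other" -> None (catch-all)."""
    s = str(spec).strip().lower()
    if s == "all-other":
        return None
    lo, _, hi = s.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad destination port spec {spec!r}")
    return lo, hi


def validate_svc_policy(cr):
    """List the violations of the constraints stated in the spec parameter table."""
    errors = []
    for rule in cr.get("spec", {}).get("timer", []):
        name = rule.get("name", "<unnamed>")
        proto = str(rule.get("ipProtocol", "")).lower()
        option = str(rule.get("timeoutOption", "unspecified")).lower()
        ports = rule.get("destinationPorts") or []
        if option not in TIMEOUT_OPTIONS:
            errors.append(f"{name}: unknown timeoutOption {option!r}")
        if ports and proto not in PORTED_PROTOCOLS:
            errors.append(f"{name}: destinationPorts require tcp/udp/sctp, got {proto!r}")
        if option == "specified" and not isinstance(rule.get("idleTimeout"), int):
            errors.append(f"{name}: timeoutOption specified needs an integer idleTimeout")
        if option != "specified" and "idleTimeout" in rule:
            errors.append(f"{name}: idleTimeout is only valid with timeoutOption specified")
        for spec in ports:
            try:
                parse_port_spec(spec)
            except ValueError as exc:
                errors.append(f"{name}: {exc}")
    return errors


def resolve_timeout(svc_cr, proto, dst_port):
    """(timeoutOption, idleTimeout) a flow on proto/dst_port gets from this policy.
    ASSUMPTION (not stated on the page): a rule with explicit ports wins over an
    "all-other" or port-less rule for the same protocol. (None, None) = no rule matched."""
    proto, catch_all = proto.lower(), None
    for rule in svc_cr.get("spec", {}).get("timer", []):
        if str(rule.get("ipProtocol", "")).lower() != proto:
            continue
        ranges = [parse_port_spec(p) for p in rule.get("destinationPorts") or []]
        if not ranges or None in ranges:
            catch_all = rule if catch_all is None else catch_all
        elif any(lo <= dst_port <= hi for lo, hi in ranges):
            return rule.get("timeoutOption"), rule.get("idleTimeout")
    if catch_all is not None:
        return catch_all.get("timeoutOption"), catch_all.get("idleTimeout")
    return None, None


def check_firewall_references(fw_crs, svc_crs):
    """Cross-CR checks the platform does not do: each servicePolicy must name an existing
    F5BigSvcPolicy whose timer rules cover the firewall rule's ipProtocol."""
    by_name = {c["metadata"]["name"]: c for c in svc_crs}
    problems = []
    for fw in fw_crs:
        for rule in fw.get("spec", {}).get("rule", []):
            ref = rule.get("servicePolicy")
            if not ref:
                continue
            where = f"{fw['kind']}/{fw['metadata']['name']} rule {rule.get('name')}"
            svc = by_name.get(ref)
            if svc is None:
                problems.append(f"{where}: servicePolicy {ref!r} not found")
                continue
            proto = str(rule.get("ipProtocol", "")).lower()
            covered = {str(t.get("ipProtocol", "")).lower() for t in svc["spec"].get("timer", [])}
            if proto not in covered:
                problems.append(f"{where}: ipProtocol {proto!r} has no timer rule in {ref!r}")
    return problems


# Constructed sample input: the page's four-rule service policy as a dict.
SVC_POLICY = {"kind": "F5BigSvcPolicy", "metadata": {"name": "svcpolicy-http"}, "spec": {"timer": [
    {"name": "TCP traffic", "ipProtocol": "tcp", "destinationPorts": ["80-8080"],
     "timeoutOption": "specified", "idleTimeout": 30},
    {"name": "UDP traffic", "ipProtocol": "udp", "timeoutOption": "immediate"},
    {"name": "Other traffic", "ipProtocol": "tcp", "destinationPorts": ["all-other"],
     "timeoutOption": "unspecified"},
    {"name": "TCP traffic infinite", "ipProtocol": "tcp", "destinationPorts": ["9000-9010"],
     "timeoutOption": "infinite"},
]}}

# Constructed firewall policy: the page's allow-http rule plus two deliberately broken ones.
FW_POLICY = {"kind": "F5BigFwPolicy", "metadata": {"name": "fwpolicy"}, "spec": {"rule": [
    {"name": "allow-http", "action": "accept", "ipProtocol": "tcp", "servicePolicy": "svcpolicy-http"},
    {"name": "allow-sctp", "action": "accept", "ipProtocol": "sctp", "servicePolicy": "svcpolicy-http"},
    {"name": "allow-dns", "action": "accept", "ipProtocol": "udp", "servicePolicy": "svcpolicy-dns"},
]}}
```

Run validate_svc_policy on each F5BigSvcPolicy and check_firewall_references on the F5BigFwPolicy and F5BigFwRulelist CRs before applying them; an empty list from both means the CRs satisfy the constraints the page states. resolve_timeout is for reasoning about what a given flow will get, for example tcp/443 from the page's policy resolves to the 30 second specified timeout while tcp/22 falls through to the "all-other" unspecified rule.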
Installation¶
Following are the steps to install the example F5BigSvcPolicy CR. Each step gives a brief description of the example CR.

1. The example F5BigSvcPolicy CR defines three timer rules. Copy and paste the following example Service Policy CR into a YAML file:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigSvcPolicy
metadata:
  name: "svcpolicy-http"
spec:
  timer:
    - name: tcp-rule
      ipProtocol: "tcp"
      destinationPorts:
        - "80-8080"
      timeoutOption: "specified"
      idleTimeout: 30
    - name: udp-rule
      ipProtocol: "udp"
      timeoutOption: "immediate"
    - name: Other-rule
      ipProtocol: "tcp"
      destinationPorts:
        - "all-other"
      timeoutOption: "unspecified"
```

2. The example F5BigFwPolicy CR attaches the Service Policy to a firewall rule. Copy and paste the example into a YAML file. Note: The F5BigContextSecure CR will reference the F5BigFwPolicy CR.

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: "fwpolicy"
spec:
  rule:
    - name: allow-http
      action: "accept"
      logging: true
      ipProtocol: tcp
      servicePolicy: svcpolicy-http
      source:
        addresses:
          - "10.1.56.0/24"
```

3. The example F5BigFwRulelist CR attaches the Service Policy to a rule in a firewall rule list. Copy and paste the example into a YAML file:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwRulelist
metadata:
  name: "rulelist1"
spec:
  rule:
    - name: rl1_rule1
      ipProtocol: tcp
      source:
        addresses:
          - "20.20.20.0/24"
        addressLists:
          - "addrlist1"
        portLists: ['portlist1']
      destination:
        addresses:
          - "40.40.40.0/24"
        addressLists:
          - "addrlist1"
        ports: ['123']
      logging: true
      action: "accept"
      servicePolicy: svcpolicy-http
```

4. Install the F5BigContextSecure CR, which enforces the firewall policy on the secure context. Copy and paste the following example F5BigContextSecure CR into a YAML file:

```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: securecontex
spec:
  destinationAddress: "10.1.76.80"
  destinationPort: 0
  firewallEnforcedPolicy: "fwpolicy"
  logProfile: "logprofile-ns"
  ipProtocol: "tcp"
  profile: "tcp"
  tcpSettings:
    clientSide: "tcp1"
    serverSide: "tcp1"
```
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.