F5BigContextGlobal
The F5BigContextGlobal Custom Resource (CR) installs with the BIG-IP Controller to configure the default behavior for the installed F5BigFwPolicy CRs. The F5BigContextGlobal CR provides options that enable modifications to the default F5BigFwPolicy CR packet handling behavior.
This document guides you through configuring and installing a simple F5BigFwPolicy CR.
CR Parameters
The table below describes the F5BigContextGlobal CR parameters.

Parameter | Description |
---|---|
logProfile | Specifies the F5BigLogProfile CR using the metadata.name parameter. |
firewall.enforcedPolicy | References and applies an F5BigFwPolicy globally. This applies prior to F5BigFwPolicy CRs that may be referenced by F5BigContextSecure CRs. |
firewall.defaultAction | The default action to apply on traffic not matching any firewall rule: accept (default), reject, or drop. |
firewall.defaultActionLog | Whether an HSL message should be generated when applying the defaultAction. |

CR Example

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextGlobal
    metadata:
      name: global-context
    spec:
      firewall:
        defaultAction: "drop"
        defaultActionLog: false

CR updates
The F5BigContextGlobal CR behaves differently than the other CNFs CRs: When you install the BIG-IP Controller to a namespace, a copy of the F5BigContextGlobal is applied to the namespace with the default values. Because only a single CR of this type can exist in the namespace, you must use the same name, global-context, when modifying the F5BigContextGlobal CR.
Firewall mode
The CNFs default firewall mode controls how network packets are handled when either of these conditions is met:
- None of the installed CNFs CRs reference an F5BigFwPolicy.
- A CNFs CR references an F5BigFwPolicy, but packets do not match any of the rules.
Installation
Use the steps below to modify the default values of the F5BigContextGlobal CR.
View the currently installed F5BigContextGlobal CR:
In this example, the F5BigContextGlobal CR is installed in the cnf-gateway namespace.

    kubectl get f5-big-context-global -n cnf-gateway

In this example, the F5BigContextGlobal CR named global-context is installed.

    NAME             STATUS    MESSAGE
    global-context   SUCCESS   CR config sent to all grpc endpoints

View the configuration of the currently installed F5BigContextGlobal CR:

    kubectl get f5-big-context-global -n cnf-gateway -o yaml | grep firewall: -A2

In this example, the F5BigContextGlobal CR is set to the default values.

    firewall:
      defaultAction: accept
      defaultActionLog: false

Copy the example F5BigContextGlobal CR into a YAML file:
In this example, the F5BigContextGlobal CR changes the defaultAction to drop.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextGlobal
    metadata:
      name: global-context
      namespace: cnf-gateway
    spec:
      firewall:
        defaultAction: "drop"
        defaultActionLog: false

Replace the F5BigContextGlobal CR:
Note: Validation will not allow the F5BigContextGlobal CR to be deleted.

    kubectl replace -f cnf-context-globals.yaml

View the updated configuration:

    kubectl get f5-big-context-global -n cnf-gateway -o yaml | grep firewall: -A2

In this example, the defaultAction is now drop.

    firewall:
      defaultAction: drop
      defaultActionLog: false

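The check below is an added example, not part of the F5 documentation or tooling: a Python audit of the JSON form of the verification command (the same kubectl get with -o json), reporting when the default firewall posture is fail-open, unlogged, or fails the naming and value rules described above. The finding codes and helper names are hypothetical, the sample CRs are constructed from the values on this page, and the standard kubectl List wrapper is assumed.

```python
import json

ALLOWED_ACTIONS = ("accept", "reject", "drop")  # values from the parameter table
REQUIRED_NAME = "global-context"                # only name accepted for this CR

def audit_global_context(kubectl_json):
    """Return (code, message) findings for `kubectl get f5-big-context-global -o json` output."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    crs = [i for i in items if i.get("kind") == "F5BigContextGlobal"]
    findings = []
    if len(crs) != 1:
        findings.append(("CR_COUNT", f"expected one F5BigContextGlobal, found {len(crs)}"))
    for cr in crs:
        meta = cr.get("metadata") or {}
        if meta.get("name") != REQUIRED_NAME:
            findings.append(("BAD_NAME", f"name is {meta.get('name')!r}, must be {REQUIRED_NAME!r}"))
        fw = (cr.get("spec") or {}).get("firewall") or {}
        action = fw.get("defaultAction", "accept")  # accept is the documented default
        log = fw.get("defaultActionLog", False)     # false in the default CR shown on the page
        if action not in ALLOWED_ACTIONS:
            findings.append(("BAD_ACTION", f"defaultAction {action!r} not in {ALLOWED_ACTIONS}"))
        elif action == "accept":
            findings.append(("FAIL_OPEN", "traffic matching no firewall rule is accepted"))
        if not isinstance(log, bool):
            findings.append(("BAD_LOG_TYPE", f"defaultActionLog must be a boolean, got {log!r}"))
        elif not log:
            findings.append(("NOT_LOGGED", f"no HSL message when {action!r} is applied by default"))
        if not fw.get("enforcedPolicy"):  # only presence is checked; its shape is not assumed
            findings.append(("NO_GLOBAL_POLICY", "no firewall.enforcedPolicy is applied globally"))
    return findings

def make_list(action, log, name="global-context"):
    """Build constructed sample output shaped like a kubectl JSON List."""
    cr = {"apiVersion": "k8s.f5net.com/v1", "kind": "F5BigContextGlobal",
          "metadata": {"name": name, "namespace": "cnf-gateway"},
          "spec": {"firewall": {"defaultAction": action, "defaultActionLog": log}}}
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": [cr]})

DEFAULT_CR = make_list("accept", False)  # constructed: the default values shown on the page
UPDATED_CR = make_list("drop", False)    # constructed: the page's modified CR

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_CR), ("updated", UPDATED_CR)):
        for code, message in audit_global_context(sample):
            print(f"{label}: {code}: {message}")
```

With the page's updated CR the FAIL_OPEN finding clears, while NOT_LOGGED remains because defaultActionLog is still false.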
Feedback
Provide feedback to improve this document by emailing cnfdocs@f5.com.