F5BigIpiPolicy
Overview
An IPI policy can be configured in the Global context, applied per virtual server, or both. Each policy contains a list of categories and actions that can be customized, with the IPRep database being common. Feedlist-based policies can also customize the configured IP addresses.
CR Parameters
metadata
| Parameter | Description |
|---|---|
| name | Specifies the name of the IpiFeedlist. |
spec.feeds
| Parameter | Description |
|---|---|
| defaultAction | Specifies the default action that the policy takes on denylist items, for which no action is specified. The value can be Drop (default) or Accept. |
| logCategoryMatches | Specifies the default log action for denylist matches, when the category does not have a log action specified. The value can be yes or no (default). |
| logAllowlistMatches | Specifies the default log action for allowlist matches. The value can be yes or no (default). |
| feedList | References a feedlist name which is used in this IPI policy. |
| categories | Specifies the list of all categories for a policy. Note: Each category name must be unique within the list to avoid duplicate entries. Duplicate category names will be caught and rejected through schema validation. |
| category | Specifies the category for which settings are configured in this policy. |
| action | Specifies action type for category. Select policydefault to use the default action for this policy. Select Drop or Accept to override the default action. The value can be policydefault (default), Drop or Accept. |
| logCategoryMatch | Specifies the log action for denylist category matches. The value can be policydefault (default), Drop or Accept. |
| logAllowlistOverrides | Specifies the log setting for allowlist override matches for a category. The logAllowlistOverrides parameter logs only allowlist matches that override a category match (allowlist matches always override category matches). If traffic matches both an allowlist entry and a configured category, the override allows the traffic, and this action is logged when this setting is enabled. The value can be policydefault (default), drop, accept. |
| match | Specifies the matching criteria that override a denylist match. The value can be source, destination or source and destination. You can select a source match, a destination match, or both a source and destination match to override a denylist match with an allowlist. |
CR Example
The following is an example F5BigIpiPolicy CR:
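```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigIpiPolicy
metadata:
  name: "ipi1"
spec:
  description: "ipi policy"
  categories:
    # Drop and log traffic whose source matches the botnets category
    - category: "botnets"
      action: "drop"
      logCategoryMatch: "yes"
      match: "source"
    # Drop and log traffic whose source matches the spam_sources category
    - category: "spam_sources"
      action: "drop"
      logCategoryMatch: "yes"
      match: "source"
```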
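A pre-apply check for the rules in the parameter tables, added here as an example and not part of the F5 documentation or product: it flags duplicate category names, unknown action values, and categories whose resolved action is Accept or whose denylist matches go unlogged. It assumes defaultAction and logCategoryMatches sit directly under spec alongside categories, and that values compare case-insensitively (the example CR uses lowercase drop).

```python
# Added example: pre-apply lint for an F5BigIpiPolicy spec (not F5 code).
# Assumption: defaultAction and logCategoryMatches sit directly under spec,
# next to categories, and values are compared case-insensitively.

ACTIONS = {"policydefault", "drop", "accept"}


def effective(spec, cat):
    """Resolve the action and log setting a category ends up with."""
    action = str(cat.get("action", "policydefault")).lower()
    if action == "policydefault":
        action = str(spec.get("defaultAction", "Drop")).lower()
    log = str(cat.get("logCategoryMatch", "policydefault")).lower()
    if log == "policydefault":
        log = str(spec.get("logCategoryMatches", "no")).lower()
    return action, log


def lint_policy(spec):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, seen = [], set()
    for cat in spec.get("categories", []):
        name = cat.get("category", "")
        if name in seen:
            findings.append(f"{name}: duplicate category name")
        seen.add(name)
        raw = str(cat.get("action", "policydefault")).lower()
        if raw not in ACTIONS:
            findings.append(f"{name}: unknown action {raw!r}")
            continue
        action, log = effective(spec, cat)
        if action == "accept":
            findings.append(f"{name}: denylist matches are accepted")
        if log != "yes":
            findings.append(f"{name}: denylist matches are not logged")
    return findings


# Constructed sample: entries modelled on the example CR plus ones that trigger findings.
SAMPLE_SPEC = {
    "defaultAction": "Accept",
    "categories": [
        {"category": "botnets", "action": "drop", "logCategoryMatch": "yes"},
        {"category": "spam_sources", "logCategoryMatch": "yes"},
        {"category": "botnets", "action": "drop"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_SPEC):
        print(finding)
```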
CR shortName
The CR shortName provides an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The shortName for the F5BigIpiPolicy CR is ipipolicy.
View CR instance:
```
kubectl get ipipolicy -n <namespace>
```
View CR configuration:
```
kubectl get ipipolicy -n <namespace> -o yaml
```
Installation
Apply the F5BigIpiPolicy CR by running the following command:
```
oc apply -f ipi-policy.yaml -n <namespace>
```
Verify the F5BigIpiPolicy CR is applied by checking the f5ingress logs. Sample output:
```
f5bigipipolicy.k8s.f5net.com/ipi1 created
```