The Policy CRD applies existing BIG-IP profiles and policies to VirtualServer and TransportServer resources. A Policy CR defines the profile configuration for a virtual server on BIG-IP. Where a feature is supported by both resources, the value set in the VirtualServer or TransportServer CR takes precedence over the value in the Policy CR; waf and persistenceProfile are examples of features supported in all three CRDs (VirtualServer, TransportServer, and Policy).
```yaml
apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  labels:
    f5cr: "true"
  name: sample-policy
  namespace: default
spec:
  snat: auto
  l7Policies:
    waf: /Common/WAF_Policy
  l3Policies:
    firewallPolicy: /Common/AFM_Policy
    dos: /Common/dos
    botDefense: /Common/bot-defense
    allowSourceRange:
      - 1.1.1.0/24
      - 2.2.2.0/24
  profiles:
    tcp:
      client: /Common/f5-tcp-lan
      server: /Common/f5-tcp-wan
    udp: /Common/udp
    http: /Common/http
    http2: /Common/http2
    persistenceProfile: none
    profileL4: /Common/security-fastL4
    profileMultiplex: /Common/oneconnect
    logProfiles:
      - /Common/Log all requests
      - /Common/local-dos
  iRules:
    secure: /Common/irule1
    insecure: /Common/irule1
    priority: high
```
Note

CIS only processes custom resources that carry the label f5cr set to "true". See lines 4-5 of the example above.
Using Policy with a Virtual Server, Transport Server, and ServiceTypeLB
Attach a Policy to a VirtualServer or TransportServer with the policyName field in spec; for a ServiceTypeLB, attach it with the cis.f5.com/policyName annotation in metadata.
```yaml
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: my-virtual-server
  labels:
    f5cr: "true"
spec:
  # This is an insecure virtual. Please use a TLSProfile to secure the virtual;
  # check out the TLS examples to understand more.
  host: cafe.example.com
  virtualServerAddress: "172.16.3.4"
  policyName: sample-policy
  pools:
    - path: /coffee
      service: svc-1
      servicePort: 80
```
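The two rules stated above (CIS ignores resources without the f5cr="true" label, and a field set on the VirtualServer overrides the same field in the referenced Policy) can be checked before a CR is applied. The script below is an added example and not CIS code; the inputs are Python dicts mirroring the page's sample-policy and my-virtual-server (written as dicts so it runs without PyYAML), the VirtualServer's own waf and persistenceProfile values are assumed, and matching a Policy by name within the VirtualServer's namespace is an assumption.

```python
"""Resolve which BIG-IP settings a VirtualServer ends up with when it references
a Policy CR.  Added illustration only; this is not CIS code.  It encodes the
precedence rule the page states: a field set on the VirtualServer wins over the
same field in the Policy when the VirtualServer supports that field."""
from typing import Any, Dict, Iterable

# Fields the page says a VirtualServer/TransportServer may set itself and that
# then take precedence over the Policy: waf, persistenceProfile, snat, allowVlans.
VS_OVERRIDABLE = ("waf", "persistenceProfile", "snat", "allowVlans")

# Constructed inputs mirroring the page's YAML.  The VirtualServer additionally
# sets a waf and persistenceProfile of its own (assumed values) to show the override.
POLICY = {
    "apiVersion": "cis.f5.com/v1",
    "kind": "Policy",
    "metadata": {"name": "sample-policy", "namespace": "default",
                 "labels": {"f5cr": "true"}},
    "spec": {
        "snat": "auto",
        "l7Policies": {"waf": "/Common/WAF_Policy"},
        "l3Policies": {"firewallPolicy": "/Common/AFM_Policy",
                       "dos": "/Common/dos",
                       "botDefense": "/Common/bot-defense",
                       "allowSourceRange": ["1.1.1.0/24", "2.2.2.0/24"]},
        "profiles": {"persistenceProfile": "none",
                     "profileL4": "/Common/security-fastL4"},
    },
}
VIRTUAL_SERVER = {
    "apiVersion": "cis.f5.com/v1",
    "kind": "VirtualServer",
    "metadata": {"name": "my-virtual-server", "namespace": "default",
                 "labels": {"f5cr": "true"}},
    "spec": {"host": "cafe.example.com",
             "virtualServerAddress": "172.16.3.4",
             "policyName": "sample-policy",
             "waf": "/Common/VS_WAF_Policy",          # assumed value
             "persistenceProfile": "/Common/cookie",  # assumed value
             "pools": [{"path": "/coffee", "service": "svc-1", "servicePort": 80}]},
}


def is_watched(cr: Dict[str, Any]) -> bool:
    """True only if the CR carries the label CIS watches, f5cr: "true".
    Kubernetes label values are strings, so an unquoted YAML `true` (a boolean)
    is rejected by the API server before CIS ever sees it; that is why the page
    quotes the value."""
    return cr.get("metadata", {}).get("labels", {}).get("f5cr") == "true"


def flatten_policy(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten spec.snat, spec.l7Policies.*, spec.l3Policies.* and spec.profiles.*
    into one mapping keyed by the parameter names used in the page's table."""
    spec = policy.get("spec", {})
    flat: Dict[str, Any] = {}
    if "snat" in spec:
        flat["snat"] = spec["snat"]
    for group in ("l7Policies", "l3Policies", "profiles"):
        flat.update(spec.get(group, {}))
    return flat


def effective_settings(vs: Dict[str, Any],
                       policies: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Return the settings CIS would push for `vs`: the referenced Policy's values,
    overridden by any VS_OVERRIDABLE field set on the VirtualServer itself.
    Policies are matched by name in the VirtualServer's namespace (assumption)."""
    if not is_watched(vs):
        raise ValueError('VirtualServer lacks label f5cr="true"; CIS would ignore it')
    spec = vs["spec"]
    ns = vs["metadata"].get("namespace", "default")
    settings: Dict[str, Any] = {}
    name = spec.get("policyName")
    if name:
        match = [p for p in policies if is_watched(p)
                 and p["metadata"]["name"] == name
                 and p["metadata"].get("namespace", "default") == ns]
        if not match:
            raise LookupError(f'Policy {ns}/{name} not found or not labelled f5cr="true"')
        settings.update(flatten_policy(match[0]))
    for field in VS_OVERRIDABLE:
        if field in spec:
            settings[field] = spec[field]
    return settings


if __name__ == "__main__":
    for key, value in sorted(effective_settings(VIRTUAL_SERVER, [POLICY]).items()):
        print(f"{key:20} {value}")
```

Running it shows waf and persistenceProfile coming from the VirtualServer while snat, firewallPolicy, dos, botDefense, allowSourceRange and profileL4 come from the Policy, which is the precedence the page describes.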
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| tcp | | | | BIG-IP TCP client and server profiles in the Policy CR. |
| snat | String | Optional | auto | Reference to a SNAT pool on BIG-IP. The other allowed values are auto (default) and none. A VirtualServer or TransportServer CR takes precedence over the Policy CR. |
| autoLastHop | String | Optional | N/A | Configures the auto last hop setting of the BIG-IP virtual server. |
| botDefense | | | | Pathname of an existing BIG-IP bot defense policy. |
| dos | String | Optional | N/A | Pathname of an existing BIG-IP DoS policy. |
| firewallPolicy | String | Optional | N/A | Pathname of an existing BIG-IP firewall (AFM) policy. |
| allowSourceRange | String | Optional | N/A | Comma-separated list of CIDR-formatted IP addresses from which inbound traffic to the services of the VirtualServer CR is allowed, for example: 1.2.3.4/32,2.2.2.0/24 |
| allowVlans | List of Vlans | Optional | N/A | List of VLAN objects from which traffic toward the virtual on BIG-IP is allowed. A value configured in the VirtualServer or TransportServer CR takes precedence over the Policy CR. |
| ipIntelligencePolicy | String | Optional | N/A | Pathname of an existing BIG-IP IP Intelligence policy. |
| persistenceProfile | | | | CIS uses the AS3 default persistence profile. A VirtualServer or TransportServer CR takes precedence over the Policy CR. Allowed values are existing BIG-IP persistence profiles. |
| profileMultiplex | String | Optional | N/A | CIS uses the AS3 default profileMultiplex profile. Allowed values are existing BIG-IP multiplex (OneConnect) profiles. |
| profileL4 | String | Optional | basic | The default, basic, is applied only when profileL4 is set in neither the TransportServer nor the Policy CR. The TransportServer CR takes precedence over the Policy CR. Allowed values are existing BIG-IP profileL4 profiles. |
| httpMrfRoutingEnabled | String | Optional | N/A | Enables the HTTP MRF (Message Routing Framework) router on the BIG-IP virtual server. |
| sslProfiles | String | Optional | N/A | Reference to existing SSL profiles on BIG-IP. Policy sslProfiles have the highest precedence and override route-level profiles. |
| analyticsProfiles | String | Optional | N/A | Configures analytics profiles on the BIG-IP virtual server. |
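The allowSourceRange row above documents the field as a comma-separated string of CIDRs, while the Policy example earlier on the page writes it as a YAML list. The following added example (not CIS code) normalises both shapes with the standard library's ipaddress module, rejects malformed entries before they reach BIG-IP, and evaluates whether a client address would be allowed. Rejecting a prefix whose host bits are set, and treating an absent field as "no restriction", are assumptions made for the example rather than documented CIS behaviour.

```python
"""Normalise and check an allowSourceRange value.  Added illustration, not CIS code.
Accepts the comma-separated string form from the table and the YAML-list form from
the Policy example; strict prefix checking and "empty means unrestricted" are
assumptions, since the page does not describe BIG-IP's handling of such input."""
import ipaddress
from typing import List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def normalize_source_ranges(value: Union[None, str, Sequence[str]]) -> List[Network]:
    """Turn "1.2.3.4/32,2.2.2.0/24" or ["1.2.3.4/32", "2.2.2.0/24"] into network
    objects.  strict=True makes ipaddress reject a prefix with host bits set
    (e.g. 10.0.0.5/24), which is almost always a typo that would otherwise widen
    the allow-list to the whole /24 (assumption: we lint this rather than pass it on)."""
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else list(value)
    nets: List[Network] = []
    for raw in items:
        text = raw.strip()
        if not text:
            continue  # tolerate a trailing comma or blank list entry
        try:
            nets.append(ipaddress.ip_network(text, strict=True))
        except ValueError as exc:
            raise ValueError(f"allowSourceRange entry {text!r} is not a valid CIDR: {exc}") from exc
    return nets


def source_allowed(client_ip: str, ranges: Sequence[Network]) -> bool:
    """Would a client at client_ip reach the virtual?  An empty list means the
    field was not set, i.e. no source restriction (assumption).  An IPv6 client
    is never contained in an IPv4 network and vice versa, so mixed families are safe."""
    if not ranges:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ranges)


if __name__ == "__main__":
    # Constructed input: the table's example value in its comma-separated form.
    ranges = normalize_source_ranges("1.2.3.4/32,2.2.2.0/24")
    for ip in ("1.2.3.4", "1.2.3.5", "2.2.2.200", "2001:db8::1"):
        print(ip, "allowed" if source_allowed(ip, ranges) else "blocked")
```

Because the table types the field as a string but the example uses a list, a validator that accepts only one form will reject half of the Policies it sees; normalising first and then validating each entry avoids that while still catching the typos that matter.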