Policy¶
Policy CRD is used to apply existing BIG-IP profiles and policy with Virtual Server and Transport server. The Policy CRD resource defines the profile configuration for a virtual server in BIG-IP. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource if the respective feature is supported. Examples of features supported in all resource CRD (i.e. VirtualServer, TransportServer, and Policy) are waf and persistenceProfile.
sample-policy-crd.yaml¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | apiVersion: cis.f5.com/v1 kind: Policy metadata: labels: f5cr: "true" name: sample-policy namespace: default spec: snat: auto l7Policies: waf: /Common/WAF_Policy l3Policies: firewallPolicy: /Common/AFM_Policy dos: /Common/dos botDefense: /Common/bot-defense allowSourceRange: - 1.1.1.0/24 - 2.2.2.0/24 profiles: tcp: client: /Common/f5-tcp-lan server: /Common/f5-tcp-wan udp: /Common/udp http: /Common/http http2: /Common/http2 persistenceProfile: none profileL4: /Common/security-fastL4 profileMultiplex: /Common/oneconnect logProfiles: - /Common/Log all requests - /Common/local-dos htmlProfile: /Common/html iRules: secure: /Common/irule1 insecure: /Common/irule1 priority: high |
Note
CIS will only process custom resources with f5cr label set as true. See lines 4-5 above.
Using Policy with a Virtual Server, Transport Server, and ServiceTypeLB¶
You can attach the policy with VS and TS with policyName field in spec and for ServiceTypeLB with cis.f5.com/policyName as an annotation in metadata.
VirtualServer with Policy¶
sample-vs.yaml¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: my-virtual-server labels: f5cr: "true" spec: # This is an insecure virtual, Please use TLSProfile to secure the virtual # check out tls examples to understand more. host: cafe.example.com virtualServerAddress: "172.16.3.4" policyName: sample-policy pools: - path: /coffee service: svc-1 servicePort: 80 |
Transport Server with Policy¶
sample-ts.yaml¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | apiVersion: "cis.f5.com/v1" kind: TransportServer metadata: labels: f5cr: "true" name: my-transport-server namespace: default spec: virtualServerAddress: "172.16.3.9" virtualServerPort: 8544 virtualServerName: my-ts policyName: sample-policy mode: standard pool: service: svc-1 servicePort: 8181 monitor: type: tcp interval: 10 timeout: 10 |
ServiceTypeLB with Policy¶
sample-serviceTypeLB.yaml¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | apiVersion: v1 kind: Service metadata: annotations: cis.f5.com/ipamLabel: test cis.f5.com/health: '{"interval": 10, "timeout": 31}' cis.f5.com/policyName: policy1 labels: app: svc-lb1 name: svc-lb1 namespace: default spec: ports: - name: svc-lb1-80 port: 80 protocol: TCP targetPort: 80 - name: svc-lb1-8080 port: 8080 protocol: TCP targetPort: 8080 selector: app: svc-lb1 type: LoadBalancer |
Using Policy CR with NextGen Routes¶
You can define the Policy CRD in extended ConfigMap for NextGen Routes:
ConfigMap¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | apiVersion: v1 kind: ConfigMap metadata: name: default-extended-spec namespace: kube-system data: extendedSpec: | extendedRouteSpec: - namespace: foo vserverAddr: 10.8.3.11 vserverName: nextgenroutes allowOverride: true policyCR: default/sample-policy - namespace: bar vserverAddr: 10.8.3.12 allowOverride: true policyCR: default/sample-policy |
Components¶
Policy Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| l7Policies | Object | Optional | N/A | BIG-IP l7Policies in Policy CR. |
| l3Policies | Object | Optional | N/A | BIG-IP l3Policies in Policy CR. |
| ltmPolicies | Object | Optional | N/A | BIG-IP LTM Policies in Policy CR. |
| iRules | Object | Optional | N/A | BIG-IP iRules in Policy CR. |
| iRuleList | List | Optional | N/A | BIG-IP iRules in Policy CR. |
| profiles | Object | Optional | N/A | Various BIG-IP Profiles in Policy CR. |
| tcp | Object | Optional | N/A | BIG-IP TCP client and server profiles in Policy CR. |
| snat | String | Optional | auto | Reference to SNAT pool on BIG-IP. The other allowed values are: auto (default) and none. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource. |
| autoLastHop | String | Optional | N/A | Reference to SNAT pool on BIG-IP. The other allowed values are: auto (default) and none. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource. |
| poolSettings | Object | Optional | N/A | Default pool settings to set on virtuals via Policy CR. |
| defaultPool | Object | Optional | N/A | Default pool to set on virtuals via Policy CR. VirtualServer CRD resource takes precedence over Policy CRD resource |
L7 Policy Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| waf | String | Optional | N/A | Pathname of existing BIG-IP WAF policy. |
| profileAdapt | Object | Optional | N/A | BIG-IP Adapt profile for Virtual Server. |
L3 Policy Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| botDefense | String | Optional | N/A | Pathname of the existing BIG-IP botDefense policy. |
| dos | String | Optional | N/A | Pathname of existing BIG-IP DOS policy. |
| firewallPolicy | String | Optional | N/A | Pathname of existing BIG-IP firewall(AFM) policy. |
| allowSourceRange | String | Optional | N/A | Comma-separated list of CIDR addresses to allow inbound to services corresponding to VirtualServer CRD. Allowed values are comma-separated, CIDR formatted, IP addresses. For example: 1.2.3.4/32,2.2.2.0/24 |
| allowVlans | List of Vlans | Optional | N/A | List of Vlan objects to allow traffic from towards virtual in BIGIP. Object configured in VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource. |
| ipIntelligencePolicy | String | Optional | N/A | Pathname of existing BIG-IP ipIntelligence Policy. |
LTM Policy Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| insecure | String | Optional | N/A | |
| secure | String | Optional | N/A | |
| priority | String | Optional | N/A | Defines the level of priority. Allowed values are low and high. |
iRules Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| insecure | String | Optional | N/A | Pathname of existing BIG-IP iRule. |
| secure | String | Optional | N/A | Pathname of existing BIG-IP iRule. |
| priority | String | Optional | N/A | Defines the level of priority. Allowed values are low and high. |
Profile Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| tcp | Object | Optional | N/A | TCP Client & Server Profiles |
| udp | String | Optional | N/A | Pathname of existing BIG-IP UDP profile. |
| http | String | Optional | N/A | Pathname of existing BIG-IP HTTP profile. |
| https | String | Optional | N/A | Pathname of existing BIG-IP SSL profile. |
| http2 | String | Optional | N/A | Pathname of existing BIG-IP HTTP2 profile. |
| logProfiles | List of string | Optional | N/A | Pathname of existing BIG-IP log profile. |
| persistenceProfile | String | Optional | VirtualServer uses cookie
TransportServer uses source-address |
CIS uses the AS3 default persistence profile. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource. Allowed values are existing BIG-IP Persistence profiles. |
| profileMultiplex | String | Optional | N/A | CIS uses the AS3 default profileMultiplex profile. Allowed values are existing BIG-IP profileMultiplex profiles. |
| profileL4 | String | Optional | basic | The default value is basic but it is not configurable if the profileL4 spec is not included in TS or Policy CR. Transport CRD resource takes precedence over Policy CRD resource. Allowed values are existing BIG-IP profileL4 profiles. |
| httpMrfRoutingEnabled | String | Optional | N/A | Reference to Http mrf router on BIGIP. |
| sslProfiles | String | Optional | N/A | Reference to existing ssl profiles on BIGIP. Policy sslProfiles will have the highest precedence and will override route level profiles |
| analyticsProfiles | String | Optional | N/A | Configures different analytics profiles on BIGIP virtual server. |
| htmlProfile | String | Optional | N/A | Pathname of existing BIG-IP HTML profile. VirtualServer CRD resource takes precedence over Policy CRD. Allowed values are existing BIG-IP HTML profiles. |
| ftpProfile | String | Optional | N/A | Reference to existing BIG-IP FTP profile and is supported only for Transport Server |
| httpCompressionProfile | String | Optional | N/A | Reference to existing BIG-IP HTTP Compression Profile profile and is supported only for Virtual Server |
Note
- sslProfiles is only applicable to NextGen routes
TCP Profile Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| client | String | Required | N/A Custom_TCP | CIS uses the AS3 default TCP client profile. Allowed values are existing BIG-IP TCP Client profiles. |
| server | String | Optional | N/A | Allowed values are existing BIG-IP TCP Server profiles. Note: Server TCP Profile can only be used along with Client profile. |
HTTP2 Profile Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| client | String | Required | N/A | Reference to existing ingress HTTP2 profile on BIG-IP |
| server | String | Optional | N/A | Reference to existing egress HTTP2 profile on BIG-IP |
SSL Profile Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| clientProfiles | Array | Required | N/A | Reference to list of existing client SSL profiles on BIGIP |
| serverProfiles | Array | Optional | N/A | Reference to list of existing server SSL profiles on BIGIP |
Note
- SSL profile components are only applicable to NextGen routes
Pool Settings Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| reselectTries | Integer | Optional | 0 | reselectTries specifies the maximum number of attempts to find a responsive member for a connection |
| serviceDownAction | String | Optional | None | serviceDownAction specifies connection handling when member is non-responsive |
| slowRampTime | Integer | Optional | 10 | BIG-IP AS3 sets the connection rate to a newly-active member slowly during this interval (seconds) |
Default Pool Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| service | String | Required | N/A | Service deployed in kubernetes cluster |
| serviceNamespace | String | Optional | N/A | Namespace of service, define it if service is present in a namespace other than the one where Virtual Server Custom Resource is present |
| servicePort | Integer or String | Required | N/A | Port to access Service.Could be service port, service port name or targetPort of the service |
| loadBalancingMethod | String | Optional | round-robin | Allowed values are existing BIG-IP Load Balancing methods for pools. |
| nodeMemberLabel | String | Optional | N/A | List of Nodes to consider in NodePort Mode as BIG-IP pool members. This Option is only applicable for NodePort Mode |
| monitors | monitor | Optional | N/A | Specifies multiple monitors for VS Pool |
| serviceDownAction | String | Optional | none | Specifies connection handling when member is non-responsive |
| reselectTries | Integer | Optional | 0 | Maximum number of attempts to find a responsive member for a connection |
| reference | String | Required | N/A | Allowed values are bigip or service |
| name | String | Optional | N/A | pool name or reference to the pool name existing on bigip |
Adapt Profile Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| request | String | Optional | N/A | Reference to existing request adapt profile on BIG-IP |
| response | String | Optional | N/A | Reference to existing response adapt profile on BIG-IP |
Note
The profileAdapt in Virtual Server CR takes precedence over profileAdapt in Policy CR.
Examples Repository¶
Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.