Policy

Policy CRD is used to apply existing BIG-IP profiles and policy with Virtual Server and Transport server. The Policy CRD resource defines the profile configuration for a virtual server in BIG-IP. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource if the respective feature is supported. Examples of features supported in all resource CRD (i.e. VirtualServer, TransportServer, and Policy) are waf and persistenceProfile.

sample-policy-crd.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  labels:
    f5cr: "true"
  name: sample-policy
  namespace: default
spec:
  snat: auto
  l7Policies:
    waf: /Common/WAF_Policy
  l3Policies:
    firewallPolicy: /Common/AFM_Policy
    dos: /Common/dos
    botDefense: /Common/bot-defense
    allowSourceRange:
      - 1.1.1.0/24
      - 2.2.2.0/24
  profiles:
    tcp:
      client: /Common/f5-tcp-lan
      server: /Common/f5-tcp-wan
    udp: /Common/udp
    http: /Common/http
    http2: /Common/http2
    persistenceProfile: none
    profileL4: /Common/security-fastL4
    profileMultiplex: /Common/oneconnect
    logProfiles:
      - /Common/Log all requests
      - /Common/local-dos
    htmlProfile: /Common/html
  iRules:
    secure: /Common/irule1
    insecure: /Common/irule1
    priority: high

Note

CIS will only process custom resources with f5cr label set as true. See lines 4-5 above.


Using Policy with a Virtual Server, Transport Server, and ServiceTypeLB

You can attach the policy with VS and TS with policyName field in spec and for ServiceTypeLB with cis.f5.com/policyName as an annotation in metadata.

VirtualServer with Policy

sample-vs.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: my-virtual-server
  labels:
    f5cr: "true"
spec:
  # This is an insecure virtual, Please use TLSProfile to secure the virtual
  # check out tls examples to understand more.
  host: cafe.example.com
  virtualServerAddress: "172.16.3.4"
  policyName: sample-policy
  pools:
  - path: /coffee
    service: svc-1
    servicePort: 80

Transport Server with Policy

sample-ts.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
apiVersion: "cis.f5.com/v1"
kind: TransportServer
metadata:
  labels:
    f5cr: "true"
  name: my-transport-server
  namespace: default
spec:
  virtualServerAddress: "172.16.3.9"
  virtualServerPort: 8544
  virtualServerName: my-ts
  policyName: sample-policy
  mode: standard
  pool:
    service: svc-1
    servicePort: 8181
    monitor:
      type: tcp
      interval: 10
      timeout: 10

ServiceTypeLB with Policy

sample-serviceTypeLB.yaml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
apiVersion: v1
kind: Service
metadata:
  annotations:
    cis.f5.com/ipamLabel: test
    cis.f5.com/health: '{"interval": 10, "timeout": 31}'
    cis.f5.com/policyName: policy1
  labels:
    app: svc-lb1
  name: svc-lb1
  namespace: default
spec:
  ports:
    - name: svc-lb1-80
      port: 80
      protocol: TCP
      targetPort: 80
    - name: svc-lb1-8080
      port: 8080
      protocol: TCP
      targetPort: 8080
  selector:
    app: svc-lb1
  type: LoadBalancer

Using Policy CR with NextGen Routes

You can define the Policy CRD in extended ConfigMap for NextGen Routes:

ConfigMap
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
apiVersion: v1
kind: ConfigMap
metadata:
  name: default-extended-spec
  namespace: kube-system
data:
  extendedSpec: |
    extendedRouteSpec:
    - namespace: foo
      vserverAddr: 10.8.3.11
      vserverName: nextgenroutes
      allowOverride: true
      policyCR: default/sample-policy
    - namespace: bar
      vserverAddr: 10.8.3.12
      allowOverride: true
      policyCR: default/sample-policy

Components

Policy Components

Parameter Type Required Default Description
l7Policies Object Optional N/A BIG-IP l7Policies in Policy CR.
l3Policies Object Optional N/A BIG-IP l3Policies in Policy CR.
ltmPolicies Object Optional N/A BIG-IP LTM Policies in Policy CR.
iRules Object Optional N/A BIG-IP iRules in Policy CR.
iRuleList List Optional N/A BIG-IP iRules in Policy CR.
profiles Object Optional N/A Various BIG-IP Profiles in Policy CR.
tcp Object Optional N/A BIG-IP TCP client and server profiles in Policy CR.
snat String Optional auto Reference to SNAT pool on BIG-IP. The other allowed values are: auto (default) and none. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource.
autoLastHop String Optional N/A Reference to SNAT pool on BIG-IP. The other allowed values are: auto (default) and none. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource.
poolSettings Object Optional N/A Default pool settings to set on virtuals via Policy CR.
defaultPool Object Optional N/A Default pool to set on virtuals via Policy CR. VirtualServer CRD resource takes precedence over Policy CRD resource

L7 Policy Components

Parameter Type Required Default Description
waf String Optional N/A Pathname of existing BIG-IP WAF policy.
profileAdapt Object Optional N/A BIG-IP Adapt profile for Virtual Server.

L3 Policy Components

Parameter Type Required Default Description
botDefense String Optional N/A Pathname of the existing BIG-IP botDefense policy.
dos String Optional N/A Pathname of existing BIG-IP DOS policy.
firewallPolicy String Optional N/A Pathname of existing BIG-IP firewall(AFM) policy.
allowSourceRange String Optional N/A Comma-separated list of CIDR addresses to allow inbound to services corresponding to VirtualServer CRD. Allowed values are comma-separated, CIDR formatted, IP addresses. For example: 1.2.3.4/32,2.2.2.0/24
allowVlans List of Vlans Optional N/A List of Vlan objects to allow traffic from towards virtual in BIGIP. Object configured in VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource.
ipIntelligencePolicy String Optional N/A Pathname of existing BIG-IP ipIntelligence Policy.

LTM Policy Components

Parameter Type Required Default Description
insecure String Optional N/A  
secure String Optional N/A  
priority String Optional N/A Defines the level of priority. Allowed values are low and high.

iRules Components

Parameter Type Required Default Description
insecure String Optional N/A Pathname of existing BIG-IP iRule.
secure String Optional N/A Pathname of existing BIG-IP iRule.
priority String Optional N/A Defines the level of priority. Allowed values are low and high.

Profile Components

Parameter Type Required Default Description
tcp Object Optional N/A TCP Client & Server Profiles
udp String Optional N/A Pathname of existing BIG-IP UDP profile.
http String Optional N/A Pathname of existing BIG-IP HTTP profile.
https String Optional N/A Pathname of existing BIG-IP SSL profile.
http2 String Optional N/A Pathname of existing BIG-IP HTTP2 profile.
logProfiles List of string Optional N/A Pathname of existing BIG-IP log profile.
persistenceProfile String Optional VirtualServer uses cookie TransportServer uses source-address CIS uses the AS3 default persistence profile. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource. Allowed values are existing BIG-IP Persistence profiles.
profileMultiplex String Optional N/A CIS uses the AS3 default profileMultiplex profile. Allowed values are existing BIG-IP profileMultiplex profiles.
profileL4 String Optional basic The default value is basic but it is not configurable if the profileL4 spec is not included in TS or Policy CR. Transport CRD resource takes precedence over Policy CRD resource. Allowed values are existing BIG-IP profileL4 profiles.
httpMrfRoutingEnabled String Optional N/A Reference to Http mrf router on BIGIP.
sslProfiles String Optional N/A Reference to existing ssl profiles on BIGIP. Policy sslProfiles will have the highest precedence and will override route level profiles
analyticsProfiles String Optional N/A Configures different analytics profiles on BIGIP virtual server.
htmlProfile String Optional N/A Pathname of existing BIG-IP HTML profile. VirtualServer CRD resource takes precedence over Policy CRD. Allowed values are existing BIG-IP HTML profiles.
ftpProfile String Optional N/A Reference to existing BIG-IP FTP profile and is supported only for Transport Server

Note

  • sslProfiles is only applicable to NextGen routes

TCP Profile Components

Parameter Type Required Default Description
client String Required N/A Custom_TCP CIS uses the AS3 default TCP client profile. Allowed values are existing BIG-IP TCP Client profiles.
server String Optional N/A Allowed values are existing BIG-IP TCP Server profiles. Note: Server TCP Profile can only be used along with Client profile.

HTTP2 Profile Components

Parameter Type Required Default Description
client String Required N/A Reference to existing ingress HTTP2 profile on BIG-IP
server String Optional N/A Reference to existing egress HTTP2 profile on BIG-IP

SSL Profile Components

Parameter Type Required Default Description
clientProfiles Array Required N/A Reference to list of existing client SSL profiles on BIGIP
serverProfiles Array Optional N/A Reference to list of existing server SSL profiles on BIGIP

Note

  • SSL profile components are only applicable to NextGen routes

Pool Settings Components

Parameter Type Required Default Description
reselectTries Integer Optional 0 reselectTries specifies the maximum number of attempts to find a responsive member for a connection
serviceDownAction String Optional None serviceDownAction specifies connection handling when member is non-responsive
slowRampTime Integer Optional 10 BIG-IP AS3 sets the connection rate to a newly-active member slowly during this interval (seconds)

Default Pool Components

Parameter Type Required Default Description
service String Required N/A Service deployed in kubernetes cluster
serviceNamespace String Optional N/A Namespace of service, define it if service is present in a namespace other than the one where Virtual Server Custom Resource is present
servicePort Integer or String Required N/A Port to access Service.Could be service port, service port name or targetPort of the service
loadBalancingMethod String Optional round-robin Allowed values are existing BIG-IP Load Balancing methods for pools.
nodeMemberLabel String Optional N/A List of Nodes to consider in NodePort Mode as BIG-IP pool members. This Option is only applicable for NodePort Mode
monitors monitor Optional N/A Specifies multiple monitors for VS Pool
serviceDownAction String Optional none Specifies connection handling when member is non-responsive
reselectTries Integer Optional 0 Maximum number of attempts to find a responsive member for a connection
reference String Required N/A Allowed values are bigip or service
name String Optional N/A pool name or reference to the pool name existing on bigip

Adapt Profile Components

Parameter Type Required Default Description
request String Optional N/A Reference to existing request adapt profile on BIG-IP
response String Optional N/A Reference to existing response adapt profile on BIG-IP

Note

The profileAdapt in Virtual Server CR takes precedence over profileAdapt in Policy CR.

Examples Repository

View more examples on GitHub.


Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.