Policy

A Policy applies existing BIG-IP profiles and policies to a Virtual Server or Transport Server. The Policy CRD resource defines the profile configuration for a virtual server in BIG-IP.

sample-policy-crd.yaml
apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  labels:
    f5cr: "true"
  name: sample-policy
  namespace: default
spec:
  l7Policies:
    waf: /Common/WAF_Policy
  l3Policies:
    firewallPolicy: /Common/AFM_Policy
  profiles:
    tcp: /Common/f5-tcp-wan
    udp: /Common/udp
    http: /Common/http
    http2: /Common/http2
    logProfiles:
      - /Common/Log all requests
      - /Common/local-dos
  iRules:
    secure: /Common/rule1
    insecure: /Common/rule1
    priority: high

Note

CIS only processes custom resources whose f5cr label is set to "true". See lines 4-5 of sample-policy-crd.yaml above (the labels entry under metadata).


Using Policy with a Virtual Server and Transport Server

Attach a Policy to a VirtualServer (VS) or TransportServer (TS) by setting the policyName field in its spec.

VS with Policy

sample-vs.yaml
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: my-virtual-server
  labels:
    f5cr: "true"
spec:
  # This is an insecure virtual server; use a TLSProfile to secure it.
  # Check out the TLS examples to understand more.
  host: cafe.example.com
  virtualServerAddress: "172.16.3.4"
  policyName: sample-policy
  pools:
  - path: /coffee
    service: svc-1
    servicePort: 80

TS with Policy

sample-ts.yaml
apiVersion: "cis.f5.com/v1"
kind: TransportServer
metadata:
  labels:
    f5cr: "true"
  name: my-transport-server
  namespace: default
spec:
  virtualServerAddress: "172.16.3.9"
  virtualServerPort: 8544
  virtualServerName: my-ts
  policyName: sample-policy
  mode: standard
  pool:
    service: svc-1
    servicePort: 8181
    monitor:
      type: tcp
      interval: 10
      timeout: 10

Components

Policy Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| l7Policies | Object | Optional | N/A | BIG-IP l7Policies in Policy CR. |
| l3Policies | Object | Optional | N/A | BIG-IP l3Policies in Policy CR. |
| ltmPolicies | Object | Optional | N/A | BIG-IP LTM Policies in Policy CR. |
| iRules | Object | Optional | N/A | BIG-IP iRules in Policy CR. |
| profiles | Object | Optional | N/A | Various BIG-IP Profiles in Policy CR. |

L7 Policy Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| waf | String | Optional | N/A | Pathname of existing BIG-IP WAF policy. |

L3 Policy Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| dos | String | Optional | N/A | Pathname of existing BIG-IP DOS policy. |
| firewallPolicy | String | Optional | N/A | Pathname of existing BIG-IP firewall (AFM) policy. |

LTM Policy Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| insecure | String | Optional | N/A | |
| secure | String | Optional | N/A | |
| priority | String | Optional | N/A | Defines the level of priority. Allowed values are low and high. |

iRules Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| insecure | String | Optional | N/A | Pathname of existing BIG-IP iRule. |
| secure | String | Optional | N/A | Pathname of existing BIG-IP iRule. |
| priority | String | Optional | N/A | Defines the level of priority. Allowed values are low and high. |

Profiles Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| tcp | String | Optional | N/A | Pathname of existing BIG-IP TCP profile. |
| udp | String | Optional | N/A | Pathname of existing BIG-IP UDP profile. |
| http | String | Optional | N/A | Pathname of existing BIG-IP HTTP profile. |
| https | String | Optional | N/A | Pathname of existing BIG-IP SSL profile. |
| http2 | String | Optional | N/A | Pathname of existing BIG-IP HTTP2 profile. |
| rewriteProfile | String | Optional | N/A | Pathname of existing BIG-IP rewrite profile. |
| logProfiles | List of string | Optional | N/A | Pathname of existing BIG-IP log profile. |
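
Because CIS skips resources without the f5cr label, it is worth checking before applying that every policyName resolves to a labelled Policy and that each Policy uses only the keys documented in the Components tables above. The lint check below is an added example, not part of the F5 documentation or CIS code; the function names, the same-namespace lookup and the `default` namespace fallback are assumptions.

```python
# Added example (not F5 code). Key names come from the Components tables on this
# page; same-namespace lookup and the "default" namespace fallback are assumptions.
ALLOWED = {
    "l7Policies": {"waf"}, "l3Policies": {"dos", "firewallPolicy"},
    "ltmPolicies": {"insecure", "secure", "priority"},
    "iRules": {"insecure", "secure", "priority"},
    "profiles": {"tcp", "udp", "http", "https", "http2",
                 "rewriteProfile", "logProfiles"},
}

def ident(m):
    meta = m.get("metadata", {})
    return m.get("kind"), meta.get("namespace", "default"), meta.get("name")

def labelled(m):
    # Must be the string "true": an unquoted YAML `true` loads as a bool.
    return m.get("metadata", {}).get("labels", {}).get("f5cr") == "true"

def lint(manifests):
    """Return findings for CIS manifests already parsed into dicts."""
    out = []
    usable = {ident(m)[1:] for m in manifests if m.get("kind") == "Policy" and labelled(m)}
    for m in manifests:
        kind, ns, name = ident(m)
        if kind not in ("Policy", "VirtualServer", "TransportServer"):
            continue
        spec = m.get("spec", {})
        if not labelled(m):
            out.append(f'{kind} {ns}/{name}: f5cr is not "true", CIS ignores it')
        if kind == "Policy":
            for section, body in spec.items():
                if section not in ALLOWED:
                    out.append(f"Policy {ns}/{name}: unknown section {section}")
                    continue
                for key in sorted(set(body) - ALLOWED[section]):
                    out.append(f"Policy {ns}/{name}: unknown key {section}.{key}")
                if body.get("priority", "low") not in ("low", "high"):
                    out.append(f"Policy {ns}/{name}: bad {section}.priority")
        elif spec.get("policyName") and (ns, spec["policyName"]) not in usable:
            out.append(f"{kind} {ns}/{name}: policyName "
                       f"{spec['policyName']} has no labelled Policy in {ns}")
    return out

# Constructed input: Policy without the label and with a misspelt section.
SAMPLE = [
    {"kind": "Policy", "metadata": {"name": "sample-policy"},
     "spec": {"iRule": {"secure": "/Common/rule1", "priority": "high"}}},
    {"kind": "VirtualServer", "metadata": {"name": "vs", "labels": {"f5cr": "true"}},
     "spec": {"host": "cafe.example.com", "policyName": "sample-policy"}},
]
```

`lint(SAMPLE)` returns three findings: the unlabelled Policy, its unknown `iRule` section, and the VirtualServer whose policyName no longer resolves to a usable Policy.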
