Last updated on: 2023-09-12 04:11:59.

Policy¶

Policy CRD is used to apply existing BIG-IP profiles and policy with Virtual Server and Transport server. The Policy CRD resource defines the profile configuration for a virtual server in BIG-IP. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource if the respective feature is supported. Examples of features supported in all resource CRD (i.e. VirtualServer, TransportServer, and Policy) are waf and persistenceProfile.

sample-policy-crd.yaml¶

apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  labels:
    f5cr: "true"
  name: sample-policy
  namespace: default
spec:
  snat: auto
  l7Policies:
    waf: /Common/WAF_Policy
  l3Policies:
    firewallPolicy: /Common/AFM_Policy
    dos: /Common/dos
    botDefense: /Common/bot-defense
    allowSourceRange:
      - 1.1.1.0/24
      - 2.2.2.0/24
  profiles:
    tcp:
      client: /Common/f5-tcp-lan
      server: /Common/f5-tcp-wan
    udp: /Common/udp
    http: /Common/http
    http2: /Common/http2
    persistenceProfile: none
    profileL4: /Common/security-fastL4
    profileMultiplex: /Common/oneconnect
    logProfiles:
      - /Common/Log all requests
      - /Common/local-dos
  iRules:
    secure: /Common/irule1
    insecure: /Common/irule1
    priority: high

Note

CIS will only process custom resources with f5cr label set as true. See lines 4-5 above.

Using Policy with a Virtual Server, Transport Server, and ServiceTypeLB¶

You can attach the policy with VS and TS with policyName field in spec and for ServiceTypeLB with cis.f5.com/policyName as an annotation in metadata.

VirtualServer with Policy¶

sample-vs.yaml¶

apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: my-virtual-server
  labels:
    f5cr: "true"
spec:
  # This is an insecure virtual, Please use TLSProfile to secure the virtual
  # check out tls examples to understand more.
  host: cafe.example.com
  virtualServerAddress: "172.16.3.4"
  policyName: sample-policy
  pools:
  - path: /coffee
    service: svc-1
    servicePort: 80

Transport Server with Policy¶

sample-ts.yaml¶

apiVersion: "cis.f5.com/v1"
kind: TransportServer
metadata:
  labels:
    f5cr: "true"
  name: my-transport-server
  namespace: default
spec:
  virtualServerAddress: "172.16.3.9"
  virtualServerPort: 8544
  virtualServerName: my-ts
  policyName: sample-policy
  mode: standard
  pool:
    service: svc-1
    servicePort: 8181
    monitor:
      type: tcp
      interval: 10
      timeout: 10

ServiceTypeLB with Policy¶

sample-serviceTypeLB.yaml¶

apiVersion: v1
kind: Service
metadata:
  annotations:
    cis.f5.com/ipamLabel: test
    cis.f5.com/health: '{"interval": 10, "timeout": 31}'
    cis.f5.com/policyName: policy1
  labels:
    app: svc-lb1
  name: svc-lb1
  namespace: default
spec:
  ports:
    - name: svc-lb1-80
      port: 80
      protocol: TCP
      targetPort: 80
    - name: svc-lb1-8080
      port: 8080
      protocol: TCP
      targetPort: 8080
  selector:
    app: svc-lb1
  type: LoadBalancer

Using Policy CR with NextGen Routes¶

Components¶

Policy Components¶

Parameter	Type	Required	Default	Description
l7Policies	Object	Optional	N/A	BIG-IP l7Policies in Policy CR.
l3Policies	Object	Optional	N/A	BIG-IP l3Policies in Policy CR.
ltmPolicies	Object	Optional	N/A	BIG-IP LTM Policies in Policy CR.
iRules	Object	Optional	N/A	BIG-IP iRules in Policy CR.
iRuleList	List	Optional	N/A	BIG-IP iRules in Policy CR.
profiles	Object	Optional	N/A	Various BIG-IP Profiles in Policy CR.
tcp	Object	Optional	N/A	BIG-IP TCP client and server profiles in Policy CR.
snat	String	Optional	auto	Reference to SNAT pool on BIG-IP. The other allowed values are: `auto` (default) and `none`. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource.
autoLastHop	String	Optional	N/A	Reference to SNAT pool on BIG-IP. The other allowed values are: `auto` (default) and `none`. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource.

L7 Policy Components¶

Parameter	Type	Required	Default	Description
waf	String	Optional	N/A	Pathname of existing BIG-IP WAF policy.

L3 Policy Components¶

Parameter	Type	Required	Default	Description
botDefense	String	Optional	N/A	Pathname of the existing BIG-IP botDefense policy.
dos	String	Optional	N/A	Pathname of existing BIG-IP DOS policy.
firewallPolicy	String	Optional	N/A	Pathname of existing BIG-IP firewall(AFM) policy.
allowSourceRange	String	Optional	N/A	Comma-separated list of CIDR addresses to allow inbound to services corresponding to VirtualServer CRD. Allowed values are comma-separated, CIDR formatted, IP addresses. For example: `1.2.3.4/32,2.2.2.0/24`
allowVlans	List of Vlans	Optional	N/A	List of Vlan objects to allow traffic from towards virtual in BIGIP. Object configured in VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource.
ipIntelligencePolicy	String	Optional	N/A	Pathname of existing BIG-IP ipIntelligence Policy.

LTM Policy Components¶

Parameter	Type	Required	Default	Description
insecure	String	Optional	N/A
secure	String	Optional	N/A
priority	String	Optional	N/A	Defines the level of priority. Allowed values are `low` and `high`.

iRules Components¶

Parameter	Type	Required	Default	Description
insecure	String	Optional	N/A	Pathname of existing BIG-IP iRule.
secure	String	Optional	N/A	Pathname of existing BIG-IP iRule.
priority	String	Optional	N/A	Defines the level of priority. Allowed values are `low` and `high`.

Profile Components¶

Parameter	Type	Required	Default	Description
tcp	Object	Optional	N/A	TCP Client & Server Profiles
udp	String	Optional	N/A	Pathname of existing BIG-IP UDP profile.
http	String	Optional	N/A	Pathname of existing BIG-IP HTTP profile.
https	String	Optional	N/A	Pathname of existing BIG-IP SSL profile.
http2	String	Optional	N/A	Pathname of existing BIG-IP HTTP2 profile.
logProfiles	List of string	Optional	N/A	Pathname of existing BIG-IP log profile.
persistenceProfile	String	Optional	VirtualServer uses `cookie` TransportServer uses `source-address`	CIS uses the AS3 default persistence profile. VirtualServer or TransportServer CRD resource takes precedence over Policy CRD resource. Allowed values are existing BIG-IP Persistence profiles.
profileMultiplex	String	Optional	N/A	CIS uses the AS3 default profileMultiplex profile. Allowed values are existing BIG-IP profileMultiplex profiles.
profileL4	String	Optional	basic	The default value is `basic` but it is not configurable if the profileL4 spec is not included in TS or Policy CR. Transport CRD resource takes precedence over Policy CRD resource. Allowed values are existing BIG-IP profileL4 profiles.
httpMrfRoutingEnabled	String	Optional	N/A	Reference to Http mrf router on BIGIP.
sslProfiles	String	Optional	N/A	Reference to existing ssl profiles on BIGIP. Policy sslProfiles will have the highest precedence and will override route level profiles
analyticsProfiles	String	Optional	N/A	Configures different analytics profiles on BIGIP virtual server.

Note

sslProfiles is only applicable to NextGen routes

TCP Profile Components¶

Parameter	Type	Required	Default	Description
client	String	Required	N/A Custom_TCP	CIS uses the AS3 default TCP client profile. Allowed values are existing BIG-IP TCP Client profiles.
server	String	Optional	N/A	Allowed values are existing BIG-IP TCP Server profiles. Note: Server TCP Profile can only be used along with Client profile.

HTTP2 Profile Components¶

Parameter	Type	Required	Default	Description
client	String	Required	N/A	Reference to existing ingress HTTP2 profile on BIG-IP
server	String	Optional	N/A	Reference to existing egress HTTP2 profile on BIG-IP

SSL Profile Components¶

Note

SSL profile components are only applicable to NextGen routes

Examples Repository¶

View more examples on GitHub.

Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.

Previous Next