Policy

The Policy CRD applies existing BIG-IP profiles and policies to VirtualServer and TransportServer resources. A Policy CRD resource defines the profile configuration for a virtual server on BIG-IP. If a feature is supported by both the VirtualServer or TransportServer CRD and the Policy CRD, the value set on the VirtualServer or TransportServer resource takes precedence over the value in the Policy resource. Examples of features supported by all three resource CRDs (VirtualServer, TransportServer, and Policy) are waf and persistenceProfile.

sample-policy-crd.yaml
apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  labels:
    f5cr: "true"
  name: sample-policy
  namespace: default
spec:
  snat: auto
  l7Policies:
    waf: /Common/WAF_Policy
  l3Policies:
    firewallPolicy: /Common/AFM_Policy
    dos: /Common/dos
    botDefense: /Common/bot-defense
    allowSourceRange:
      - 1.1.1.0/24
      - 2.2.2.0/24
  profiles:
    tcp:
      client: /Common/f5-tcp-lan
      server: /Common/f5-tcp-wan
    udp: /Common/udp
    http: /Common/http
    http2: /Common/http2
    persistenceProfile: none
    profileL4: /Common/security-fastL4
    profileMultiplex: /Common/oneconnect
    logProfiles:
      - /Common/Log all requests
      - /Common/local-dos
  iRules:
    secure: /Common/irule1
    insecure: /Common/irule1
    priority: high

Note

CIS only processes custom resources that carry the f5cr label set to "true". See lines 4-5 of sample-policy-crd.yaml above (the labels block under metadata).


Using Policy with a Virtual Server, Transport Server, and ServiceTypeLB

Attach a Policy to a VirtualServer or TransportServer with the policyName field in spec; for a ServiceTypeLB, attach it with the cis.f5.com/policyName annotation in metadata.
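The precedence rule above (a VirtualServer or TransportServer value wins over the Policy value for a feature both can set, such as waf or persistenceProfile) matters for auditing: a Policy that centrally pins a WAF policy does not by itself guarantee that every resource referencing it uses that WAF. The following is an added example, not code from the CIS project, that resolves the effective value for the shared features and lists which Policy values a resource shadows. It assumes, for illustration, that the attaching resource exposes the keys waf, persistenceProfile and snat at spec level; the Policy-side paths are taken from sample-policy-crd.yaml above, and the VirtualServer WAF path is a constructed value.

```python
# Added example, not part of the CIS project: resolve which value wins for a
# feature that both the Policy CR and the attaching VirtualServer/TransportServer
# can set. Assumes the attaching resource exposes keys named waf,
# persistenceProfile and snat at spec level (assumption for illustration).
from typing import Any, Dict, List, Optional, Tuple

# Feature name on the attaching resource -> where the same feature lives in a
# Policy spec (paths taken from sample-policy-crd.yaml).
SHARED_FEATURES: Dict[str, Tuple[str, ...]] = {
    "waf": ("l7Policies", "waf"),
    "persistenceProfile": ("profiles", "persistenceProfile"),
    "snat": ("snat",),
}


def _lookup(node: Any, path: Tuple[str, ...]) -> Optional[Any]:
    """Walk nested dicts along path; return None if any key is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def resolve_effective(resource_spec: Dict[str, Any],
                      policy_spec: Dict[str, Any]) -> Dict[str, Tuple[Optional[Any], Optional[str]]]:
    """Return {feature: (value, source)}; source is 'resource', 'policy' or None.

    The resource setting wins whenever it is present, which is the precedence
    rule stated for VirtualServer/TransportServer over Policy."""
    effective = {}
    for feature, policy_path in SHARED_FEATURES.items():
        resource_value = resource_spec.get(feature)
        policy_value = _lookup(policy_spec, policy_path)
        if resource_value is not None:
            effective[feature] = (resource_value, "resource")
        elif policy_value is not None:
            effective[feature] = (policy_value, "policy")
        else:
            effective[feature] = (None, None)
    return effective


def overridden_policy_features(resource_spec: Dict[str, Any],
                               policy_spec: Dict[str, Any]) -> List[str]:
    """Features where the resource overrides a value the Policy also sets.

    A non-empty result is what an auditor wants to see flagged, e.g. a
    VirtualServer quietly replacing the centrally managed WAF policy."""
    return [feature for feature, policy_path in SHARED_FEATURES.items()
            if resource_spec.get(feature) is not None
            and _lookup(policy_spec, policy_path) is not None]


# Constructed inputs: the relevant part of the Policy spec from
# sample-policy-crd.yaml, and a VirtualServer that pins its own WAF policy
# (constructed path) but leaves persistence and SNAT to the Policy.
SAMPLE_POLICY_SPEC = {
    "snat": "auto",
    "l7Policies": {"waf": "/Common/WAF_Policy"},
    "profiles": {"persistenceProfile": "none"},
}
SAMPLE_VS_SPEC = {
    "host": "cafe.example.com",
    "policyName": "sample-policy",
    "waf": "/Common/VS_Specific_WAF",  # constructed value for this example
}

if __name__ == "__main__":
    for feature, (value, source) in resolve_effective(SAMPLE_VS_SPEC, SAMPLE_POLICY_SPEC).items():
        print(f"{feature:20} -> {str(value):26} from {source}")
    print("Policy values shadowed by the VirtualServer:",
          overridden_policy_features(SAMPLE_VS_SPEC, SAMPLE_POLICY_SPEC))
```

Run against the constructed inputs, waf resolves to the VirtualServer's own path while persistenceProfile and snat come from the Policy, and overridden_policy_features reports ["waf"]; that list is the thing to alert on when a Policy is meant to be the single source of truth for WAF enforcement.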

VirtualServer with Policy

sample-vs.yaml
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: my-virtual-server
  labels:
    f5cr: "true"
spec:
  # This is an insecure (plain HTTP) virtual server. Use a TLSProfile to secure it;
  # see the TLS examples for details.
  host: cafe.example.com
  virtualServerAddress: "172.16.3.4"
  policyName: sample-policy
  pools:
  - path: /coffee
    service: svc-1
    servicePort: 80

Transport Server with Policy

sample-ts.yaml
apiVersion: "cis.f5.com/v1"
kind: TransportServer
metadata:
  labels:
    f5cr: "true"
  name: my-transport-server
  namespace: default
spec:
  virtualServerAddress: "172.16.3.9"
  virtualServerPort: 8544
  virtualServerName: my-ts
  policyName: sample-policy
  mode: standard
  pool:
    service: svc-1
    servicePort: 8181
    monitor:
      type: tcp
      interval: 10
      timeout: 10

ServiceTypeLB with Policy

sample-serviceTypeLB.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    cis.f5.com/ipamLabel: test
    cis.f5.com/health: '{"interval": 10, "timeout": 31}'
    cis.f5.com/policyName: policy1
  labels:
    app: svc-lb1
  name: svc-lb1
  namespace: default
spec:
  ports:
    - name: svc-lb1-80
      port: 80
      protocol: TCP
      targetPort: 80
    - name: svc-lb1-8080
      port: 8080
      protocol: TCP
      targetPort: 8080
  selector:
    app: svc-lb1
  type: LoadBalancer

Using Policy CR with NextGen Routes

For NextGen Routes, reference the Policy CR (as namespace/name in the policyCR field) from the Extended ConfigMap:

ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: default-extended-route-spec
  namespace: kube-system
data:
  extendedSpec: |
    extendedRouteSpec:
    - namespace: foo
      vserverAddr: 10.8.3.11
      vserverName: nextgenroutes
      allowOverride: true
      policyCR: default/sample-policy
    - namespace: bar
      vserverAddr: 10.8.3.12
      allowOverride: true
      policyCR: default/sample-policy

Components

Policy Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| l7Policies | Object | Optional | N/A | BIG-IP L7 policies in the Policy CR. |
| l3Policies | Object | Optional | N/A | BIG-IP L3 policies in the Policy CR. |
| ltmPolicies | Object | Optional | N/A | BIG-IP LTM policies in the Policy CR. |
| iRules | Object | Optional | N/A | BIG-IP iRules in the Policy CR. |
| profiles | Object | Optional | N/A | Various BIG-IP profiles in the Policy CR. |
| tcp | Object | Optional | N/A | BIG-IP TCP client and server profiles in the Policy CR. |
| snat | String | Optional | auto | Reference to a SNAT pool on BIG-IP. The other allowed values are auto (default) and none. A VirtualServer or TransportServer CRD resource takes precedence over the Policy CRD resource. |

L7 Policy Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| waf | String | Optional | N/A | Pathname of an existing BIG-IP WAF policy. |

L3 Policy Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| botDefense | String | Optional | N/A | Pathname of an existing BIG-IP botDefense policy. |
| dos | String | Optional | N/A | Pathname of an existing BIG-IP DoS policy. |
| firewallPolicy | String | Optional | N/A | Pathname of an existing BIG-IP firewall (AFM) policy. |
| allowSourceRange | String | Optional | N/A | Comma-separated list of CIDR addresses allowed inbound to the services corresponding to the VirtualServer CRD. Allowed values are comma-separated, CIDR-formatted IP addresses, for example: 1.2.3.4/32,2.2.2.0/24 |

LTM Policy Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| insecure | String | Optional | N/A | |
| secure | String | Optional | N/A | |
| priority | String | Optional | N/A | Defines the level of priority. Allowed values are low and high. |

iRules Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| insecure | String | Optional | N/A | Pathname of an existing BIG-IP iRule. |
| secure | String | Optional | N/A | Pathname of an existing BIG-IP iRule. |
| priority | String | Optional | N/A | Defines the level of priority. Allowed values are low and high. |

Profile Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| udp | String | Optional | N/A | Pathname of an existing BIG-IP UDP profile. |
| http | String | Optional | N/A | Pathname of an existing BIG-IP HTTP profile. |
| https | String | Optional | N/A | Pathname of an existing BIG-IP SSL profile. |
| http2 | String | Optional | N/A | Pathname of an existing BIG-IP HTTP2 profile. |
| logProfiles | List of string | Optional | N/A | Pathnames of existing BIG-IP log profiles. |
| persistenceProfile | String | Optional | VirtualServer: cookie; TransportServer: source-address | CIS uses the AS3 default persistence profile. A VirtualServer or TransportServer CRD resource takes precedence over the Policy CRD resource. Allowed values are existing BIG-IP persistence profiles. |
| profileMultiplex | String | Optional | N/A | CIS uses the AS3 default profileMultiplex profile. Allowed values are existing BIG-IP profileMultiplex profiles. |
| profileL4 | String | Optional | basic | The default value is basic, but it is not configurable unless the profileL4 spec is included in the TS or Policy CR. The TransportServer CRD resource takes precedence over the Policy CRD resource. Allowed values are existing BIG-IP profileL4 profiles. |

TCP Profile Components

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| client | String | Required | N/A | Custom_TCP: CIS uses the AS3 default TCP client profile. Allowed values are existing BIG-IP TCP client profiles. |
| server | String | Optional | N/A | Allowed values are existing BIG-IP TCP server profiles. Note: a server TCP profile can only be used together with a client profile. |
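The component tables above state several constraints that CIS or BIG-IP will only reject after the object is applied: the f5cr label from the Note near the top, the allowed values of snat and priority, the CIDR format of allowSourceRange, the requirement that a TCP server profile is accompanied by a client profile, and the fact that most fields are pathnames of existing BIG-IP objects. The following offline lint is an added example, not code from the CIS project, that checks a Policy CR (parsed into a dict, for instance from YAML) against those constraints so that a mistake is caught in CI or a pre-commit hook rather than on the BIG-IP. It assumes BIG-IP object paths start with a slash as in /Common/name (the form every sample on this page uses); the two sample objects are constructed, the first reproducing sample-policy-crd.yaml and the second deliberately broken. The lint accepts allowSourceRange both as the comma-separated string documented in the L3 table and as the YAML list used in the sample, and it flags a CIDR with host bits set because the range BIG-IP ends up allowing may be wider than the author intended.

```python
# Added example, not part of the CIS project: an offline lint for a Policy CR
# against the constraints in the component tables. Assumption: BIG-IP object
# paths look like /Partition/name (leading slash), as in every sample above.
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

# Spec paths documented as "Pathname of existing BIG-IP ..."; persistenceProfile
# is excluded because the sample uses the literal value none.
PATH_FIELDS: List[Tuple[str, ...]] = [
    ("l7Policies", "waf"), ("l3Policies", "botDefense"), ("l3Policies", "dos"),
    ("l3Policies", "firewallPolicy"), ("profiles", "udp"), ("profiles", "http"),
    ("profiles", "https"), ("profiles", "http2"), ("profiles", "profileL4"),
    ("profiles", "profileMultiplex"), ("profiles", "tcp", "client"),
    ("profiles", "tcp", "server"), ("iRules", "secure"), ("iRules", "insecure"),
]


def _get(node: Any, path: Tuple[str, ...]) -> Optional[Any]:
    """Walk nested dicts along path; None if any key is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _check_cidr(item: str) -> Optional[str]:
    """None for a clean CIDR, otherwise a message describing the problem."""
    try:
        ipaddress.ip_network(item, strict=True)
        return None
    except ValueError:
        pass
    try:  # parses only with host bits set: the effective range may be wider than intended
        net = ipaddress.ip_network(item, strict=False)
        return f"allowSourceRange entry {item!r} has host bits set (did you mean {net}?)"
    except ValueError:
        return f"allowSourceRange entry {item!r} is not a CIDR-formatted address"


def lint_policy(obj: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the object passed every check."""
    problems: List[str] = []
    if _get(obj, ("metadata", "labels", "f5cr")) != "true":
        problems.append('metadata.labels.f5cr must be the string "true" or CIS will not process the resource')
    spec = obj.get("spec", {})

    snat = spec.get("snat", "auto")  # table: auto (default), none, or a SNAT pool reference
    if snat not in ("auto", "none") and not str(snat).startswith("/"):
        problems.append(f"spec.snat {snat!r} is neither auto, none nor a SNAT pool path")

    ranges = _get(spec, ("l3Policies", "allowSourceRange"))
    if ranges is not None:  # comma-separated string (table) or YAML list (sample)
        items = ranges.split(",") if isinstance(ranges, str) else list(ranges)
        problems.extend(m for m in (_check_cidr(str(i).strip()) for i in items) if m)

    for section in ("iRules", "ltmPolicies"):  # both tables allow only low and high
        priority = _get(spec, (section, "priority"))
        if priority is not None and priority not in ("low", "high"):
            problems.append(f"spec.{section}.priority {priority!r} must be low or high")

    tcp = _get(spec, ("profiles", "tcp")) or {}
    if "server" in tcp and "client" not in tcp:
        problems.append("spec.profiles.tcp.server requires spec.profiles.tcp.client")

    for path in PATH_FIELDS:
        value = _get(spec, path)
        if value is not None and not (isinstance(value, str) and value.startswith("/")):
            problems.append(f"spec.{'.'.join(path)} {value!r} is not a BIG-IP object path like /Common/name")

    log_profiles = _get(spec, ("profiles", "logProfiles"))
    if log_profiles is not None and (not isinstance(log_profiles, list) or any(
            not (isinstance(p, str) and p.startswith("/")) for p in log_profiles)):
        problems.append("spec.profiles.logProfiles must be a list of BIG-IP log profile paths")
    return problems


# Constructed input 1: sample-policy-crd.yaml from this page, parsed into a dict.
SAMPLE_POLICY = {
    "apiVersion": "cis.f5.com/v1", "kind": "Policy",
    "metadata": {"labels": {"f5cr": "true"}, "name": "sample-policy", "namespace": "default"},
    "spec": {
        "snat": "auto",
        "l7Policies": {"waf": "/Common/WAF_Policy"},
        "l3Policies": {"firewallPolicy": "/Common/AFM_Policy", "dos": "/Common/dos",
                       "botDefense": "/Common/bot-defense",
                       "allowSourceRange": ["1.1.1.0/24", "2.2.2.0/24"]},
        "profiles": {"tcp": {"client": "/Common/f5-tcp-lan", "server": "/Common/f5-tcp-wan"},
                     "udp": "/Common/udp", "http": "/Common/http", "http2": "/Common/http2",
                     "persistenceProfile": "none", "profileL4": "/Common/security-fastL4",
                     "profileMultiplex": "/Common/oneconnect",
                     "logProfiles": ["/Common/Log all requests", "/Common/local-dos"]},
        "iRules": {"secure": "/Common/irule1", "insecure": "/Common/irule1", "priority": "high"},
    },
}
# Constructed input 2: a deliberately broken Policy (wrong label case, bare WAF
# name, sloppy and invalid CIDRs, bad priority, server TCP profile without client).
BROKEN_POLICY = {
    "metadata": {"labels": {"f5cr": "True"}, "name": "broken-policy"},
    "spec": {
        "l7Policies": {"waf": "WAF_Policy"},
        "l3Policies": {"allowSourceRange": "10.0.0.0/8, 10.0.0.1/24, not-a-cidr"},
        "profiles": {"tcp": {"server": "/Common/f5-tcp-wan"}},
        "iRules": {"priority": "medium"},
    },
}

if __name__ == "__main__":
    for name, policy in (("sample-policy", SAMPLE_POLICY), ("broken-policy", BROKEN_POLICY)):
        print(name, "->", lint_policy(policy) or "OK")
```

The page's own sample passes cleanly; the broken object yields six findings, one per defect listed in its comment. Wire lint_policy into the pipeline that renders your Policy manifests so that a Policy which CIS would silently ignore (label missing or mis-cased) never reaches the cluster looking as if it were enforcing a WAF or source-range restriction.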

Examples Repository

View more examples on GitHub.


Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.