EN_3_Configmap_setting
myf5 edited this page Nov 24, 2021
The ConfigMap sets the operating parameters of the CES controller. These parameters determine the configuration that CES writes to F5 and hide the details of the F5 configuration objects from application teams, which decouples the work of k8s platform administrators from that of F5 administrators. The person who sets the ConfigMap should therefore be on the F5 side.

The meaning of each configuration parameter is explained inline below:
```yaml
apiVersion: v1
data:
  ces-conf.yaml: |-
    clusterName: k8s
    ##clusterName is the k8s cluster identifier, used when F5 acts as egress gateway for multiple k8s clusters
    masterCluster: k8s
    ##When multiple clusters share a single BIG-IP, the master cluster writes the global-level policy to F5.
    ##Global-level policy applies to all clusters. Each cluster has one CES; only one CES needs to own the global-level policy.
    isSupportRouteDomain: false
    ##If the CNI (for example Kube-OVN) supports strict network isolation, F5 uses route domains to support it.
    schemaVersion: "3.28.0"
    iRule:
      - bwc-1mbps-irule
      - bwc-2mbps-irule
    ##Set the iRule names used for bandwidth limiting.
    ##Log pool settings, for sending AFM events to an external log server using HSL.
    logPool:
      enableRemoteLog: yes
      ##If yes, CES writes the related configuration into F5.
      serverAddresses:
        - "1.2.3.4"
      ##External log servers
      ##The template below is the HSL-related AS3 configuration. Consult the F5 administrator for details.
      template: '{
        "k8s_afm_hsl_log_profile": {
          "network": {
            "publisher": {
              "use": "/{{tenant}}/Shared/k8s_firewall_hsl_log_publisher"
            },
            "storageFormat": {
              "fields": [
                "bigip-hostname",
                "acl-rule-name",
                "acl-policy-name",
                "acl-policy-type",
                "protocol",
                "action",
                "drop-reason",
                "context-name",
                "context-type",
                "date-time",
                "src-ip",
                "src-port",
                "vlan",
                "route-domain",
                "dest-ip",
                "dest-port"
              ]
            },
            "logRuleMatchAccepts": true,
            "logRuleMatchRejects": true,
            "logRuleMatchDrops": true,
            "logIpErrors": true,
            "logTcpErrors": true,
            "logTcpEvents": true
          },
          "class": "Security_Log_Profile"
        },
        "k8s_firewall_hsl_log_publisher": {
          "destinations": [
            {
              "use": "/{{tenant}}/Shared/k8s_remote-hsl-dest-format"
            },
            {
              "bigip": "/Common/local-db"
            }
          ],
          "class": "Log_Publisher"
        },
        "k8s_remote-hsl-dest": {
          "pool": {
            "use": "/{{tenant}}/Shared/k8s_log_pool"
          },
          "class": "Log_Destination",
          "type": "remote-high-speed-log"
        },
        "k8s_remote-hsl-dest-format": {
          "format": "rfc5424",
          "remoteHighSpeedLog": {
            "use": "/{{tenant}}/Shared/k8s_remote-hsl-dest"
          },
          "class": "Log_Destination",
          "type": "remote-syslog"
        }
        }'
    tenant:
      ##tenant defines the mapping between k8s namespaces and the F5 partition/route domain ID.
      ##The Common partition config is required to initialize AS3. If you do not want strict network isolation,
      ##just set Common and put all namespaces under the Common tenant.
      ##If you use route domains, first create the related partitions and route domain IDs in F5, then set them here.
      - name: "Common"
        namespaces: "default,kube-system,ns-600,ns-700"
        virtualService:
          template: ''
        gwPool:
          serverAddresses:
            - "172.16.10.254"
      ##The virtualService template and gwPool are for F5. Different route domains need different outbound VS and gw pools.
      ##Leave the virtualService template blank and CES uses its default VS setting. gwPool is a mandatory parameter.
      ##Remove the tenant example below if you are not using route domains.
      - name: "p1"
        namespaces: "ns-800"
        routeDomain:
          id: 1
          name: "rd1"
        virtualService:
          template: ''
        gwPool:
          serverAddresses:
            - "172.16.10.254"
    initialized: "false"
    ##This is false at installation; CES controls the value afterwards. Do not change it manually while CES is running.
kind: ConfigMap
metadata:
  name: ces-controller-configmap
  namespace: kube-system
```
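The tenant mapping and log pool rules above are easy to get wrong by hand, so here is an added pre-apply check (example code written for this page, not part of the CES project): it verifies that every tenant has a gwPool, that any tenant besides Common has route domain support enabled plus a routeDomain id and name, that no namespace is mapped to two tenants, that the HSL template is valid JSON once `{{tenant}}` is rendered, and that `initialized` is still `"false"`. `SAMPLE_CONF` is a constructed copy of the page's `ces-conf.yaml` as a YAML parser would return it, with the template shortened.

```python
import json
# Constructed sample mirroring this page's ces-conf.yaml as yaml.safe_load would
# return it (HSL template shortened; YAML "yes" parses to True).
SAMPLE_CONF = {
    "isSupportRouteDomain": True,
    "logPool": {
        "enableRemoteLog": True,
        "serverAddresses": ["1.2.3.4"],
        "template": '{"k8s_remote-hsl-dest": {"pool": {"use": "/{{tenant}}/Shared/k8s_log_pool"},'
                    ' "class": "Log_Destination", "type": "remote-high-speed-log"}}',
    },
    "tenant": [
        {"name": "Common", "namespaces": "default,kube-system,ns-600,ns-700",
         "gwPool": {"serverAddresses": ["172.16.10.254"]}},
        {"name": "p1", "namespaces": "ns-800", "routeDomain": {"id": 1, "name": "rd1"},
         "gwPool": {"serverAddresses": ["172.16.10.254"]}},
    ],
    "initialized": "false",
}

def validate_ces_conf(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    owner = {}  # namespace -> tenant name, to catch a namespace mapped to two tenants
    for t in conf.get("tenant", []):
        name = t.get("name", "<unnamed>")
        # gwPool is mandatory: each tenant's egress VS needs an outbound gateway pool
        if not t.get("gwPool", {}).get("serverAddresses"):
            findings.append(f"tenant {name}: gwPool.serverAddresses is required")
        # a tenant other than Common means strict isolation, which needs route domain support
        rd = t.get("routeDomain", {})
        if name != "Common" and not conf.get("isSupportRouteDomain"):
            findings.append(f"tenant {name}: defined but isSupportRouteDomain is false")
        elif name != "Common" and (rd.get("id") is None or not rd.get("name")):
            findings.append(f"tenant {name}: routeDomain id and name must be set")
        for ns in filter(None, (s.strip() for s in t.get("namespaces", "").split(","))):
            if ns in owner:
                findings.append(f"namespace {ns} is mapped to both {owner[ns]} and {name}")
            owner[ns] = name
    lp = conf.get("logPool", {})
    if lp.get("enableRemoteLog"):
        if not lp.get("serverAddresses"):
            findings.append("logPool: enableRemoteLog is set but serverAddresses is empty")
        try:  # the HSL template must be valid AS3 JSON once {{tenant}} is substituted
            json.loads(lp.get("template", "").replace("{{tenant}}", "Common"))
        except ValueError as e:
            findings.append(f"logPool.template is not valid JSON after rendering: {e}")
    if conf.get("initialized") != "false":
        findings.append('initialized must be "false" at install time; CES manages it afterwards')
    return findings
```

Run `validate_ces_conf` on the parsed `ces-conf.yaml` string before `kubectl apply`; any non-empty result points at a parameter the F5 administrator should fix first.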