
EN_3_Configmap_setting

myf5 edited this page Jan 4, 2022 · 8 revisions

The configmap sets the operating parameters of the CES controller. These parameters determine the configuration that CES pushes to F5 and hide the details of the F5 configuration objects from application personnel, which decouples the work of k8s platform administrators from that of F5 administrators. The configmap should be set by someone familiar with F5.

The following explains the meaning of each configuration parameter inline:

apiVersion: v1
data:
  ces-conf.yaml: |-
    clusterName: k8s
    ##clusterName is the k8s cluster identifier, used when F5 acts as the egress gateway for multiple k8s clusters
    masterCluster: k8s
    ##When multiple clusters dock with a single BIG-IP, the master cluster writes the global-level policy to F5.
    ##Global-level policy applies to all clusters. Each cluster has one CES; only one CES needs to own the global-level policy.
    isSupportRouteDomain: false
    ##If the CNI (for example Kube-ovn) supports strict network isolation, F5 uses route domains to support it.
    schemaVersion: "3.28.0"
    iRule:
      - bwc-1mbps-irule
      - bwc-2mbps-irule
    ##Set the iRule names used for bandwidth limiting.
    ##Log pool setting, for sending AFM events to an external collector using HSL.
    logPool:
      loggingEnabled: true
      #this switch globally enables ACL match logging. If true, the logging template below is used.
      enableRemoteLog: true
      ##this switch controls remote logging.
      ##if true, logs are sent to the remote log members (set via HSL)
      healthmonitor: gateway_icmp
      ## the health monitor must be one of tcp, udp, gateway_icmp
      serverAddresses:
        - "1.2.3.4:514"
        - "2.2.2.2:1514"
      ##External log servers
      ##the template below is the HSL-related AS3 configuration. Consult the F5 administrator for details.
      template: '{
                     "k8s_afm_hsl_log_profile": {
                         "network": {
                             "publisher": {
                                 "use": "/{{tenant}}/Shared/k8s_firewall_hsl_log_publisher"
                             },
                             "storageFormat": {
                                 "fields": [
                                     "bigip-hostname",
                                     "acl-rule-name",
                                     "acl-policy-name",
                                     "acl-policy-type",
                                     "protocol",
                                     "action",
                                     "drop-reason",
                                     "context-name",
                                     "context-type",
                                     "date-time",
                                     "src-ip",
                                     "src-port",
                                     "vlan",
                                     "route-domain",
                                     "dest-ip",
                                     "dest-port"
                                 ]
                             },
                             "logRuleMatchAccepts": true,
                             "logRuleMatchRejects": true,
                             "logRuleMatchDrops": true,
                             "logIpErrors": true,
                             "logTcpErrors": true,
                             "logTcpEvents": true
                         },
                         "class": "Security_Log_Profile"
                     },
                     "k8s_firewall_hsl_log_publisher": {
                         "destinations": [
                             {
                                 "use": "/{{tenant}}/Shared/k8s_remote-hsl-dest-format"
                             },
                             {
                                 "bigip": "/Common/local-db"
                             }
                         ],
                         "class": "Log_Publisher"
                     },
                     "k8s_remote-hsl-dest": {
                         "pool": {
                             "use": "/{{tenant}}/Shared/k8s_log_pool"
                         },
                         "class": "Log_Destination",
                         "type": "remote-high-speed-log"
                     },
                     "k8s_remote-hsl-dest-format": {
                         "format": "rfc5424",
                         "remoteHighSpeedLog": {
                             "use": "/{{tenant}}/Shared/k8s_remote-hsl-dest"
                         },
                         "class": "Log_Destination",
                         "type": "remote-syslog"
                     }
                 }'
    tenant:
      ## tenant defines the mapping between k8s namespaces and the F5 partition/route domain ID
      ##Common partition config, needed by the initial AS3 declaration. If you don't want strict network isolation,
      ##just set Common and put all namespaces under the Common tenant.
      ##If route domains are used, first create the related partitions and route domain IDs in F5, then set them here.
      - name: "Common"
        namespaces: "default,kube-system,ns-600,ns-700"
        virtualService:
          ##This template is for the VS setting; leave it blank to use the default template
          ##Setting the template overwrites the virtualAddresses below, since the template includes the VS IP
          template: ''
          virtualAddresses:
            ## this is the VS IP
            virtualAddress: "0.0.0.0"
            ## virtual address settings; you can control ICMP and ARP here
            ## optional, CES includes a default setting
            icmpEcho: "disable"
            ## optional, CES includes a default setting
            arpEnabled: false
            ## to set more options on the virtual address, use the template; it overwrites the above
            ## icmp and arp settings
            template: ''
        gwPool:
          serverAddresses:
            - "172.16.10.254"
      ## The virtualService template and gwPool are for F5. Different route domains need different outbound VS and gateway pools. Leave virtualService blank and CES uses the default VS setting. gwPool is a mandatory parameter. Remove the tenant example below if you are not using route domains.
      - name: "p1"
        namespaces: "ns-800"
        routeDomain:
          id: 1
          name: "rd1"
        virtualService:
          template: ''
        gwPool:
          serverAddresses:
            - "172.16.10.254"
kind: ConfigMap
metadata:
  name: ces-controller-configmap
  namespace: kube-system
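A consistency check for a ces-conf.yaml like the one above, added here as an example and not part of the CES project: it enforces the rules the comments state (gwPool is mandatory, a tenant with a routeDomain needs isSupportRouteDomain, the health monitor is one of three values, log servers are ip:port, and every `use` pointer in the AS3 template resolves to an object the template defines). Assumptions: the sample dict is constructed to mirror the configmap above, and `k8s_log_pool` is treated as an object CES creates from logPool.serverAddresses.

```python
import json
import re
# Constructed sample mirroring the ces-conf.yaml above after parsing; a real check would
# yaml.safe_load the ConfigMap's "ces-conf.yaml" key and pass the resulting dict in.
TEMPLATE = (
    '{"k8s_remote-hsl-dest-format": {"class": "Log_Destination", "type": "remote-syslog",'
    ' "remoteHighSpeedLog": {"use": "/{{tenant}}/Shared/k8s_remote-hsl-dest"}},'
    ' "k8s_remote-hsl-dest": {"class": "Log_Destination", "type": "remote-high-speed-log",'
    ' "pool": {"use": "/{{tenant}}/Shared/k8s_log_pool"}}}'
)
CONF = {
    "isSupportRouteDomain": False,
    "logPool": {"loggingEnabled": True, "enableRemoteLog": True, "healthmonitor": "gateway_icmp",
                "serverAddresses": ["1.2.3.4:514", "2.2.2.2:1514"], "template": TEMPLATE},
    "tenant": [
        {"name": "Common", "namespaces": "default,kube-system,ns-600,ns-700",
         "gwPool": {"serverAddresses": ["172.16.10.254"]}},
        {"name": "p1", "namespaces": "ns-800", "routeDomain": {"id": 1, "name": "rd1"},
         "gwPool": {"serverAddresses": ["172.16.10.254"]}},
    ],
}
ADDR = re.compile(r"^(\d{1,3}\.){3}\d{1,3}:(\d{1,5})$")
USE = re.compile(r'"use":\s*"/\{\{tenant\}\}/Shared/([^"]+)"')
EXTERNAL = {"k8s_log_pool"}  # assumption: the pool object CES itself builds from serverAddresses

def validate(conf):
    """Return a list of problems; an empty list means the configmap is self-consistent."""
    errs, lp = [], conf.get("logPool", {})
    if lp.get("healthmonitor") not in ("tcp", "udp", "gateway_icmp"):
        errs.append("logPool.healthmonitor must be one of tcp, udp, gateway_icmp")
    addrs = lp.get("serverAddresses", [])
    if lp.get("enableRemoteLog") and not addrs:
        errs.append("enableRemoteLog is true but logPool.serverAddresses is empty")
    errs += [f"bad log server address {a!r} (want ip:port)" for a in addrs
             if not (m := ADDR.match(a)) or not 1 <= int(m.group(2)) <= 65535]
    # every AS3 'use' pointer in the HSL template must name an object the template defines
    tmpl = json.loads(lp.get("template") or "{}")  # raises if the template is not valid JSON
    errs += [f"template references undefined object {r}"
             for r in USE.findall(lp.get("template", "")) if r not in tmpl and r not in EXTERNAL]
    seen = {}  # namespace -> tenant, to catch a namespace claimed by two tenants
    for t in conf.get("tenant", []):
        if not t.get("gwPool", {}).get("serverAddresses"):
            errs.append(f"tenant {t['name']}: gwPool.serverAddresses is mandatory")
        if "routeDomain" in t and not conf.get("isSupportRouteDomain"):
            errs.append(f"tenant {t['name']} has a routeDomain but isSupportRouteDomain is false")
        for ns in filter(None, t.get("namespaces", "").split(",")):
            if ns in seen:
                errs.append(f"namespace {ns} is mapped to both {seen[ns]} and {t['name']}")
            seen[ns] = t["name"]
    return errs
```

Running validate(CONF) on the sample reports the single mismatch the comments already warn about: tenant p1 carries a routeDomain while isSupportRouteDomain is false.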

See https://github.com/f5devcentral/container-egress-service/blob/master/doc/zh_cn.md for more configmap setting examples.

The logical relationship between the logging switches:

In the CES solution there are three logging control switches: the configmap above contains two (loggingEnabled and enableRemoteLog), and each specific rule contains its own logging switch. The effects of the combinations are as follows:

| Combination | Effect |
| --- | --- |
| loggingEnabled: true, enableRemoteLog: false + logging: true | Log events locally |
| loggingEnabled: true, enableRemoteLog: false + logging: false | Events are not logged (the logging field is disabled in the rule, but the VS has the correct logging profile attached) |
| loggingEnabled: true, enableRemoteLog: true + logging: false | Events are logged (the logging field is disabled in the rule, but the VS has the correct logging profile attached and has the remote HSL setting) |
| loggingEnabled: true, enableRemoteLog: true + logging: true | Log events to remote (HSL; the logging profile setting follows the log template in the configmap). As F5 behaviour, events will not be saved to the local DB if the remote HSL pool is down. |

Attention

After changing the CES configmap, wait for the log line below from the controller. This usually takes 1-2 minutes. Make sure the controller has picked up the new configuration before applying other new rules.

init.go:30] file[ces-conf.yaml] has been modified, configuration reinitialization !
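A small gate for the step above, added here as an example (not part of the CES project): it polls the controller's logs with kubectl until the reinitialization line appears, so a rollout script does not apply new rules before the controller has re-read the configmap. The pod label selector `app=ces-controller` and the klog-style prefixes in the sample lines are assumptions.

```python
import re
import subprocess
import time

# The line the wiki says the controller prints after it re-reads ces-conf.yaml.
REINIT = re.compile(r"init\.go:\d+\] file\[(?P<file>[^\]]+)\] has been modified, configuration reinitialization")

# Constructed sample of controller output (the klog-style prefixes are made up for illustration).
SAMPLE_LOGS = [
    "I0104 10:00:01.000000       1 controller.go:120] syncing rules for namespace ns-600",
    "I0104 10:00:45.000000       1 init.go:30] file[ces-conf.yaml] has been modified, configuration reinitialization !",
]

def reinit_seen(log_lines, filename="ces-conf.yaml"):
    """True if any line reports that the controller re-read `filename`."""
    return any((m := REINIT.search(line)) and m.group("file") == filename
               for line in log_lines)

def wait_for_reinit(namespace="kube-system", selector="app=ces-controller",
                    timeout=180, interval=10):
    """Poll the controller pod's logs until the reinit line appears or `timeout` seconds pass.
    The label selector is an assumption; use the one your CES deployment carries."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        out = subprocess.run(
            ["kubectl", "-n", namespace, "logs", "-l", selector, "--since", f"{timeout}s"],
            capture_output=True, text=True, check=False)
        if reinit_seen(out.stdout.splitlines()):
            return True
        time.sleep(interval)
    return False

if __name__ == "__main__":
    print("controller reloaded" if wait_for_reinit() else "no reinit line seen; do not apply new rules yet")
```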

Next step:

Understand the usage of CES