
3. Controller ConfigMap settings

myf5 edited this page Mar 16, 2022 · 9 revisions

The main purpose of this configmap is to set the runtime parameters of the CES controller. These parameters shape the F5 configuration and hide the details of F5 configuration objects from application staff (or policy authors), which better decouples the work of the k8s platform administrator from that of the F5 administrator. The configmap should be written by someone familiar with F5.

The meaning of each configuration parameter is explained inline below:

```yaml
apiVersion: v1
data:
  ces-conf.yaml: |-
    clusterName: k8s
    ## clusterName is the k8s cluster identifier, used when F5 acts as egress gateway for multiple k8s clusters
    masterCluster: k8s
    ## When multiple clusters share a single BIG-IP, the master cluster writes the global-level policy to F5.
    ## Global-level policy applies to all clusters. Each cluster has one CES; only one CES needs to own the global-level policy.
    isSupportRouteDomain: false
    ## If the CNI (for example Kube-OVN) supports strict network isolation, F5 uses route domains to support it.
    schemaVersion: "3.28.0"
    iRule:
      - bwc-1mbps-irule
      - bwc-2mbps-irule
    ## Set the iRule names used for bandwidth limiting. The iRules need to be created on F5 manually.
    ## Log pool setting, for sending AFM events outside by using HSL.
    logPool:
      loggingEnabled: true
      ## This switch globally enables ACL match logging. If true, the logging template below is used.
      enableRemoteLog: true
      ## This switch controls remote logging.
      ## If true, logs are sent to the remote log members (set via HSL).
      healthmonitor: gateway_icmp
      ## The health monitor supports one of tcp, udp, gateway_icmp
      serverAddresses:
        - "1.2.3.4:514"
        - "2.2.2.2:1514"
      ## External log servers
      ## The template below is the HSL-related AS3 configuration. Consult the F5 administrator for details.
      template: '{
                     "k8s_afm_hsl_log_profile": {
                         "network": {
                             "publisher": {
                                 "use": "/{{tenant}}/Shared/k8s_firewall_hsl_log_publisher"
                             },
                             "storageFormat": {
                                 "fields": [
                                     "bigip-hostname",
                                     "acl-rule-name",
                                     "acl-policy-name",
                                     "acl-policy-type",
                                     "protocol",
                                     "action",
                                     "drop-reason",
                                     "context-name",
                                     "context-type",
                                     "date-time",
                                     "src-ip",
                                     "src-port",
                                     "vlan",
                                     "route-domain",
                                     "dest-ip",
                                     "dest-port"
                                 ]
                             },
                             "logRuleMatchAccepts": true,
                             "logRuleMatchRejects": true,
                             "logRuleMatchDrops": true,
                             "logIpErrors": true,
                             "logTcpErrors": true,
                             "logTcpEvents": true
                         },
                         "class": "Security_Log_Profile"
                     },
                     "k8s_firewall_hsl_log_publisher": {
                         "destinations": [
                             {
                                 "use": "/{{tenant}}/Shared/k8s_remote-hsl-dest-format"
                             },
                             {
                                 "bigip": "/Common/local-db"
                             }
                         ],
                         "class": "Log_Publisher"
                     },
                     "k8s_remote-hsl-dest": {
                         "pool": {
                             "use": "/{{tenant}}/Shared/k8s_log_pool"
                         },
                         "class": "Log_Destination",
                         "type": "remote-high-speed-log"
                     },
                     "k8s_remote-hsl-dest-format": {
                         "format": "rfc5424",
                         "remoteHighSpeedLog": {
                             "use": "/{{tenant}}/Shared/k8s_remote-hsl-dest"
                         },
                         "class": "Log_Destination",
                         "type": "remote-syslog"
                     }
                 }'
    tenant:
      ## tenant defines the mapping between k8s namespaces and the F5 partition / route domain ID
      ## Common partition config, required by the initial AS3 declaration. If you don't want strict network isolation,
      ## just set Common and put all namespaces under the Common tenant.
      ## If route domains are used, create the related partitions and route domain IDs on F5 first, then set them here.
      - name: "Common"
        namespaces: "default,kube-system,ns-600,ns-700"
        virtualService:
          ## This template is for the VS setting; leaving it blank means the default template is used.
          ## Setting the template overrides the virtualAddresses below, since the template includes the VS IP.
          template: ''
          virtualAddresses:
            ## This is the VS IP
            virtualAddress: "0.0.0.0"
            ## This is the virtual-address setting; you can control ICMP or ARP.
            ## Optional, CES includes a default setting
            icmpEcho: "disable"
            ## Optional, CES includes a default setting
            arpEnabled: false
            ## To set more on the virtual address, use the template. It overrides the ICMP and ARP settings above.
            template: ''
        gwPool:
          serverAddresses:
            - "172.16.10.254"
      ## The virtualService template and gwPool are F5 settings, for the case where different route domains need different outbound VSs and gateway pools. Leave the virtualService template blank and CES uses the default VS setting. gwPool is a mandatory parameter. Remove the tenant example below if you are not using route domains.
      - name: "p1"
        namespaces: "ns-800"
        routeDomain:
          id: 1
          name: "rd1"
        virtualService:
          template: ''
        gwPool:
          serverAddresses:
            - "172.16.10.254"
kind: ConfigMap
metadata:
  name: ces-controller-configmap
  namespace: kube-system
```
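As an added pre-apply check (example code, not part of CES or this page), the Python below validates the logPool section of ces-conf.yaml: it checks the health monitor against the three supported values, checks that each serverAddress is ip:port, and, after substituting {{tenant}}, parses the AS3 template and verifies that every "use" pointer resolves to an object declared in the template. It assumes that the pool named k8s_log_pool is created by CES from serverAddresses rather than declared in the template; the sample is a constructed, shortened copy of the page's logPool (storageFormat fields and the rfc5424 formatter omitted).

```python
import json
import re

ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
HEALTH_MONITORS = {"tcp", "udp", "gateway_icmp"}
CES_PROVIDED = {"k8s_log_pool"}  # assumption: CES builds this pool from serverAddresses

def _use_refs(node):
    # Yield every AS3 "use" pointer found anywhere in a declaration.
    if isinstance(node, dict):
        for k, v in node.items():
            yield from ([v] if k == "use" and isinstance(v, str) else _use_refs(v))
    elif isinstance(node, list):
        for v in node:
            yield from _use_refs(v)

def check_log_pool(log_pool, tenant="Common"):
    """Return the problems found in a logPool section (empty list means OK)."""
    problems = []
    if log_pool.get("healthmonitor") not in HEALTH_MONITORS:
        problems.append("healthmonitor must be one of tcp, udp, gateway_icmp")
    for addr in log_pool.get("serverAddresses", []):
        m = ADDR_RE.match(addr)
        if not m or not 0 < int(m.group(2)) < 65536:
            problems.append(f"bad serverAddress {addr!r}, expected ip:port")
    template = log_pool.get("template", "").strip()
    if not template:
        return problems  # blank template: CES default, nothing more to check
    try:
        decl = json.loads(template.replace("{{tenant}}", tenant))
    except json.JSONDecodeError as e:
        return problems + [f"template is not valid JSON: {e}"]
    defined = set(decl) | CES_PROVIDED
    prefix = f"/{tenant}/Shared/"
    for ref in _use_refs(decl):  # every pointer must resolve inside the tenant
        if not ref.startswith(prefix) or ref[len(prefix):] not in defined:
            problems.append(f"dangling reference {ref}")
    return problems

# Constructed sample: the page's logPool, shortened (fields list and formatter omitted).
SAMPLE_LOG_POOL = {
    "loggingEnabled": True, "enableRemoteLog": True, "healthmonitor": "gateway_icmp",
    "serverAddresses": ["1.2.3.4:514", "2.2.2.2:1514"],
    "template": """{"k8s_afm_hsl_log_profile": {"class": "Security_Log_Profile", "network":
  {"publisher": {"use": "/{{tenant}}/Shared/k8s_firewall_hsl_log_publisher"}}},
 "k8s_firewall_hsl_log_publisher": {"class": "Log_Publisher", "destinations": [{"bigip":
  "/Common/local-db"}, {"use": "/{{tenant}}/Shared/k8s_remote-hsl-dest"}]},
 "k8s_remote-hsl-dest": {"class": "Log_Destination", "type": "remote-high-speed-log",
  "pool": {"use": "/{{tenant}}/Shared/k8s_log_pool"}}}""",
}
```

Running `check_log_pool(SAMPLE_LOG_POOL)` returns an empty list; a typo in a `use` path or an address without a port shows up as a message before the configmap reaches the cluster.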

More configuration examples can be found at https://github.com/f5devcentral/container-egress-service/blob/master/doc/zh_cn.md.

Logical relationship between the log switches:

The CES solution has three switches that control logging: the two in the configmap above, and a logging switch in each individual rule definition. The different combinations of the three have the following effects:

| Combination | Effect |
| --- | --- |
| loggingEnabled: true, enableRemoteLog: false + logging: true | Log event to local |
| loggingEnabled: true, enableRemoteLog: false + logging: false | Will not log event (logging field is disabled in the rule, but the VS has the correct logging profile attached) |
| loggingEnabled: true, enableRemoteLog: true + logging: false | Will log event (logging field is disabled in the rule, but the VS has the correct logging profile attached and has the remote HSL setting) |
| loggingEnabled: true, enableRemoteLog: true + logging: true | Log event to remote (HSL; the logging profile setting follows the log template in the configmap). As F5 behaviour, events will not be saved into the local DB if the remote HSL pool is down. |

Note:

If the CES configmap parameters are modified, it is recommended to wait until CES reports the following log line before taking further action, so that the controller has picked up the ConfigMap change. This usually takes 1-2 minutes:

```
init.go:30] file[ces-conf.yaml] has been modified, configuration reinitialization !
```

Next step

Learn about CES usage scenarios