
3. Controller ConfigMap settings

myf5 edited this page Nov 24, 2021 · 9 revisions

This ConfigMap sets the runtime parameters of the CES controller. It determines the configuration that CES writes to the F5 and hides the details of the F5 configuration objects from application owners (or whoever sets policy), which better decouples the work of the k8s platform administrator from that of the F5 administrator. The ConfigMap should be configured by someone familiar with F5.

The meaning of each parameter is explained in-line below:

```yaml
apiVersion: v1
data:
  ces-conf.yaml: |-
    clusterName: k8s
    ##clusterName is the k8s cluster identifier, used when F5 acts as egress gateway for multiple k8s clusters
    masterCluster: k8s
    ##When multiple clusters dock to a single BIG-IP, the master cluster writes the global-level policy to F5.
    ##Global-level policy means policy for all clusters. Each cluster has one CES; only one CES needs to own the global-level policy.
    isSupportRouteDomain: false
    ##If the CNI (for example Kube-OVN) supports strict network isolation, F5 uses route domains to support it.
    schemaVersion: "3.28.0"
    iRule:
      - bwc-1mbps-irule
      - bwc-2mbps-irule
    ##Set the iRule names used for bandwidth limiting.
    ##Log pool setting, for sending AFM events to the outside using HSL.
    logPool:
      enableRemoteLog: yes
      ##if yes, CES writes the related configuration into F5.
      serverAddresses:
        - "1.2.3.4"
      ##External log servers
      ##The template below is the HSL-related AS3 configuration. Consult the F5 administrator for details.
      template: '{
                     "k8s_afm_hsl_log_profile": {
                         "network": {
                             "publisher": {
                                 "use": "/{{tenant}}/Shared/k8s_firewall_hsl_log_publisher"
                             },
                             "storageFormat": {
                                 "fields": [
                                     "bigip-hostname",
                                     "acl-rule-name",
                                     "acl-policy-name",
                                     "acl-policy-type",
                                     "protocol",
                                     "action",
                                     "drop-reason",
                                     "context-name",
                                     "context-type",
                                     "date-time",
                                     "src-ip",
                                     "src-port",
                                     "vlan",
                                     "route-domain",
                                     "dest-ip",
                                     "dest-port"
                                 ]
                             },
                             "logRuleMatchAccepts": true,
                             "logRuleMatchRejects": true,
                             "logRuleMatchDrops": true,
                             "logIpErrors": true,
                             "logTcpErrors": true,
                             "logTcpEvents": true
                         },
                         "class": "Security_Log_Profile"
                     },
                     "k8s_firewall_hsl_log_publisher": {
                         "destinations": [
                             {
                                 "use": "/{{tenant}}/Shared/k8s_remote-hsl-dest-format"
                             },
                             {
                                 "bigip": "/Common/local-db"
                             }
                         ],
                         "class": "Log_Publisher"
                     },
                     "k8s_remote-hsl-dest": {
                         "pool": {
                             "use": "/{{tenant}}/Shared/k8s_log_pool"
                         },
                         "class": "Log_Destination",
                         "type": "remote-high-speed-log"
                     },
                     "k8s_remote-hsl-dest-format": {
                         "format": "rfc5424",
                         "remoteHighSpeedLog": {
                             "use": "/{{tenant}}/Shared/k8s_remote-hsl-dest"
                         },
                         "class": "Log_Destination",
                         "type": "remote-syslog"
                     }
                 }'
    tenant:
      ## tenant defines the mapping between k8s namespaces and an F5 partition / route domain ID
      ##Common partition config, needed by the initial AS3 declaration. If you don't want strict network isolation,
      ##just set Common and put all namespaces under the Common tenant.
      ##If using route domains, first create the related partitions and route domain IDs on F5, then set them here.
      - name: "Common"
        namespaces: "default,kube-system,ns-600,ns-700"
        virtualService:
          template: ''
        gwPool:
          serverAddresses:
            - "172.16.10.254"
      ## The virtualService template and gwPool are for F5. Different route domains need different outbound VSs and gw pools. Leave the virtualService template blank and CES will use the default VS setting. gwPool is a mandatory parameter. Remove the tenant example below if you are not using route domains.
      - name: "p1"
        namespaces: "ns-800"
        routeDomain:
          id: 1
          name: "rd1"
        virtualService:
          template: ''
        gwPool:
          serverAddresses:
            - "172.16.10.254"
  initialized: "false"
  ##This is false at installation time; CES controls the value afterwards. Don't change it manually once CES is running.
kind: ConfigMap
metadata:
  name: ces-controller-configmap
  namespace: kube-system
```
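Because a wrong tenant mapping or a dangling `use` reference in the AS3 template only surfaces when CES pushes to the BIG-IP, it is worth checking the parsed `ces-conf.yaml` before applying the ConfigMap. The validator below is an added example, not part of CES; it works on the dict PyYAML would return for the block above, and it assumes that `k8s_log_pool` is created by CES from `logPool.serverAddresses` (the template references it without defining it), so that name is the only `use` target allowed to be missing from the template.

```python
import json
import re

# Added validator for a parsed ces-conf.yaml. Assumption: k8s_log_pool is built by CES from
# logPool.serverAddresses, so the template may reference it; every other "use" must be defined.
GENERATED = {"k8s_log_pool"}
USE_REF = re.compile(r"^/\{\{tenant\}\}/Shared/([^/]+)$")


def validate(conf):
    problems, owner = [], {}
    for t in conf.get("tenant", []):
        name = t.get("name", "?")
        for ns in filter(None, (n.strip() for n in t.get("namespaces", "").split(","))):
            if ns in owner:  # a namespace maps to exactly one partition / route domain
                problems.append(f"namespace {ns} mapped to both {owner[ns]} and {name}")
            owner[ns] = name
        if not t.get("gwPool", {}).get("serverAddresses"):  # gwPool is mandatory
            problems.append(f"tenant {name}: gwPool.serverAddresses is required")
        if "routeDomain" in t and not conf.get("isSupportRouteDomain"):
            problems.append(f"tenant {name}: routeDomain set but isSupportRouteDomain is false")
    log = conf.get("logPool", {})
    if not log.get("enableRemoteLog"):
        return problems  # nothing HSL-related is written to the BIG-IP
    try:
        objs = json.loads(log.get("template", ""))
    except ValueError as e:
        return problems + [f"logPool.template is not valid JSON: {e}"]
    for obj_name, obj in objs.items():
        for ref in re.findall(r'"use":\s*"([^"]+)"', json.dumps(obj)):
            m = USE_REF.match(ref)
            if not m or (m.group(1) not in objs and m.group(1) not in GENERATED):
                problems.append(f"{obj_name}: dangling reference {ref}")
    return problems


# Constructed sample in the shape of the page's ces-conf.yaml. The second tenant deliberately
# reuses ns-700 and omits gwPool, and one "use" target is misspelled, so all three checks fire.
SAMPLE = {
    "isSupportRouteDomain": True,
    "logPool": {
        "enableRemoteLog": True, "serverAddresses": ["1.2.3.4"],
        "template": '{"k8s_remote-hsl-dest": {"class": "Log_Destination", "type": "remote-high-speed-log",'
                    ' "pool": {"use": "/{{tenant}}/Shared/k8s_log_pool"}},'
                    ' "k8s_remote-hsl-dest-format": {"class": "Log_Destination", "type": "remote-syslog",'
                    ' "remoteHighSpeedLog": {"use": "/{{tenant}}/Shared/k8s_remote-hsl-dst"}}}'},
    "tenant": [
        {"name": "Common", "namespaces": "default,kube-system,ns-700", "gwPool": {"serverAddresses": ["172.16.10.254"]}},
        {"name": "p1", "namespaces": "ns-700", "routeDomain": {"id": 1, "name": "rd1"}},
    ],
}
```

Running `validate(SAMPLE)` returns three findings: the duplicate namespace, the missing gwPool for `p1`, and the dangling reference to `k8s_remote-hsl-dst`.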