-
Notifications
You must be signed in to change notification settings - Fork 454
3.控制器Configmap设定
Oilbeater edited this page Dec 12, 2021
·
1 revision
该configmap的主要作用是设定CES控制器的运行参数,它会影响F5的配置,并为应用人员(或策略设定者)屏蔽F5配置对象的细节。它更好的解耦k8s平台管理员与F5管理员之间的工作。configmap的设定人员应由熟悉F5的人员进行配置。
以下将通过in-line方式讲解配置参数含义:
apiVersion: v1
data:
ces-conf.yaml: |-
clusterName: k8s
##clusterName using for k8s cluster identifer,when F5 act as egress gateway for multi k8s clusters
masterCluster: k8s
##When multi clusters docking single BIG-IP,the master cluster will write global level policy to F5.
##Global level policy means for all clusters, each cluster has one CES. Only one CES need own for global level policy.
isSupportRouteDomain: false
##If the CNI(for example Kube-ovn) supports strict network isolation, F5 use route domain to support it.
schemaVersion: "3.28.0"
iRule:
- bwc-1mbps-irule
- bwc-2mbps-irule
##Set the irule name that for bandwidth limit.
##Log pool setting, for sending AFM events to outside by using HSL.
logPool:
loggingEnabled: true
#this switch is used for if globally enable ACL matching logs. If true, will use below logging template.
enableRemoteLog: true
##this switch is for controlling remote log.
##if true, will send logs to remote log member(which is set by HSL)
serverAddresses:
- "1.2.3.4"
##External log servers
##below template is the HSL related AS3 configurations. F5 administrator should be consulted for detail.
template: '{
"k8s_afm_hsl_log_profile": {
"network": {
"publisher": {
"use": "/{{tenant}}/Shared/k8s_firewall_hsl_log_publisher"
},
"storageFormat": {
"fields": [
"bigip-hostname",
"acl-rule-name",
"acl-policy-name",
"acl-policy-type",
"protocol",
"action",
"drop-reason",
"context-name",
"context-type",
"date-time",
"src-ip",
"src-port",
"vlan",
"route-domain",
"dest-ip",
"dest-port"
]
},
"logRuleMatchAccepts": true,
"logRuleMatchRejects": true,
"logRuleMatchDrops": true,
"logIpErrors": true,
"logTcpErrors": true,
"logTcpEvents": true
},
"class": "Security_Log_Profile"
},
"k8s_firewall_hsl_log_publisher": {
"destinations": [
{
"use": "/{{tenant}}/Shared/k8s_remote-hsl-dest-format"
},
{
"bigip": "/Common/local-db"
}
],
"class": "Log_Publisher"
},
"k8s_remote-hsl-dest": {
"pool": {
"use": "/{{tenant}}/Shared/k8s_log_pool"
},
"class": "Log_Destination",
"type": "remote-high-speed-log"
},
"k8s_remote-hsl-dest-format": {
"format": "rfc5424",
"remoteHighSpeedLog": {
"use": "/{{tenant}}/Shared/k8s_remote-hsl-dest"
},
"class": "Log_Destination",
"type": "remote-syslog"
}
}'
tenant:
## tennat using for the mapping between k8s namespace and F5 partition/route domain ID
##common partiton config, init AS3 needs. If you dont want to use strict network isolation
##then just set Common, put all namesapces under the common tenant
##if use route domian, then need create related partitions,route domain ID in F5 first, then set here
- name: "Common"
namespaces: "default,kube-system,ns-600,ns-700"
virtualService:
template: ''
gwPool:
serverAddresses:
- "172.16.10.254"
## virtualService template and gw pool is for F5. In case of different route domain need different outbound vs and gw pool. Leave virtualServer as blank, CES will use default VS setting. gwPool is a must parameter. Remove below tenant example if you are not using route domain.
- name: "p1"
namespaces: "ns-800"
routeDomain:
id: 1
name: "rd1"
virtualService:
template: ''
gwPool:
serverAddresses:
- "172.16.10.254"
initialized: "false"
##Initially, this is false when installation, CES will control the value. Dont manually change it after CES running.
kind: ConfigMap
metadata:
name: ces-controller-configmap
namespace: kube-system
对于log的几个开关的逻辑关系:
在CES解决方案中,存在三处关于log的控制开关,上述configmap包含两个,每个具体的规则设定里包含一个logging
开关。这三者的不同组合产生的效果如下
组合 | 效果 |
---|---|
loggingEnabled: true enableRemoteLog: false + logging:true |
Log event to local |
loggingEnabled: true enableRemoteLog: false + logging:false |
will not log event (logging field is disabled in the rule, but vs has correct logging profile attached) |
loggingEnabled: true enableRemoteLog: true + logging:false |
will log event (logging field is disabled in the rule, but vs has correct logging profile attached and has remote HSL setting) |
loggingEnabled: true enableRemoteLog: true + logging:true |
log event to remote (hsl,logging profile setting will follow the log template that in configmap) AS f5 behavior, this will cause events will not be save into local db if remote hsl pool is down. |
注意:
如果修改了CES的configmap参数,建议等到CES报出如下日志后再做后续操作,以便控制获取到CM的变化。一般来说等待1-2分钟:
init.go:30] file[ces-conf.yaml] has been modified, configuration reinitialization !
下一步: