Forum Discussion
F5 CIS IngressLink attaching WAF policy on the BIG-IP through the CRD?
Hey Everyone,
I did a lot of lab testing for F5 CIS.
One interesting thing I saw is that the IngressLink integration between F5 BIG-IP and Nginx Ingress does not have the policy option where you create a policy CRD with WAF, APM Access and F5 profiles and attach it to the VirtualServer or Service of type load balancer.
Maybe the option is there, but at https://clouddocs.f5.com/containers/latest/userguide/ingresslink/ or https://github.com/F5Networks/k8s-bigip-ctlr I just don't see it, and I have no F5 Nginx Ingress to test with, as in my lab I have F5 BIG-IP and the community Nginx.
I may open a git case, but in the future, as I still don't have a use case for this; I just saw it and became interested in whether the policy option is there but just not documented.
1 Reply
Ok, I tested it and actually even with the community edition it works, but sort of 😅 One small issue is that the community edition returns a 404 error when a health monitor request is sent to / without a hostname, and IngressLink attaches HTTP monitors, as it is meant for the F5 Networks Nginx version that has a default response page with a 200 code. Also, IngressLink creates an F5 VIP that is just layer 3/4 without an HTTP profile, so this explains a lot!
This feature is meant for where F5 is Tier 0 and just provides basic protections like Global AFM DOS, AFM rules, TCP profile cookie security etc. It seems the main features like WAF (Nginx App Protect), SAML and OAuth authentication/authorization in that case will be on the Nginx Plus (not the community open-source one) Ingress.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-ingresslink
  namespace: ingress-nginx
  labels:
    app: ingresslink
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
  selector:
    app: nginx-ingress
---
apiVersion: "cis.f5.com/v1"
kind: IngressLink
metadata:
  name: nginx-ingress
  namespace: ingress-nginx
spec:
  virtualServerAddress: "xxxx"
  host: demo.localdev.me
  # iRules:
  #   - /Common/nginx-ingress
  selector:
    matchLabels:
      app: ingresslink
```
