Forum Discussion
How can k8s CIS CRD VirtualServer reference existing APM Access profile?
Hey Everyone,
How can k8s Container Ingress Services (CIS) CRD VirtualServer reference existing APM Access profile?
I know that this is in AS3 ( https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.32/declarations/access-related.html ) but I don't see such options in the VirtualServer ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) or Policy ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) CRD, and I don't want to use the old way with config maps.
Edit:
A not great workaround I found is attaching an access profile by using an irule (APM access-profile can be assigned from iRule only) as the F5 CRD supports attaching configured existing irules.
```yaml
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: vs-test
  namespace: xxxx
  labels:
    f5cr: "true"
spec:
  virtualServerAddress: "xxxx"
  virtualServerHTTPPort: xxx
  snat: auto
  iRules:
    - "/Common/test-irule"
  pools:
    - monitor:
        interval: 10
        recv: ""
        send: "GET /"
        timeout: 31
        type: http
      path: /
      service: XXX
      servicePort: 80
```
3 Replies
- MichaelOLeary
Employee
Hi Nikoolayy1
Judging from the docs, it looks like the answer is no. https://clouddocs.f5.com/containers/latest/userguide/crd/policy.html
However, the best way to let F5 PM know you want this is currently to submit a GitHub issue here: https://github.com/F5Networks/k8s-bigip-ctlr/issues
You can message me directly or email me if you want to discuss more. I'd be more than happy to help out personally.
Mike.
- MichaelOLeary
Employee
Hi Nikoolayy1 ,
Update: I looked through some example Policy CRD's and this one looks like it might be what you are after? https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/customResource/Policy/policy-with-profileAccess.yaml
```yaml
apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  labels:
    f5cr: "true"
  name: cr-policy1
  namespace: default
spec:
  l7Policies:
    profileAccess: /Common/prof-access
    policyPerRequestAccess: /Common/per-req-pol
    waf: /Common/WAF_Policy1
```
I will assume you know how to add a policy and link to it? Can you shoot me a message if this works for you?
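Linking a Policy such as `cr-policy1` to a VirtualServer, as an added example that is not part of the original thread or F5's sample files: the `policyName` field of the VirtualServer spec names the Policy resource. The sketch assumes the Policy and the VirtualServer are in the same namespace; the address, port and Service name are placeholders.

```yaml
apiVersion: cis.f5.com/v1
kind: VirtualServer
metadata:
  name: vs-test
  namespace: default                  # assumption: same namespace as Policy cr-policy1
  labels:
    f5cr: "true"
spec:
  virtualServerAddress: "192.0.2.10"  # placeholder (documentation address range)
  virtualServerHTTPPort: 80           # placeholder
  snat: auto
  # Attach the Policy CR; its l7Policies (profileAccess, policyPerRequestAccess, waf)
  # are then applied to this virtual server.
  policyName: cr-policy1
  # No iRules entry here: the access profile comes from the Policy CR,
  # so the iRule workaround (/Common/test-irule) is no longer needed for that purpose.
  pools:
    - path: /
      service: example-svc            # placeholder Service name
      servicePort: 80
      monitor:
        type: http
        send: "GET /"
        recv: ""
        interval: 10
        timeout: 31
```

The profiles named in the Policy (`/Common/prof-access`, `/Common/per-req-pol`, `/Common/WAF_Policy1`) must already exist on the BIG-IP; the Policy CR only references them.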
Hey MichaelOLeary, I will test it with APM access, as I have enough resources just for F5 ASM/AWAF at the moment, but I did test it with waf and it worked.
If I see issues I will open a case under git. Just to ask if APM/Access api-protection profile can be applied the same way?
Another interesting question is whether there is an F5 AS3 declaration called "policy", as I think the CIS CRD should match 1 to 1 with AS3 declarations in the backend, but I could not find it.
