L7Rule CRD

The L7Rule CRD is used to set properties of L7 virtual services that are not covered by the HostRule CRD. L7Rule is applicable only when AKO is running in EVH mode.
A sample L7Rule CRD is shown below:

  apiVersion: ako.vmware.com/v1alpha2
  kind: L7Rule
  metadata:
    name: my-l7-rule
    namespace: l7rule-ns
  spec:
    allowInvalidClientCert: true
    closeClientConnOnConfigUpdate: false
    ignPoolNetReach: false
    removeListeningPortOnVsDown: false
    sslSessCacheAvgSize: 1024
    botPolicyRef: bot
    hostNameXlate: host.com
    minPoolsUp: 2
    performanceLimits:
      maxConcurrentConnections: 2000
      maxThroughput: 3000
    securityPolicyRef: secPolicy
    trafficCloneProfileRef: tcp

The L7Rule CRD must be created in the same namespace as the HostRule that references it.

Specific Usage of L7Rule CRD

The L7Rule CRD sets selected default properties of an L7 virtual service. The Parameters section below describes each field of the L7Rule CRD and the rules for using it.

Parameters

Each entry gives the parameter name, its default value in parentheses, and its description.

allowInvalidClientCert (default: false)
  Process the request even if the client presents an invalid certificate. Enabling this bypasses client-certificate validation on the virtual service.

closeClientConnOnConfigUpdate (default: false)
  Close client connections when the virtual service configuration is updated.

ignPoolNetReach (default: false)
  Ignore the pool servers' network reachability constraints when placing the virtual service.

removeListeningPortOnVsDown (default: false)
  Remove the listening port if the virtual service is down.

sslSessCacheAvgSize (default: 1024)
  Expected number of SSL session cache entries; the actual number may exceed this value. Allowed values are 1024-16383.

botPolicyRef (default: nil)
  Bot detection policy for the virtual service, a reference to a BotDetectionPolicy object on the Controller. Using a BotDetectionPolicy reference requires at least 552 MB of extra_shared_config_memory configured in the ServiceEngineGroup on the Controller; otherwise virtual service creation fails.

hostNameXlate (default: nil)
  Translate the hostname sent to the servers to this value, and translate the hostname sent back from the servers to the value used by the client. Not applied to child virtual services.

minPoolsUp (default: 0)
  Minimum number of pools that must be UP for the virtual service to be marked up.

performanceLimits.maxConcurrentConnections (default: nil)
  Maximum number of concurrent client connections allowed to the virtual service. Not applied to child virtual services.

performanceLimits.maxThroughput (default: nil)
  Maximum throughput per second, across all clients, allowed through the client side of the virtual service, per SE. Not applied to child virtual services.

securityPolicyRef (default: nil)
  Security policy applied to the traffic of the virtual service, used for security actions such as Distributed Denial of Service (DDoS) attack mitigation. A reference to a SecurityPolicy object. Not applied to child virtual services.

trafficCloneProfileRef (default: nil)
  Server network or list of servers to which traffic is cloned. A reference to a TrafficCloneProfile object.

Attaching L7Rule to HostRule

An L7Rule is attached to a HostRule by naming it in the HostRule specification; the properties of that L7Rule are then applied to the virtual service created for the HostRule. In the HostRule CRD, use l7Rule (under spec.virtualhost) as the key and the name of the L7Rule CRD object as the value. The HostRule below is placed in the same namespace as the sample L7Rule above, as the namespace rule requires.

  apiVersion: ako.vmware.com/v1beta1
  kind: HostRule
  metadata:
    name: my-host-rule
    namespace: l7rule-ns
  spec:
    virtualhost:
      fqdn: test-ingclass.avi.internal
      fqdnType: Exact
      l7Rule: my-l7-rule
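The two rules stated above (the L7Rule must sit in the HostRule's namespace, and the HostRule's l7Rule key must name it) plus the sslSessCacheAvgSize range from the Parameters section can all be checked before kubectl apply. The POSIX shell script below is an added example, not part of the AKO documentation or the AKO project: it lints a constructed L7Rule/HostRule pair, reports the blocking findings as its return value, and warns on allowInvalidClientCert: true because that setting makes the virtual service process requests from clients presenting an invalid certificate. The yaml_get and lint_pair helpers and the awk-based key lookup are assumptions of this example; yaml_get only understands the flat "key: value" layout shown on this page, not general YAML.

```shell
#!/bin/sh
# Pre-apply lint for an AKO L7Rule / HostRule pair (added example, not AKO tooling).
# Assumption: manifests use the flat, two-space-indented "key: value" layout shown
# on this page; yaml_get is a deliberately small awk lookup, not a YAML parser.
set -eu

# Constructed sample manifests (not taken from a live cluster).
L7RULE_YAML='apiVersion: ako.vmware.com/v1alpha2
kind: L7Rule
metadata:
  name: my-l7-rule
  namespace: l7rule-ns
spec:
  allowInvalidClientCert: true
  sslSessCacheAvgSize: 1024
  minPoolsUp: 2
  securityPolicyRef: secPolicy'

# Same rule with two mistakes: wrong namespace and a cache size below the allowed range.
BAD_L7RULE_YAML='apiVersion: ako.vmware.com/v1alpha2
kind: L7Rule
metadata:
  name: my-l7-rule
  namespace: other-ns
spec:
  allowInvalidClientCert: true
  sslSessCacheAvgSize: 512'

HOSTRULE_YAML='apiVersion: ako.vmware.com/v1beta1
kind: HostRule
metadata:
  name: my-host-rule
  namespace: l7rule-ns
spec:
  virtualhost:
    fqdn: test-ingclass.avi.internal
    fqdnType: Exact
    l7Rule: my-l7-rule'

# yaml_get <yaml-text> <key>: print the value of the first "<key>: value" line,
# ignoring indentation (nesting is not tracked). Prints nothing if the key is absent.
yaml_get() {
  printf '%s\n' "$1" | awk -v k="$2" '
    { sub(/^[ \t]+/, "") }
    index($0, k ":") == 1 {
      v = substr($0, length(k) + 2); sub(/^[ \t]+/, "", v); print v; exit
    }'
}

# lint_pair <l7rule-yaml> <hostrule-yaml>: print findings, return the number of errors.
lint_pair() {
  l7="$1"; hr="$2"; errors=0

  # 1. The L7Rule must live in the same namespace as the HostRule that references it.
  l7_ns=$(yaml_get "$l7" namespace); hr_ns=$(yaml_get "$hr" namespace)
  if [ "$l7_ns" != "$hr_ns" ]; then
    echo "ERROR namespace mismatch: L7Rule in '${l7_ns:-<unset>}', HostRule in '${hr_ns:-<unset>}'"
    errors=$((errors + 1))
  fi

  # 2. The HostRule's l7Rule key must name this L7Rule object.
  l7_name=$(yaml_get "$l7" name); ref=$(yaml_get "$hr" l7Rule)
  if [ "$ref" != "$l7_name" ]; then
    echo "ERROR HostRule references l7Rule '$ref' but the L7Rule is named '$l7_name'"
    errors=$((errors + 1))
  fi

  # 3. sslSessCacheAvgSize, when set, must be within 1024-16383.
  cache=$(yaml_get "$l7" sslSessCacheAvgSize)
  case "$cache" in
    '') ;;                                   # not set: the controller default (1024) applies
    *[!0-9]*) echo "ERROR sslSessCacheAvgSize '$cache' is not an integer"
              errors=$((errors + 1)) ;;
    *) if [ "$cache" -lt 1024 ] || [ "$cache" -gt 16383 ]; then
         echo "ERROR sslSessCacheAvgSize $cache is outside 1024-16383"
         errors=$((errors + 1))
       fi ;;
  esac

  # 4. Security-relevant weakening: warn but do not block.
  if [ "$(yaml_get "$l7" allowInvalidClientCert)" = "true" ]; then
    echo "WARN allowInvalidClientCert: true - requests with an invalid client certificate are still processed"
  fi
  return "$errors"
}

# Usage: lint both pairs; a non-zero return is the number of blocking findings.
lint_pair "$L7RULE_YAML" "$HOSTRULE_YAML" || echo "$? error(s)"
lint_pair "$BAD_L7RULE_YAML" "$HOSTRULE_YAML" || echo "$? error(s)"
```

In a real pipeline the same checks belong in a proper YAML tool or in kubectl against the live objects; the point is that the namespace and name rules are verifiable before admission, whereas the existence of botPolicyRef, securityPolicyRef and the other Controller-side references can only be confirmed from the L7Rule's status once AKO has processed it.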

Status Messages

The status messages give instantaneous feedback about the reference objects specified in the L7Rule CRD.
Following are a few sample status messages:

Accepted L7Rule object

  $ kubectl get l7rule
  NAME         STATUS     AGE
  my-l7-rule   Accepted   3d5s

An L7Rule is accepted when all the reference objects specified inside it exist in the Avi Load Balancer Controller.

Rejected L7Rule object

  $ kubectl get l7rule
  NAME             STATUS     AGE
  my-l7-rule-alt   Rejected   2d23h

The status provides the detailed reason for rejection, as shown below:

  status:
    error: botPolicyRef "My-L7-Application" not found on controller
    status: Rejected

Caveats

L7Rule deletion
If an L7Rule is deleted, the corresponding fields of the L7 virtual services in the Avi Load Balancer Controller are reset to their default values.

HostRule deletion
If a HostRule referencing an L7Rule is deleted, the corresponding fields of the L7 virtual services in the Avi Load Balancer Controller are reset to their default values.

L7Rule admission
An L7Rule CRD is admitted only if all the objects it references exist in the Avi Load Balancer Controller. If those referenced objects are deleted out-of-band after admission, AKO does not re-validate the associated HostRule CRD objects, so an Accepted status does not guarantee that the referenced objects still exist. The user must manually edit or delete the object for new changes to take effect.