cisbotctlr
commented
4 years ago cisbot will assign the issue to one of the devs. @devs, use /jira for internal tracking.
Closed kylinsoong closed 4 years ago
cisbotctlr
commented
4 years ago cisbot will assign the issue to one of the devs. @devs, use /jira for internal tracking.
agupta49
commented
4 years ago @kylinsoong Please make sure, if you want virtual servers to reference a SNAT pool, it exists in the /Common partition on the BIG-IP device.
mdditt2000
commented
4 years ago thanks @agupta49 another option is use a AS3 override to provide the correct snat pool for that virtual. I think global CIS based policies aren't the best way to accomplish this.
kylinsoong
commented
4 years ago @agupta49 , the snat pool exist in /Common.
agupta49
commented
4 years ago @kylinsoong Thanks for the update. As @mdditt2000 suggested you can use CIS Override feature to update snat pool for particular VS. Doc link to use override: https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-as3-override.html Example: Update snat pool using override configmap: https://github.com/agupta49/examples/blob/master/override/SNAT.yaml
mdditt2000
commented
4 years ago @kylinsoong did you try using the AS3 override to handle the SNAT
"snat": {
"bigip": "/Common/SNAT_Pool_MP"
},You can simple reference a SNATPOOL from /Common. This is a better approach than using "--vs-snat-pool-name=SNAT_Pool_MP",
mdditt2000
commented
4 years ago Closing this issue out
Setup Details
CIS Version : 2.X
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP x.x.x
AS3 Version: 3.x
Agent Mode: AS3/CCCL
Orchestration: K8S/OSCP
Orchestration Version:
Pool Mode: Cluster/Nodeport
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>
Description
If config
--vs-snat-pool-name, the controller will configure each virtual server to reference the sname pool with this name, but it doesn't,Once use the below args
No snat pool
SNAT_Pool_MPreference with VS.