您可以使用以下示例 user-spec.yaml 作为参考。
对于 NCP 3.0.1:
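# Sample user-spec.yaml for NCP 3.0.1.
# NOTE(review): the nesting below was restored from a listing whose line
# breaks and indentation were lost; confirm it against the vendor's original
# user-spec.yaml before use. Resource names are sample values.
SharedResources:
  # IMPORTANT: If there are multiple resources with the same
  # display_name, please make the display_names unique before
  # initiating the import
  IpPool:
    resources:
      # Specify the resources to import here with their UUID or
      # display_name
      k8s-snat-pool:
        # Duplicate MP to Policy imports allowed for ip-allocations
        # ip-allocations:
        #   - key: "172.24.4.4"
        #     value: "ip-alloc-1"
      k8s-lb-pool:
  IpBlock:
    resources:
      k8s-container-block:
  IpSet:
    resources:
      vs-ipset-1:
  Tier0Router:
    resources:
      node-t0:
  Tier1Router:
    resources:
      # NOTE: If a Tier1 router is a top-tier router, it should not be imported
      # as a shared resource
      node-lr:
        is-any-cluster-top-tier: False  # required attribute
  Tier1RouterPortsAndStaticRoutes:
    resources:
      # NOTE: If a Tier1 router is a top-tier router for any cluster,
      # it should not be imported as a shared resource
      node-lr:
        is-any-cluster-top-tier: False  # required attribute
        # static_routes_import_info:
        #   - key: "a4b04674-feb9-4418-8d5f-ac8bca4665eb"
        #     value: st-r-1
        # router_ports_import_info:
        #   - key: "s2f24456-feb9-4418-8d5f-ar8aqa4665vf"
        #     value: rp-1
  NsGroup:
    # resources:
    #   test-ns-group:
    #     domain: my-domain
  # NOTE(review): key spelling ("Spoofgurad") is kept exactly as in the
  # sample; check what the import tool expects before correcting it.
  SpoofguradProfile:
    resources:
      nsx-default-spoof-guard-vif-profile:
  NodeLogicalSwitch:
    resources:
      node-ls:
  FirewallSectionsAndRules:
    resources:
      # Make sure to write the DFW Section and Rules in the order
      # in which they should be imported. Otherwise there might be a
      # moment in which the section that is present at lower priority
      # is imported before section that is present above it making the
      # traffic flow inconsistent. The best way to do it is to mention
      # the Sections and Rules with increasing |priority| number. Note
      # that lower priority numbers are present at the top in the Section
      # and Rules order in NSX
      # NOTE(review): after the import, compare the resulting Policy
      # section/rule order with the original DFW order before relying on it.
      fw-section-1:
        section_info:
          # category is a Security Policy attribute
          category: "Application"
          # You can specify either priority or bool is_top_section.
          # If is_top_section is True, priority is auto-assigned to 5
          # If is_top_section is False, priority is auto-assigned to 95
          # If is_top_section and priority are specified, priority is used
          # If both are not specified, error is thrown
          is_top_section: True
          # priority: 1
          # domain is a Security Policy attribute
          domain: "my-domain"
        rules_info:
          - name: "rule-name"  # name or id must be specified
            # optional. If not specified, FW Rule priority will be
            # used as sequence number of Policy Rule
            priority: 1
          - id: 'rule-id'  # name or id must be specified
  Certificate:
    resources:
      my-cert:
k8s-clusters:
  k8scluster:
    # top-tier-router-id (MP) is required for each cluster
    # NOTE(review): null looks like a placeholder in this sample, since the
    # field is described as required; supply the real MP ID.
    top-tier-router-id: null
    # top-tier-router-type is required for each cluster
    # choices: TIER0 or TIER1
    top-tier-router-type: TIER0
    # lb-service-mp-id is the same as lb_service in ncp.ini config file
    lb-service-mp-id: null  # optional
    # NamespaceResources:
    #   Tier1Router:
    #     custom_resources:
    #       6d93a932-87ea-42de-a30c-b39f397322b0:
  k8scluster-2:
    # top-tier-router-id (MP) is required for each cluster
    top-tier-router-id: null
    top-tier-router-type: TIER1
    # Provide custom resources as follow:
    NamespaceResources:
      Tier1Router:
        custom_resources:
          # Custom resources are specified only with MP ID
          6d93a932-87ea-42de-a30c-b39f397322b0:
            metadata:
              # It should be a list
              - key: 'metadata-key'
                value: 'metadata-value'
            linked_ids:
              # It should be a list
              - key: 'linked_id-key'
                value: 'linked_id-value'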
对于 NCP 3.0.2:
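# Sample user-spec.yaml for NCP 3.0.2.
# NOTE(review): the nesting below was restored from a listing whose line
# breaks and indentation were lost; confirm it against the vendor's original
# user-spec.yaml before use. Resource names are sample values.
SharedResources:
  # IMPORTANT: If there are multiple resources with the same
  # display_name, please make the display_names unique before
  # initiating the import
  IpPool:
    resources:
      # Specify the resources to import here with their UUID or
      # display_name
      k8s-snat-pool:
        # Duplicate MP to Policy imports allowed for ip-allocations
        # ip-allocations:
        #   - key: "172.24.4.4"
        #     value: "ip-alloc-1"
      k8s-lb-pool:
  IpBlock:
    resources:
      k8s-container-block:
  IpSet:
    resources:
      vs-ipset-1:
  Tier0Router:
    resources:
      node-t0:
  Tier1Router:
    resources:
      # NOTE: If a Tier1 router is a top-tier router, it should not be imported
      # as a shared resource
      node-lr:
        is-any-cluster-top-tier: False  # required attribute
  Tier1RouterPortsAndStaticRoutes:
    resources:
      # NOTE: If a Tier1 router is a top-tier router for any cluster,
      # it should not be imported as a shared resource
      node-lr:
        is-any-cluster-top-tier: False  # required attribute
        # static_routes_import_info:
        #   - key: "a4b04674-feb9-4418-8d5f-ac8bca4665eb"
        #     value: st-r-1
        # router_ports_import_info:
        #   - key: "s2f24456-feb9-4418-8d5f-ar8aqa4665vf"
        #     value: rp-1
  NsGroup:
    # resources:
    #   test-ns-group:
    #     domain: my-domain
  # NOTE(review): key spelling ("Spoofgurad") is kept exactly as in the
  # sample; check what the import tool expects before correcting it.
  SpoofguradProfile:
    resources:
      nsx-default-spoof-guard-vif-profile:
  NodeLogicalSwitch:
    resources:
      node-ls:
  FirewallSectionsAndRules:
    resources:
      # Make sure to write the DFW Section and Rules in the order
      # in which they should be imported. Otherwise there might be a
      # moment in which the section that is present at lower priority
      # is imported before section that is present above it making the
      # traffic flow inconsistent. The best way to do it is to mention
      # the Sections and Rules with increasing |priority| number. Note
      # that lower priority numbers are present at the top in the Section
      # and Rules order in NSX
      # NOTE(review): after the import, compare the resulting Policy
      # section/rule order with the original DFW order before relying on it.
      fw-section-1:
        section_info:
          # category is a Security Policy attribute
          category: "Application"
          # You can specify either priority or bool is_top_section.
          # If is_top_section is True, priority is auto-assigned to 5
          # If is_top_section is False, priority is auto-assigned to 95
          # If is_top_section and priority are specified, priority is used
          # If both are not specified, error is thrown
          is_top_section: True
          # priority: 1
          # domain is a Security Policy attribute
          domain: "my-domain"
        rules_info:
          - name: "rule-name"  # name or id must be specified
            # optional. If not specified, FW Rule priority will be
            # used as sequence number of Policy Rule
            priority: 1
          - id: 'rule-id'  # name or id must be specified
  Certificate:
    resources:
      my-cert:
k8s-clusters:
  k8scluster:
    # top-tier-router-id (MP) is required for each cluster
    # NOTE(review): null looks like a placeholder in this sample, since the
    # field is described as required; supply the real MP ID.
    top-tier-router-id: null
    # top-tier-router-type is required for each cluster
    # choices: TIER0 or TIER1
    top-tier-router-type: TIER0
    # lb-service-mp-id is the same as lb_service in ncp.ini config file
    lb-service-mp-id: null  # optional
    external-ip-pools-lb-mp-id: []  # required. leave empty, [], if not used
    external-ip-pools-mp-id: []  # required. leave empty, [], if not used
    http-and-https-ingress-ip: null
    # NamespaceResources:
    #   Tier1Router:
    #     custom_resources:
    #       6d93a932-87ea-42de-a30c-b39f397322b0:
  k8scluster-2:
    # top-tier-router-id (MP) is required for each cluster
    top-tier-router-id: null
    top-tier-router-type: TIER1
    # lb-service-mp-id is the same as lb_service in ncp.ini config file
    lb-service-mp-id: null  # optional
    external-ip-pools-lb-mp-id: []  # required. leave empty, [], if not used
    external-ip-pools-mp-id: []  # required. leave empty, [], if not used
    http-and-https-ingress-ip: null
    # Provide custom resources as follow:
    NamespaceResources:
      Tier1Router:
        custom_resources:
          # Custom resources are specified only with MP ID
          6d93a932-87ea-42de-a30c-b39f397322b0:
            metadata:
              # It should be a list
              - key: 'metadata-key'
                value: 'metadata-value'
            linked_ids:
              # It should be a list
              - key: 'linked_id-key'
                value: 'linked_id-value'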