The NCP YAML file includes the nsx-ncp-config ConfigMap. You can update the options for your environment. Below is the nsx-ncp-config ConfigMap from ncp-ubuntu-policy.yaml for NCP 3.2.1.
apiVersion: v1
kind: ConfigMap
metadata:
name: nsx-ncp-config
namespace: nsx-system
labels:
version: v1
data:
ncp.ini: |
[DEFAULT]
# If set to true, the logging level will be set to DEBUG instead of the
# default INFO level.
#debug = False
# If set to true, use syslog for logging.
#use_syslog = False
# The base directory used for relative log_file paths.
#log_dir = <None>
# Name of log file to send logging output to.
#log_file = <None>
# max MB for each compressed file. Defaults to 100 MB.
#log_rotation_file_max_mb = 100
# max MB for each compressed file for API logs.Defaults to 10 MB.
#api_log_rotation_file_max_mb = 10
# Total number of compressed backup files to store. Defaults to 5.
#log_rotation_backup_count = 5
# Total number of compressed backup files to store API logs. Defaults to 5.
#api_log_rotation_backup_count = 5
# Log level for the root logger. If debug=True, the default root logger
# level will be DEBUG regardless of the value of this option. If this
# option is unset, the default root logger level will be either DEBUG or
# INFO according to the debug option value
# Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL
#loglevel = <None>
[coe]
# Container orchestrator adaptor to plug in.
#adaptor = kubernetes
# Specify cluster for adaptor.
#cluster = k8scluster
# Log level for NCP modules (controllers, services, etc.). Ignored if debug
# is True
# Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL
#loglevel = <None>
# Log level for NSX API client operations. Ignored if debug is True
# Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL
#nsxlib_loglevel = <None>
# Enable SNAT for all projects in this cluster. Modification of topologies
# for existing Namespaces is not supported if this option is reset.
#enable_snat = True
# The time in seconds for NCP/nsx_node_agent to recover the connection to
# NSX manager/container orchestrator adaptor/Hyperbus before exiting. If
# the value is 0, NCP/nsx_node_agent won't exit automatically when the
# connection check fails
#connect_retry_timeout = 0
# Enable system health status report for SHA
#enable_sha = True
[ha]
# Time duration in seconds of mastership timeout. NCP instance will remain
# master for this duration after elected. Note that the heartbeat period
# plus the update timeout must not be greater than this period. This is
# done to ensure that the master instance will either confirm liveness or
# fail before the timeout.
#master_timeout = 18
# Time in seconds between heartbeats for elected leader. Once an NCP
# instance is elected master, it will periodically confirm liveness based
# on this value.
#heartbeat_period = 6
# Timeout duration in seconds for update to election resource. The default
# value is calculated by subtracting heartbeat period from master timeout.
# If the update request does not complete before the timeout it will be
# aborted. Used for master heartbeats to ensure that the update finishes or
# is aborted before the master timeout occurs.
#update_timeout = <None>
[k8s]
# Kubernetes API server IP address.
#apiserver_host_ip = <None>
# Kubernetes API server port.
#apiserver_host_port = <None>
# Full path of the Token file to use for authenticating with the k8s API
# server.
client_token_file = /var/run/secrets/kubernetes.io/serviceaccount/token
# Specify a CA bundle file to use in verifying the k8s API server
# certificate.
ca_file = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Specify whether ingress controllers are expected to be deployed in
# hostnework mode or as regular pods externally accessed via NAT
# Choices: hostnetwork nat
#ingress_mode = hostnetwork
# Log level for the kubernetes adaptor. Ignored if debug is True
# Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL
#loglevel = <None>
# Specifying whether the TCP connections between the LoadBalancer service
# and backend could be reused by multiple client requests.
#lb_connection_multiplexing_enabled = False
# Specifying the maximum number of multiplexing connections.
#lb_connection_multiplexing_number = 6
# User specified IP address for HTTP and HTTPS ingresses
#http_and_https_ingress_ip = <None>
# Set this option to configure the ability to allow a virtual IP that is
# not in the range of external_ip_pools_lb specified in spec.loadBalancerIP
# of K8s service of type LoadBalancer to be realized in NSX.When the value
# is relaxed, any IP specified in spec.loadBalancerIP can be allowed. When
# the value is strict, only IP within the range of external_ip_pools_lb
# will be allowed.
# Choices: relaxed strict
#lb_ip_allocation = relaxed
# Set this to True to enable NCP to create LoadBalancer on a Tier-1 for
# LoadBalancer CRD. This option does not support LB autoscaling.
#enable_lb_crd = False
# Option to set the type of baseline cluster policy. ALLOW_CLUSTER creates
# an explicit baseline policy to allow any pod to communicate any other pod
# within the cluster. ALLOW_NAMESPACE creates an explicit baseline policy
# to allow pods within the same namespace to communicate with each other.
# ALLOW_NAMESPACE_STRICT inherits the behaviors of ALLOW_NAMESPACE, and
# also restricts service talk to resources outside the cluster. By default,
# no baseline rule will be created and the cluster will assume the default
# behavior as specified by the backend.
# Choices: <None> allow_cluster allow_namespace allow_namespace_strict
#baseline_policy_type = <None>
# Set this to True to enable NCP reporting NSX backend error to k8s object
# using k8s event
#enable_ncp_event = False
# Set this to True to enable multus to create multiple interfaces for one
# pod. Requires policy_nsxapi set to True to take effect. If passthrough
# interface is used as additional interface, user should deploy the network
# device plugin to provide device allocation information for NCP. Pod
# annotations with prefix "k8s.v1.cni.cncf.io" cannot be modified once pod
# is realized. User defined IP will not be allocated from the Segment
# IPPool. The "gateway" in NetworkAttachmentDefinition is not used to
# configure secondary interfaces, as the default gateway of Pod is
# configured by the primary CNI on the main network interface. User must
# define IP and/or MAC if no "ipam" is configured. Only available if node
# type is HOSTVM and not to be leveraged in conjunction with 3rd party CNI
# plugin
#enable_multus = False
# Set this to True to enable NSX restore support (only effective in NSX
# Policy API mode).
#enable_restore = False
# nsx-node-agent will add iptables rules for K8s pod which has hostPort,
# client packets to hostPort will be SNATed to node IP. We leverage portmap
# plugin to add iptables DNAT rules for hostPort ingress traffic. This
# hostPort feature is only supported on K8s Linux node.
#enable_hostport_snat = False
# If true, pod ip of statefulset will locate in the ip_range in annotation
# of statefulset. It only works for policy mode.
#statefulset_ip_range = False
# If true, user can set ncp/subnets annotation on namespace to specify the
# subnets for no-snat namespace. It only works for policy mode.
#enable_namespace_subnets = False
# If true, NCP will collect prometheus metrics and export the metrics
# through the prometheus_metrics_port.On VMC metric monitoring will always
# be enabled regardless of this option.
#enable_prometheus_metrics = False
# The port number for NCP to expose prometheus metrics.
#prometheus_metrics_port = 8001
[nsx_v3]
# Set NSX API adaptor to NSX Policy API adaptor. If unset, NSX adaptor will
# be set to the NSX Manager based adaptor. If unset or False, the NSX
# resource ID in other options can be resource name or UUID
#policy_nsxapi = False
# Path to NSX client certificate file. If specified, the nsx_api_user and
# nsx_api_password options will be ignored. Must be specified along with
# nsx_api_private_key_file option
#nsx_api_cert_file = <None>
# Path to NSX client private key file. If specified, the nsx_api_user and
# nsx_api_password options will be ignored. Must be specified along with
# nsx_api_cert_file option
#nsx_api_private_key_file = <None>
# IP address of one or more NSX managers separated by commas. The IP
# address should be of the form:
# [<scheme>://]<ip_adress>[:<port>]
# If scheme is not provided https is used. If port is not provided port 80
# is used for http and port 443 for https.
#nsx_api_managers = []
# If True, skip fatal errors when no endpoint in the NSX management cluster
# is available to serve a request, and retry the request instead
#cluster_unavailable_retry = False
# Maximum number of times to retry API requests upon stale revision errors.
#retries = 10
# Specify one or a list of CA bundle files to use in verifying the NSX
# Manager server certificate. This option is ignored if "insecure" is set
# to True. If "insecure" is set to False and "ca_file" is unset, the
# "thumbprint" will be used. If "thumbprint" is unset, the system root CAs
# will be used to verify the server certificate.
#ca_file = []
# Specify one or a list of thumbprint strings to use in verifying the NSX
# Manager server certificate. This option is ignored if "insecure" is set
# to True or "ca_file" is defined.
#thumbprint = []
# The time in seconds before aborting a HTTP connection to a NSX manager.
#http_timeout = 10
# The time in seconds before aborting a HTTP read response from a NSX
# manager.
#http_read_timeout = 180
# Maximum number of times to retry a HTTP connection.
#http_retries = 3
# Maximum concurrent connections to all NSX managers. If multiple NSX
# managers are configured, connections will be spread evenly across all
# managers, rounded down to the nearest integer. Each NSX manager will have
# at least 1 connection. This value should be a multiple of
# [nsx_v3]nsx_api_managers length.
#concurrent_connections = 10
# The amount of time in seconds to wait before ensuring connectivity to the
# NSX manager if no manager connection has been used.
#conn_idle_timeout = 10
# Number of times a HTTP redirect should be followed.
#redirects = 2
# Subnet prefix of IP block.
#subnet_prefix = 24
# Subnet prefix for v6 IP blocks
#v6_subnet_prefix = 64
# Indicates whether distributed firewall DENY rules are logged.
#log_dropped_traffic = False
# Indicates whether distributed firewall rules are logged. Option 'ALL'
# will enable logging for all DFW rules (both DENY and ALLOW), and option
# 'DENY' will enable logging only for DENY rules. Remove this config if no
# logging is desired. When IPv6 is enabled this setting will not apply to
# rules for allowing ND traffic.
# Choices: ALL DENY <None>
#log_firewall_traffic = <None>
# Option to use native load balancer or not
#use_native_loadbalancer = True
# Option to auto scale layer 4 load balancer or not. If set to True, NCP
# will create additional LB when necessary upon K8s Service of type LB
# creation/update.
#l4_lb_auto_scaling = True
# Path to the default certificate file for HTTPS load balancing. Must be
# specified along with lb_priv_key_path option
#lb_default_cert_path = <None>
# Path to the private key file for default certificate for HTTPS load
# balancing. Must be specified along with lb_default_cert_path option
#lb_priv_key_path = <None>
# Option to set load balancing algorithm in load balancer pool object.
# Choices: ROUND_ROBIN LEAST_CONNECTION IP_HASH WEIGHTED_ROUND_ROBIN
#pool_algorithm = ROUND_ROBIN
# Option to set load balancer service size. MEDIUM Edge VM (4 vCPU, 8GB)
# only supports SMALL LB. LARGE Edge VM (8 vCPU, 16GB) only supports MEDIUM
# and SMALL LB. Bare Metal Edge (IvyBridge, 2 socket, 128GB) supports
# LARGE, MEDIUM and SMALL LB
# Choices: SMALL MEDIUM LARGE
#service_size = SMALL
# Option to set load balancer persistence option. If cookie is selected,
# cookie persistence will be offered.If source_ip is selected, source IP
# persistence will be offered for ingress traffic through L7 load balancer
# Choices: <None> cookie source_ip
#l7_persistence = <None>
# An integer for LoadBalancer side timeout value in seconds on layer 7
# persistence profile, if the profile exists.
#l7_persistence_timeout = 10800
# Option to set load balancer persistence option. If source_ip is selected,
# source IP persistence will be offered for ingress traffic through L4 load
# balancer
# Choices: <None> source_ip
#l4_persistence = <None>
# Name or ID of the container ip blocks that will be used for creating
# subnets. If name, it must be unique. If policy_nsxapi is enabled, it also
# support automatically creating the IP blocks. The definition is a comma
# separated list: CIDR,CIDR,... Mixing different formats (e.g. UUID,CIDR)
# is not supported.
#container_ip_blocks = []
# Resource ID of the container ip blocks that will be used for creating
# subnets for no-SNAT projects. If specified, no-SNAT projects will use
# these ip blocks ONLY. Otherwise they will use container_ip_blocks
#no_snat_ip_blocks = []
# Name or ID of the external ip pools that will be used for allocating IP
# addresses which will be used for translating container IPs via SNAT
# rules. If policy_nsxapi is enabled, it also support automatically
# creating the ip pools. The definition is a comma separated list:
# CIDR,IP_1-IP_2,... Mixing different formats (e.g. UUID, CIDR&IP_Range) is
# not supported.
#external_ip_pools = []
# Name or ID of the top-tier router for the container cluster network,
# which could be either tier0 or tier1. If policy_nsxapi is enabled, should
# be ID of a tier0/tier1 gateway.
#top_tier_router = <None>
# Option to use single-tier router for the container cluster network
#single_tier_topology = False
# Resource ID of the external ip pools that will be used only for
# allocating IP addresses for Ingress controller and LB service. If
# policy_nsxapi is enabled, it also supports automatically creating the ip
# pools. The definition is a comma separated list: CIDR,IP_1-IP_2,...
# Mixing different formats (e.g. UUID, CIDR&IP_Range) is not supported.
#external_ip_pools_lb = []
# Name or ID of the NSX overlay transport zone that will be used for
# creating logical switches for container networking. It must refer to an
# already existing resource on NSX and every transport node where VMs
# hosting containers are deployed must be enabled on this transport zone
#overlay_tz = <None>
# Resource ID of the lb service that can be attached by virtual servers
#lb_service = <None>
# Resource ID of the IPSet containing the IPs of all the virtual servers
#lb_vs_ip_set = <None>
# Enable X_forward_for for ingress. Available values are INSERT or REPLACE.
# When this config is set, if x_forwarded_for is missing, LB will add
# x_forwarded_for in the request header with value client ip. When
# x_forwarded_for is present and its set to REPLACE, LB will replace
# x_forwarded_for in the header to client_ip. When x_forwarded_for is
# present and its set to INSERT, LB will append client_ip to
# x_forwarded_for in the header. If not wanting to use x_forwarded_for,
# remove this config
# Choices: <None> INSERT REPLACE
#x_forwarded_for = <None>
# Resource ID of the firewall section that will be used to create firewall
# sections below this mark section
#top_firewall_section_marker = <None>
# Resource ID of the firewall section that will be used to create firewall
# sections above this mark section
#bottom_firewall_section_marker = <None>
# If this value is not empty, NCP will append it to nameserver list
#dns_servers = []
# Set this to True to enable NCP to report errors through NSXError CRD.
#enable_nsx_err_crd = False
# Maximum number of virtual servers allowed to create in cluster for
# LoadBalancer type of services.
#max_allowed_virtual_servers = 9223372036854775807
# Edge cluster ID needed when creating Tier1 router for loadbalancer
# service. Information could be retrieved from Tier0 router
#edge_cluster = <None>
# Maximum size of the buffer used to store HTTP request headers for L7
# virtual servers in cluster. A request with header larger than this value
# will be processed as best effort whereas a request with header below this
# value is guaranteed to be processed.
#lb_http_request_header_size = 1024
# Maximum size of the buffer used to store HTTP response headers for all L7
# virtual servers in cluster. A response with header larger than this value
# will be dropped.
#lb_http_response_header_size = 4096
# Maximum server idle time in seconds for L7 virtual servers in cluster. If
# backend server does not send any packet within this time, the connection
# is closed.
#lb_http_response_timeout = 60
# Determines the behavior when a Tier-1 instance restarts after a failure.
# If set to PREEMPTIVE, the preferred node will take over, even if it
# causes another failure. If set to NON_PREEMPTIVE, then the instance that
# restarted will remain secondary. Applicable to Tier-1 across cluster that
# was created by NCP and has edge cluster configured.
# Choices: PREEMPTIVE NON_PREEMPTIVE
#failover_mode = NON_PREEMPTIVE
# Set this to ACTIVATE to enable NCP enforced pool member limit for all
# load balancer servers in cluster. Set this to CRD_LB_ONLY will only
# enforce the limit for load balancer servers created using lb CRD. Set
# this to DEACTIVATE to turn off all limit checks. This option requires
# relax_scale_validation set to True, l4_lb_auto_scaling set to False, and
# works on Policy API only. When activated, NCP will enforce a pool member
# limit on LBS to prevent one LBS from using up all resources on edge
# nodes.
# Choices: DEACTIVATE ACTIVATE CRD_LB_ONLY
#ncp_enforced_pool_member_limit = DEACTIVATE
# Maximum number of pool member allowed for each small load balancer
# service. Requires ncp_enforced_pool_member_limit set to ACTIVATE or
# CRD_LB_ONLY to take effect.
#members_per_small_lbs = 2000
# Maximum number of pool member allowed for each medium load balancer
# service. Requires ncp_enforced_pool_member_limit set to ACTIVATE or
# CRD_LB_ONLY to take effect.
#members_per_medium_lbs = 2000
# Resource ID of the client SSL profile which will be used by Loadbalancer
# while participating in TLS handshake with the client
#client_ssl_profile = <None>
# Set this to True to enable rule tag as cluster name in DFW logs for k8s.
# When IPv6 is enabled, the tag will not be applied to rules created by NCP
# for allowing ND traffic.
#enable_rule_tag = True
# Set this to enable logging for snat rule, supported choices are : None,
# Basic and Extended.none for no logging, basic for logging for
# namespacesnat rules, extended for logging for snat rules for
# allnamespaces and services
# Choices: none basic extended
#snat_rule_logging = none
# Log properties of virtual server for ingress/routeIt maps to two
# parameters access_log_enabled andlog_significant_event_only of virtual
# server.It decides whether to log and what events to recordby virtual
# server.
# Choices: none all significant
#vs_access_log = none
# The time in seconds before a released IP can be reallocated. This value
# is used to determine if a previously exhuasted logical switch can be used
# again for creating a new logical port
#ip_reallocation_time = 60
# Specify a custom cookie name for NSX default LB when l7_persistence type
# is set to cookie. It has no effect if l7_persistence is not set.
#cookie_name = <None>
# This parameter indicate how firewall is applied to a traffic packet.
# Firewall can be bypassed, or be applied to external/internal address of
# NAT rule
# Choices: MATCH_EXTERNAL_ADDRESS MATCH_INTERNAL_ADDRESS BYPASS
#natfirewallmatch = MATCH_INTERNAL_ADDRESS
[vc]
#[nsx_v3]
# Deprecated option: tier0_router
# Replaced by [nsx_v3] top_tier_router
# Deprecated option: deny_subnets_redistribution
# Replaced by [nsx_v3] configure_t0_redistribution
