The NCP YAML file includes the nsx-ncp-config ConfigMap. You can update the options for your environment. Below is the nsx-ncp-config ConfigMap from ncp-ubuntu-policy.yaml for NCP 3.2.1.
apiVersion: v1 kind: ConfigMap metadata: name: nsx-ncp-config namespace: nsx-system labels: version: v1 data: ncp.ini: | [DEFAULT] # If set to true, the logging level will be set to DEBUG instead of the # default INFO level. #debug = False # If set to true, use syslog for logging. #use_syslog = False # The base directory used for relative log_file paths. #log_dir = <None> # Name of log file to send logging output to. #log_file = <None> # max MB for each compressed file. Defaults to 100 MB. #log_rotation_file_max_mb = 100 # max MB for each compressed file for API logs.Defaults to 10 MB. #api_log_rotation_file_max_mb = 10 # Total number of compressed backup files to store. Defaults to 5. #log_rotation_backup_count = 5 # Total number of compressed backup files to store API logs. Defaults to 5. #api_log_rotation_backup_count = 5 # Log level for the root logger. If debug=True, the default root logger # level will be DEBUG regardless of the value of this option. If this # option is unset, the default root logger level will be either DEBUG or # INFO according to the debug option value # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL #loglevel = <None> [coe] # Container orchestrator adaptor to plug in. #adaptor = kubernetes # Specify cluster for adaptor. #cluster = k8scluster # Log level for NCP modules (controllers, services, etc.). Ignored if debug # is True # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL #loglevel = <None> # Log level for NSX API client operations. Ignored if debug is True # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL #nsxlib_loglevel = <None> # Enable SNAT for all projects in this cluster. Modification of topologies # for existing Namespaces is not supported if this option is reset. #enable_snat = True # The time in seconds for NCP/nsx_node_agent to recover the connection to # NSX manager/container orchestrator adaptor/Hyperbus before exiting. If # the value is 0, NCP/nsx_node_agent won't exit automatically when the # connection check fails #connect_retry_timeout = 0 # Enable system health status report for SHA #enable_sha = True [ha] # Time duration in seconds of mastership timeout. NCP instance will remain # master for this duration after elected. Note that the heartbeat period # plus the update timeout must not be greater than this period. This is # done to ensure that the master instance will either confirm liveness or # fail before the timeout. #master_timeout = 18 # Time in seconds between heartbeats for elected leader. Once an NCP # instance is elected master, it will periodically confirm liveness based # on this value. #heartbeat_period = 6 # Timeout duration in seconds for update to election resource. The default # value is calculated by subtracting heartbeat period from master timeout. # If the update request does not complete before the timeout it will be # aborted. Used for master heartbeats to ensure that the update finishes or # is aborted before the master timeout occurs. #update_timeout = <None> [k8s] # Kubernetes API server IP address. #apiserver_host_ip = <None> # Kubernetes API server port. #apiserver_host_port = <None> # Full path of the Token file to use for authenticating with the k8s API # server. client_token_file = /var/run/secrets/kubernetes.io/serviceaccount/token # Specify a CA bundle file to use in verifying the k8s API server # certificate. ca_file = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt # Specify whether ingress controllers are expected to be deployed in # hostnework mode or as regular pods externally accessed via NAT # Choices: hostnetwork nat #ingress_mode = hostnetwork # Log level for the kubernetes adaptor. Ignored if debug is True # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL #loglevel = <None> # Specifying whether the TCP connections between the LoadBalancer service # and backend could be reused by multiple client requests. #lb_connection_multiplexing_enabled = False # Specifying the maximum number of multiplexing connections. #lb_connection_multiplexing_number = 6 # User specified IP address for HTTP and HTTPS ingresses #http_and_https_ingress_ip = <None> # Set this option to configure the ability to allow a virtual IP that is # not in the range of external_ip_pools_lb specified in spec.loadBalancerIP # of K8s service of type LoadBalancer to be realized in NSX.When the value # is relaxed, any IP specified in spec.loadBalancerIP can be allowed. When # the value is strict, only IP within the range of external_ip_pools_lb # will be allowed. # Choices: relaxed strict #lb_ip_allocation = relaxed # Set this to True to enable NCP to create LoadBalancer on a Tier-1 for # LoadBalancer CRD. This option does not support LB autoscaling. #enable_lb_crd = False # Option to set the type of baseline cluster policy. ALLOW_CLUSTER creates # an explicit baseline policy to allow any pod to communicate any other pod # within the cluster. ALLOW_NAMESPACE creates an explicit baseline policy # to allow pods within the same namespace to communicate with each other. # ALLOW_NAMESPACE_STRICT inherits the behaviors of ALLOW_NAMESPACE, and # also restricts service talk to resources outside the cluster. By default, # no baseline rule will be created and the cluster will assume the default # behavior as specified by the backend. # Choices: <None> allow_cluster allow_namespace allow_namespace_strict #baseline_policy_type = <None> # Set this to True to enable NCP reporting NSX backend error to k8s object # using k8s event #enable_ncp_event = False # Set this to True to enable multus to create multiple interfaces for one # pod. Requires policy_nsxapi set to True to take effect. If passthrough # interface is used as additional interface, user should deploy the network # device plugin to provide device allocation information for NCP. Pod # annotations with prefix "k8s.v1.cni.cncf.io" cannot be modified once pod # is realized. User defined IP will not be allocated from the Segment # IPPool. The "gateway" in NetworkAttachmentDefinition is not used to # configure secondary interfaces, as the default gateway of Pod is # configured by the primary CNI on the main network interface. User must # define IP and/or MAC if no "ipam" is configured. Only available if node # type is HOSTVM and not to be leveraged in conjunction with 3rd party CNI # plugin #enable_multus = False # Set this to True to enable NSX restore support (only effective in NSX # Policy API mode). #enable_restore = False # nsx-node-agent will add iptables rules for K8s pod which has hostPort, # client packets to hostPort will be SNATed to node IP. We leverage portmap # plugin to add iptables DNAT rules for hostPort ingress traffic. This # hostPort feature is only supported on K8s Linux node. #enable_hostport_snat = False # If true, pod ip of statefulset will locate in the ip_range in annotation # of statefulset. It only works for policy mode. #statefulset_ip_range = False # If true, user can set ncp/subnets annotation on namespace to specify the # subnets for no-snat namespace. It only works for policy mode. #enable_namespace_subnets = False # If true, NCP will collect prometheus metrics and export the metrics # through the prometheus_metrics_port.On VMC metric monitoring will always # be enabled regardless of this option. #enable_prometheus_metrics = False # The port number for NCP to expose prometheus metrics. #prometheus_metrics_port = 8001 [nsx_v3] # Set NSX API adaptor to NSX Policy API adaptor. If unset, NSX adaptor will # be set to the NSX Manager based adaptor. If unset or False, the NSX # resource ID in other options can be resource name or UUID #policy_nsxapi = False # Path to NSX client certificate file. If specified, the nsx_api_user and # nsx_api_password options will be ignored. Must be specified along with # nsx_api_private_key_file option #nsx_api_cert_file = <None> # Path to NSX client private key file. If specified, the nsx_api_user and # nsx_api_password options will be ignored. Must be specified along with # nsx_api_cert_file option #nsx_api_private_key_file = <None> # IP address of one or more NSX managers separated by commas. The IP # address should be of the form: # [<scheme>://]<ip_adress>[:<port>] # If scheme is not provided https is used. If port is not provided port 80 # is used for http and port 443 for https. #nsx_api_managers = [] # If True, skip fatal errors when no endpoint in the NSX management cluster # is available to serve a request, and retry the request instead #cluster_unavailable_retry = False # Maximum number of times to retry API requests upon stale revision errors. #retries = 10 # Specify one or a list of CA bundle files to use in verifying the NSX # Manager server certificate. This option is ignored if "insecure" is set # to True. If "insecure" is set to False and "ca_file" is unset, the # "thumbprint" will be used. If "thumbprint" is unset, the system root CAs # will be used to verify the server certificate. #ca_file = [] # Specify one or a list of thumbprint strings to use in verifying the NSX # Manager server certificate. This option is ignored if "insecure" is set # to True or "ca_file" is defined. #thumbprint = [] # The time in seconds before aborting a HTTP connection to a NSX manager. #http_timeout = 10 # The time in seconds before aborting a HTTP read response from a NSX # manager. #http_read_timeout = 180 # Maximum number of times to retry a HTTP connection. #http_retries = 3 # Maximum concurrent connections to all NSX managers. If multiple NSX # managers are configured, connections will be spread evenly across all # managers, rounded down to the nearest integer. Each NSX manager will have # at least 1 connection. This value should be a multiple of # [nsx_v3]nsx_api_managers length. #concurrent_connections = 10 # The amount of time in seconds to wait before ensuring connectivity to the # NSX manager if no manager connection has been used. #conn_idle_timeout = 10 # Number of times a HTTP redirect should be followed. #redirects = 2 # Subnet prefix of IP block. #subnet_prefix = 24 # Subnet prefix for v6 IP blocks #v6_subnet_prefix = 64 # Indicates whether distributed firewall DENY rules are logged. #log_dropped_traffic = False # Indicates whether distributed firewall rules are logged. Option 'ALL' # will enable logging for all DFW rules (both DENY and ALLOW), and option # 'DENY' will enable logging only for DENY rules. Remove this config if no # logging is desired. When IPv6 is enabled this setting will not apply to # rules for allowing ND traffic. # Choices: ALL DENY <None> #log_firewall_traffic = <None> # Option to use native load balancer or not #use_native_loadbalancer = True # Option to auto scale layer 4 load balancer or not. If set to True, NCP # will create additional LB when necessary upon K8s Service of type LB # creation/update. #l4_lb_auto_scaling = True # Path to the default certificate file for HTTPS load balancing. Must be # specified along with lb_priv_key_path option #lb_default_cert_path = <None> # Path to the private key file for default certificate for HTTPS load # balancing. Must be specified along with lb_default_cert_path option #lb_priv_key_path = <None> # Option to set load balancing algorithm in load balancer pool object. # Choices: ROUND_ROBIN LEAST_CONNECTION IP_HASH WEIGHTED_ROUND_ROBIN #pool_algorithm = ROUND_ROBIN # Option to set load balancer service size. MEDIUM Edge VM (4 vCPU, 8GB) # only supports SMALL LB. LARGE Edge VM (8 vCPU, 16GB) only supports MEDIUM # and SMALL LB. Bare Metal Edge (IvyBridge, 2 socket, 128GB) supports # LARGE, MEDIUM and SMALL LB # Choices: SMALL MEDIUM LARGE #service_size = SMALL # Option to set load balancer persistence option. If cookie is selected, # cookie persistence will be offered.If source_ip is selected, source IP # persistence will be offered for ingress traffic through L7 load balancer # Choices: <None> cookie source_ip #l7_persistence = <None> # An integer for LoadBalancer side timeout value in seconds on layer 7 # persistence profile, if the profile exists. #l7_persistence_timeout = 10800 # Option to set load balancer persistence option. If source_ip is selected, # source IP persistence will be offered for ingress traffic through L4 load # balancer # Choices: <None> source_ip #l4_persistence = <None> # Name or ID of the container ip blocks that will be used for creating # subnets. If name, it must be unique. If policy_nsxapi is enabled, it also # support automatically creating the IP blocks. The definition is a comma # separated list: CIDR,CIDR,... Mixing different formats (e.g. UUID,CIDR) # is not supported. #container_ip_blocks = [] # Resource ID of the container ip blocks that will be used for creating # subnets for no-SNAT projects. If specified, no-SNAT projects will use # these ip blocks ONLY. Otherwise they will use container_ip_blocks #no_snat_ip_blocks = [] # Name or ID of the external ip pools that will be used for allocating IP # addresses which will be used for translating container IPs via SNAT # rules. If policy_nsxapi is enabled, it also support automatically # creating the ip pools. The definition is a comma separated list: # CIDR,IP_1-IP_2,... Mixing different formats (e.g. UUID, CIDR&IP_Range) is # not supported. #external_ip_pools = [] # Name or ID of the top-tier router for the container cluster network, # which could be either tier0 or tier1. If policy_nsxapi is enabled, should # be ID of a tier0/tier1 gateway. #top_tier_router = <None> # Option to use single-tier router for the container cluster network #single_tier_topology = False # Resource ID of the external ip pools that will be used only for # allocating IP addresses for Ingress controller and LB service. If # policy_nsxapi is enabled, it also supports automatically creating the ip # pools. The definition is a comma separated list: CIDR,IP_1-IP_2,... # Mixing different formats (e.g. UUID, CIDR&IP_Range) is not supported. #external_ip_pools_lb = [] # Name or ID of the NSX overlay transport zone that will be used for # creating logical switches for container networking. It must refer to an # already existing resource on NSX and every transport node where VMs # hosting containers are deployed must be enabled on this transport zone #overlay_tz = <None> # Resource ID of the lb service that can be attached by virtual servers #lb_service = <None> # Resource ID of the IPSet containing the IPs of all the virtual servers #lb_vs_ip_set = <None> # Enable X_forward_for for ingress. Available values are INSERT or REPLACE. # When this config is set, if x_forwarded_for is missing, LB will add # x_forwarded_for in the request header with value client ip. When # x_forwarded_for is present and its set to REPLACE, LB will replace # x_forwarded_for in the header to client_ip. When x_forwarded_for is # present and its set to INSERT, LB will append client_ip to # x_forwarded_for in the header. If not wanting to use x_forwarded_for, # remove this config # Choices: <None> INSERT REPLACE #x_forwarded_for = <None> # Resource ID of the firewall section that will be used to create firewall # sections below this mark section #top_firewall_section_marker = <None> # Resource ID of the firewall section that will be used to create firewall # sections above this mark section #bottom_firewall_section_marker = <None> # If this value is not empty, NCP will append it to nameserver list #dns_servers = [] # Set this to True to enable NCP to report errors through NSXError CRD. #enable_nsx_err_crd = False # Maximum number of virtual servers allowed to create in cluster for # LoadBalancer type of services. #max_allowed_virtual_servers = 9223372036854775807 # Edge cluster ID needed when creating Tier1 router for loadbalancer # service. Information could be retrieved from Tier0 router #edge_cluster = <None> # Maximum size of the buffer used to store HTTP request headers for L7 # virtual servers in cluster. A request with header larger than this value # will be processed as best effort whereas a request with header below this # value is guaranteed to be processed. #lb_http_request_header_size = 1024 # Maximum size of the buffer used to store HTTP response headers for all L7 # virtual servers in cluster. A response with header larger than this value # will be dropped. #lb_http_response_header_size = 4096 # Maximum server idle time in seconds for L7 virtual servers in cluster. If # backend server does not send any packet within this time, the connection # is closed. #lb_http_response_timeout = 60 # Determines the behavior when a Tier-1 instance restarts after a failure. # If set to PREEMPTIVE, the preferred node will take over, even if it # causes another failure. If set to NON_PREEMPTIVE, then the instance that # restarted will remain secondary. Applicable to Tier-1 across cluster that # was created by NCP and has edge cluster configured. # Choices: PREEMPTIVE NON_PREEMPTIVE #failover_mode = NON_PREEMPTIVE # Set this to ACTIVATE to enable NCP enforced pool member limit for all # load balancer servers in cluster. Set this to CRD_LB_ONLY will only # enforce the limit for load balancer servers created using lb CRD. Set # this to DEACTIVATE to turn off all limit checks. This option requires # relax_scale_validation set to True, l4_lb_auto_scaling set to False, and # works on Policy API only. When activated, NCP will enforce a pool member # limit on LBS to prevent one LBS from using up all resources on edge # nodes. # Choices: DEACTIVATE ACTIVATE CRD_LB_ONLY #ncp_enforced_pool_member_limit = DEACTIVATE # Maximum number of pool member allowed for each small load balancer # service. Requires ncp_enforced_pool_member_limit set to ACTIVATE or # CRD_LB_ONLY to take effect. #members_per_small_lbs = 2000 # Maximum number of pool member allowed for each medium load balancer # service. Requires ncp_enforced_pool_member_limit set to ACTIVATE or # CRD_LB_ONLY to take effect. #members_per_medium_lbs = 2000 # Resource ID of the client SSL profile which will be used by Loadbalancer # while participating in TLS handshake with the client #client_ssl_profile = <None> # Set this to True to enable rule tag as cluster name in DFW logs for k8s. # When IPv6 is enabled, the tag will not be applied to rules created by NCP # for allowing ND traffic. #enable_rule_tag = True # Set this to enable logging for snat rule, supported choices are : None, # Basic and Extended.none for no logging, basic for logging for # namespacesnat rules, extended for logging for snat rules for # allnamespaces and services # Choices: none basic extended #snat_rule_logging = none # Log properties of virtual server for ingress/routeIt maps to two # parameters access_log_enabled andlog_significant_event_only of virtual # server.It decides whether to log and what events to recordby virtual # server. # Choices: none all significant #vs_access_log = none # The time in seconds before a released IP can be reallocated. This value # is used to determine if a previously exhuasted logical switch can be used # again for creating a new logical port #ip_reallocation_time = 60 # Specify a custom cookie name for NSX default LB when l7_persistence type # is set to cookie. It has no effect if l7_persistence is not set. #cookie_name = <None> # This parameter indicate how firewall is applied to a traffic packet. # Firewall can be bypassed, or be applied to external/internal address of # NAT rule # Choices: MATCH_EXTERNAL_ADDRESS MATCH_INTERNAL_ADDRESS BYPASS #natfirewallmatch = MATCH_INTERNAL_ADDRESS [vc] #[nsx_v3] # Deprecated option: tier0_router # Replaced by [nsx_v3] top_tier_router # Deprecated option: deny_subnets_redistribution # Replaced by [nsx_v3] configure_t0_redistribution