vSphere IaaS control plane does not support editing the NCP configuration file ncp.ini. You can create CustomResourceDefinitions (CRDs) in NCP to configure network and load balancer parameters.

NCPSetting CRD

Create an NCPSetting CRD and set values for the NCP configuration.

The following list describes the network and load balancer parameters that you can configure:

log_dropped_traffic: Indicates whether distributed firewall (DFW) DENY rules are logged.
Values: True, False
Default is False.

log_firewall_traffic: Indicates whether DFW rules are logged.
Values are:
  • ALL. Enables logging for all DFW rules.
  • DENY. Enables logging only for DENY rules.

pool_algorithm: Option to set the load balancing algorithm in the load balancer pool object.
Values are:
  • Round_Robin
  • Weighted_Round_Robin
  • Least_Connection
  • Weighted_Least_Connection
  • IP-Hash
Default is Round-Robin.

service_size: Option to set the load balancer size.
Values are Small, Medium, and Large.
Default is Small.

l7_persistence: Option to set the load balancer persistence option.
Values are:
  • cookie
  • source_ip

l7_persistence_timeout: Persistence timeout value in seconds on the L7 persistence profile.

cookie_name: Specifies a cookie name when the l7_persistence type is set to cookie.

x_forwarded_for: Enables X-Forwarded-For for headers in ingress.
Values are:
  • Insert
  • Replace

snat_rule_logging: Option to select logging for SNAT rules.
Values are:
  • None
  • Basic. Logging for all namespaces.
  • Extended. Logging for all namespaces and services.

vs_access_log: Log properties of the virtual server for ingress and route.
Values are:
  • VS_access_log_none
  • access_log_enabled. Enables logging for the Layer 7 virtual server.
  • log_significant_event_only. Requests with an HTTP response status of >=400 are treated as a significant event.
Default is VS_access_log_none.

ip_reallocation_time: Time in seconds before a released IP can be reallocated.

For more information about NCP and NSX objects, see the NSX documentation.

Perform the following steps to enable this feature:
  1. Set enable_ncp_setting_crd to True.
  2. Create a YAML file with the following template:
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      name: ncpsettings.vmware.com
    spec:
      group: vmware.com
      versions:
        - name: v1
          served: true
          storage: true
          schema:
            openAPIV3Schema:
              type: object
              properties:
                spec:
                  type: object
                  properties:
                    nsx_v3:
                      type: object
                      properties:
                        log_dropped_traffic:
                          description: 'Indicates whether distributed firewall DENY rules are logged.'
                          type: boolean
                        log_firewall_traffic:
                          description: 'Indicate whether DFW rules are logged.'
                        # ........ All configs that are allowed to be configured via the CRD ........
      scope: Cluster
      names:
        plural: ncpsettings
        singular: ncpsetting
        kind: NCPSetting
        shortNames:
        - ncpstg

    For example:

    apiVersion: vmware.com/v1alpha2
    kind: NCPSetting
    metadata:
        name: ncp-setting-crd
    spec:
        nsx_v3:
            log_dropped_traffic: True
            log_firewall_traffic: ALL
            pool_algorithm: Round_Robin
            l7_persistence: cookie
            x_forwarded_for: Insert
  3. Apply the YAML file with the following command:

    kubectl apply -f ncp-setting-crd.yaml.j2

To prevent multiple CRDs from overriding the same configuration value, NCP only processes the CRD object with the name ncp-setting-crd. Other CRDs with different names are annotated with errors, and NCP does not process those CRDs.
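
A pre-apply check for the manifest described above, as an added example (not VMware or NCP code): it validates a parsed NCPSetting object against the allowed values in the parameter list and against the ncp-setting-crd name rule. The function name, the sample manifests, and the x_forwarded_for key spelling (taken from the example manifest) are assumptions.

```python
# Added example, not NCP code. Allowed values are copied from the parameter list.
PROCESSED_NAME = "ncp-setting-crd"  # the only object name NCP processes
ENUMS = {
    "log_firewall_traffic": {"ALL", "DENY"},
    "pool_algorithm": {"Round_Robin", "Weighted_Round_Robin", "Least_Connection",
                       "Weighted_Least_Connection", "IP-Hash"},
    "service_size": {"Small", "Medium", "Large"},
    "l7_persistence": {"cookie", "source_ip"},
    "x_forwarded_for": {"Insert", "Replace"},  # spelling as in the example manifest
    "snat_rule_logging": {"None", "Basic", "Extended"},
    "vs_access_log": {"VS_access_log_none", "access_log_enabled",
                      "log_significant_event_only"},
}
SECONDS = {"l7_persistence_timeout", "ip_reallocation_time"}
KNOWN = set(ENUMS) | SECONDS | {"log_dropped_traffic", "cookie_name"}

def lint_ncpsetting(manifest):
    """Return a list of problems in a parsed NCPSetting manifest (a dict)."""
    problems = []
    name = manifest.get("metadata", {}).get("name")
    if name != PROCESSED_NAME:
        problems.append(f"metadata.name {name!r}: NCP only processes {PROCESSED_NAME!r}")
    params = manifest.get("spec", {}).get("nsx_v3", {})
    for key, value in params.items():
        if key not in KNOWN:
            problems.append(f"{key}: not a recognized parameter")
        elif key in ENUMS and (not isinstance(value, str) or value not in ENUMS[key]):
            problems.append(f"{key}: {value!r} is not one of {sorted(ENUMS[key])}")
        elif key in SECONDS and (type(value) is not int or value < 0):
            problems.append(f"{key}: expected a non-negative number of seconds")
        elif key == "log_dropped_traffic" and not isinstance(value, bool):
            problems.append(f"{key}: expected True or False")
    # cookie_name is only flagged when the manifest itself selects another type.
    if "cookie_name" in params and params.get("l7_persistence", "cookie") != "cookie":
        problems.append("cookie_name: only used when l7_persistence is cookie")
    return problems

# Constructed samples: the page's example manifest, then one with four mistakes.
PAGE_EXAMPLE = {"metadata": {"name": "ncp-setting-crd"}, "spec": {"nsx_v3": {
    "log_dropped_traffic": True, "log_firewall_traffic": "ALL",
    "pool_algorithm": "Round_Robin", "l7_persistence": "cookie",
    "x_forwarded_for": "Insert"}}}
BAD = {"metadata": {"name": "team-a-settings"}, "spec": {"nsx_v3": {
    "log_dropped": True, "pool_algorithm": "round_robin",
    "l7_persistence": "source_ip", "cookie_name": "sid"}}}

if __name__ == "__main__":
    for label, doc in (("page example", PAGE_EXAMPLE), ("bad", BAD)):
        print(label, lint_ncpsetting(doc) or "OK")
```

The function takes the dictionary produced by whatever YAML parser you already use, so it can run in a review pipeline before kubectl apply.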

Overriding NCP Configuration

The configuration parameters in the CRD might have corresponding NSX objects. When you create a CRD to override the parameters, the CRD does not change the parameters in the objects except in the following cases:
  • l7_persistence, l7_persistence_timeout, and cookie_name. If the l7_persistence is changed by the CRD, NCP creates a new persistence profile with the values of the l7_persistence, l7_persistence_timeout, and cookie_name.

    If l7_persistence_timeout and cookie_name are changed through the CRD, the existing profile is updated based on the new values.

  • x_forwarded_for. If x_forwarded_for is changed by the CRD, NCP creates a new application profile based on its value.
  • vs_access_log. If the vs_access_log is changed by the CRD, NCP updates the logging option of the virtual servers accordingly.