El archivo YAML de NCP incluye el ConfigMap de nsx-ncp-config. Puede actualizar las opciones del entorno. A continuación se muestra nsx-ncp-config ConfigMap de ncp-ubuntu-policy.yaml para NCP 3.1.2.
apiVersion: v1 kind: ConfigMap metadata: name: nsx-ncp-config namespace: nsx-system labels: version: v1 data: ncp.ini: | [vc] # IpAddress or Hostname of VC #vc_endpoint = <None> # The SSO domain associated with the deployment #sso_domain = vsphere.local # VC API server HTTPS port. #https_port = 443 [coe] # Container orchestrator adaptor to plug in. #adaptor = kubernetes # Specify cluster for adaptor. #cluster = k8scluster # Log level for NCP modules (controllers, services, etc.). Ignored if debug # is True # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL #loglevel = <None> # Log level for NSX API client operations. Ignored if debug is True # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL #nsxlib_loglevel = <None> # Enable SNAT for all projects in this cluster. Modification of topologies # for existing Namespaces is not supported if this option is reset. #enable_snat = True # Option to enable profiling #profiling = False # The interval of reporting performance metrics (0 means disabled) #metrics_interval = 0 # Name of log file for outputting metrics only (if not defined, use default # logging facility) #metrics_log_file = <None> # The type of container host node # Choices: HOSTVM BAREMETAL CLOUD WCP_WORKER #node_type = HOSTVM # The time in seconds for NCP/nsx_node_agent to recover the connection to # NSX manager/container orchestrator adaptor/Hyperbus before exiting. If # the value is 0, NCP/nsx_node_agent won't exit automatically when the # connection check fails #connect_retry_timeout = 0 # Enable system health status report for SHA #enable_sha = True [DEFAULT] # If set to true, the logging level will be set to DEBUG instead of the # default INFO level. #debug = False # If set to true, log output to standard error. #use_stderr = True # Destination to send api log to. STDOUT or STDERR for console output. FILE # to write log to file configured in "api_log_file". NONE to disable api # log. # Choices: STDOUT STDERR FILE NONE #api_log_output = NONE # Name of log file to send API access log to. #api_log_file = ncp_api_log.txt # Interval in seconds to logs api call to output configured in # api_log_output #api_log_interval = 60 # When api_log_output is not NONE, this option determines if api calls # should be collected per NSX cluster or individual NSX manager. # Choices: API_LOG_PER_ENDPOINT API_LOG_PER_CLUSTER #api_log_mode = API_LOG_PER_ENDPOINT # If set to true, use syslog for logging. #use_syslog = False # The base directory used for relative log_file paths. #log_dir = <None> # Name of log file to send logging output to. #log_file = <None> # max MB for each compressed file. Defaults to 100 MB. #log_rotation_file_max_mb = 100 # max MB for each compressed file for API logs.Defaults to 10 MB. #api_log_rotation_file_max_mb = 10 # Total number of compressed backup files to store. Defaults to 5. #log_rotation_backup_count = 5 # Total number of compressed backup files to store API logs. Defaults to 5. #api_log_rotation_backup_count = 5 # Log level for the root logger. If debug=True, the default root logger # level will be DEBUG regardless of the value of this option. If this # option is unset, the default root logger level will be either DEBUG or # INFO according to the debug option value # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL #loglevel = <None> [nsx_v3] # Set NSX API adaptor to NSX Policy API adaptor. If unset, NSX adaptor will # be set to the NSX Manager based adaptor. If unset or False, the NSX # resource ID in other options can be resource name or UUID #policy_nsxapi = False # Path to NSX client certificate file. If specified, the nsx_api_user and # nsx_api_password options will be ignored. Must be specified along with # nsx_api_private_key_file option #nsx_api_cert_file = <None> # Path to NSX client private key file. If specified, the nsx_api_user and # nsx_api_password options will be ignored. Must be specified along with # nsx_api_cert_file option #nsx_api_private_key_file = <None> # IP address of one or more NSX managers separated by commas. The IP # address should be of the form: # [<scheme>://]<ip_adress>[:<port>] # If scheme is not provided https is used. If port is not provided port 80 # is used for http and port 443 for https. #nsx_api_managers = [] # If True, skip fatal errors when no endpoint in the NSX management cluster # is available to serve a request, and retry the request instead #cluster_unavailable_retry = False # Maximum number of times to retry API requests upon stale revision errors. #retries = 10 # Specify one or a list of CA bundle files to use in verifying the NSX # Manager server certificate. This option is ignored if "insecure" is set # to True. If "insecure" is set to False and "ca_file" is unset, the # "thumbprint" will be used. If "thumbprint" is unset, the system root CAs # will be used to verify the server certificate. #ca_file = [] # Specify one or a list of thumbprint strings to use in verifying the NSX # Manager server certificate. This option is ignored if "insecure" is set # to True or "ca_file" is defined. #thumbprint = [] # If true, the NSX Manager server certificate is not verified. If false the # CA bundle specified via "ca_file" will be used or if unset the # "thumbprint" will be used. If "thumbprint" is unset, the default system # root CAs will be used. #insecure = False # The time in seconds before aborting a HTTP connection to a NSX manager. #http_timeout = 10 # The time in seconds before aborting a HTTP read response from a NSX # manager. #http_read_timeout = 180 # Maximum number of times to retry a HTTP connection. #http_retries = 3 # Maximum concurrent connections to all NSX managers. If multiple NSX # managers are configured, connections will be spread evenly across all # managers, rounded down to the nearest integer. Each NSX manager will have # at least 1 connection. This value should be a multiple of # [nsx_v3]nsx_api_managers length. #concurrent_connections = 10 # The amount of time in seconds to wait before ensuring connectivity to the # NSX manager if no manager connection has been used. #conn_idle_timeout = 10 # Number of times a HTTP redirect should be followed. #redirects = 2 # Subnet prefix of IP block. #subnet_prefix = 24 # Subnet prefix for v6 IP blocks #v6_subnet_prefix = 64 # Indicates whether distributed firewall DENY rules are logged. #log_dropped_traffic = False # Indicates whether distributed firewall rules are logged. Option 'ALL' # will enable logging for all DFW rules (both DENY and ALLOW), and option # 'DENY' will enable logging only for DENY rules. Remove this config if no # logging is desired. When IPv6 is enabled this setting will not apply to # rules for allowing ND traffic. # Choices: ALL DENY <None> #log_firewall_traffic = <None> # Option to use native load balancer or not #use_native_loadbalancer = True # Option to auto scale layer 4 load balancer or not. If set to True, NCP # will create additional LB when necessary upon K8s Service of type LB # creation/update. #l4_lb_auto_scaling = True # Option to use native load balancer or not when ingress class annotation # is missing. Only effective if use_native_loadbalancer is set to true #default_ingress_class_nsx = True # Path to the default certificate file for HTTPS load balancing. Must be # specified along with lb_priv_key_path option #lb_default_cert_path = <None> # Path to the private key file for default certificate for HTTPS load # balancing. Must be specified along with lb_default_cert_path option #lb_priv_key_path = <None> # Option to set load balancing algorithm in load balancer pool object. # Choices: ROUND_ROBIN LEAST_CONNECTION IP_HASH WEIGHTED_ROUND_ROBIN #pool_algorithm = ROUND_ROBIN # Option to set load balancer service size. MEDIUM Edge VM (4 vCPU, 8GB) # only supports SMALL LB. LARGE Edge VM (8 vCPU, 16GB) only supports MEDIUM # and SMALL LB. Bare Metal Edge (IvyBridge, 2 socket, 128GB) supports # LARGE, MEDIUM and SMALL LB # Choices: SMALL MEDIUM LARGE #service_size = SMALL # Option to set load balancer persistence option. If cookie is selected, # cookie persistence will be offered.If source_ip is selected, source IP # persistence will be offered for ingress traffic through L7 load balancer # Choices: <None> cookie source_ip #l7_persistence = <None> # An integer for LoadBalancer side timeout value in seconds on layer 7 # persistence profile, if the profile exists. #l7_persistence_timeout = 10800 # Option to set load balancer persistence option. If source_ip is selected, # source IP persistence will be offered for ingress traffic through L4 load # balancer # Choices: <None> source_ip #l4_persistence = <None> # Option to set distributed load balancer source ip persistence option, # only available when use_native_dlb = True # Choices: <None> source_ip #dlb_l4_persistence = <None> # Resource ID of the container ip blocks that will be used for creating # subnets. If name, it must be unique. If policy_nsxapi is enabled, it also # support automatically creating the IP blocks. The definition is a comma # separated list: CIDR,CIDR,... Mixing different formats (e.g. UUID,CIDR) # is not supported. #container_ip_blocks = [] # Resource ID of the container ip blocks that will be used for creating # subnets for no-SNAT projects. If specified, no-SNAT projects will use # these ip blocks ONLY. Otherwise they will use container_ip_blocks #no_snat_ip_blocks = [] # Resource ID of the external ip pools that will be used for allocating IP # addresses which will be used for translating container IPs via SNAT # rules. If policy_nsxapi is enabled, it also support automatically # creating the ip pools. The definition is a comma separated list: # CIDR,IP_1-IP_2,... Mixing different formats (e.g. UUID, CIDR&IP_Range) is # not supported. #external_ip_pools = [] # Resource ID of the top-tier router for the container cluster network, # which could be either tier0 or tier1. If policy_nsxapi is enabled, should # be ID of a tier0/tier1 gateway. #top_tier_router = <None> # Option to use single-tier router for the container cluster network #single_tier_topology = False # Option to use single-tier router for the container cluster network. Each # namespace will have dedicated tier-1 router created. Namespaces with # "sr_shared_res: true" annotation will share t1 and lbs. #single_tier_sr_topology = False # Resource ID of the external ip pools that will be used only for # allocating IP addresses for Ingress controller and LB service. If # policy_nsxapi is enabled, it also supports automatically creating the ip # pools. The definition is a comma separated list: CIDR,IP_1-IP_2,... # Mixing different formats (e.g. UUID, CIDR&IP_Range) is not supported. #external_ip_pools_lb = [] # Resource ID of the NSX overlay transport zone that will be used for # creating logical switches for container networking. It must refer to an # already existing resource on NSX and every transport node where VMs # hosting containers are deployed must be enabled on this transport zone #overlay_tz = <None> # Name of the enforcement point used to look up overlay transport zones and # edge cluster paths, e.g. vmc-enforcementpoint, default, etc. #enforcement_point = default # Resource ID of the lb service that can be attached by virtual servers #lb_service = <None> # Resource ID of the IPSet containing the IPs of all the virtual servers #lb_vs_ip_set = <None> # Enable X_forward_for for ingress. Available values are INSERT or REPLACE. # When this config is set, if x_forwarded_for is missing, LB will add # x_forwarded_for in the request header with value client ip. When # x_forwarded_for is present and its set to REPLACE, LB will replace # x_forwarded_for in the header to client_ip. When x_forwarded_for is # present and its set to INSERT, LB will append client_ip to # x_forwarded_for in the header. If not wanting to use x_forwarded_for, # remove this config # Choices: <None> INSERT REPLACE #x_forwarded_for = <None> # Resource ID of the firewall section that will be used to create firewall # sections below this mark section #top_firewall_section_marker = <None> # Resource ID of the firewall section that will be used to create firewall # sections above this mark section #bottom_firewall_section_marker = <None> # Replication mode of container logical switch, set SOURCE for cloud as it # only supports head replication mode # Choices: MTEP SOURCE #ls_replication_mode = MTEP # The resource which NCP will search tag 'node_name' on, to get parent VIF # or transport node uuid for container LSP API context field. For HOSTVM # mode, it will search tag on LSP. For BM mode, it will search tag on LSP # then search TN. For CLOUD mode, it will search tag on VM. For WCP_WORKER # mode, it will search TN by hostname. # Choices: tag_on_lsp tag_on_tn tag_on_vm hostname_on_tn #search_node_tag_on = tag_on_lsp # Determines which kind of information to be used as VIF app_id. Defaults # to pod_resource_key. In WCP mode, pod_uid is used. # Choices: pod_resource_key pod_uid #vif_app_id_type = pod_resource_key # If this value is not empty, NCP will append it to nameserver list #dns_servers = [] # Set this to True to enable NCP to report errors through NSXError CRD. #enable_nsx_err_crd = False # Maximum number of virtual servers allowed to create in cluster for # LoadBalancer type of services. #max_allowed_virtual_servers = 9223372036854775807 # Edge cluster ID needed when creating Tier1 router for loadbalancer # service. Information could be retrieved from Tier0 router #edge_cluster = <None> # Inventory feature switch #enable_inventory = True # For internal container network CIDR, NCP adds redistribution deny rule to # stop T0 router advertise subnets to external network outside of T0 # router. If BGP or route redistribution is disabled, or # T1_CONNECTED/TIER1_SEGMENT option is not selected, NCP would not add the # deny rule. If users enable BGP and route redistribution, or select # T1_CONNECTED/TIER1_SEGMENT option after NCP starts, user needs to restart # NCP to let NCP set deny rule. If there is already a route map attached, # NCP will create IP prefix list on the existing route map. Otherwise NCP # will create a new route map and attach it. This option could be used only # in SNAT mode and when policy_nsxapi = True. #configure_t0_redistribution = False # Health check interval for nsx lb monitor profile #lb_hc_profile_interval = 5 # Health check timeout for nsx lb monitor profile #lb_hc_profile_timeout = 15 # Health check failed count for nsx lb monitor profile. Pool member failed # for this amount will be marked as down. #lb_hc_profile_fall_count = 3 # Health check rise count for nsx lb monitor profile. Pool members # previously marked down will be brought up, if succeed in the health check # for this amount fo time. #lb_hc_profile_rise_count = 3 # Maximum size of the buffer used to store HTTP request headers for L7 # virtual servers in cluster. A request with header larger than this value # will be processed as best effort whereas a request with header below this # value is guaranteed to be processed. #lb_http_request_header_size = 1024 # Maximum size of the buffer used to store HTTP response headers for all L7 # virtual servers in cluster. A response with header larger than this value # will be dropped. #lb_http_response_header_size = 4096 # Maximum server idle time in seconds for L7 virtual servers in cluster. If # backend server does not send any packet within this time, the connection # is closed. #lb_http_response_timeout = 60 # Determines the behavior when a Tier-1 instance restarts after a failure. # If set to PREEMPTIVE, the preferred node will take over, even if it # causes another failure. If set to NON_PREEMPTIVE, then the instance that # restarted will remain secondary. Applicable to Tier-1 across cluster that # was created by NCP and has edge cluster configured. # Choices: PREEMPTIVE NON_PREEMPTIVE #failover_mode = NON_PREEMPTIVE # Set this to ENABLE to enable NCP enforced pool member limit for all load # balancer servers in cluster. Set this to CRD_LB_ONLY will only enforce # the limit for load balancer servers created using lb CRD. Set this to # DISABLE to turn off all limit checks. This option requires # relax_scale_validation set to True, l4_lb_auto_scaling set to False, and # works on Policy API only. When not disabled, NCP will enforce a pool # member limit on LBS to prevent one LBS from using up all resources on # edge nodes. # Choices: DISABLE ENABLE CRD_LB_ONLY #ncp_enforced_pool_member_limit = DISABLE # Maximum number of pool member allowed for each small load balancer # service. Requires ncp_enforced_pool_member_limit set to ENABLE or # CRD_LB_ONLY to take effect. #members_per_small_lbs = 2000 # Maximum number of pool member allowed for each medium load balancer # service. Requires ncp_enforced_pool_member_limit set to ENABLE or # CRD_LB_ONLY to take effect. #members_per_medium_lbs = 2000 # Interval in seconds to clean empty segments. #segment_gc_interval = 600 # Determines the mode NCP limits rate when sending API calls to NSX. # Choices: NO_LIMIT SLIDING_WINDOW ADAPTIVE_AIMD #api_rate_limit_mode = ADAPTIVE_AIMD # When nsx_v3.api_rate_limit_mode is not set to NO_LIMIT, determines the # maximum number of API calls sent per manager ip per second. Should be a # positive integer. #max_api_rate = 40 # Resource ID of the client SSL profile which will be used by Loadbalancer # while participating in TLS handshake with the client #client_ssl_profile = <None> # Enable security policy notification, If this optionis enabled, NCP will # configure container network afterNSX creates logical port and finishes # security policysynchronization #wait_for_security_policy_sync = False # Set this to True to enable rule tag as cluster name in DFW logs for k8s. # When IPv6 is enabled, the tag will not be applied to rules created by NCP # for allowing ND traffic. #enable_rule_tag = True # Set this to enable logging for snat rule, supported choices are : None, # Basic and Extended.none for no logging, basic for logging for # namespacesnat rules, extended for logging for snat rules for # allnamespaces and services # Choices: none basic extended #snat_rule_logging = none # Log properties of virtual server for ingress/routeIt maps to two # parameters access_log_enabled andlog_significant_event_only of virtual # server.It decides whether to log and what events to recordby virtual # server. # Choices: none all significant #vs_access_log = none # The time in seconds before a released IP can be reallocated. This value # is used to determine if a previously exhuasted logical switch can be used # again for creating a new logical port #ip_reallocation_time = 60 # Specify a custom cookie name for NSX default LB when l7_persistence type # is set to cookie. It has no effect if l7_persistence is not set. #cookie_name = <None> [ha] # Time duration in seconds of mastership timeout. NCP instance will remain # master for this duration after elected. Note that the heartbeat period # plus the update timeout must not be greater than this period. This is # done to ensure that the master instance will either confirm liveness or # fail before the timeout. #master_timeout = 18 # Time in seconds between heartbeats for elected leader. Once an NCP # instance is elected master, it will periodically confirm liveness based # on this value. #heartbeat_period = 6 # Timeout duration in seconds for update to election resource. The default # value is calculated by subtracting heartbeat period from master timeout. # If the update request does not complete before the timeout it will be # aborted. Used for master heartbeats to ensure that the update finishes or # is aborted before the master timeout occurs. #update_timeout = <None> [k8s] # Kubernetes API server IP address. #apiserver_host_ip = <None> # Kubernetes API server port. #apiserver_host_port = <None> # Full path of the Token file to use for authenticating with the k8s API # server. client_token_file = /var/run/secrets/kubernetes.io/serviceaccount/token # Full path of the client certificate file to use for authenticating with # the k8s API server. It must be specified together with # "client_private_key_file". #client_cert_file = <None> # Full path of the client private key file to use for authenticating with # the k8s API server. It must be specified together with # "client_cert_file". #client_private_key_file = <None> # Specify a CA bundle file to use in verifying the k8s API server # certificate. ca_file = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt # Specify whether ingress controllers are expected to be deployed in # hostnework mode or as regular pods externally accessed via NAT # Choices: hostnetwork nat #ingress_mode = hostnetwork # Log level for the kubernetes adaptor. Ignored if debug is True # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL #loglevel = <None> # The default HTTP ingress port for non-NSX ingress controllers in NAT # mode. #http_ingress_port = 80 # The default HTTPS ingress port for non-NSX ingress controllers in NAT # mode. #https_ingress_port = 443 # Specifying whether the TCP connections between the LoadBalancer service # and backend could be reused by multiple client requests. #lb_connection_multiplexing_enabled = False # Specifying the maximum number of multiplexing connections. #lb_connection_multiplexing_number = 6 # Specify thread pool size to process resource events #resource_watcher_thread_pool_size = 1 # User specified IP address for HTTP and HTTPS ingresses #http_and_https_ingress_ip = <None> # Set this option to configure the ability to allow a virtual IP that is # not in the range of external_ip_pools_lb specified in spec.loadBalancerIP # of K8s service of type LoadBalancer to be realized in NSX.When the value # is relaxed, any IP specified in spec.loadBalancerIP can be allowed. When # the value is strict, only IP within the range of external_ip_pools_lb # will be allowed. # Choices: relaxed strict #lb_ip_allocation = relaxed # Set this to True to enable NCP to create tier1 router, first segment and # default SNAT IP for VirtualNetwork CRD, and then create segment port for # VM through VirtualNetworkInterface CRD. #enable_vnet_crd = False # Set this to True to enable NCP to create LoadBalancer on a Tier-1 for # LoadBalancer CRD. This option does not support LB autoscaling. #enable_lb_crd = False # Set this to True to enable NCP to create LbMonitor CR for NSX LBS #enable_lb_monitor_crd = False # Set this to True to enable NCP to manage network resources and resource # quotas per Namespace. This option only works under WCP T1 per Supervisor # Namespace networking topology #enable_nsnetwork_crd = False # Option to set the type of baseline cluster policy. ALLOW_CLUSTER creates # an explicit baseline policy to allow any pod to communicate any other pod # within the cluster. ALLOW_NAMESPACE creates an explicit baseline policy # to allow pods within the same namespace to communicate with each other. # By default, no baseline rule will be created and the cluster will assume # the default behavior as specified by the backend. Modification is not # supported after the value is set. # Choices: <None> allow_cluster allow_namespace #baseline_policy_type = <None> # Maximum number of endpoints allowed to create for a service. #max_allowed_endpoints = 1000 # Set this to True to enable NCP reporting NSX backend error to k8s object # using k8s event #enable_ncp_event = False # Set this to True to enable multus to create multiple interfaces for one # pod. Requires policy_nsxapi set to True to take effect. If passthrough # interface is used as additional interface, user should deploy the network # device plugin to provide device allocation information for NCP. Pod # annotations with prefix "k8s.v1.cni.cncf.io" cannot be modified once pod # is realized. User defined IP will not be allocated from the Segment # IPPool. The "gateway" in NetworkAttachmentDefinition is not used to # configure secondary interfaces, as the default gateway of Pod is # configured by the primary CNI on the main network interface. User must # define IP and/or MAC if no "ipam" is configured. Only available if node # type is HOSTVM and not to be leveraged in conjunction with 3rd party CNI # plugin #enable_multus = True # Interval of polling loadbalancer statistics. Default to60 seconds. #lb_statistic_monitor_interval = 600 # Option to enable polling virtual server statistics. #enable_lb_vs_statistics_monitor = False # This option is for toggling process of network CRD.It should be set to # False when the network status setting is done by OCP4 NetworkOperator #process_oc_network = True # nsx-node-agent will add iptables rules for K8s pod which has hostPort, # client packets to hostPort will be SNATed to node IP. We leverage portmap # plugin to add iptables DNAT rules for hostPort ingress traffic. This # hostPort feature is only supported on K8s Linux node. #enable_hostport_snat = False # If this option is True, nsx-ncp-bootstrap pod will install portmap plugin # from nsx-ncp image, nsx-ncp-cleanup pod will remove portmap plugin. #use_ncp_portmap = False #[nsx_v3] # Deprecated option: tier0_router # Replaced by [nsx_v3] top_tier_router # Deprecated option: deny_subnets_redistribution # Replaced by [nsx_v3] configure_t0_redistribution