...
In the current K8S vFW demo, the sourceName is 'k8s-testing'. This will need to be made instance specific in the future.
NOTE: Further investigation reveals that the vFW obtained the sourceName of 'k8s-testing' by querying the OpenStack metadata service and using the name from the response. 'k8s-testing' was the OpenStack instance name of the VM in which the KUD cloud region was running. Adding a route in the vFW that rejects the network used for the OpenStack metadata service (e.g. 169.254.0.0/16) causes the vFW VES code to fall back to the vFW hostname, which is the name of the vFW pod (e.g. profile1-firewall-6558957c88-2rxdh).
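The fallback described above, as an added example that is not the vFW's own VES code: the source name is taken from the cloud metadata service when it is reachable and from the pod hostname otherwise. The metadata URL is the standard 169.254.169.254 endpoint (an assumption about what the vFW queries), and the fetch function is injectable so the fallback path can be exercised without any network. On the vFW side, the rejecting route the text mentions can be installed with `ip route add unreachable 169.254.0.0/16`, which makes the metadata request fail fast with a network error rather than hang.

```python
import socket
import urllib.error
import urllib.request

# Added example: mimics the sourceName selection the text describes.
# The metadata endpoint and path are the usual OpenStack/EC2-style ones;
# the real vFW VES code is not reproduced here (assumption).
METADATA_URL = "http://169.254.169.254/latest/meta-data/hostname"


def fetch_metadata_name(url=METADATA_URL, timeout=1.0):
    """Return the instance name reported by the cloud metadata service.

    Raises an OSError subclass (urllib.error.URLError, socket.timeout, ...)
    when the metadata network is unreachable, which is exactly what an
    'unreachable' route for 169.254.0.0/16 produces inside the pod.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip()


def local_hostname():
    """Inside a Kubernetes pod this is the pod name (e.g. profile1-firewall-...)."""
    return socket.gethostname()


def resolve_source_name(fetch=fetch_metadata_name):
    """Pick the VES sourceName: metadata instance name if reachable, else hostname.

    `fetch` is injectable so the fallback can be tested offline; an empty
    answer is treated like an unreachable service.
    """
    try:
        name = fetch()
    except (OSError, ValueError):
        # URLError, timeout, connection refused, malformed URL: fall back
        name = None
    return name if name else local_hostname()


if __name__ == "__main__":
    # With the metadata network blocked this prints the pod hostname.
    print("sourceName:", resolve_source_name())
```

Pointing the fetcher at a closed local port (connection refused) reproduces the blocked-metadata case without touching 169.254.0.0/16, which is useful when checking the fallback on a host that does have a metadata service.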
Add a vserver object to AAI
...
At this time, there is no heatbridge or AAI code for the K8S vFW deployments. So, to support the AAI enrichment step that looks the event up by vserver, the following AAI object is added to AAI manually.
NOTE: As mentioned just above, the sourceName in this example happened to be 'k8s-testing', but the suggested approach is to use the pod name for the vserver-name.
PUT https://{{AAI1_PUB_IP}}:{{AAI1_PUB_PORT}}/aai/v11/bulkadd
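An added example, not from the page or the ONAP project, of building the bulkadd body for the PUT above and checking that the vserver-name it registers matches the sourceName the vFW's VES events will carry, which is the key the enrichment lookup uses. The cloud-owner, cloud-region-id and tenant-id values are placeholders, and the bulkadd transaction shape (`transactions` -> `put` -> `uri`/`body`) and the vserver attribute names follow my reading of the AAI v11 schema; verify them against your AAI instance before use.

```python
import json

# Added example: constructs the AAI v11 bulkadd document for a vserver whose
# vserver-name is the vFW pod name. Schema details are assumptions (see lead-in).


def build_vserver_bulkadd(pod_name, cloud_owner, cloud_region_id, tenant_id, vserver_id=None):
    """Return a bulkadd body registering `pod_name` as the vserver-name."""
    vserver_id = vserver_id or pod_name  # assumption: reuse pod name as id
    uri = ("/cloud-infrastructure/cloud-regions/cloud-region/"
           f"{cloud_owner}/{cloud_region_id}/tenants/tenant/{tenant_id}"
           f"/vservers/vserver/{vserver_id}")
    body = {
        "vserver-id": vserver_id,
        "vserver-name": pod_name,
        "vserver-selflink": f"k8s://{pod_name}",  # placeholder selflink
        "prov-status": "ACTIVE",
        "in-maint": False,
        "is-closed-loop-disabled": False,
    }
    return {"transactions": [{"put": [{"uri": uri, "body": body}]}]}


def vserver_names(bulkadd):
    """Collect every vserver-name present in a bulkadd document."""
    names = []
    for tx in bulkadd.get("transactions", []):
        for op in tx.get("put", []):
            body = op.get("body", {})
            if "vserver-name" in body:
                names.append(body["vserver-name"])
    return names


def enrichment_key_matches(event_source_name, bulkadd):
    """True when a VES event with this sourceName will resolve to an added vserver."""
    return event_source_name in vserver_names(bulkadd)


if __name__ == "__main__":
    doc = build_vserver_bulkadd(
        "profile1-firewall-6558957c88-2rxdh",  # pod name from the text
        "CloudOwner", "RegionOne", "tenant-placeholder",
    )
    print(json.dumps(doc, indent=2))
    # 'k8s-testing' (the OpenStack VM name) would not match once the
    # metadata route is rejected and the pod name is used instead.
    print("k8s-testing matches:", enrichment_key_matches("k8s-testing", doc))
```

Checking the event's sourceName against the registered vserver-name before enabling the closed loop catches the mismatch the text describes (VM name versus pod name) without waiting for enrichment to fail on a live event.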
...
The following picture shows how it was set several times over an hour and the policy set it back to 5.
Info: In the following example, the vFW virtlet