vxlan-policy-agent job from silk/3.34.0

Github source: 0341c35e or master branch

Properties¶

asg_poll_interval_seconds¶

The VXLAN policy agent queries the policy server on this interval in seconds and updates local security groups rules.

Default

60

ca_cert¶

Trusted CA certificate that was used to sign the policy server’s server cert and key.

client_cert¶

Client certificate for TLS to access policy server.

client_key¶

Client private key for TLS to access policy server.

debug_server_port¶

Port for the debug server. Use this to adjust log level at runtime or dump process stats.

Default

8721

disable¶

Disable this monit job. It will not run. Required for backwards compatability

Default

false

disable_container_network_policy¶

WARNING!!! Disables network policy enforcement. Setting this property to true allows all app containers to access any other app container with no restrictions.

Default

false

enable_asg_syncing¶

Enable dynamic updates to ASG rules for running containers

Default

true

enable_overlay_ingress_rules¶

Experimental feature. Allows ingress over the overlay network, from a vm running silk-daemon in singleIPMode

Default

false

force_policy_poll_cycle_port¶

Port for force policy poll cycle server. Use this server to force an immediate poll cycle.

Default

8722

iptables_accepted_udp_logs_per_sec¶

Maximum number of iptables logs per second for accepted UDP packets.

Default

100

iptables_logging¶

Enables iptables logging for container to container traffic. Logs to the kernel log.

Default

false

log_level¶

Logging level (debug, info, warn, error).

Default

info

loggregator¶

ca_cert¶

CA Cert used to communicate with local metron agent over gRPC

cert¶

Cert used to communicate with local metron agent over gRPC

key¶

Key used to communicate with local metron agent over gRPC

use_v2_api¶

True to use local metron agent gRPC v2 API. False to use UDP v1 API.

Default

false

v2_api_port¶

Local metron agent gRPC port

Default

3458

metron_port¶

Port of metron agent on localhost. This is used to forward metrics.

Default

3457

policy_poll_interval_seconds¶

The VXLAN policy agent queries the policy server on this interval in seconds and updates local policy rules.

Default

5

policy_server¶

hostname¶

Host name for the policy server. E.g. the service advertised via Consul DNS. Must match common name in the policy_server.server_cert

Default

policy-server.service.cf.internal

internal_listen_port¶

Policy server handles requests from the vxlan policy agent on this port.

Default

4003

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/vxlan-policy-agent/ directory (learn more).

• bin/post-start (from post-start.erb)
• bin/pre-start (from pre-start.erb)
• bin/start (from start.erb)
• config/bpm.yml (from bpm.yml.erb)
• config/certs/ca.crt (from ca.crt.erb)
• config/certs/client.crt (from client.crt.erb)
• config/certs/client.key (from client.key.erb)
• config/certs/loggregator/ca.crt (from loggregator_ca.crt.erb)
• config/certs/loggregator/client.crt (from loggregator_client.crt.erb)
• config/certs/loggregator/client.key (from loggregator_client.key.erb)
• config/vxlan-policy-agent.json (from vxlan-policy-agent.json.erb)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

• silk-ctl-utils
• vxlan-policy-agent