
vxlan-policy-agent job from silk/3.42.0

GitHub source: ec4b046f or master branch

Properties

asg_poll_interval_seconds

The VXLAN policy agent queries the policy server on this interval in seconds and updates local security group rules.

Default
60

ca_cert

Trusted CA certificate that was used to sign the policy server’s server cert and key.

client_cert

Client certificate for TLS to access policy server.

client_key

Client private key for TLS to access policy server.

debug_server_port

Port for the debug server. Use this to adjust log level at runtime or dump process stats.

Default
8721

disable

Disable this monit job. It will not run. Required for backwards compatibility.

Default
false

disable_container_network_policy

WARNING!!! Disables network policy enforcement. Setting this property to true allows all app containers to access any other app container with no restrictions.

Default
false

enable_asg_syncing

Enable dynamic updates to ASG rules for running containers

Default
true

enable_overlay_ingress_rules

Experimental feature. Allows ingress over the overlay network from a VM running silk-daemon in singleIPMode.

Default
false

force_policy_poll_cycle_port

Port for force policy poll cycle server. Use this server to force an immediate poll cycle.

Default
8722

iptables_accepted_udp_logs_per_sec

Maximum number of iptables logs per second for accepted UDP packets.

Default
100

iptables_logging

Enables iptables logging for container to container traffic. Logs to the kernel log.

Default
false

log_level

Logging level (debug, info, warn, error).

Default
info

loggregator

ca_cert

CA Cert used to communicate with local metron agent over gRPC

cert

Cert used to communicate with local metron agent over gRPC

key

Key used to communicate with local metron agent over gRPC

use_v2_api

True to use local metron agent gRPC v2 API. False to use UDP v1 API.

Default
false

v2_api_port

Local metron agent gRPC port

Default
3458

metron_port

Port of metron agent on localhost. This is used to forward metrics.

Default
3457

policy_poll_interval_seconds

The VXLAN policy agent queries the policy server on this interval in seconds and updates local policy rules.

Default
5

policy_server

hostname

Host name for the policy server, e.g. the service advertised via Consul DNS. Must match the common name in the policy_server.server_cert.

Default
policy-server.service.cf.internal

internal_listen_port

Policy server handles requests from the vxlan policy agent on this port.

Default
4003

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/vxlan-policy-agent/ directory.

  • bin/post-start (from post-start.erb)
  • bin/pre-start (from pre-start.erb)
  • bin/start (from start.erb)
  • config/bpm.yml (from bpm.yml.erb)
  • config/certs/ca.crt (from ca.crt.erb)
  • config/certs/client.crt (from client.crt.erb)
  • config/certs/client.key (from client.key.erb)
  • config/certs/loggregator/ca.crt (from loggregator_ca.crt.erb)
  • config/certs/loggregator/client.crt (from loggregator_client.crt.erb)
  • config/certs/loggregator/client.key (from loggregator_client.key.erb)
  • config/vxlan-policy-agent.json (from vxlan-policy-agent.json.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.