|
| 1 | +# Apply CRDs through annotations |
| 2 | + |
| 3 | +You can now apply CRDs such as Rewrite and Responder, Ratelimit, Auth, WAF, and Bot for ingress resources and services of type load balancer by referring them using annotations. Using this feature, when there are multiple services in an Ingress resource, you can apply the rewrite and responder policy for a specific service or all the services based on your requirements. |
| 4 | + |
| 5 | +The following are the two benefits of this feature: |
| 6 | + |
| 7 | +- You can apply a CRD at a per-ingress, per-service level. For example, the same service referred through an internal VIP may have different set of rewrite-responder policies compared to the one exposed outside. |
| 8 | +- Operations team can create CRD instances without specifying the service names. The application developers can choose the right policies based on their requirements. |
| 9 | + |
| 10 | +**Note:** CRD instances should be created without service names. |
| 11 | + |
| 12 | +## Ingress annotation for referring CRDs |
| 13 | + |
| 14 | +An Ingress resource can refer a Rewrite and Responder CRD directly using the `ingress.citrix.com/rewrite-responder` annotation. |
| 15 | + |
| 16 | +The following are different ways of referring the rewrite-responder CRD using annotations. |
| 17 | + |
| 18 | +- You can apply the Rewrite and Responder CRD for all the services referred in the given ingress using the following format: |
| 19 | + |
| 20 | + ingress.citrix.com/rewrite-responder_crd: <Rewritepolicy Custom-resoure-instance-name> |
| 21 | + |
| 22 | + Example: |
| 23 | + |
| 24 | + ingress.citrix.com/rewrite-responder_crd: "blockurlpolicy" |
| 25 | + |
| 26 | + In this example, the Rewrite and Responder policy is applied for all the services referred in the given ingress. |
| 27 | + |
| 28 | +- You can apply the Rewrite and Responder CRD to a specified Kubernetes service in an Ingress resource using the following format: |
| 29 | + |
| 30 | + ingress.citrix.com/rewrite-responder_crd: '{<Kubernetes-service-name>: <Rewritepolicy Custom-resoure-instance-name>}' |
| 31 | + |
| 32 | + Example: |
| 33 | + |
| 34 | + ingress.citrix.com/rewrite-responder_crd: '{"frontendsvc": "blockurlpolicy", "backendsvc": "addresponseheaders"}' |
| 35 | + |
| 36 | + In this example, the rewrite policy `blockurlpolicy` is applied on the traffic coming to the `frontendsvc` service and the `addresponseheaders` policy is applied to the `backendsvc` service coming through the current ingress. |
| 37 | + |
| 38 | +You can also apply the Auth, Bot, WAF, and Ratelimit CRDs using ingress annotations: |
| 39 | + |
| 40 | +The following table explains the annotations and examples for Auth, Bot, WAF, and Ratelimit CRDs. |
| 41 | + |
| 42 | +| Annotation | Examples | Description| |
| 43 | +| ------------------- | --------------------------------- |-----------| |
| 44 | +| `ingress.citrix.com/bot_crd` | `ingress.citrix.com/bot_crd: '{"frontend": "botdefense"}'` | Applies the `botdefense` policy to the traffic incoming to the front-end service.| |
| 45 | +| `ingress.citrix.com/auth_crd` | `ingress.citrix.com/auth_crd: '{"frontend": "authexample"}'` | Applies the `authexample` policy to the front-end service. | |
| 46 | +| `ingress.citrix.com/waf_crd` | `ingress.citrix.com/waf_crd: "wafbasic"` | Applies the WAF policy `wafbasic` to all services in the Ingress| |
| 47 | +| `ingress.citrix.com/ratelimit_crd` | `ingress.citrix.com/ratelimit_crd: "throttlecoffeeperclientip"` | Applies the rate limit policy `throttlecoffeeperclientip` to all services in the Ingress.| |
| 48 | + |
| 49 | +## Service of type LoadBalancer annotation for referring Rewrite and Responder CRD |
| 50 | + |
| 51 | +A service of type LoadBalancer can refer a Rewrite and Responder CRD using annotations. |
| 52 | + |
| 53 | +The following is the format for the annotation: |
| 54 | + |
| 55 | + service.citrix.com/rewrite-responder: <Rewritepolicy Custom-resoure-instance-name> |
0 commit comments