When running workloads on a BYOK Location, some additional configuration settings are available.

Internal Firewall Settings

When a workload is running on the Control Plane cloud platform, IP addresses and CIDR blocks configured for the workload's external firewall are ignored if they fall within any private address range. When running in a BYOK location, these internal address ranges are allowed and can be used to directly access internal resources in your data center.

Custom Tags

An extra list of Control Plane tags can be used to change the behavior of workloads when they are run in BYOK Locations.

Disable Service Mesh

cpln/disableServiceMesh=true

  • When this tag is added to a workload, the inbound and outbound sidecar is completely disabled. This can be useful in situations where proxying can confuse clients that are expecting direct IP communication without any NAT.

Disable Service Mesh Inbound Port

cpln/disableServiceMeshInboundPort

  • A comma-delimited list of ports to exclude from being intercepted by the sidecar proxy inbound.

Disable Service Mesh Outbound Port

cpln/disableServiceMeshOutboundPort

  • A comma-delimited list of ports to exclude from being intercepted by the sidecar proxy outbound.

Disable Service Mesh Outbound CIDR

cpln/disableServiceMeshOutboundPort

  • A comma-delimited list of CIDR IP ranges to exclude from being intercepted by the sidecar proxy outbound.

ClusterRole

cpln/k8sClusterRole

  • The ClusterRole that should be bound to the workload.
    The actuator must be configured to allow this. See BYOK Actuator settings.
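
The settings above all widen what a workload can reach or skip, so they are worth listing before a workload is moved to a BYOK location. The following review helper is an added example, not Control Plane code. It assumes the workload's tags are available as a dict and the external firewall entries as a list of strings, that "private address ranges" means the RFC 1918 blocks, and the names `private_entries` and `review` are hypothetical.

```python
import ipaddress

# Assumption: "private address ranges" means the RFC 1918 IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_TAGS = ("cpln/disableServiceMeshInboundPort",
             "cpln/disableServiceMeshOutboundPort")

def private_entries(cidrs):
    """Return firewall entries that lie entirely inside an RFC 1918 block."""
    hits = []
    for entry in cidrs:
        net = ipaddress.ip_network(entry, strict=False)  # bare IP -> /32
        if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            hits.append(entry)
    return hits

def review(tags, firewall_cidrs):
    """List the BYOK-specific settings a reviewer should look at."""
    findings = []
    if str(tags.get("cpln/disableServiceMesh", "")).lower() == "true":
        findings.append("sidecar disabled for all inbound and outbound traffic")
    for tag in PORT_TAGS:
        ports = [p.strip() for p in str(tags.get(tag, "")).split(",") if p.strip()]
        bad = [p for p in ports if not (p.isdecimal() and 1 <= int(p) <= 65535)]
        if bad:
            findings.append(f"{tag}: invalid port value(s) {bad}")
        elif ports:
            findings.append(f"{tag}: ports {ports} are not intercepted by the sidecar")
    role = tags.get("cpln/k8sClusterRole")
    if role:
        findings.append(f"ClusterRole {role!r} requested; check the actuator allows it")
    for entry in private_entries(firewall_cidrs):
        findings.append(f"{entry}: private range, allowed only in a BYOK location")
    return findings

if __name__ == "__main__":
    # Constructed sample workload settings, not taken from a real deployment.
    sample_tags = {"cpln/disableServiceMesh": "true",
                   "cpln/disableServiceMeshOutboundPort": "5432, 70000",
                   "cpln/k8sClusterRole": "view"}
    sample_cidrs = ["10.20.0.0/16", "203.0.113.0/24", "192.168.1.10"]
    for line in review(sample_tags, sample_cidrs):
        print(line)
```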