Workload Settings
When running workloads on a BYOK Location, there are some additional configuration settings that are available.
Internal Firewall Settings
When a workload is running on the Control Plane cloud platform IP Addresses and CIDR blocks configured for the external firewall of a workload are ignored if they are in any private address ranges. When running in a BYOK location these internal address ranges are allowed and can be used to directly access internal resources in your data center.
extra k8s options
Some specific k8s options can be configured on workloads.
- Right now, only
affinity,tolerations, andtopologySpreadConstraintsare supported. - These options will be merged with the default ones.
Custom Tags
An extra list of Control Plane tags can be used to change the behavior of workloads when they are run in BYOK Locations.
Disable Service Mesh
cpln/disableServiceMesh=true
- When this tag is added to a workload the inbound and outbound sidecar is completely disabled. this can be useful in situations where proxying can confuse clients that are expecting direct IP communication without any NAT.
Disable Service Mesh Inbound Port
cpln/disableServiceMeshInboundPort
- A comma delimited list of ports to exclude from being intercepted by the sidecar proxy inbound.
Disable Service Mesh Outbound Port
cpln/disableServiceMeshOutboundPort
- A comma delimited list of ports to exclude from being intercepted by the sidecar proxy outbound.
Disable Service Mesh Outbound CIDR
cpln/disableServiceMeshOutboundPort
- A comma delimited list of CIDR IP ranges to exclude from being intercepted by the sidecar proxy outbound.
ClusterRole
cpln/k8sClusterRole
- The ClusterRole that should be binded to the workload
The actuator must be configured to allow this. See BYOK Actuator settings
Workload Settings
When running workloads on a BYOK Location, there are some additional configuration settings that are available.
Internal Firewall Settings
When a workload is running on the Control Plane cloud platform IP Addresses and CIDR blocks configured for the external firewall of a workload are ignored if they are in any private address ranges. When running in a BYOK location these internal address ranges are allowed and can be used to directly access internal resources in your data center.
extra k8s options
Some specific k8s options can be configured on workloads.
- Right now, only
affinity,tolerations, andtopologySpreadConstraintsare supported. - These options will be merged with the default ones.
Custom Tags
An extra list of Control Plane tags can be used to change the behavior of workloads when they are run in BYOK Locations.
Disable Service Mesh
cpln/disableServiceMesh=true
- When this tag is added to a workload the inbound and outbound sidecar is completely disabled. this can be useful in situations where proxying can confuse clients that are expecting direct IP communication without any NAT.
Disable Service Mesh Inbound Port
cpln/disableServiceMeshInboundPort
- A comma delimited list of ports to exclude from being intercepted by the sidecar proxy inbound.
Disable Service Mesh Outbound Port
cpln/disableServiceMeshOutboundPort
- A comma delimited list of ports to exclude from being intercepted by the sidecar proxy outbound.
Disable Service Mesh Outbound CIDR
cpln/disableServiceMeshOutboundPort
- A comma delimited list of CIDR IP ranges to exclude from being intercepted by the sidecar proxy outbound.
ClusterRole
cpln/k8sClusterRole
- The ClusterRole that should be binded to the workload
The actuator must be configured to allow this. See BYOK Actuator settings