F5BigContextSecure¶
Overview¶
The F5BigContextSecure Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to perform as an application layer gateway (ALG) for low-latency 5G workloads. The F5BigContextSecure CR provides granular connection management using the following F5 protocol profiles: TCP, UDP and FastL4, and is an integral part of the DNS44, DNS46, and DNS64 implementations.
This document guides you through understanding, configuring and installing a simple F5BigContextSecure CR.
Service¶
The table below describes the CR service parameters.
| Parameter | Description |
|---|---|
name |
Selects the Service object name for the internal applications (Pods), and creates a round-robin load balancing pool using the Service Endpoints. |
port |
Selects the Service object port value. |
CR parameters¶
The tables below describe the F5BigSecureContext CR parameters used in this document, refer to the F5BigContextSecure Reference for the full list of parameters.
spec¶
| Parameter | Description |
|---|---|
destinationAddress |
Creates an IPv4 virtual server address that listens for ingress connections: host 10.10.10.50, subnet 10.10.10.0/24". |
ipv6destinationAddress |
Creates an IPv6 virtual server address that listens for ingress connections: host "4001::1", subnet "4001::/64". |
destinationPort |
Defines the service port for ingress connections. any (default). |
ipProtocol |
Specifies the virtual server IP protocol: tcp, udp, or any (default). |
selfipAsDest |
Specify whether to use selfip as the destination IP address for the secure context. If selfipAsDest is set to true and destination addresses are not specified, then the selfIPs from the vlans.vlanList get configured as destination IPs. The default is false. |
profile |
Specifies the profile to be used by the virtual server: tcp, udp, fastl4(default), or ipother. |
fastL4Settings.profileName |
Specifies how TMM handles connections using the F5BigFastl4Setting CR's metadata.name value. |
tcpSettings.clientSide |
Specifies how TMM handles clientside TCP connections using the F5BigTcpSetting CR's metadata.name value. |
tcpSettings.serverSide |
Specifies how TMM handles serverside TCP connections using the F5BigTcpSetting CR's metadata.name value. |
udpSettings.clientSide |
Specifies how TMM handles clientside UDP connections using the F5BigUdpSetting CR's metadata.name value. |
udpSettings.serverSide |
Specifies how TMM handles serverside UDP connections using the F5BigUdpSetting CR's metadata.name value. |
snat.type |
Specifies the type of address translation: none (default), automap, or snat. |
snat.pool |
When snat.type is snat, specifies the F5BigCneSnatpool CR to reference using the spec.name parameter. |
vlans.vlanList |
Specifies one or more F5BigNetVlan CRs using the metadata.name parameter, that listen for application traffic. |
CR Example¶
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
name: "cnf-context"
namespace: "cnf-gateway"
spec:
ipv6destinationAddress: "2002::200:200:200:0/112"
destinationPort: 0
iRules: ["cnf-irule"]
ipProtocol: "tcp"
profile: "tcp"
tcpSettings:
clientSide: "tcp-high-bw-profile"
serverSide: "tcp-high-bw-profile"
vlans:
vlanList:
- "subscriber-vlan"
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigContextSecure CR shortName is secctx.
View CR instance:
oc get secctx -n <namespace>
View CR configuration:
oc get secctx -n <namespace> -o yaml
Application Project¶
The Controller and Service Proxy TMM Pods install to a different Project than the TCP application (Pods). When installing the Controller, set the controller.watchNamespace parameter to the TCP Pod Project(s) in the Helm values file. For example:
_Note: The watchNamespace parameter accepts multiple namespaces.
controller:
watchNamespace:
- "web-apps"
- "web-apps2"
Dual-Stack environments¶
Service Proxy TMM’s load balancing pool is created by discovering the Kubernetes Service Endpoints in the Project. In IPv4/IPv6 dual-stack environments, to populate the load balancing pool with IPv6 members, set the Service PreferDualStack parameter to IPv6. For example:
kind: Service
metadata:
name: nginx-web-app
namespace: web-apps
labels:
app: nginx-web-app
spec:
ipFamilyPolicy: PreferDualStack
ipFamilies:
- IPv6
- IPv4
_Important:: When enabling preferDualStack, ensure TMM’s internal F5SPKVlan interface configuration includes both IPv4 and IPv6 addresses.
Installation¶
Secure Context on Controller namespace¶
Use the following steps to obtain the application’s Service object configuration, and configure and install the F5CNFIngressTCP CR.
Switch to the application Project:
oc project <project>
In this example, the application is in the web-apps Project:
oc project web-apps
Use the Service object NAME and PORT to configure the CR service.name and service.port parameters:
oc get service
In this example, the Service object NAME is nginx-web-app and the PORT is 80:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) nginx-web-app NodePort 10.99.99.99 <none> 80:30714/TCP
Copy the example CR into a YAML file:
apiVersion: "ingresstcp.k8s.f5net.com/v1" kind: F5CNFIngressTCP metadata: name: "nginx-web-cr" namespace: "web-apps" service: name: "nginx-web-app" port: 80 spec: destinationAddress: "192.168.1.123" destinationPort: 80 ipv6destinationAddress: "2001::100:100" idleTimeout: 30 loadBalancingMethod: "ROUND_ROBIN" snat: "SRC_TRANS_AUTOMAP" persist: mode: "PERSIST_TYPE_SRCADDR" timeout: 60 ipv4PrefixLength: 24 vlans: vlanList: - vlan-external monitors: tcp: - interval: 3 timeout: 10
Install the F5CNFIngressTCP CR:
oc apply -f cnf-ingress-tcp.yaml
Verify the status of the installed CR:
oc get f5-cnf-ingresstcp -n nginx-apps
In this example, the CR has installed successfully. Installation failures may indicate a missing CR dependancy such as a referenced VLAN.
NAME STATUS MESSAGE nginx-web-cr SUCCESS CR config sent to all grpc endpoints
Web clients should now be able to connect to the application through the Service Proxy TMM.
Secure Context on Application Namespace¶
Use these steps to install the example F5BigContextSecure CR, and the optional CNFs F5BigTcpSetting CR. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: The example F5BigTcpSetting CR increases a number of packets buffers to increase performance. Copy and paste the example into a YAML file:
Note: The F5BigTcpSetting CR will be referenced by the F5BigContextSecure CR.
apiVersion: k8s.f5net.com/v2 kind: F5BigContextSecure metadata: name: sc-udp service: name: udpsvc port: 9300 spec: destinationAddress: "192.168.16.48" ipv6destinationAddress: "fdc0:168:16::aa" destinationPort: 9090 ipProtocol: udp
Install the F5BigTcpSetting CR:
oc apply -f cnf-tcp-high-bw-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CRs were added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5TcpSetting", TcpSetting cnf-gateway/tcp-high-bw-profile was added/updated
The example F5BigContextSecure CR listens for connections destined to IP addresses in the 2002::200:200:200:0/112 subnet, and only on the subscriber-vlan interface. The CR also references the F5BigTcpsettings profile. Copy and paste the example into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigContextSecure metadata: name: "cnf-context" namespace: "cnf-gateway" spec: ipv6destinationAddress: "2002::200:200:200:0/112" destinationPort: 0 iRules: ["cnf-irule"] ipProtocol: "tcp" profile: "tcp" tcpSettings: clientSide: "tcp-high-bw-profile" serverSide: "tcp-high-bw-profile" vlans: vlanList: - "subscriber-vlan"
Install the F5BigContextSecure CR:
oc apply -f f5-cnf-context.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-context was added/updated
Continue to the Additional CRs and ContextSecure statistics sections.
Additional CRs¶
The F5BigContextSecure CR can also reference these CNFs CRs:
- F5BigFwPolicy - Granular network packet filtering using access control lists.
- F5BigNatPolicy - Carrier-grade NAT (CG-NAT) functionality.
- F5BigDnsApp - High-performance DNS resolution, caching, and DNS64 translations.
- F5BigIpsPolicy - DNS packet inspection for protection against malignant network traffic.
- F5BigCneSnatpool - Provides TMMs with additional IP addresses for source IP address translation.
- F5BigLogProfile - Capture and send traffic processing events to remote logging servers.
ContextSecure statistics¶
If the TMM Debug sidecar is enabled (default), use the steps below to verify firewall filtering statics.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify the F5BigContextSecure statistics:
Clientside connections:
tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
name clientside.tot_conns ------------------------------------------ -------------------- cnf-gateway-cnf-context-SecureContext_vs 8
Serverside connections:
tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
name serverside.tot_conns ------------------------------------------ -------------------- cnf-gateway-cnf-context-SecureContext_vs 8
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.
Supplemental¶
- F5BigCneIrule - CNF supports iRules with Context Secure or any other usecase CRs (example: DNS Virtual Server and F5BigAlgFtp).