BIG-IP Next for Kubernetes v2.0.0 Release Notes
Simplified BIG-IP Next for Kubernetes deployment with F5 Lifecycle Operator
F5 Lifecycle Operator (FLO) is a lifecycle management operator that manages BIG-IP Next for Kubernetes pods and deployments as Kubernetes resources. It streamlines the installation, upgrade, and uninstallation processes for BIG-IP Next for Kubernetes using BnkGatewayClass CR, requiring minimal user input. Upon applying the BnkGatewayClass CR, FLO effectively deploys all necessary BIG-IP Next for Kubernetes pods by instantiating a CR for each component, such as CWC, F5 Ingress, DSSM, and TMM. Furthermore, FLO continuously watches the BnkGatewayClass CR for any modifications and automatically redeploys any modified configurations to ensure optimal performance.
For more information, see F5 Lifecycle Operator.
Hardware acceleration in BIG-IP Next for Kubernetes
BIG-IP Next for Kubernetes now leverages NVIDIA BlueField Data Processing Units (DPUs) to accelerate data pipelines by offloading network processing and security tasks to dedicated hardware. This integration results in significantly improved performance and reduced CPU load. BIG-IP Next for Kubernetes supports hardware acceleration for crypto operations, DDoS mitigation, and firewall policy by offloading these tasks to the BlueField-3 (BF3) DPU.
Hardware acceleration for crypto and firewall can now be enabled through the F5SPKGlobalOptions CR, and for DDoS mitigation through the GlobalDDoS CR.
Provides Gateway API community CRs
The Gateway API provides a robust, flexible, and scalable way to manage Ingress traffic in Kubernetes environments.
BIG-IP Next for Kubernetes has been enhanced to support multiple community CRs, including Gateway. Additionally, it features the F5 L4Route CR, designed to conform to the community standards of the Kubernetes Gateway API.
For more information, see Gateway API.
Leverage F5 IPAM Controller to manage IP addresses for Gateway resource
The F5 IPAM Controller (FIC) in BIG-IP Next for Kubernetes manages the dual-stack IP addresses (IPv4 and IPv6) for the Gateway resource. FIC is leveraged in Gateway API to implement a dynamic method of assigning IP addresses, especially for ingress traffic. In this release, FIC is designed to verify and allocate IP addresses based on the CIDR range of the network configured in BNKGateway CR.
For more information, see F5 IPAM Controller for Gateway API.
Seamless firewall policy integration in Gateway API
Enhance network management capabilities by seamlessly attaching firewall policies to GatewayClass, Gateway, and route (HTTP, TCP, UDP) for incoming and outgoing traffic. The ACL policies can now refer to multiple objects using the targetRef field supported in the Firewall Policy CR. In addition, you can now attach the High-Speed Log (HSL) profile to GatewayClass. This feature controls traffic flow securely and efficiently within the Gateway API.
For more information, see Firewall Policy in Gateway API.
Ingress DDoS protection in Gateway API
Enhance DDoS protection in the Gateway API for Kubernetes by enabling global DDoS policies at multiple levels, including GatewayClass, Gateway, and Route. This provides robust defences against Layer 4 DDoS attacks across protocols like HTTP, TCP, and UDP, offering improved control over incoming traffic.
For more information, see Ingress DDoS protection for Gateway API.
F5 License Proxy (FLP)
The F5 License Proxy (FLP) provides a streamlined solution for licensing and overseeing F5 BIG-IP Next for Kubernetes instances within a cluster. With FLP, users have the ability to directly license a new BIG-IP Next for Kubernetes cluster or seamlessly switch an already licensed cluster to FLP mode.
For more information, see F5 License Proxy (FLP).
Automate Core File debugging process with F5 Next Core Loader
F5 Next Core Loader is a utility designed to simplify and automate the debugging of system crash files (core files). It automatically verifies the crash file, gathers essential details such as the container’s version and name, and retrieves necessary debugging artifacts (such as source code and symbols) from repositories like GitLab and Artifactory. This automation eliminates manual setup, accelerates troubleshooting, and enhances the efficiency of diagnosing and resolving system issues.
For more information, see Automate Core File Debugging with F5 Next Core Loader.
Core File collection and conversion with Coremond
The Coremond utility runs as a DaemonSet on BIG-IP Next for Kubernetes. It is designed to collect crash data (core files) from unexpectedly terminated processes and convert them into F5-specific core files. These files let you analyze the system’s state at the time of failure.
For more information, see BIG-IP Next for Kubernetes Coremond.
Enforced access control for Debug and QKView APIs with Admin Token
The BIG-IP Next Kubernetes Cluster-Wide Controller (CWC) now enforces security restrictions on the Debug API and QKView APIs, limiting access exclusively to admin users. Access control is implemented using the Admin Token to ensure secure access to sensitive data, such as metrics, logs, and core files.
For more information, see Admin Access and API Restrictions.
Distributed TODA stats aggregation for BIG-IP Next for Kubernetes*
The distributed TODA stats aggregation system efficiently handles the high-volume data generated by BIG-IP Next for Kubernetes. This enhances scalability, efficiency, and observability, ensuring accurate stats aggregation and reporting.
For more information, see Distributed Toda for Stats Aggregation and Install BIG-IP Next for Kubernetes.
Egress traffic routing with CSRC*
The Centralized Service Routing Controller (CSRC) DaemonSet optimizes egress traffic routing from application pods. Running in privileged mode, CSRC configures routing rules and policies on the nodes hosting application pods to ensure efficient traffic flow.
The TMM running on the Data Processing Unit (DPU) local to each host node is now assigned the highest priority, ensuring faster and more efficient routing compared to other TMMs.
For more information, see PseudoCNI.
Simplified VXLAN configuration with F5SPKEgress CR*
The F5SPKEgress CR automates VXLAN configuration by detecting the node interface, gathering network details, and assigning a unique Virtual Network Identifier (VNI) and subnet. This significantly streamlines manual setup, mitigates potential errors, and enhances the overall efficiency of network configuration.
For more information, see VXLAN with F5SPKEgress CR.
Automated SF Binary Deployment*
The process of downloading and copying the SF binary to DPU nodes is automated and managed by the F5 Lifecycle Operator (FLO) deployment, eliminating the need for manual intervention. After deployment, DPU nodes can run TMM pods with the required network plugins stored in /opt/cni/bin/.
QKView API*
The QKView API provides improved control, filtering, and support for Kubernetes environments.
The key features include:
Namespace Support: Enables selection of a specific namespace or all namespaces.
Filename: Allows assigning a custom name to the QKView tarball.
IPv6 Support: Prefers IPv6 for pod communication when dual-stack is enabled; defaults to IPv4 otherwise.
Pod Pattern Filtering: Retrieves data matching specified pod patterns.
Log Query Filtering: Filters log files and their contents for precise troubleshooting.
Core Files: Adds core file settings to the QKView for extended analysis.
Kubernetes Resources: Collects and embeds Kubernetes resources into QKView reports.
Error Message Filtering: Filters error messages to aid in log analysis.
Namespace Filtering: Filters logs based on specific namespaces.
For more information, see QKView API and iHealth.
* Indicates the enhancements from BIG-IP Next Kubernetes LA version.
Known Issue
To see the list of known issues with workarounds applicable for this release, see the BIG-IP Next for Kubernetes Known Issues page.