F5SPKGlobalOptions
The F5SPKGlobalOptions CRD enables you to define multiple different behaviours at the global level (Traffic Management Microkernel (TMM)) on the BlueField-3 (BF3) Data Processing Unit (DPU) using Data Center Operations and Communications Acceleration (DOCA) APIs. These APIs provide secure, high-speed encryption and decryption. The BlueField-3 DPU employs the Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) engine to enhance performance and security for traffic management operations.
Parameters
The table below describes the spec parameters that can be defined in the F5SPKGlobalOptions CR:
| Parameters | Descriptions | Default |
|---|---|---|
| ip object | Configures multiple different behaviours at the global level, such as whether IPv4 options can be accepted. | |
| ip.acceptIPOptions boolean | Specifies whether IP options are accepted at the global level. | false |
| dnscache object | Defines multiple DNS Cache options at the global level. | |
| dnscache.matchWildcardVip boolean | Allows Unbound backend service resolution to match a wildcard Virtual IP (VIP). The VIP must be fully wildcard (0.0.0.0/0 or ::/0) and must have a source-address-translation of a snatpool. This is meant to allow SNATing of backend resolutions. | false |
| crypto object | Enables or disables hardware acceleration. | |
| crypto.hwAccel boolean | Enables or disables crypto hardware acceleration on the BlueField-3 Data Processing Unit (DPU). | true |
| firewall object | Configures multiple different behaviours at the global level, such as the default action to apply on traffic. | |
| firewall.defaultAction string | The default action to apply on traffic not matching any firewall rule in Secure Context or Gateway. The possible enum values are "", "accept", "reject" and "drop". accept: Allows traffic matching the rule to continue in software; reject: Rejects packets; drop: Drops packets silently. | "" |
| firewall.defaultActionLog boolean | Indicates that an HSL message must be generated when the defaultAction option is applied. | true |
| firewall.hardwareOffload boolean | Enables or disables hardware offloading of firewall rules if the platform supports it. Note: Rules with the drop action are only offloaded to hardware. You must specify a value for this parameter to overwrite the previously set value. | |
F5SPKGlobalOptions CR Example

    apiVersion: "k8s.f5net.com/v1"
    kind: F5SPKGlobalOptions
    metadata:
      name: global-options
    spec:
      firewall:
        defaultAction: reject
        defaultActionLog: True
        hardwareOffload: True

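The following Python check is an added example, not part of the F5 documentation: it overlays a CR's spec on the defaults from the parameter table and reports type errors, invalid `defaultAction` values and settings worth reviewing. The function names, the review policy and the sample CR are assumptions of this example.

```python
# Defaults from the parameter table; firewall.hardwareOffload has no listed default.
DEFAULTS = {
    "ip.acceptIPOptions": False,
    "dnscache.matchWildcardVip": False,
    "crypto.hwAccel": True,
    "firewall.defaultAction": "",
    "firewall.defaultActionLog": True,
}
BOOL_KEYS = [k for k, v in DEFAULTS.items() if isinstance(v, bool)] + ["firewall.hardwareOffload"]
ACTIONS = {"", "accept", "reject", "drop"}  # enum values from the table


def effective(spec):
    """Overlay the values set in spec on the documented defaults."""
    out = dict(DEFAULTS)
    for group, opts in (spec or {}).items():
        for key, value in (opts or {}).items():
            out[f"{group}.{key}"] = value
    return out


def audit(cr):
    """Return a list of findings for one F5SPKGlobalOptions CR (as a dict)."""
    if cr.get("kind") != "F5SPKGlobalOptions":
        return ["kind is not F5SPKGlobalOptions"]
    opts, findings = effective(cr.get("spec")), []
    for name in BOOL_KEYS:
        if name in opts and not isinstance(opts[name], bool):
            findings.append(f"{name}: expected a boolean, got {opts[name]!r}")
    if opts["firewall.defaultAction"] not in ACTIONS:
        findings.append(f"firewall.defaultAction: {opts['firewall.defaultAction']!r} is not an allowed value")
    # The policy below is this example's assumption, not an F5 requirement.
    if opts["firewall.defaultAction"] in ("", "accept"):
        findings.append("firewall.defaultAction: unmatched traffic is not explicitly rejected or dropped")
    if opts["firewall.defaultActionLog"] is False:
        findings.append("firewall.defaultActionLog: no HSL message when the default action is applied")
    if opts["ip.acceptIPOptions"] is True:
        findings.append("ip.acceptIPOptions: IP options are accepted at the global level")
    if opts["crypto.hwAccel"] is False:
        findings.append("crypto.hwAccel: software-based codec in use instead of hardware acceleration")
    return findings


# Constructed sample: a CR loaded into a dict (for example from JSON or YAML).
SAMPLE = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5SPKGlobalOptions",
    "metadata": {"name": "global-options", "namespace": "spk-ingress"},
    "spec": {"crypto": {"hwAccel": False}, "firewall": {"defaultActionLog": "yes"}},
}
```

Calling `audit(SAMPLE)` returns three findings; the CR example above, loaded into a dict, returns none.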
Disabling Crypto Hardware Acceleration on the BlueField-3 DPU
Follow the steps below to disable crypto hardware acceleration on the BlueField-3 DPU:

Copy the F5SPKGlobalOptions example CR below to a YAML file. Set the crypto.hwAccel parameter to false and save. In this example, the CR installs to the spk-ingress Project:

    apiVersion: k8s.f5net.com/v1
    kind: F5SPKGlobalOptions
    metadata:
      name: global-options
      namespace: spk-ingress
    spec:
      crypto:
        hwAccel: false

Apply the F5SPKGlobalOptions CR that you have created:

    kubectl apply -f f5-global-options.yaml

Crypto hardware acceleration is now disabled on the BlueField-3 DPU, and a software-based codec is enabled.

Enabling Crypto Hardware Acceleration on the BlueField-3 DPU
Prerequisites:
To enable crypto hardware acceleration on the BlueField-3 Data Processing Unit (DPU), ensure you have the following:
- The BlueField-3 DPU must have a crypto-capable device.
- A Scalable Function (SF) must be created on the BlueField-3 DPU.

Follow the steps below to enable crypto hardware acceleration on the BlueField-3 DPU:

Copy the F5SPKGlobalOptions example CR below to a YAML file. Set the crypto.hwAccel parameter to true and save. In this example, the CR installs to the spk-ingress Project:

    apiVersion: k8s.f5net.com/v1
    kind: F5SPKGlobalOptions
    metadata:
      name: global-options
      namespace: spk-ingress
    spec:
      crypto:
        hwAccel: true

Apply the F5SPKGlobalOptions CR that you have created:

    kubectl apply -f f5-global-options.yaml

Crypto hardware acceleration is now enabled on the BlueField-3 DPU, and the software-based codec is disabled.