BIG-IP Next for Kubernetes CRDs
The BIG-IP Next for Kubernetes Custom Resource Definitions (CRDs) extend the Kubernetes API, allowing the Traffic Management Microkernel (TMM) to be set up using SPK’s Custom Resources (CRs) from BIG-IP Next for Kubernetes. These CRs enable TMM to handle low-latency application traffic and to implement networking configurations such as interface IP addresses and static routes. For information on a specific CR and the complete list of parameters available for creating it, refer to the corresponding CRD. All the Custom Resource Definitions (CRDs) are installed by the F5 Orchestrator; see F5 Orchestrator.
Networking CRDs
Networking CRs configure the networking components of TMM, such as network interfaces and static routes.
Available network management CRDs:
- F5SPKVLAN - TMM interface configuration: VLANs, Self IP addresses, MTU sizes, and so on.
- F5SPKVXLAN - TMM interface configuration: Virtual Network Identifier (VNI), Self IP addresses, MTU sizes, and so on.
- F5SPKStaticRoute - TMM static routing table management.
Application traffic CRDs
When an application traffic CR is applied, the TMM is configured to act as a proxy and distribute application traffic through protocols such as TCP, UDP, SCTP, and NGAP. As a result, TMM is provisioned with the following objects for managing application traffic.
| Object | Description |
|---|---|
| Virtual Server | An IP address and service port that receives and processes ingress application traffic. |
| Network Virtual Server | An IP address subnet representing a range of destination IP addresses that receive and process ingress application traffic. |
| Wildcard Virtual Server | Receives and processes all destination application traffic. Specified using the IPv4 address 0.0.0.0/0 or the IPv6 address ::/0. |
| Protocol Profile | Provides application traffic intelligence, and options to adapt how connections are handled. |
| Load Balancing Pool | The Service object Endpoints that TMM distributes traffic to using round robin load balancing. |
Available traffic management CRDs:
- F5SPKIngressTCP - Ingress layer 4 TCP application traffic management.
- F5SPKIngressUDP - Ingress layer 4 UDP application traffic management.
- F5SPKIngressHTTP2 - Ingress HTTP/2 application traffic management.
- F5SPKEgress - Egress application traffic for pods using SNAT, Shared SNAT with Flow Forwarding or PseudoCNI.
- F5SPKSnatpool - Allocate IP addresses for egress Pod connections.
- F5BigContextGlobal - Modifies the default firewall action of the F5BigFwPolicy CR.
Protection and NAT CRDs
Traffic Management CRs can utilize Protection and NAT CRs to safeguard applications against unauthorized and malicious network traffic.
- F5SPKGlobalOptions - Includes configurable options to enable or disable crypto hardware acceleration on the BlueField-3 Data Processing Unit (DPU).
Firewall CRDs
The following CR is used to define the Firewall policy logic that secures BIG-IP Next for Kubernetes, and is often modified by operations:
- F5BigFwPolicy - Granular stateful-flow filtering based on access control list (ACL) policies.
The following CR is used to match traffic that the Firewall policy applies to, and will be created or modified when applications are created or changed:
- F5BigContextGlobal - Modifies the default firewall action of the F5BigFwPolicy CR.
The following CRs are used for BIG-IP Next for Kubernetes Firewall Logging:
- F5BigLogProfile - Specifies subscriber connection information sent to remote logging servers.
- F5BigLogHslpub - Defines remote logging server endpoints for the F5BigLogProfile.
Finalizers
Finalizers prevent the deletion of Custom Resources (CRs) until the backend configurations have been safely removed, ensuring reliable cleanup and consistency.
- Finalizers are namespaced keys that instruct Kubernetes to wait until specific conditions are met before completely deleting resources marked for deletion. The BIG-IP Next for Kubernetes Controller uses Kubernetes finalizers to ensure consistency between CRs and backend configurations.
- The BIG-IP Next for Kubernetes Controller adds a finalizer to any newly created CR.
- Upon CR deletion, the BIG-IP Next for Kubernetes Controller first removes the respective configuration from the backends and then removes the finalizer, permitting Kubernetes to complete the deletion. As long as the finalizer is present on the CR, the CR is not completely deleted.
- If a CR is deleted while the BIG-IP Next for Kubernetes Controller is offline, the finalizer keeps the CR from being removed. When the controller comes back online, it removes the configuration from the backend and then removes the finalizer. This ensures that CRs are only deleted after their configuration has been removed from the backends.
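The finalizer lifecycle described above, including the controller-offline case, as an added illustration that is not F5's code: plain-Python stand-ins for the API server's deletion rules, one controller reconcile pass, and the TMM backend (modelled as a set of configured CR names). The finalizer key and the CR name are placeholders.

```python
from dataclasses import dataclass, field
FINALIZER = "example.f5.com/placeholder-finalizer"  # assumed placeholder key


@dataclass
class CustomResource:
    name: str
    finalizers: list = field(default_factory=list)
    deletion_timestamp: str = ""  # set by the API server when deletion is requested


class ApiServer:
    """Stand-in for the API server's finalizer-aware deletion rules."""
    def __init__(self):
        self.objects = {}
    def delete(self, name):
        cr = self.objects[name]
        if cr.finalizers:  # finalizers present: only mark for deletion
            cr.deletion_timestamp = "2024-01-01T00:00:00Z"  # constructed value
        else:
            del self.objects[name]
    def remove_finalizer(self, name):
        cr = self.objects[name]
        cr.finalizers = [f for f in cr.finalizers if f != FINALIZER]
        if cr.deletion_timestamp and not cr.finalizers:
            del self.objects[name]  # last finalizer gone: deletion completes


def reconcile(api, backend, name):
    """One controller pass: add the finalizer and configure the backend, or,
    for a CR marked for deletion, clear the backend before releasing it."""
    if name not in api.objects:
        return
    cr = api.objects[name]
    if not cr.deletion_timestamp:
        if FINALIZER not in cr.finalizers:
            cr.finalizers.append(FINALIZER)
        backend.add(name)
        return
    backend.discard(name)       # backend config first ...
    api.remove_finalizer(name)  # ... then the finalizer


def delete_while_offline():
    """Scenario from the text: a CR is deleted while the controller is offline.
    Returns (stuck_while_offline, cr_exists_after, backend_configured_after)."""
    api, backend = ApiServer(), set()
    api.objects["vlan-a"] = CustomResource("vlan-a")  # constructed CR
    reconcile(api, backend, "vlan-a")  # finalizer added, backend configured
    api.delete("vlan-a")  # controller offline: no reconcile pass runs yet
    stuck = "vlan-a" in api.objects and "vlan-a" in backend
    reconcile(api, backend, "vlan-a")  # controller back online
    return stuck, "vlan-a" in api.objects, "vlan-a" in backend
```

While the controller is offline the CR stays in a terminating state with its backend configuration intact; once the controller reconciles again, the backend entry disappears before the object does.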